rootless implementation (#53)
* rootless implementation

Co-authored-by: madelen-axis <madelen-axis@users.noreply.github.com>
madelen-at-work and madelen-axis authored Nov 9, 2023
1 parent 376990d commit abc4664
Showing 14 changed files with 371 additions and 74 deletions.
2 changes: 2 additions & 0 deletions .github/workflows/cd.yml
Expand Up @@ -8,6 +8,7 @@ on:
push:
branches:
- 'main'
- 'rootless-preview'
tags:
# semver, e.g. 1.2.0 (does not match 0.1.2)
- '[1-9]+.[0-9]+.[0-9]+'
Expand All @@ -22,6 +23,7 @@ on:
pull_request:
branches:
- 'main'
- 'rootless-preview'

jobs:
# Builds docker ACAP using the build.sh script, then signs the eap-file in
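Review bot: Adding `rootless-preview` to the `push` trigger means the job described on the next line — which, per its comment, also signs the eap-file — now runs on every push to a preview branch, not only on `main` and release tags. If the signing material is meant to be reserved for releasable builds, the signing step should be gated (e.g. `if: github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/')`) or the preview branch added to `pull_request` only, where the build still runs but secrets are not exposed to it. The job definition itself is outside this hunk, so whether such a gate already exists cannot be confirmed from here.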
86 changes: 75 additions & 11 deletions Dockerfile
Expand Up @@ -14,14 +14,9 @@ ARG ACAP3_SDK_VERSION=3.5
ARG ACAP3_UBUNTU_VERSION=20.04
ARG ACAP3_SDK=acap-sdk

FROM ${REPO}/${NATIVE_SDK}:${VERSION}-${ACAPARCH}-ubuntu${UBUNTU_VERSION} as build_image

FROM ${REPO}/${ACAP3_SDK}:${ACAP3_SDK_VERSION}-${ACAPARCH}-ubuntu${ACAP3_UBUNTU_VERSION} as acap-sdk

FROM build_image AS ps
ARG PROCPS_VERSION=v3.3.17
ARG BUILD_DIR=/build
ARG EXPORT_DIR=/export
FROM ${REPO}/${NATIVE_SDK}:${VERSION}-${ACAPARCH}-ubuntu${UBUNTU_VERSION} as build_image

RUN <<EOF
apt-get update
Expand All @@ -30,11 +25,46 @@ RUN <<EOF
autopoint \
gettext \
git \
libtool
libtool \
bison
ln -s /usr/bin/libtoolize /usr/bin/libtool
apt-get clean
rm -rf /var/lib/apt/lists/*
EOF

FROM build_image AS nsenter

ARG NSENTER_VERSION=v2.39.1
ARG BUILD_DIR=/build
ARG EXPORT_DIR=/export

WORKDIR $BUILD_DIR
RUN git clone -b $NSENTER_VERSION 'https://github.com/util-linux/util-linux.git'

ARG BUILD_CACHE=build.cache
RUN echo ac_cv_func_realloc_0_nonnull=yes >$BUILD_CACHE \
&& echo ac_cv_func_malloc_0_nonnull=yes >>$BUILD_CACHE
RUN <<EOF
cd util-linux
. /opt/axis/acapsdk/environment-setup*
./autogen.sh
./configure --host="${TARGET_PREFIX%*-}" \
--disable-shared \
--without-ncurses \
--cache-file="$BUILD_CACHE"
make nsenter
$STRIP nsenter
EOF

WORKDIR $EXPORT_DIR
RUN cp $BUILD_DIR/util-linux/nsenter nsenter

FROM build_image AS ps

ARG PROCPS_VERSION=v3.3.17
ARG BUILD_DIR=/build
ARG EXPORT_DIR=/export

WORKDIR $BUILD_DIR
RUN git clone --depth 1 -b $PROCPS_VERSION 'https://gitlab.com/procps-ng/procps' .

Expand All @@ -60,6 +90,8 @@ FROM build_image as build
ARG DOCKER_VERSION
ARG DOCKER_COMPOSE_VERSION
ARG ACAPARCH
ARG SLIRP4NETNS_VERSION=1.2.0
ARG ROOTLESS_EXTRAS_VERSION=${DOCKER_VERSION}

# Copy over axparameter from the acap-sdk
COPY --from=acap-sdk /opt/axis/acapsdk/sysroots/${ACAPARCH}/usr/include/axsdk/ax_parameter /opt/axis/acapsdk/sysroots/${ACAPARCH}/usr/include/axsdk
Expand All @@ -70,8 +102,29 @@ COPY --from=acap-sdk /opt/axis/acapsdk/sysroots/${ACAPARCH}/usr/lib/pkgconfig/ax

COPY app /opt/app
COPY --from=ps /export/ps /opt/app
COPY --from=nsenter /export/nsenter /opt/app

COPY ./binaries/${ACAPARCH}/* /opt/app

# Get docker* binaries and scripts
# Temp fix to get binary onto aarch64 master fw
COPY ./binaries/systemd-user-runtime-dir /opt/app
COPY ./binaries/*.service /opt/app
COPY ./binaries/handle_directories.sh /opt/app

WORKDIR /opt/app

# Download and extract slirp4netns
RUN <<EOF
if [ "$ACAPARCH" = "armv7hf" ]; then
export SLIRP4NETNS_ARCH="armv7l";
elif [ "$ACAPARCH" = "aarch64" ]; then
export SLIRP4NETNS_ARCH="aarch64";
fi;
curl -Lo slirp4netns "https://github.com/rootless-containers/slirp4netns/releases/download/v${SLIRP4NETNS_VERSION}/slirp4netns-${SLIRP4NETNS_ARCH}";
chmod +x slirp4netns
EOF

# Download and extract docker scripts and docker-rootless-extras scripts
RUN <<EOF
if [ "$ACAPARCH" = "armv7hf" ]; then
export DOCKER_ARCH="armhf";
Expand All @@ -86,10 +139,11 @@ RUN <<EOF
tar -xz -f docker_binaries.tgz --strip-components=1 docker/docker-init ;
tar -xz -f docker_binaries.tgz --strip-components=1 docker/docker-proxy ;
curl -Lo docker-compose "https://github.com/docker/compose/releases/download/${DOCKER_COMPOSE_VERSION}/docker-compose-linux-${DOCKER_COMPOSE_ARCH}" ;
chmod +x docker-compose
chmod +x docker-compose ;
curl -Lo docker-rootless-extras.tgz "https://download.docker.com/linux/static/stable/${DOCKER_ARCH}/docker-rootless-extras-${ROOTLESS_EXTRAS_VERSION}.tgz" ;
tar -xz -f docker-rootless-extras.tgz --strip-components=1 ;
EOF

WORKDIR /opt/app
RUN <<EOF
. /opt/axis/acapsdk/environment-setup*
acap-build . \
Expand All @@ -99,7 +153,17 @@ RUN <<EOF
-a docker-init \
-a docker-proxy \
-a empty_daemon.json \
-a ps
-a ps \
-a slirp4netns \
-a rootlesskit \
-a rootlesskit-docker-proxy \
-a nsenter \
-a newgidmap \
-a newuidmap \
-a systemd-user-runtime-dir \
-a acap-user-runtime-dir@.service \
-a acap-user@.service \
-a handle_directories.sh
EOF

ENTRYPOINT [ "/opt/axis/acapsdk/sysroots/x86_64-pokysdk-linux/usr/bin/eap-install.sh" ]
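Review bot: The slirp4netns fetch (`curl -Lo slirp4netns "https://github.com/rootless-containers/slirp4netns/releases/…"`) is never verified: `-f` is absent, so an HTTP error body would be written as the binary and the following `chmod +x slirp4netns` would still succeed; there is no digest check against the release's checksum file; and when `ACAPARCH` matches neither `armv7hf` nor `aarch64`, `SLIRP4NETNS_ARCH` stays empty and the URL silently degrades to `…/slirp4netns-`. Because the step is a heredoc `RUN` with no `set -e`, a failing `curl` does not fail the build either — only the last command's status counts. The docker-compose and docker-rootless-extras downloads in the next `RUN` have the same shape (no `-f`, no digest check), and `git clone -b $NSENTER_VERSION` in the nsenter stage pins a movable tag rather than a commit, which matters here because these artifacts are packaged into the ACAP and, presumably, run with elevated privileges on the device. I would rewrite the slirp4netns step as below, supplying the expected digest through a build `ARG` taken from the release's published checksums, and apply the same `-f` / `sha256sum -c` pattern to the other two fetches.
```dockerfile
ARG SLIRP4NETNS_SHA256
# Download and verify slirp4netns; the digest comes from the release's checksum file
RUN <<EOF
set -e
case "$ACAPARCH" in
    armv7hf) SLIRP4NETNS_ARCH="armv7l" ;;
    aarch64) SLIRP4NETNS_ARCH="aarch64" ;;
    *) echo "unsupported ACAPARCH: $ACAPARCH" >&2; exit 1 ;;
esac
curl -fsSLo slirp4netns "https://github.com/rootless-containers/slirp4netns/releases/download/v${SLIRP4NETNS_VERSION}/slirp4netns-${SLIRP4NETNS_ARCH}"
echo "${SLIRP4NETNS_SHA256}  slirp4netns" | sha256sum -c -
chmod +x slirp4netns
EOF
# … unchanged: docker / docker-compose / docker-rootless-extras download step …
```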
