Rebase dev image to Tumbleweed (#1363)

* Rebase Dev image to Tumbleweed

Signed-off-by: Andrea Mazzotti <andrea.mazzotti@suse.com>

* Enable SELinux by default but not enforce it

Signed-off-by: Andrea Mazzotti <andrea.mazzotti@suse.com>

* Install default SELinux policies

Signed-off-by: Andrea Mazzotti <andrea.mazzotti@suse.com>

---------

Signed-off-by: Andrea Mazzotti <andrea.mazzotti@suse.com>

Author: anmazzotti

Dockerfile.dev.iso

@@ -1,10 +1,13 @@
 ARG ELEMENTAL_OS_IMAGE
 
 FROM ${ELEMENTAL_OS_IMAGE} as os
+FROM ${ELEMENTAL_OS_IMAGE} as builder
 
 COPY manifest.yaml manifest.yaml
-RUN elemental --debug --config-dir . build-iso -o /output -n "elemental-dev" dir:/
+COPY --from=os / rootfs
+
+RUN elemental --debug --config-dir . build-iso -o /output -n "elemental-dev" dir:rootfs
 
 FROM busybox:stable
 
-COPY --from=os /output /elemental-iso
+COPY --from=builder /output /elemental-iso

Dockerfile.dev.os

@@ -5,7 +5,7 @@ FROM ${ELEMENTAL_REGISTER} as register
 FROM ${ELEMENTAL_TOOLKIT} as toolkit
 
 # OS base image of our choice
-FROM registry.opensuse.org/opensuse/leap:15.5 as OS
+FROM registry.opensuse.org/opensuse/tumbleweed:latest as OS
 
 ARG RANCHER_SYSTEM_AGENT_VERSION
 
@@ -53,10 +53,25 @@ RUN ARCH=$(uname -m); \
 RUN ARCH=$(uname -m); \
     [[ "${ARCH}" == "aarch64" ]] && ARCH="arm64"; \
     zypper --non-interactive install --no-recommends -- \
-      dmidecode
+      dmidecode \
+      libopenssl1_1
+
+# SELinux policy and tools
+RUN ARCH=$(uname -m); \
+    [[ "${ARCH}" == "aarch64" ]] && ARCH="arm64"; \
+    zypper --non-interactive install --no-recommends -- \
+      patterns-microos-selinux \
+      k3s-selinux \
+      audit
 
 # Add system files
 COPY framework/files/ /
+
+# Enable SELinux (The security=selinux arg is default on Micro, not on Tumbleweed)
+RUN sed -i "s/selinux=1/security=selinux selinux=1/g" /etc/elemental/bootargs.cfg
+# Enforce SELinux
+# RUN sed -i "s/enforcing=0/enforcing=1/g" /etc/elemental/bootargs.cfg
+
 # Add elemental-register
 COPY --from=register /usr/sbin/elemental-register /usr/sbin/elemental-register
 COPY --from=register /usr/sbin/elemental-support /usr/sbin/elemental-support
@@ -67,17 +82,31 @@ COPY --from=toolkit /usr/bin/elemental /usr/bin/elemental
 ADD --chmod=0755 https://github.com/rancher/system-agent/releases/download/${RANCHER_SYSTEM_AGENT_VERSION}/rancher-system-agent-amd64 /usr/sbin/elemental-system-agent
 
 # Enable essential services
-RUN systemctl enable NetworkManager.service
+RUN systemctl enable NetworkManager.service sshd
+
+# This is for testing purposes, do not do this in production.
+RUN echo "PermitRootLogin yes" > /etc/ssh/sshd_config.d/rootlogin.conf
 
-# Enable /tmp to be on tmpfs
-RUN cp /usr/share/systemd/tmp.mount /etc/systemd/system
+# Make sure trusted certificates are properly generated
+RUN /usr/sbin/update-ca-certificates
 
-# Generate initrd with required elemental services
-RUN elemental init --debug --force
+# Ensure /tmp is mounted as tmpfs by default
+RUN if [ -e /usr/share/systemd/tmp.mount ]; then \
+      cp /usr/share/systemd/tmp.mount /etc/systemd/system; \
+    fi
+
+# Save some space
+RUN zypper clean --all && \
+    rm -rf /var/log/update* && \
+    >/var/log/lastlog && \
+    rm -rf /boot/vmlinux*
 
 # Update os-release file with some metadata
 RUN echo TIMESTAMP="`date +'%Y%m%d%H%M%S'`" >> /etc/os-release && \
     echo GRUB_ENTRY_NAME=\"Elemental Dev\" >> /etc/os-release
 
+# Rebuild initrd to setup dracut with the boot configurations
+RUN elemental init --force elemental-rootfs,elemental-sysroot,grub-config,dracut-config,cloud-config-essentials,elemental-setup,boot-assessment
+
 # Good for validation after the build
 CMD /bin/bash