-
Notifications
You must be signed in to change notification settings - Fork 16
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
feat: rootfs - build/upload action and Dockerfile
In order to facilitate Finch on Windows, we need a root filesystem. We will use this Dockerfile as a basis for that root filesystem - using `docker export` to turn a built container into an archived rootfs. For the scope of these changes, create the Dockerfile and an action that runs on changes to the file to build and push to ECR repo. Signed-off-by: Gavin Inglis <[email protected]>
- Loading branch information
Showing
2 changed files
with
73 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,43 @@ | ||
| name: Build and Push Rootfs Docker Image | ||
|
|
||
| on: | ||
| push: | ||
| branches: | ||
| - main | ||
| paths: | ||
| - 'Dockerfile' | ||
| workflow_dispatch: | ||
|
|
||
| permissions: | ||
| # This is required for configure-aws-credentials to request an OIDC JWT ID token to access AWS resources later on. | ||
| # More info: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#adding-permissions-settings | ||
| id-token: write | ||
| contents: write | ||
|
|
||
| jobs: | ||
| build-rootfs-image: | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: configure aws credentials | ||
| uses: aws-actions/configure-aws-credentials@v2 | ||
| with: | ||
| aws-region: ${{ secrets.REGION }} | ||
| role-to-assume: ${{ secrets.ROLE }} | ||
| role-session-name: rootfs-ecr-image-upload-session | ||
|
|
||
| - name: checkout repo | ||
| uses: actions/checkout@v3 | ||
| with: | ||
| fetch-depth: 0 | ||
| persist-credentials: false | ||
|
|
||
| - name: Build, Tag, and Push Image | ||
| run: | | ||
| # create sha256 of the Dockerfile to use as tag | ||
| HASH=$(sha256sum Dockerfile | cut -d ' ' -f 1) | ||
| # make empty tempdir for build context | ||
| BUILDCTX=$(mktemp -d) | ||
| DOCKER_BUILDKIT=1 docker build -f Dockerfile -t ${{ secrets.ROOTFS_IMAGE_ECR_REPOSITORY_NAME }}:"$HASH" "$BUILDCTX" | ||
| docker tag ${{ secrets.ROOTFS_IMAGE_ECR_REPOSITORY_NAME }}:"$HASH" ${{ secrets.ROOTFS_IMAGE_ECR_REPOSITORY_NAME }}:"$HASH" | ||
| docker push ${{ secrets.ROOTFS_IMAGE_ECR_REPOSITORY_NAME }}:"$HASH" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,30 @@ | ||
| # syntax = docker/dockerfile:1.4 | ||
| FROM public.ecr.aws/docker/library/fedora:38 | ||
|
|
||
| # install necessary cloud-server packages | ||
| RUN dnf group install -y cloud-server-environment --exclude=plymouth* \ | ||
| --exclude=geolite* \ | ||
| --exclude=firewalld* \ | ||
| --exclude=grub* \ | ||
| --exclude=dracut* \ | ||
| --exclude=shim-* | ||
|
|
||
| RUN systemctl enable cloud-init cloud-init-local cloud-config cloud-final | ||
|
|
||
| # enable systemd | ||
| # disabled network conf in cloud config | ||
| RUN <<EOF cat >> /etc/wsl.conf | ||
| [boot] | ||
| systemd=true | ||
| EOF | ||
|
|
||
| RUN <<EOF cat >> /etc/cloud/cloud.cfg | ||
| network: | ||
| config: disabled | ||
| EOF | ||
|
|
||
| # cleanup | ||
| RUN dnf clean all &&\ | ||
| rm -f /etc/NetworkManager/system-connections/*.nmconnection && \ | ||
| truncate -s 0 /etc/machine-id && \ | ||
| rm -f /var/lib/systemd/random-seed |