Merge pull request #35 from sorenisanerd/docker-ext

sorenisanerd · web-flow · commit ad575a80cf4e · 2025-08-20T15:28:28.000-07:00
Build Docker as a sysext
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -8,7 +8,7 @@ jobs:
     strategy:
       matrix:
         profiles:
-          - verity-full
+          - verity-full,docker-ext
           - verity-full,docker
     runs-on: ubuntu-latest
     permissions:
@@ -106,7 +106,15 @@ jobs:
       - name: Remove symlinks
         run: find out/ -type l -delete
       - name: Compress artifacts
-        run: for file in out/mangos{,-installer}_*.raw out/mangos_*.efi; do zstd --rm "$file" ; done
+        run: |
+          for file in out/mangos{,-installer}_*.raw out/mangos_*.efi; do zstd --rm "$file" ; done
+          if ls out/docker_*.raw > /dev/null 2>&1
+          then
+              for file in out/docker_*.raw
+              do
+                  zstd --rm "$file"
+              done
+          fi
       - name: Sign artifacts
         run: for file in out/mangos* ; do cosign sign-blob -d -y --bundle "${file}.sigbundle" "${file}" > /dev/null; done
       - name: Upload build artifact (disk)
@@ -123,6 +131,7 @@ jobs:
             out/mangos_${{ env.IMAGE_VERSION }}.github.json
             out/mangos_${{ env.IMAGE_VERSION }}.spdx.json
             out/mangos_${{ env.IMAGE_VERSION }}.syft.json
+            out/docker_${{ env.IMAGE_VERSION }}.raw.zst
           name: mangos.${{ matrix.profiles }}.disk
       - name: Upload build artifact (installer)
         uses: actions/upload-artifact@v4
@@ -151,7 +160,7 @@ jobs:
         run: |
           mkdir release
 
-          mv artifacts/mangos.verity-full.disk/* release/
+          mv artifacts/mangos.verity-full,docker-ext.disk/* release/
           mv artifacts/mangos.verity-full.installer/* release/
           for f in artifacts/mangos.verity-full,docker.disk/* ; do
             mv "$f" "release/mangos+docker_$(basename $f | cut -f2- -d_)"
diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml
@@ -8,14 +8,12 @@ jobs:
     strategy:
       matrix:
         profiles:
-          - verity-full
+          - verity-full,docker-ext
           - verity-full,docker
     runs-on: ubuntu-latest
     steps:
       - name: Install cosign
         uses: sigstore/cosign-installer@v3.9.1
-      - name: Prevent man-db dpkg trigger (speeds up setup-mkosi)
-        run: sudo rm /var/lib/man-db/auto-update
       - name: setup-mkosi
         uses: sorenisanerd/mkosi@main
       - name: Checkout code
@@ -62,6 +60,7 @@ jobs:
           sudo apt-get install -y ovmf
 
           mkosi --debug vm -- -uuid $(uuidgen) > vm.log 2>&1 &
+          pid=$!
 
           success=0
           for try in {1..10}
@@ -88,7 +87,15 @@ jobs:
       - name: Remove symlinks
         run: find out/ -type l -delete
       - name: Compress artifacts
-        run: for file in out/mangos{,-installer}_*.raw out/mangos_*.efi ; do zstd --rm "$file" ; done
+        run: |
+          for file in out/mangos{,-installer}_*.raw out/mangos_*.efi ; do zstd --rm "$file" ; done
+          if ls out/docker_*.raw > /dev/null 2>&1
+          then
+              for file in out/docker_*.raw
+              do
+                  zstd --rm "$file"
+              done
+          fi
       - name: Upload build artifact (disk)
         id: upload-disk
         uses: actions/upload-artifact@v4
@@ -103,6 +110,7 @@ jobs:
             out/mangos_${{ env.IMAGE_VERSION }}.github.json
             out/mangos_${{ env.IMAGE_VERSION }}.spdx.json
             out/mangos_${{ env.IMAGE_VERSION }}.syft.json
+            out/docker_${{ env.IMAGE_VERSION }}.raw.zst
           name: mangos.${{ matrix.profiles }}.disk
       - name: Upload build artifact (installer)
         uses: actions/upload-artifact@v4
diff --git a/mkosi.conf.d/docker-repos/mkosi.conf b/mkosi.conf.d/docker-repos/mkosi.conf
@@ -0,0 +1,3 @@
+[Match]
+Profiles=|docker-ext
+Profiles=|docker
diff --git a/mkosi.conf.d/docker-repos/mkosi.sandbox/etc/apt/keyrings/docker.asc b/mkosi.conf.d/docker-repos/mkosi.sandbox/etc/apt/keyrings/docker.asc
diff --git a/mkosi.conf.d/docker-repos/mkosi.sandbox/etc/apt/sources.list.d/docker.list b/mkosi.conf.d/docker-repos/mkosi.sandbox/etc/apt/sources.list.d/docker.list
diff --git a/mkosi.conf.d/docker/mkosi.conf b/mkosi.conf.d/docker/mkosi.conf
@@ -0,0 +1,2 @@
+[Match]
+Profiles=|docker-ext
diff --git a/mkosi.conf.d/docker/mkosi.extra/usr/lib/sysupdate.d/25-docker-sysext.transfer b/mkosi.conf.d/docker/mkosi.extra/usr/lib/sysupdate.d/25-docker-sysext.transfer
@@ -0,0 +1,14 @@
+[Source]
+Type=url-file
+Path=http://localhost:1002/
+MatchPattern=docker_@v.raw \
+             docker_@v.raw.gz \
+             docker_@v.raw.zstd \
+             docker_@v.raw.xz \
+
+[Target]
+Type=regular-file
+Path=/var/lib/extensions
+InstancesMax=2
+MatchPattern=docker_@v.raw
+Mode=0444
diff --git a/mkosi.images/base/mkosi.extra/usr/lib/sysusers.d/mangos-docker.conf b/mkosi.images/base/mkosi.extra/usr/lib/sysusers.d/mangos-docker.conf
@@ -0,0 +1,2 @@
+#Type	Name	ID	GECOS	Home directory Shell
+g	docker	501	-
diff --git a/mkosi.images/docker/mkosi.conf b/mkosi.images/docker/mkosi.conf
@@ -0,0 +1,13 @@
+[Match]
+Profiles=docker-ext
+
+[Config]
+Dependencies=base
+
+[Content]
+BaseTrees=%O/base_%v
+Packages=docker-ce
+
+[Output]
+Format=sysext
+Overlay=yes
diff --git a/mkosi.images/docker/mkosi.extra/usr/lib/systemd/system/sockets.target.d/docker.conf b/mkosi.images/docker/mkosi.extra/usr/lib/systemd/system/sockets.target.d/docker.conf
@@ -0,0 +1,2 @@
+[Unit]
+Upholds=docker.socket
diff --git a/mkosi.images/docker/mkosi.postinst.chroot b/mkosi.images/docker/mkosi.postinst.chroot
@@ -0,0 +1,3 @@
+#!/bin/sh
+mkdir -p /usr/lib/extension-release.d
+echo EXTENSION_RELOAD_MANAGER=1 >> /usr/lib/extension-release.d/extension-release.docker_${IMAGE_VERSION}
diff --git a/mkosi.images/docker/mkosi.postinst.d/eradicate-alternatives.chroot b/mkosi.images/docker/mkosi.postinst.d/eradicate-alternatives.chroot
@@ -0,0 +1,41 @@
+#!/bin/sh
+
+# Ubuntu/Debian has an "alternatives" concept allowing multiple packages
+# to provide the same functionality. E.g. neovim and vim might both be
+# installed, but /usr/bin/vi can only refer to one of them. To do this,
+# /usr/bin/vi is a symlink to `/etc/alternatives/vi`, which in turn is
+# a symlink to the preferred implementation.
+#
+# This is problematic because /usr ceases to be self-contained and
+# behavior can change based on local modifications. Also, the symlinks
+# from the `bin` dirs are absolute, so if you mount the filesystem somewhere
+# for inspection/debugging, its symlinks will point to the host's `vi` (or
+# whatever). So:
+#
+# For every registered "alternative" with an identically named entry
+# point in /{usr,}/{s,}bin, replace the existing entry point, and replace it
+# with a relative symlink to whatever /etc/alternatives/ says it should be.
+
+for x in /etc/alternatives/*
+do
+        target="$(readlink $x)"
+        basename="$(basename $x)"
+        entrypoint="$(which $basename)"
+
+        if [ -z "${entrypoint}" ]
+        then
+                continue
+        fi
+
+        entrypointdir="$(dirname $entrypoint)"
+
+        if [ "$(readlink ${entrypoint})" != "${x}" ]
+        then
+                continue
+        fi
+
+        target="$(echo $target | sed -e s%^${entrypointdir}/%%)"
+
+        update-alternatives --remove-all $basename
+        ln -s $target "${entrypoint}"
+done

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+[Match]`
	`2`	`+Profiles=\|docker-ext`
	`3`	`+Profiles=\|docker`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+#Type Name ID GECOS Home directory Shell`
	`2`	`+g docker 501 -`