From 377236f895d0702a53a19de3d3580ab69ac8ce1d Mon Sep 17 00:00:00 2001
From: Gavin Inglis
Date: Fri, 21 Jul 2023 15:33:37 -0700
Subject: [PATCH] feat: rootfs - build/upload action and Dockerfile

In order to facilitate Finch on Windows, we need a root filesystem. We will use this Dockerfile as a basis for that root filesystem - using `docker export` to turn a built container into an archived rootfs. For the scope of these changes, create the Dockerfile and an action that runs on changes to the file to build and push to ECR repo.

Signed-off-by: Gavin Inglis
---
 .github/workflows/rootfs.yaml | 54 +++++++++++++++++++++++++++++++++++
 Dockerfile | 30 +++++++++++++++++++
 2 files changed, 84 insertions(+)
 create mode 100644 .github/workflows/rootfs.yaml
 create mode 100644 Dockerfile

diff --git a/.github/workflows/rootfs.yaml b/.github/workflows/rootfs.yaml
new file mode 100644
index 0000000..20027d4
--- /dev/null
+++ b/.github/workflows/rootfs.yaml
@@ -0,0 +1,54 @@
+name: Build and Push Rootfs Docker Image
+
+on:
+ push:
+ branches:
+ - main
+ #paths:
+ # - 'Dockerfile'
+ pull_request: # TODO: remove, we should only be pushing to ECR on merge to main.
+ branches:
+ - main
+ #paths:
+ # - 'Dockerfile'
+ workflow_dispatch:
+
+permissions:
+ # This is required for configure-aws-credentials to request an OIDC JWT ID token to access AWS resources later on.
+ # More info: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#adding-permissions-settings
+ id-token: write
+ contents: write
+ pull-requests: write # TODO: remove, we should only be pushing to ECR on merge.
+
+jobs:
+ build-rootfs-image:
+ strategy:
+ #fail-fast: true
+ matrix:
+ os: ['ubuntu-latest']
+ runs-on: ${{ matrix.os }}
+ steps:
+ - name: configure aws credentials
+ uses: aws-actions/configure-aws-credentials@v2
+ with:
+ role-to-assume: ${{ secrets.ROLE }}
+ role-session-name: rootfs-ecr-image-upload-session
+ aws-region: ${{ secrets.REGION }}
+
+ - name: checkout repo
+ uses: actions/checkout@v3
+ with:
+ fetch-depth: 0
+ persist-credentials: false
+ submodules: true
+
+ - name: Build, Tag, and Push Image
+ run: |
+ # create sha256 of the Dockerfile to use as tag
+ HASH=$(sha256sum Dockerfile | cut -d ' ' -f 1)
+ # make empty tempdir for build context
+ BUILDCTX=$(mktemp -d)
+
+ DOCKER_BUILDKIT=1 docker build -f Dockerfile -t ${{ secrets.ROOTFS_IMAGE_ECR_REPOSITORY_NAME }}:"$HASH" "$BUILDCTX"
+ docker tag ${{ secrets.ROOTFS_IMAGE_ECR_REPOSITORY_NAME }}:"$HASH" ${{ secrets.ROOTFS_IMAGE_ECR_REPOSITORY_NAME }}:"$HASH"
+ docker push ${{ secrets.ROOTFS_IMAGE_ECR_REPOSITORY_NAME }}:"$HASH"
\ No newline at end of file
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..5b9f227
--- /dev/null
+++ b/Dockerfile
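Review bot: The `permissions` block grants more than this job uses — the steps only read the checkout and push to ECR — so `contents: write` should become `contents: read` and `pull-requests: write` should be dropped (its own TODO already says so), leaving `id-token: write` as the sole write scope for a job that assumes an AWS role. The run step has no ECR authentication before `docker push`; unless a credential helper is preconfigured on the runner the push will be denied, so an `aws-actions/amazon-ecr-login` step (or `aws ecr get-login-password | docker login`) belongs between the credentials step and the build. The `docker tag` line re-tags the image with the exact name it already has and can be removed. Both actions are pinned to floating major tags (`@v2`, `@v3`); pinning them to a full commit SHA with a version comment keeps the supply chain of a role-bearing workflow reproducible. The `${{ secrets.ROOTFS_IMAGE_ECR_REPOSITORY_NAME }}` expressions are expanded straight into the shell script; exposing them through `env:` and referencing `"$ECR_REPO"` keeps the script's meaning independent of the secret's characters.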
@@ -0,0 +1,30 @@
+# syntax = docker/dockerfile:1.4
+FROM public.ecr.aws/docker/library/fedora:38
+
+# install necessary cloud-server packages
+RUN dnf group install -y cloud-server-environment --exclude=plymouth* \
+ --exclude=geolite* \
+ --exclude=firewalld* \
+ --exclude=grub* \
+ --exclude=dracut* \
+ --exclude=shim-*
+
+RUN systemctl enable cloud-init cloud-init-local cloud-config cloud-final
+
+# enable systemd
+# disabled network conf in cloud config
+RUN <> /etc/wsl.conf
+[boot]
+systemd=true
+EOF
+
+RUN <> /etc/cloud/cloud.cfg
+network:
+ config: disabled
+EOF
+
+# cleanup
+RUN dnf clean all &&\
+ rm -f /etc/NetworkManager/system-connections/*.nmconnection && \
+ truncate -s 0 /etc/machine-id && \
+ rm -f /var/lib/systemd/random-seed
\ No newline at end of file
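Review bot: The base image is pinned only by the mutable `fedora:38` tag while the workflow tags the result with the Dockerfile's sha256, so two builds of an identical Dockerfile can produce different rootfs contents under the same tag; pinning the base by digest (`FROM public.ecr.aws/docker/library/fedora:38@sha256:<digest-placeholder>`) and adding a `dnf -y upgrade` ahead of the group install would make the tag meaningful and bring Fedora's security errata into the rootfs. The two heredoc headers `RUN <> /etc/wsl.conf` and `RUN <> /etc/cloud/cloud.cfg` look truncated in this rendering — presumably `RUN <<EOF cat >> /etc/wsl.conf` in the committed file — and are worth confirming, since the `# syntax = docker/dockerfile:1.4` directive on line 1 is what enables heredocs and a malformed header fails the build. The cleanup step deserves a why-comment, e.g. `# reset per-instance identity so exported rootfs copies do not share a machine-id or RNG seed`, so the next maintainer does not "fix" the truncate and rm lines.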