feat: rootfs - build/upload action and Dockerfile

In order to facilitate Finch on Windows, we need a root filesystem. We will use this Dockerfile as a basis for that root filesystem - using `docker export` to turn a built container into an archived rootfs. For the scope of these changes, create the Dockerfile and an action that runs on changes to the file to build and push to ECR repo. Signed-off-by: Gavin Inglis <[email protected]>
runfinch · Jul 21, 2023 · 507dd59 · 507dd59
1 parent f1e9aa4
commit 507dd59
Show file tree

Hide file tree

Showing 2 changed files with 83 additions and 0 deletions.
diff --git a/.github/workflows/rootfs.yaml b/.github/workflows/rootfs.yaml
@@ -0,0 +1,53 @@
+name: Build and Push Rootfs Docker Image
+
+on:
+  push:
+    branches:
+      - main
+    #paths:
+    #  - 'Dockerfile'
+  pull_request: # TODO: remove, we should only be pushing to ECR on merge to main.
+    branches:
+      - main
+    #paths:
+    #  - 'Dockerfile'
+  workflow_dispatch:
+
+permissions:
+  # This is required for configure-aws-credentials to request an OIDC JWT ID token to access AWS resources later on.
+  # More info: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#adding-permissions-settings
+  id-token: write
+  contents: write
+  pull-requests: write # TODO: remove, we should only be pushing to ECR on merge.
+
+jobs:
+  build-rootfs-image:
+    strategy:
+      #fail-fast: true
+      matrix:
+        os: ['ubuntu-latest']
+    runs-on: ${{ matrix.os }}
+    steps:
+      - name: checkout repo
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+
+      - name: configure aws credentials
+        uses: aws-actions/configure-aws-credentials@v2
+        with:
+          role-to-assume: ${{ secrets.ROLE }}
+          role-session-name: rootfs-ecr-image-upload-session
+          aws-region: ${{ secrets.REGION }}
+
+      - name: Build, Tag, and Push Image
+        run: |
+          # create sha256 of the Dockerfile to use as tag
+          HASH=$(sha256sum Dockerfile | cut -d ' ' -f 1)
+          # make empty tempdir for build context
+          BUILDCTX=$(mktemp -d)
+
+          DOCKER_BUILDKIT=1 docker build -f Dockerfile -t ${{ secrets.ROOTFS_IMAGE_ECR_REPOSITORY_NAME }}:"$HASH" "$BUILDCTX"
+          docker tag ${{ secrets.ROOTFS_IMAGE_ECR_REPOSITORY_NAME }}:"$HASH" ${{ secrets.ROOTFS_IMAGE_ECR_REPOSITORY_NAME }}:"$HASH"
+          docker push ${{ secrets.ROOTFS_IMAGE_ECR_REPOSITORY_NAME }}:"$HASH"
diff --git a/Dockerfile b/Dockerfile
@@ -0,0 +1,30 @@
+# syntax = docker/dockerfile:1.4
+FROM public.ecr.aws/docker/library/fedora:38
+
+# install necessary cloud-server packages
+RUN dnf group install -y cloud-server-environment --exclude=plymouth* \
+    --exclude=geolite* \
+    --exclude=firewalld* \
+    --exclude=grub* \
+    --exclude=dracut* \
+    --exclude=shim-*
+
+RUN systemctl enable cloud-init cloud-init-local cloud-config cloud-final
+
+# enable systemd
+# disabled network conf in cloud config
+RUN <<EOF cat >> /etc/wsl.conf
+[boot]
+systemd=true
+EOF
+
+RUN <<EOF cat >> /etc/cloud/cloud.cfg
+network:
+      config: disabled
+EOF
+
+# cleanup
+RUN dnf clean all &&\
+    rm -f /etc/NetworkManager/system-connections/*.nmconnection && \
+    truncate -s 0 /etc/machine-id && \
+    rm -f /var/lib/systemd/random-seed