feat: rootfs - build/upload action and Dockerfile

In order to facilitate Finch on Windows, we need a root filesystem. We
will use this Dockerfile as a basis for that root filesystem - using
`docker export` to turn a built container into an archived rootfs. For
the scope of these changes, create the Dockerfile and an action that
runs on changes to the file to build and push to ECR repo.

Signed-off-by: Gavin Inglis <[email protected]>

.github/workflows/rootfs.yaml

@@ -0,0 +1,49 @@
+name: Build and Push Rootfs Docker Image
+
+on:
+  push:
+    branches:
+      - main
+    #paths:
+    #  - 'Dockerfile'
+  pull_request: # TODO: remove, we should only be pushing to ECR on merge to main.
+    branches:
+      - main
+    #paths:
+    #  - 'Dockerfile'
+  workflow_dispatch:
+
+permissions:
+  # This is required for configure-aws-credentials to request an OIDC JWT ID token to access AWS resources later on.
+  # More info: https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#adding-permissions-settings
+  id-token: write
+  contents: write
+  pull-requests: write # TODO: remove, we should only be pushing to ECR on merge.
+
+jobs:
+  build-rootfs-image:
+    runs-on: ubuntu-latest
+    steps:
+      - name: configure aws credentials
+        uses: aws-actions/configure-aws-credentials@v2
+        with:
+          aws-region: ${{ secrets.REGION }}
+          role-to-assume: ${{ secrets.ROLE }}
+          role-session-name: rootfs-ecr-image-upload-session
+
+      - name: checkout repo
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+
+      - name: Build, Tag, and Push Image
+        run: |
+          # create sha256 of the Dockerfile to use as tag
+          HASH=$(sha256sum Dockerfile | cut -d ' ' -f 1)
+          # make empty tempdir for build context
+          BUILDCTX=$(mktemp -d)
+
+          DOCKER_BUILDKIT=1 docker build -f Dockerfile -t ${{ secrets.ROOTFS_IMAGE_ECR_REPOSITORY_NAME }}:"$HASH" "$BUILDCTX"
+          docker tag ${{ secrets.ROOTFS_IMAGE_ECR_REPOSITORY_NAME }}:"$HASH" ${{ secrets.ROOTFS_IMAGE_ECR_REPOSITORY_NAME }}:"$HASH"
+          docker push ${{ secrets.ROOTFS_IMAGE_ECR_REPOSITORY_NAME }}:"$HASH"

Dockerfile

@@ -0,0 +1,30 @@
+# syntax = docker/dockerfile:1.4
+FROM public.ecr.aws/docker/library/fedora:38
+
+# install necessary cloud-server packages
+RUN dnf group install -y cloud-server-environment --exclude=plymouth* \
+    --exclude=geolite* \
+    --exclude=firewalld* \
+    --exclude=grub* \
+    --exclude=dracut* \
+    --exclude=shim-*
+
+RUN systemctl enable cloud-init cloud-init-local cloud-config cloud-final
+
+# enable systemd
+# disabled network conf in cloud config
+RUN <<EOF cat >> /etc/wsl.conf
+[boot]
+systemd=true
+EOF
+
+RUN <<EOF cat >> /etc/cloud/cloud.cfg
+network:
+      config: disabled
+EOF
+
+# cleanup
+RUN dnf clean all &&\
+    rm -f /etc/NetworkManager/system-connections/*.nmconnection && \
+    truncate -s 0 /etc/machine-id && \
+    rm -f /var/lib/systemd/random-seed