[docker-images] Bootstrap for trixie

Signed-off-by: Eugenio Paolantonio (g7) <[email protected]>

.github/workflows/docker-images.yml

@@ -17,7 +17,7 @@ jobs:
       matrix:
         arch: [amd64, armhf, arm64]
         template: [build-essential, rootfs-builder, aptly-intake]
-        dist: [bookworm]
+        dist: [bookworm, trixie]
         namespace: [droidian]
         exclude:
           - template: aptly-intake

Dockerfile.amd64_droidian_aptly_intake_trixie

@@ -0,0 +1,79 @@
+# Pull latest Debian trixie
+ARG ARCH=
+FROM ${ARCH}/debian:trixie
+
+ENV DEBIAN_FRONTEND noninteractive
+ENV DEBCONF_NOWARNINGS yes
+ENV DEBIAN_PRIORITY critical
+
+# Required for https repositories and to properly add users
+RUN apt-get update && apt-get install --yes ca-certificates adduser
+
+# Copy relevant repositories and keyrings
+# Note: .dummy files used to keep the directory hierarchy in git are
+# copied too, see moby/moby#26332
+COPY repositories/trixie/all/* /etc/apt/sources.list.d/
+COPY repositories/trixie/amd64/* /etc/apt/sources.list.d/
+
+# Copy apt preferences
+COPY preferences/trixie/* /etc/apt/preferences.d/
+
+COPY keyrings/all/* /etc/apt/droidian-gpg.d/
+COPY keyrings/amd64/* /etc/apt/droidian-gpg.d/
+
+COPY common/apt.conf.d/* /etc/apt/apt.conf.d/
+
+# Pre-create users and groups. We are going to remap them anyway
+# at runtime by looking at permissions of the bind-mounted directories
+# but at least we already know which ids to change
+RUN adduser --system --home /var/lib/aptly-api --no-create-home --uid 10100 aptly-api && \
+ addgroup --gid 10100 aptly-api && \
+ adduser aptly-api aptly-api && \
+ adduser --system --home /srv/aptly-queue --no-create-home --uid 10101 aptly-queue && \
+ addgroup --gid 10101 aptly-queue && \
+ adduser aptly-queue aptly-queue && \
+ adduser aptly-api aptly-queue
+
+# Update and install
+RUN apt-get update && apt-get install -y \
+ systemd \
+ systemd-sysv \
+ aptly \
+ aptly-api \
+ python3 \
+ python3-requests \
+ python3-debian \
+ wget \
+ aptly-intake
+
+# Systemd configuration:
+# Credits to Alexander Haase <[email protected]>
+#
+# https://github.com/alehaa/docker-debian-systemd
+
+# Configure systemd.
+#
+# For running systemd inside a Docker container, some additional tweaks are
+# required. Some of them have already been applied above.
+#
+# The 'container' environment variable tells systemd that it's running inside a
+# Docker container environment.
+ENV container docker
+
+# A different stop signal is required, so systemd will initiate a shutdown when
+# running 'docker stop <container>'.
+STOPSIGNAL SIGRTMIN+3
+
+# The host's cgroup filesystem need's to be mounted (read-only) in the
+# container. '/run', '/run/lock' and '/tmp' need to be tmpfs filesystems when
+# running the container without 'CAP_SYS_ADMIN'.
+#
+# NOTE: For running Debian stretch, 'CAP_SYS_ADMIN' still needs to be added, as
+#       stretch's version of systemd is not recent enough. Buster will run just
+#       fine without 'CAP_SYS_ADMIN'.
+VOLUME [ "/sys/fs/cgroup", "/run", "/run/lock", "/tmp" ]
+
+# As this image should run systemd, the default command will be changed to start
+# the init system. CMD will be preferred in favor of ENTRYPOINT, so one may
+# override it when creating the container to e.g. to run a bash console instead.
+CMD [ "/sbin/init" ]

Dockerfile.amd64_droidian_build_essential_trixie

@@ -0,0 +1,53 @@
+# Pull latest Debian trixie
+ARG ARCH=
+FROM ${ARCH}/debian:trixie
+
+ENV DEBIAN_FRONTEND noninteractive
+ENV DEBCONF_NOWARNINGS yes
+ENV DEBIAN_PRIORITY critical
+
+# Required for https repositories
+RUN apt-get update && apt-get install --yes ca-certificates
+
+# Copy relevant repositories and keyrings
+# Note: .dummy files used to keep the directory hierarchy in git are
+# copied too, see moby/moby#26332
+COPY repositories/trixie/all/* /etc/apt/sources.list.d/
+COPY repositories/trixie/amd64/* /etc/apt/sources.list.d/
+
+# Copy apt preferences
+COPY preferences/trixie/* /etc/apt/preferences.d/
+
+COPY keyrings/all/* /etc/apt/droidian-gpg.d/
+COPY keyrings/amd64/* /etc/apt/droidian-gpg.d/
+
+COPY common/apt.conf.d/* /etc/apt/apt.conf.d/
+
+# Copy deployer for repo.droidian.org
+COPY extra/repo-droidian-deploy.sh /usr/local/bin
+COPY extra/repo-droidian-sign.sh /usr/local/bin
+
+# Add secondary architectures
+RUN dpkg --add-architecture arm64 && dpkg --add-architecture armhf && dpkg --add-architecture i386
+
+# Update and install
+RUN apt-get update && apt-get install -y --allow-downgrades \
+ build-essential \
+ devscripts \
+ equivs \
+ wget \
+ openssh-client \
+ rsync \
+ releng-tools \
+ droidian-apt-config \
+ droidian-archive-keyring \
+ mobian-archive-keyring && \
+ rm -f /etc/apt/sources.list.d/hybris-mobian.list /etc/apt/sources.list.d/mobian.list && \
+ apt-get dist-upgrade -y --allow-downgrades
+
+# Patch dpkg-perl's Patch.pm to avoid overzealous checks
+RUN \
+	sed -i \
+		"s|error(g_('diff %s modifies file %s through a symlink: %s')|warning(g_('diff %s modifies file %s through a symlink: %s')|" \
+		/usr/share/perl5/Dpkg/Source/Patch.pm && \
+	echo "libdpkg-perl hold" | dpkg --set-selections

Dockerfile.amd64_droidian_rootfs_builder_trixie

@@ -0,0 +1,87 @@
+# Pull latest Debian trixie
+ARG ARCH=
+FROM ${ARCH}/debian:trixie
+
+ENV DEBIAN_FRONTEND noninteractive
+ENV DEBCONF_NOWARNINGS yes
+ENV DEBIAN_PRIORITY critical
+
+# Required for https repositories
+RUN apt-get update && apt-get install --yes ca-certificates
+
+# Copy relevant repositories and keyrings
+# Note: .dummy files used to keep the directory hierarchy in git are
+# copied too, see moby/moby#26332
+COPY repositories/trixie/all/* /etc/apt/sources.list.d/
+COPY repositories/trixie/amd64/* /etc/apt/sources.list.d/
+
+# Copy apt preferences
+COPY preferences/trixie/* /etc/apt/preferences.d/
+
+COPY keyrings/all/* /etc/apt/droidian-gpg.d/
+COPY keyrings/amd64/* /etc/apt/droidian-gpg.d/
+
+COPY common/apt.conf.d/* /etc/apt/apt.conf.d/
+
+# Update and install
+RUN apt-get update && apt-get install -y \
+ droidian-apt-config \
+ droidian-archive-keyring \
+ mobian-archive-keyring && \
+ rm -f /etc/apt/sources.list.d/hybris-mobian.list /etc/apt/sources.list.d/mobian.list && \
+ apt-get install -y \
+ init \
+ systemd-sysv \
+ debos \
+ dpkg-dev \
+ parted \
+ dosfstools \
+ udev \
+ bmap-tools \
+ rsync \
+ zip \
+ lvm2 \
+ qemu-user-static \
+ binfmt-support \
+ android-sdk-libsparse-utils \
+ python3-yaml \
+ systemd-container
+
+# Workaround binfmt bug on latest qemu
+RUN \
+ for x in /usr/lib/binfmt.d/qemu-*; do \
+     /bin/bash -c "[[ ${x} == *.conf ]]" || mv ${x} ${x}.conf; \
+ done; \
+ update-binfmts --enable
+
+# Systemd configuration:
+# Credits to Alexander Haase <[email protected]>
+#
+# https://github.com/alehaa/docker-debian-systemd
+
+# Configure systemd.
+#
+# For running systemd inside a Docker container, some additional tweaks are
+# required. Some of them have already been applied above.
+#
+# The 'container' environment variable tells systemd that it's running inside a
+# Docker container environment.
+ENV container docker
+
+# A different stop signal is required, so systemd will initiate a shutdown when
+# running 'docker stop <container>'.
+STOPSIGNAL SIGRTMIN+3
+
+# The host's cgroup filesystem need's to be mounted (read-only) in the
+# container. '/run', '/run/lock' and '/tmp' need to be tmpfs filesystems when
+# running the container without 'CAP_SYS_ADMIN'.
+#
+# NOTE: For running Debian stretch, 'CAP_SYS_ADMIN' still needs to be added, as
+#       stretch's version of systemd is not recent enough. Buster will run just
+#       fine without 'CAP_SYS_ADMIN'.
+VOLUME [ "/sys/fs/cgroup", "/run", "/run/lock", "/tmp" ]
+
+# As this image should run systemd, the default command will be changed to start
+# the init system. CMD will be preferred in favor of ENTRYPOINT, so one may
+# override it when creating the container to e.g. to run a bash console instead.
+CMD [ "/sbin/init" ]

Dockerfile.arm64_droidian_build_essential_trixie

@@ -0,0 +1,53 @@
+# Pull latest Debian trixie
+ARG ARCH=
+FROM ${ARCH}/debian:trixie
+
+ENV DEBIAN_FRONTEND noninteractive
+ENV DEBCONF_NOWARNINGS yes
+ENV DEBIAN_PRIORITY critical
+
+# Required for https repositories
+RUN apt-get update && apt-get install --yes ca-certificates
+
+# Copy relevant repositories and keyrings
+# Note: .dummy files used to keep the directory hierarchy in git are
+# copied too, see moby/moby#26332
+COPY repositories/trixie/all/* /etc/apt/sources.list.d/
+COPY repositories/trixie/arm64/* /etc/apt/sources.list.d/
+
+# Copy apt preferences
+COPY preferences/trixie/* /etc/apt/preferences.d/
+
+COPY keyrings/all/* /etc/apt/droidian-gpg.d/
+COPY keyrings/arm64/* /etc/apt/droidian-gpg.d/
+
+COPY common/apt.conf.d/* /etc/apt/apt.conf.d/
+
+# Copy deployer for repo.droidian.org
+COPY extra/repo-droidian-deploy.sh /usr/local/bin
+COPY extra/repo-droidian-sign.sh /usr/local/bin
+
+# Add secondary architectures
+RUN dpkg --add-architecture arm64 && dpkg --add-architecture armhf && dpkg --add-architecture i386
+
+# Update and install
+RUN apt-get update && apt-get install -y --allow-downgrades \
+ build-essential \
+ devscripts \
+ equivs \
+ wget \
+ openssh-client \
+ rsync \
+ releng-tools \
+ droidian-apt-config \
+ droidian-archive-keyring \
+ mobian-archive-keyring && \
+ rm -f /etc/apt/sources.list.d/hybris-mobian.list /etc/apt/sources.list.d/mobian.list && \
+ apt-get dist-upgrade -y --allow-downgrades
+
+# Patch dpkg-perl's Patch.pm to avoid overzealous checks
+RUN \
+	sed -i \
+		"s|error(g_('diff %s modifies file %s through a symlink: %s')|warning(g_('diff %s modifies file %s through a symlink: %s')|" \
+		/usr/share/perl5/Dpkg/Source/Patch.pm && \
+	echo "libdpkg-perl hold" | dpkg --set-selections

Dockerfile.arm64_droidian_rootfs_builder_trixie

@@ -0,0 +1,87 @@
+# Pull latest Debian trixie
+ARG ARCH=
+FROM ${ARCH}/debian:trixie
+
+ENV DEBIAN_FRONTEND noninteractive
+ENV DEBCONF_NOWARNINGS yes
+ENV DEBIAN_PRIORITY critical
+
+# Required for https repositories
+RUN apt-get update && apt-get install --yes ca-certificates
+
+# Copy relevant repositories and keyrings
+# Note: .dummy files used to keep the directory hierarchy in git are
+# copied too, see moby/moby#26332
+COPY repositories/trixie/all/* /etc/apt/sources.list.d/
+COPY repositories/trixie/arm64/* /etc/apt/sources.list.d/
+
+# Copy apt preferences
+COPY preferences/trixie/* /etc/apt/preferences.d/
+
+COPY keyrings/all/* /etc/apt/droidian-gpg.d/
+COPY keyrings/arm64/* /etc/apt/droidian-gpg.d/
+
+COPY common/apt.conf.d/* /etc/apt/apt.conf.d/
+
+# Update and install
+RUN apt-get update && apt-get install -y \
+ droidian-apt-config \
+ droidian-archive-keyring \
+ mobian-archive-keyring && \
+ rm -f /etc/apt/sources.list.d/hybris-mobian.list /etc/apt/sources.list.d/mobian.list && \
+ apt-get install -y \
+ init \
+ systemd-sysv \
+ debos \
+ dpkg-dev \
+ parted \
+ dosfstools \
+ udev \
+ bmap-tools \
+ rsync \
+ zip \
+ lvm2 \
+ qemu-user-static \
+ binfmt-support \
+ android-sdk-libsparse-utils \
+ python3-yaml \
+ systemd-container
+
+# Workaround binfmt bug on latest qemu
+RUN \
+ for x in /usr/lib/binfmt.d/qemu-*; do \
+     /bin/bash -c "[[ ${x} == *.conf ]]" || mv ${x} ${x}.conf; \
+ done; \
+ update-binfmts --enable
+
+# Systemd configuration:
+# Credits to Alexander Haase <[email protected]>
+#
+# https://github.com/alehaa/docker-debian-systemd
+
+# Configure systemd.
+#
+# For running systemd inside a Docker container, some additional tweaks are
+# required. Some of them have already been applied above.
+#
+# The 'container' environment variable tells systemd that it's running inside a
+# Docker container environment.
+ENV container docker
+
+# A different stop signal is required, so systemd will initiate a shutdown when
+# running 'docker stop <container>'.
+STOPSIGNAL SIGRTMIN+3
+
+# The host's cgroup filesystem need's to be mounted (read-only) in the
+# container. '/run', '/run/lock' and '/tmp' need to be tmpfs filesystems when
+# running the container without 'CAP_SYS_ADMIN'.
+#
+# NOTE: For running Debian stretch, 'CAP_SYS_ADMIN' still needs to be added, as
+#       stretch's version of systemd is not recent enough. Buster will run just
+#       fine without 'CAP_SYS_ADMIN'.
+VOLUME [ "/sys/fs/cgroup", "/run", "/run/lock", "/tmp" ]
+
+# As this image should run systemd, the default command will be changed to start
+# the init system. CMD will be preferred in favor of ENTRYPOINT, so one may
+# override it when creating the container to e.g. to run a bash console instead.
+CMD [ "/sbin/init" ]