Publish images to ghcr.io

Change-type: patch Signed-off-by: Kyle Harding <[email protected]>
balena-io-experimental · Oct 12, 2023 · 2d7ede8 · 2d7ede8
1 parent 9d90b77
commit 2d7ede8
Show file tree

Hide file tree

Showing 4 changed files with 48 additions and 10 deletions.
diff --git a/.github/workflows/flowzone.yml b/.github/workflows/flowzone.yml
@@ -26,5 +26,8 @@ jobs:
     with:
       docker_runs_on: >
         {
-          "linux/amd64": ["self-hosted","distro:jammy","X64"]
+          "linux/amd64": ["self-hosted","X64"],
+          "linux/arm64": ["self-hosted","ARM64"]
         }
+      docker_images: >
+        ghcr.io/balena-io-experimental/ctr-jailer
diff --git a/README.md b/README.md
@@ -6,6 +6,21 @@ Append a build stage to your containers and run them as microVMs with Firecracke
 
 [Firecracker](https://firecracker-microvm.github.io/) is an open source virtualization technology that is purpose-built for creating and managing secure, multi-tenant container and function-based services that provide serverless operational models. Firecracker runs workloads in lightweight virtual machines, called microVMs, which combine the security and isolation properties provided by hardware virtualization technology with the speed and flexibility of containers.
 
+## Benefits
+
+- Privileged containers can be run in an isolated virtual environment
+- Container root filesystem is truly ephemeral and [recreated on each restart](#filesystem)
+- Container networks are segmented with one TAP/TUN interface per VM
+- Allows for runtime secrets by deleting environment files after use
+- Ideal for services exposed to the public, without risking the host OS
+
+## Caveats
+
+- The guest container OS must follow [some guidelines](#guest-container)
+- Environment variables need to be read from a file, and [are not exported by default](#environment-variables)
+- Only one persistent volume is supported right now, and [it needs to be mounted](filesystem)
+- Ports can not be exposed without custom iptables rules (TBD)
+
 ## Requirements
 
 ### Kernel Modules
@@ -49,9 +64,9 @@ Add the following lines to the end of your existing Dockerfile for publishing.
 # The rest of your docker instructions up here AS my-rootfs
 
 # Include firecracker wrapper and scripts
-FROM ghcr.io/balena-io/ctr-jailer AS runtime
+FROM ghcr.io/balena-io-experimental/ctr-jailer
 
-# Copy the root file system from your container final stage
+# Copy the root file system from your existing final stage
 COPY --from=my-rootfs / /usr/src/app/rootfs
 
 # Provide your desired command to exec after init.
@@ -119,7 +134,9 @@ Resources like virtual CPUs and Memory can be overprovisioned and adjusted via t
 
 The default is the maximum available on the host.
 
-### Persistent Storage
+The [jailer](https://github.com/firecracker-microvm/firecracker/blob/main/docs/jailer.md) also allows for resource slicing, but that implementation is TBD.
+
+### Filesystem
 
 The root filesystem is recreated on every run, so anything written to the root partition will not persist restarts and
 is considered ephemeral similar to container layers.

diff --git a/docker-bake.hcl b/docker-bake.hcl
@@ -0,0 +1,7 @@
+target "default" {
+  platforms = [
+    "linux/amd64",
+    "linux/arm64"
+  ]
+  target = "jailer"
+}
diff --git a/docker-compose.test.yml b/docker-compose.test.yml
@@ -2,7 +2,7 @@ version: "2.4"
 
 services:
   sut:
-    image: docker:stable
+    image: alpine:3.18
     environment:
       DOCKER_HOST: unix:///var/run/docker.sock
       COMPOSE_PROJECT_NAME: ${COMPOSE_PROJECT_NAME:-ctr-jailer}
@@ -19,16 +19,27 @@ services:
       - /bin/sh
       - -c
       - |
-        set -e
-        apk add --no-cache docker-compose
+        set -ex
+        apk add --no-cache docker-cli-compose
 
         count=0
-        while [ "$$(docker-compose logs | grep "touch /mnt/data/healthy" | wc -l)" -lt 3 ]; do
+        while true; do
+
           if [ $$count -gt 10 ]; then
-            echo "Timed out waiting for 3 passed healthchecks"
+            echo "Timed out waiting for healthchecks to pass"
             exit 1
           fi
-          sleep 5
+
+          count=$$(($$count + 1))
+
+          sleep 3
+          
+          docker compose logs --no-color alpine-test | grep "touch /mnt/data/healthy" || continue
+          docker compose logs --no-color debian-test | grep "touch /mnt/data/healthy" || continue
+          docker compose logs --no-color ubuntu-test | grep "touch /mnt/data/healthy" || continue
+
+          break
+
         done
 
   alpine-test: