-
Notifications
You must be signed in to change notification settings - Fork 8
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
ea73d7a
commit f4cce60
Showing
9 changed files
with
180 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
.sunodo |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,124 @@ | ||
# (c) Cartesi and individual authors (see AUTHORS) | ||
# SPDX-License-Identifier: Apache-2.0 (see LICENSE) | ||
|
||
# syntax=docker.io/docker/dockerfile:1 | ||
ARG IMAGE_REGISTRY | ||
ARG IMAGE_NAMESPACE | ||
ARG IMAGE_NAME | ||
ARG IMAGE_TAG | ||
ARG TARGETARCH | ||
|
||
############################################################################### | ||
# STAGE: base-image | ||
# | ||
# This stage creates a base-image with apt repository cache and ca-certificates | ||
# to be used by later stages. | ||
FROM ${IMAGE_REGISTRY}/${IMAGE_NAMESPACE}/${IMAGE_NAME}:$IMAGE_TAG AS base-image | ||
ARG DEBIAN_FRONTEND=noninteractive | ||
RUN apt-get update && apt-get install -y --no-install-recommends ca-certificates | ||
|
||
|
||
############################################################################### | ||
# STAGE: chisel | ||
# | ||
# Build the chiselled filesystem based on the desired slices. | ||
# This image should have the machine-emulator-tools and crun dependencies | ||
# installed. | ||
# | ||
#FIXME: replace the image with the official one when it's available | ||
# from: docker.io/risv64/ubuntu to: docker.io/library/ubuntu | ||
FROM base-image AS chisel | ||
ARG TARGETARCH | ||
|
||
WORKDIR /rootfs | ||
|
||
# Extract machine-emulator-tools into the chiselled filesystem | ||
ARG MACHINE_EMULATOR_TOOLS_VERSION | ||
ADD https://github.com/cartesi/machine-emulator-tools/releases/download/v${MACHINE_EMULATOR_TOOLS_VERSION}/machine-emulator-tools-v${MACHINE_EMULATOR_TOOLS_VERSION}.deb / | ||
RUN dpkg -x /machine-emulator-tools-v${MACHINE_EMULATOR_TOOLS_VERSION}.deb /rootfs | ||
|
||
# Get chisel binary | ||
ARG CHISEL_VERSION | ||
ADD "https://github.com/canonical/chisel/releases/download/v${CHISEL_VERSION}/chisel_v${CHISEL_VERSION}_linux_${TARGETARCH}.tar.gz" chisel.tar.gz | ||
RUN tar -xvf chisel.tar.gz -C /usr/bin/ | ||
|
||
# Extract crun dependencies into the chiselled filesystem | ||
# FIXME: remove this when crun's dependecies slices are upstream | ||
ADD https://github.com/endersonmaia/chisel-releases.git#0ce6657c093a38267d65e7d9275a45e22b162942 /chisel-22.04 | ||
RUN chisel cut \ | ||
--release /chisel-22.04 \ | ||
--root /rootfs \ | ||
--arch=${TARGETARCH} \ | ||
base-files_base \ | ||
base-files_release-info \ | ||
base-passwd_data \ | ||
busybox-static_bins \ | ||
libc6_libs \ | ||
libcap2_libs \ | ||
libgcc-s1_libs \ | ||
libseccomp2_libs \ | ||
libstdc++6_libs \ | ||
libyajl2_libs \ | ||
uidmap_bins | ||
|
||
# Prepare the chiselled filesystem with the necessary configuration | ||
# some directories, dapp user and root's shell | ||
RUN <<EOF | ||
set -e | ||
ln -s /bin/busybox bin/sh | ||
mkdir -p proc sys dev run/cruntime mnt | ||
echo "dapp:x:1000:1000::/home/dapp:/bin/sh" >> etc/passwd | ||
echo "dapp:x:1000:" >> etc/group | ||
mkdir home/dapp | ||
chown 1000:1000 home/dapp | ||
sed -i '/^root/s/bash/sh/g' etc/passwd | ||
EOF | ||
############################################################################### | ||
# STAGE: crun-builder | ||
# | ||
# Build most recent version of the crun binary to be used at final image. | ||
# | ||
FROM base-image AS crun-builder | ||
ARG DEBIAN_FRONTEND=noninteractive | ||
RUN <<EOF | ||
set -e | ||
apt-get install -y \ | ||
autoconf \ | ||
automake \ | ||
build-essential \ | ||
gcc \ | ||
git \ | ||
go-md2man \ | ||
libcap-dev \ | ||
libprotobuf-c-dev \ | ||
libseccomp-dev \ | ||
libtool \ | ||
libyajl-dev \ | ||
make \ | ||
pkgconf \ | ||
python3 | ||
EOF | ||
|
||
WORKDIR /usr/local/src | ||
# crun:v1.4.4 -> a220ca661ce078f2c37b38c92e66cf66c012d9c1 | ||
ADD --keep-git-dir https://github.com/containers/crun.git#a220ca661ce078f2c37b38c92e66cf66c012d9c1 /usr/local/src | ||
RUN <<EOF | ||
set -e | ||
./autogen.sh | ||
./configure \ | ||
--disable-systemd \ | ||
--disable-criu | ||
make | ||
EOF | ||
|
||
############################################################################### | ||
# STAGE: final image | ||
# | ||
# This stage creates the final image with the crun binary and the chiselled filesystem. | ||
# | ||
FROM scratch | ||
COPY --chown=root:root --chmod=644 skel/etc/subgid /etc/subgid | ||
COPY --chown=root:root --chmod=644 skel/etc/subuid /etc/subuid | ||
COPY --chown=root:root --chmod=755 etc/cartesi-init.d/cruntime-init /etc/cartesi-init.d/cruntime-init | ||
COPY --from=chisel /rootfs / | ||
COPY --from=crun-builder /usr/local/src/crun /usr/bin/ |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,13 @@ | ||
# TBD | ||
|
||
```shell | ||
docker buildx bake --load | ||
sunodo-dev build --from-image sunodo/cruntime:devel | ||
sunodo-dev shell | ||
dapp@cartesi-machine:~$ crun --version | ||
crun version 1.14.4 | ||
commit: a220ca661ce078f2c37b38c92e66cf66c012d9c1 | ||
rundir: /run/crun | ||
spec: 1.0.0 | ||
+SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +YAJL | ||
``` |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,15 @@ | ||
target "docker-metadata-action" {} | ||
|
||
target "default" { | ||
platforms = [ "linux/riscv64"] | ||
inherits = ["docker-metadata-action"] | ||
args = { | ||
IMAGE_REGISTRY="docker.io" | ||
IMAGE_NAMESPACE="riscv64" | ||
IMAGE_NAME="ubuntu" | ||
IMAGE_TAG="22.04" | ||
CHISEL_VERSION="0.9.1" | ||
TARGETARCH="riscv64" | ||
MACHINE_EMULATOR_TOOLS_VERSION="0.15.0" | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,3 @@ | ||
target "default" { | ||
tags = ["sunodo/cruntime:devel"] | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,8 @@ | ||
{ | ||
"name": "@sunodo/cruntime", | ||
"private": true, | ||
"version": "0.0.0", | ||
"scripts": { | ||
"build": "docker buildx bake --load" | ||
} | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,14 @@ | ||
#!/bin/busybox sh | ||
|
||
# cgroups2 config | ||
busybox mount -o nosuid,nodev,noexec -t cgroup2 cgroup2 /sys/fs/cgroup | ||
busybox echo "+cpu +pids +memory" > /sys/fs/cgroup/cgroup.subtree_control | ||
|
||
# give user group access to /cruntime | ||
UID=$(busybox id -u ${USER:-dapp}) | ||
GID=$(busybox id -g ${USER:-dapp}) | ||
|
||
[ -d /run ] && busybox mkdir -p /run/crun | ||
[ -d /run ] && busybox mkdir -p /run/cruntime | ||
[ -d /run/crun ] && busybox chown -R $UID:$GID /run/crun | ||
[ -d /run/cruntime ] && busybox chown -R $UID:$GID /run/cruntime |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
dapp:100000:65536 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1 @@ | ||
dapp:100000:65536 |