The golden-image Dockerfile + catalog pipeline replaces the entire
manual rootfs-build stack. With that shipped, the per-distro shell
flows are dead code.
Removed:
- scripts/customize.sh, scripts/interactive.sh, scripts/verify.sh
- scripts/make-rootfs{,-void,-alpine}.sh
- scripts/register-{void,alpine}-image.sh
- scripts/make-{void,alpine}-kernel.sh
- internal/imagepreset/ (only consumer was `banger internal packages`,
which fed customize.sh)
- examples/{void,alpine}.config.toml
- Makefile targets: rootfs, rootfs-void, rootfs-alpine, void-kernel,
alpine-kernel, void-register, alpine-register, void-vm, alpine-vm,
verify-void, verify-alpine, plus the ALPINE_RELEASE / *_IMAGE_NAME
/ *_VM_NAME variables
The void-6.12 kernel catalog entry is also gone — golden image pairs
with generic-6.12 and nothing else in the catalog depended on it.
Consolidated: imagemgr now holds the small DebianBasePackages list +
package-hash helper inline, so the `image build --from-image` flow
(still supported) no longer pulls from a separate imagepreset package.
Net: 3,815 lines deleted, 59 added. No runtime functionality removed
beyond the `banger internal packages` subcommand (hidden, used only
by the deleted customize.sh).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
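# banger golden image — Debian bookworm sandbox for development + testing.
#
# Two sections:
# 1. ESSENTIAL — what banger's lifecycle requires to boot the guest.
# 2. OPINION — developer conveniences curated for banger sandboxes.
#
# Banger's guest agents (vsock agent, network bootstrap, first-boot unit)
# are injected at `banger image pull` time, not baked here. Keeping them
# out means this image stays portable enough to run in other contexts.

# The tag is explicit but not digest-pinned, so two builds can start from
# different upstream snapshots. For a reproducible golden image, append
# `@sha256:<digest>` (placeholder — take the value from the registry).
FROM debian:bookworm-slim

# Build-time only: as an ARG it is exported to every RUN in this stage but
# is not persisted into the image's runtime environment (an ENV would be).
ARG DEBIAN_FRONTEND=noninteractive

# Locale is a property of the running sandbox, so it stays ENV.
ENV LANG=C.UTF-8 \
    LC_ALL=C.UTF-8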
# -------- 1. ESSENTIAL --------
# What banger needs from the guest: an init (systemd + udev + dbus),
# sshd (the only control channel), TLS roots + curl (first-boot installs
# and the mise installer), and iproute2 (debugging; `ip` is still handy
# even though the kernel sets the IP from the cmdline).
#
# udev and dbus are listed explicitly because on Debian they are only
# Recommends of the systemd package, and --no-install-recommends drops
# them. Without udev, systemd never activates device units, so the fstab
# mount of /dev/vdb (banger's work disk) waits forever on a device the
# kernel has already enumerated but systemd never "sees". Without dbus,
# services that need the system bus wedge the same way.
#
# Package versions are not pinned; reproducibility rests on the base
# image tag (or digest, if one is added to FROM).
RUN apt-get update \
    && apt-get install -y --no-install-recommends \
        ca-certificates \
        curl \
        dbus \
        iproute2 \
        openssh-server \
        systemd \
        systemd-sysv \
        udev \
    && rm -rf /var/lib/apt/lists/*
# -------- 2. OPINION --------
# Developer sandbox conveniences. Language runtimes are deliberately
# absent — `mise` (below) handles per-repo `.mise.toml`/`.tool-versions`
# on first `vm run`.

# One apt layer covering: core CLI (git, jq, less, tree, file, unzip, zip,
# rsync), search/nav (ripgrep, fd-find), build toolchain (build-essential,
# pkg-config, make), lint/debug (shellcheck, sqlite3, iputils-ping,
# dnsutils) and editor/session (vim-tiny, tmux, htop). Sorted for diffs.
RUN apt-get update \
    && apt-get install -y --no-install-recommends \
        build-essential \
        dnsutils \
        fd-find \
        file \
        git \
        htop \
        iputils-ping \
        jq \
        less \
        make \
        pkg-config \
        ripgrep \
        rsync \
        shellcheck \
        sqlite3 \
        tmux \
        tree \
        unzip \
        vim-tiny \
        zip \
    && rm -rf /var/lib/apt/lists/*
# Docker CE (with Compose v2 + buildx) from the official apt repo.
# Nested-VM docker gives Compose workflows hostname/port isolation
# per banger VM, which is a big part of the sandbox story.
#
# Trust chain: the repo signing key is fetched over TLS from
# download.docker.com and bound to the source via `signed-by=`; nothing
# here checks the key's fingerprint, so TLS to that host is the root of
# trust for every package installed below.
RUN install -m 0755 -d /etc/apt/keyrings \
    && curl -fsSL https://download.docker.com/linux/debian/gpg \
         -o /etc/apt/keyrings/docker.asc \
    && chmod a+r /etc/apt/keyrings/docker.asc \
    && arch="$(dpkg --print-architecture)" \
    && printf 'deb [arch=%s signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/debian bookworm stable\n' "$arch" \
         > /etc/apt/sources.list.d/docker.list \
    && apt-get update \
    && apt-get install -y --no-install-recommends \
        containerd.io \
        docker-buildx-plugin \
        docker-ce \
        docker-ce-cli \
        docker-compose-plugin \
    && rm -rf /var/lib/apt/lists/*
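# mise — per-repo version manager. Installed system-wide so the
# bashrc activation reaches every shell.
#
# The installer is downloaded to a file and run from there rather than
# piped straight into `sh`: the default /bin/sh has no pipefail, so a
# curl that fails or is cut off mid-stream would hand sh an empty or
# truncated script. Downloading first makes `curl -f` the gate; the
# script is removed in the same layer so it never reaches the image.
# NOTE(review): nothing pins the installer or the mise release it
# fetches — each build takes whatever https://mise.run serves at the
# time. The installer appears to honour MISE_VERSION for pinning;
# confirm against the script before relying on that for reproducibility.
RUN curl -fsSL https://mise.run -o /tmp/mise-install.sh \
    && MISE_INSTALL_PATH=/usr/local/bin/mise sh /tmp/mise-install.sh \
    && rm -f /tmp/mise-install.sh \
    && chmod 0755 /usr/local/bin/mise \
    && install -d /etc/profile.d \
    && printf '%s\n' 'if [ -x /usr/local/bin/mise ]; then eval "$(/usr/local/bin/mise activate bash)"; fi' \
         > /etc/profile.d/mise.sh \
    && chmod 0644 /etc/profile.d/mise.sh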
# Sandbox-wide git default + an ergonomic command name, in one layer.
# - init.defaultBranch: any `git init` inside the sandbox starts on `main`.
# - `fd`: Debian installs fd-find's binary as `fdfind` to avoid a
#   long-standing name clash; the symlink exposes the usual name for
#   interactive use.
RUN git config --system init.defaultBranch main \
    && ln -s /usr/bin/fdfind /usr/local/bin/fd
# Strip per-image identity so every banger VM gets its own.
# - /etc/machine-id: left empty; systemd generates a fresh one at boot.
# - SSH host keys: removed here. The ssh.service drop-in below runs
#   `ssh-keygen -A` before sshd, so each VM's first boot produces a
#   unique set instead of every VM sharing the image's keys.
# - /run/sshd tmpfiles entry: Debian's openssh-server package doesn't
#   ship one, and ssh.service's own `RuntimeDirectory=sshd` fires too
#   late for the ExecStartPre config test, so `sshd -t` fails with
#   "Missing privilege separation directory: /run/sshd" before the
#   daemon ever starts. A tmpfiles.d entry is applied by
#   systemd-tmpfiles-setup, well before ssh.service kicks off.
#
# The drop-in first clears the unit's inherited ExecStartPre list:
# Debian ships `sshd -t` as the first ExecStartPre, which would fail on
# the missing host keys and short-circuit the service before our key
# generation ran. The stale regen-host-keys.conf drop-in is removed too
# (presumably left by an earlier image revision — confirm before dropping
# that line).
RUN : > /etc/machine-id \
    && rm -f /etc/ssh/ssh_host_*_key /etc/ssh/ssh_host_*_key.pub \
    && install -d /etc/systemd/system/ssh.service.d \
    && { \
         echo '[Service]'; \
         echo '# Reset main unit ExecStartPre list: Debian ships `sshd -t` as'; \
         echo '# the first ExecStartPre, which fails on missing host keys and'; \
         echo '# short-circuits the service before ours gets a chance to run.'; \
         echo 'ExecStartPre='; \
         echo 'ExecStartPre=/usr/bin/mkdir -p /run/sshd'; \
         echo 'ExecStartPre=/usr/bin/ssh-keygen -A'; \
         echo 'ExecStartPre=/usr/sbin/sshd -t'; \
         echo 'StandardOutput=journal+console'; \
         echo 'StandardError=journal+console'; \
       } > /etc/systemd/system/ssh.service.d/banger.conf \
    && rm -f /etc/systemd/system/ssh.service.d/regen-host-keys.conf \
    && printf 'd /run/sshd 0755 root root -\n' > /usr/lib/tmpfiles.d/sshd.conf
# No CMD / ENTRYPOINT: banger boots this via systemd as PID 1 after
# first-boot, not via `docker run`.