From 709c4a08654ff9ecfdd9f5a85c4e699e153078e1 Mon Sep 17 00:00:00 2001
From: Jan De Landtsheer <jan@delandtsheer.eu>
Date: Mon, 25 Aug 2025 09:44:47 +0200
Subject: [PATCH] feat: implement rootless Docker with container management
 support

Docker Infrastructure:
- Added proper user namespace mapping in Dockerfile.alpine
- Created 'builder' user with host UID/GID mapping at build time
- Removed runtime user mapping (now handled in Dockerfile)
- Set up Rust environment for mapped user instead of root
- Fixed config mount consistency (removed :ro flags for real-time sync)

Container Management:
- Added 15 essential cgroup modules to modules-essential.list
- Complete cgroups v1 and v2 support for container orchestration
- Process control: cgroup_pids, cgroup_freezer, cgroup_cpuset
- Memory management: memcg, hugetlb_cgroup
- Network control: net_cls_cgroup, net_prio_cgroup
- Device access: cgroup_device, devices_cgroup
- Advanced features: cgroup_bpf, cgroup_perf_event, cgroup_debug

Environment Updates:
- Updated RFS Dockerfile to Alpine 3.22 for consistency
- Ensured proper /build directory permissions for mapped user

This enables true rootless operation with full container management
capabilities, fixing permission issues and enabling Zero-OS container
orchestration with complete resource control.
---
 build/Dockerfile.alpine        | 23 +++++++++++++++++++++++
 build/docker-compose.yml       | 16 ++++++++++------
 components/rfs/Dockerfile      |  2 +-
 configs/modules-essential.list | 17 +++++++++++++++++
 4 files changed, 51 insertions(+), 7 deletions(-)

diff --git a/build/Dockerfile.alpine b/build/Dockerfile.alpine
index 203b2d7..996c4e7 100644
--- a/build/Dockerfile.alpine
+++ b/build/Dockerfile.alpine
@@ -5,6 +5,9 @@ FROM alpine:3.22
 ARG TARGETARCH=amd64
 ARG BUILDMODE=debug
 ARG MINIMAL_MODE=false
+ARG USER_UID=1000
+ARG USER_GID=1000
+ARG USERNAME=builder
 
 # Set environment variables
 ENV BUILDMODE=${BUILDMODE}
@@ -77,5 +80,25 @@ RUN echo "BUILDMODE=${BUILDMODE}" > /build/build.conf && \
     echo "OUTPUT_DIR=/build/output" >> /build/build.conf && \
     echo "CONFIG_DIR=/build/configs" >> /build/build.conf
 
+# Create user with proper mapping
+RUN addgroup -g ${USER_GID} ${USERNAME} && \
+    adduser -u ${USER_UID} -G ${USERNAME} -D -s /bin/sh ${USERNAME} && \
+    mkdir -p /home/${USERNAME}/.cargo && \
+    chown -R ${USERNAME}:${USERNAME} /home/${USERNAME}
+
+# Switch to the mapped user
+USER ${USERNAME}
+
+# Set up Rust environment for the user
+RUN rustup-init -y --default-toolchain stable && \
+    . ~/.cargo/env && \
+    rustup target add x86_64-unknown-linux-musl
+
+# Set working directory and ensure permissions
+WORKDIR /build
+USER root
+RUN chown -R ${USERNAME}:${USERNAME} /build
+USER ${USERNAME}
+
 # Default command
 CMD ["/build/scripts/build-initramfs.sh"]
\ No newline at end of file
diff --git a/build/docker-compose.yml b/build/docker-compose.yml
index 734393e..998bd8d 100644
--- a/build/docker-compose.yml
+++ b/build/docker-compose.yml
@@ -9,13 +9,15 @@ services:
         BUILDMODE: "${BUILDMODE:-debug}"
         TARGETARCH: "${TARGETARCH:-amd64}"
         MINIMAL_MODE: "${MINIMAL_MODE:-false}"
+        USER_UID: "${USER_UID:-1000}"
+        USER_GID: "${USER_GID:-1000}"
+        USERNAME: "builder"
     image: zero-os-alpine-builder:cached-${BUILDMODE:-debug}
     container_name: zero-os-alpine-builder-cached
     privileged: true
-    user: "${USER_UID:-1000}:${USER_GID:-1000}"
     volumes:
-      # Mount source configs and scripts (read-only for cache efficiency)
-      - ../configs:/build/configs:ro
+      # Mount source configs and scripts (configs writable for dev, scripts read-only for cache)
+      - ../configs:/build/configs
       - ../scripts:/build/scripts:ro
       # Mount Zero-OS components (writable for cargo build)
       - ../components:/build/components
@@ -43,12 +45,14 @@ services:
         BUILDMODE: "${BUILDMODE:-debug}"
         TARGETARCH: "${TARGETARCH:-amd64}"
         MINIMAL_MODE: "${MINIMAL_MODE:-false}"
+        USER_UID: "${USER_UID:-1000}"
+        USER_GID: "${USER_GID:-1000}"
+        USERNAME: "builder"
     image: zero-os-alpine-builder:legacy
     container_name: zero-os-alpine-builder-legacy
     privileged: true
-    user: "${USER_UID:-1000}:${USER_GID:-1000}"
     volumes:
-      - ../configs:/build/configs:ro
+      - ../configs:/build/configs
       - ../scripts:/build/scripts:ro
       - ../components:/build/components
       - ../output:/build/output
@@ -96,7 +100,7 @@ services:
     extends: builder
     container_name: zero-os-alpine-test
     volumes:
-      - ../configs:/build/configs:ro
+      - ../configs:/build/configs
       - ../scripts:/build/scripts:ro
       - ../components:/build/components
       - ../output:/build/output
diff --git a/components/rfs/Dockerfile b/components/rfs/Dockerfile
index 7993001..8db130c 100644
--- a/components/rfs/Dockerfile
+++ b/components/rfs/Dockerfile
@@ -11,7 +11,7 @@ RUN apt-get update && apt-get install curl build-essential libssl-dev musl-tools
 RUN rustup target add x86_64-unknown-linux-musl
 RUN cargo build --release --target=x86_64-unknown-linux-musl
 
-FROM alpine:3.19
+FROM alpine:3.22
 
 WORKDIR /app
 
diff --git a/configs/modules-essential.list b/configs/modules-essential.list
index 33f69bc..b2dfc2e 100644
--- a/configs/modules-essential.list
+++ b/configs/modules-essential.list
@@ -40,3 +40,20 @@ overlay
 # Storage subsystem (essential only)
 scsi_mod
 sd_mod
+
+# Control Groups (cgroups v1 and v2) - essential for container management
+cgroup_pids
+cgroup_freezer
+cgroup_perf_event
+cgroup_device
+cgroup_cpuset
+cgroup_bpf
+cgroup_debug
+memcg
+blkio_cgroup
+cpu_cgroup
+cpuacct
+hugetlb_cgroup
+net_cls_cgroup
+net_prio_cgroup
+devices_cgroup