tfgrid/zosbuilder
11
0
Fork 1
Code Issues 1 Pull Requests Actions Packages Projects Releases Wiki Activity

feat: implement rootless Docker with container management support

Browse Source 
Docker Infrastructure:
- Added proper user namespace mapping in Dockerfile.alpine
- Created 'builder' user with host UID/GID mapping at build time
- Removed runtime user mapping (now handled in Dockerfile)
- Set up Rust environment for mapped user instead of root
- Fixed config mount consistency (removed :ro flags for real-time sync)

Container Management:
- Added 15 essential cgroup modules to modules-essential.list
- Complete cgroups v1 and v2 support for container orchestration
- Process control: cgroup_pids, cgroup_freezer, cgroup_cpuset
- Memory management: memcg, hugetlb_cgroup
- Network control: net_cls_cgroup, net_prio_cgroup
- Device access: cgroup_device, devices_cgroup
- Advanced features: cgroup_bpf, cgroup_perf_event, cgroup_debug

Environment Updates:
- Updated RFS Dockerfile to Alpine 3.22 for consistency
- Ensured proper /build directory permissions for mapped user

This enables true rootless operation with full container management
capabilities, fixing permission issues and enabling Zero-OS container
orchestration with complete resource control.
This commit is contained in:
Jan De Landtsheer
2025-08-25 09:44:47 +02:00
parent 8a38c372aa
commit 709c4a0865
4 changed files with 51 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
build/Dockerfile.alpine
View File

@@ -5,6 +5,9 @@ FROM alpine:3.22
ARG TARGETARCH=amd64 ARG TARGETARCH=amd64
ARG BUILDMODE=debug ARG BUILDMODE=debug
ARG MINIMAL_MODE=false ARG MINIMAL_MODE=false
ARG USER_UID=1000
ARG USER_GID=1000
ARG USERNAME=builder
# Set environment variables # Set environment variables
ENV BUILDMODE=${BUILDMODE} ENV BUILDMODE=${BUILDMODE}
@@ -77,5 +80,25 @@ RUN echo "BUILDMODE=${BUILDMODE}" > /build/build.conf && \
echo "OUTPUT_DIR=/build/output" >> /build/build.conf && \ echo "OUTPUT_DIR=/build/output" >> /build/build.conf && \
echo "CONFIG_DIR=/build/configs" >> /build/build.conf echo "CONFIG_DIR=/build/configs" >> /build/build.conf
# Create user with proper mapping
RUN addgroup -g ${USER_GID} ${USERNAME} && \
adduser -u ${USER_UID} -G ${USERNAME} -D -s /bin/sh ${USERNAME} && \
mkdir -p /home/${USERNAME}/.cargo && \
chown -R ${USERNAME}:${USERNAME} /home/${USERNAME}
# Switch to the mapped user
USER ${USERNAME}
# Set up Rust environment for the user
RUN rustup-init -y --default-toolchain stable && \
. ~/.cargo/env && \
rustup target add x86_64-unknown-linux-musl
# Set working directory and ensure permissions
WORKDIR /build
USER root
RUN chown -R ${USERNAME}:${USERNAME} /build
USER ${USERNAME}
# Default command # Default command
CMD ["/build/scripts/build-initramfs.sh"] CMD ["/build/scripts/build-initramfs.sh"]

16
build/docker-compose.yml
View File

@@ -9,13 +9,15 @@ services:
BUILDMODE: "${BUILDMODE:-debug}" BUILDMODE: "${BUILDMODE:-debug}"
TARGETARCH: "${TARGETARCH:-amd64}" TARGETARCH: "${TARGETARCH:-amd64}"
MINIMAL_MODE: "${MINIMAL_MODE:-false}" MINIMAL_MODE: "${MINIMAL_MODE:-false}"
USER_UID: "${USER_UID:-1000}"
USER_GID: "${USER_GID:-1000}"
USERNAME: "builder"
image: zero-os-alpine-builder:cached-${BUILDMODE:-debug} image: zero-os-alpine-builder:cached-${BUILDMODE:-debug}
container_name: zero-os-alpine-builder-cached container_name: zero-os-alpine-builder-cached
privileged: true privileged: true
user: "${USER_UID:-1000}:${USER_GID:-1000}"
volumes: volumes:
# Mount source configs and scripts (read-only for cache efficiency) # Mount source configs and scripts (configs writable for dev, scripts read-only for cache)
- ../configs:/build/configs:ro - ../configs:/build/configs
- ../scripts:/build/scripts:ro - ../scripts:/build/scripts:ro
# Mount Zero-OS components (writable for cargo build) # Mount Zero-OS components (writable for cargo build)
- ../components:/build/components - ../components:/build/components
@@ -43,12 +45,14 @@ services:
BUILDMODE: "${BUILDMODE:-debug}" BUILDMODE: "${BUILDMODE:-debug}"
TARGETARCH: "${TARGETARCH:-amd64}" TARGETARCH: "${TARGETARCH:-amd64}"
MINIMAL_MODE: "${MINIMAL_MODE:-false}" MINIMAL_MODE: "${MINIMAL_MODE:-false}"
USER_UID: "${USER_UID:-1000}"
USER_GID: "${USER_GID:-1000}"
USERNAME: "builder"
image: zero-os-alpine-builder:legacy image: zero-os-alpine-builder:legacy
container_name: zero-os-alpine-builder-legacy container_name: zero-os-alpine-builder-legacy
privileged: true privileged: true
user: "${USER_UID:-1000}:${USER_GID:-1000}"
volumes: volumes:
- ../configs:/build/configs:ro - ../configs:/build/configs
- ../scripts:/build/scripts:ro - ../scripts:/build/scripts:ro
- ../components:/build/components - ../components:/build/components
- ../output:/build/output - ../output:/build/output
@@ -96,7 +100,7 @@ services:
extends: builder extends: builder
container_name: zero-os-alpine-test container_name: zero-os-alpine-test
volumes: volumes:
- ../configs:/build/configs:ro - ../configs:/build/configs
- ../scripts:/build/scripts:ro - ../scripts:/build/scripts:ro
- ../components:/build/components - ../components:/build/components
- ../output:/build/output - ../output:/build/output

2
components/rfs/Dockerfile
View File

@@ -11,7 +11,7 @@ RUN apt-get update && apt-get install curl build-essential libssl-dev musl-tools
RUN rustup target add x86_64-unknown-linux-musl RUN rustup target add x86_64-unknown-linux-musl
RUN cargo build --release --target=x86_64-unknown-linux-musl RUN cargo build --release --target=x86_64-unknown-linux-musl
FROM alpine:3.19 FROM alpine:3.22
WORKDIR /app WORKDIR /app

17
configs/modules-essential.list
View File

@@ -40,3 +40,20 @@ overlay
# Storage subsystem (essential only) # Storage subsystem (essential only)
scsi_mod scsi_mod
sd_mod sd_mod
# Control Groups (cgroups v1 and v2) - essential for container management
cgroup_pids
cgroup_freezer
cgroup_perf_event
cgroup_device
cgroup_cpuset
cgroup_bpf
cgroup_debug
memcg
blkio_cgroup
cpu_cgroup
cpuacct
hugetlb_cgroup
net_cls_cgroup
net_prio_cgroup
devices_cgroup