feat: implement rootless Docker with container management support

Docker Infrastructure: - Added proper user namespace mapping in Dockerfile.alpine - Created 'builder' user with host UID/GID mapping at build time - Removed runtime user mapping (now handled in Dockerfile) - Set up Rust environment for mapped user instead of root - Fixed config mount consistency (removed :ro flags for real-time sync) Container Management: - Added 15 essential cgroup modules to modules-essential.list - Complete cgroups v1 and v2 support for container orchestration - Process control: cgroup_pids, cgroup_freezer, cgroup_cpuset - Memory management: memcg, hugetlb_cgroup - Network control: net_cls_cgroup, net_prio_cgroup - Device access: cgroup_device, devices_cgroup - Advanced features: cgroup_bpf, cgroup_perf_event, cgroup_debug Environment Updates: - Updated RFS Dockerfile to Alpine 3.22 for consistency - Ensured proper /build directory permissions for mapped user This enables true rootless operation with full container management capabilities, fixing permission issues and enabling Zero-OS container orchestration with complete resource control.
2025-08-25 09:44:47 +02:00
parent 8a38c372aa
commit 709c4a0865
4 changed files with 51 additions and 7 deletions
--- a/build/Dockerfile.alpine
+++ b/build/Dockerfile.alpine
@@ -5,6 +5,9 @@ FROM alpine:3.22
 ARG TARGETARCH=amd64
 ARG BUILDMODE=debug
 ARG MINIMAL_MODE=false
+ARG USER_UID=1000
+ARG USER_GID=1000
+ARG USERNAME=builder

 # Set environment variables
 ENV BUILDMODE=${BUILDMODE}
@@ -77,5 +80,25 @@ RUN echo "BUILDMODE=${BUILDMODE}" > /build/build.conf && \
    echo "OUTPUT_DIR=/build/output" >> /build/build.conf && \
    echo "CONFIG_DIR=/build/configs" >> /build/build.conf

+# Create user with proper mapping
+RUN addgroup -g ${USER_GID} ${USERNAME} && \
+    adduser -u ${USER_UID} -G ${USERNAME} -D -s /bin/sh ${USERNAME} && \
+    mkdir -p /home/${USERNAME}/.cargo && \
+    chown -R ${USERNAME}:${USERNAME} /home/${USERNAME}
+
+# Switch to the mapped user
+USER ${USERNAME}
+
+# Set up Rust environment for the user
+RUN rustup-init -y --default-toolchain stable && \
+    . ~/.cargo/env && \
+    rustup target add x86_64-unknown-linux-musl
+
+# Set working directory and ensure permissions
+WORKDIR /build
+USER root
+RUN chown -R ${USERNAME}:${USERNAME} /build
+USER ${USERNAME}
+
 # Default command
 CMD ["/build/scripts/build-initramfs.sh"]
--- a/build/docker-compose.yml
+++ b/build/docker-compose.yml
@@ -9,13 +9,15 @@ services:
        BUILDMODE: "${BUILDMODE:-debug}"
        TARGETARCH: "${TARGETARCH:-amd64}"
        MINIMAL_MODE: "${MINIMAL_MODE:-false}"
+        USER_UID: "${USER_UID:-1000}"
+        USER_GID: "${USER_GID:-1000}"
+        USERNAME: "builder"
    image: zero-os-alpine-builder:cached-${BUILDMODE:-debug}
    container_name: zero-os-alpine-builder-cached
    privileged: true
-    user: "${USER_UID:-1000}:${USER_GID:-1000}"
    volumes:
-      # Mount source configs and scripts (read-only for cache efficiency)
-      - ../configs:/build/configs:ro
+      # Mount source configs and scripts (configs writable for dev, scripts read-only for cache)
+      - ../configs:/build/configs
      - ../scripts:/build/scripts:ro
      # Mount Zero-OS components (writable for cargo build)
      - ../components:/build/components
@@ -43,12 +45,14 @@ services:
        BUILDMODE: "${BUILDMODE:-debug}"
        TARGETARCH: "${TARGETARCH:-amd64}"
        MINIMAL_MODE: "${MINIMAL_MODE:-false}"
+        USER_UID: "${USER_UID:-1000}"
+        USER_GID: "${USER_GID:-1000}"
+        USERNAME: "builder"
    image: zero-os-alpine-builder:legacy
    container_name: zero-os-alpine-builder-legacy
    privileged: true
-    user: "${USER_UID:-1000}:${USER_GID:-1000}"
    volumes:
-      - ../configs:/build/configs:ro
+      - ../configs:/build/configs
      - ../scripts:/build/scripts:ro
      - ../components:/build/components
      - ../output:/build/output
@@ -96,7 +100,7 @@ services:
    extends: builder
    container_name: zero-os-alpine-test
    volumes:
-      - ../configs:/build/configs:ro
+      - ../configs:/build/configs
      - ../scripts:/build/scripts:ro
      - ../components:/build/components
      - ../output:/build/output
--- a/components/rfs/Dockerfile
+++ b/components/rfs/Dockerfile
@@ -11,7 +11,7 @@ RUN apt-get update && apt-get install curl build-essential libssl-dev musl-tools
 RUN rustup target add x86_64-unknown-linux-musl
 RUN cargo build --release --target=x86_64-unknown-linux-musl

-FROM alpine:3.19
+FROM alpine:3.22

 WORKDIR /app

--- a/configs/modules-essential.list
+++ b/configs/modules-essential.list
@@ -40,3 +40,20 @@ overlay
 # Storage subsystem (essential only)
 scsi_mod
 sd_mod
+
+# Control Groups (cgroups v1 and v2) - essential for container management
+cgroup_pids
+cgroup_freezer
+cgroup_perf_event
+cgroup_device
+cgroup_cpuset
+cgroup_bpf
+cgroup_debug
+memcg
+blkio_cgroup
+cpu_cgroup
+cpuacct
+hugetlb_cgroup
+net_cls_cgroup
+net_prio_cgroup
+devices_cgroup