Cleanup

.github/workflows/CI.yml

@@ -10,12 +10,12 @@ jobs:
     # Steps represent a sequence of tasks that will be executed as part of the job
     steps:
       - name: Checks-out repository
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
         with:
           submodules: true
 
       - name: Enable cache
-        uses: actions/cache@v2.1.1
+        uses: actions/cache@v4
         with:
           path: $GITHUB_WORKSPACE/cache
           key: cache
@@ -50,7 +50,7 @@ jobs:
       - name: test
         run: |
           # Set the path and install the tools
-          export PATH="$GITHUB_WORKSPACE/cache/bin:$PATH"
+          export PATH="$HOME/bin:$PATH"
           ./hack/helpers/install-tools.sh
           # Start buildkit
           bkaddr="$(./hack/helpers/start-buildkit.sh 2>/dev/null)"

DEVELOP.md

@@ -10,18 +10,18 @@
 
 ### The what
 
-This image is built using: `docker.io/dubodubonduponey/base:builder-bullseye-2022-12-01` 
+This image is built using: `docker.io/dubodubonduponey/base:builder-bookworm-2024-02-20` 
 
-The runtime part is based on: `docker.io/dubodubonduponey/base:runtime-bullseye-2022-12-01`
+The runtime part is based on: `docker.io/dubodubonduponey/base:runtime-bookworm-2024-02-20`
 
-Both these images are built upon: `docker.io/dubodubonduponey/debian:bullseye-2022-12-01`
+Both these images are built upon: `docker.io/dubodubonduponey/debian:bookworm-2024-02-20`
 
 You can find out more here:
 
  * https://github.com/dubo-dubon-duponey/docker-debian for the debootstrapped Debian base
  * https://github.com/dubo-dubon-duponey/docker-base for the builder and runtime images
 
-These images provide very little - they are (mostly) barebone bullseye with some ONBUILD
+These images provide very little - they are (mostly) barebone bookworm with some ONBUILD
 Docker syntactic sugar (metadata, user creation, entrypoint).
 
 Let me repeat: you have very little reason to go and add anything up there.

Dockerfile

@@ -39,8 +39,8 @@ RUN           git clone --recurse-submodules https://"$GIT_REPO" .; git checkout
 ARG           GIT_REPO_REPLACE=github.com/caddyserver/replace-response
 #ARG           GIT_VERSION_REPLACE=8fa6a90
 #ARG           GIT_COMMIT_REPLACE=8fa6a90147d10fa192ad9fd1df2b97c1844ed322
-ARG           GIT_VERSION=d7523f4
-ARG           GIT_COMMIT_REPLACE=d7523f42f84a2fa09d64c957f1e6795ece355425
+ARG           GIT_VERSION=a85d4dd
+ARG           GIT_COMMIT_REPLACE=a85d4ddc11d635c093074205bd32f56d05fc7811
 
 RUN           echo "require $GIT_REPO_REPLACE $GIT_COMMIT_REPLACE" >> go.mod
 

README.md

@@ -2,37 +2,34 @@
 
 Two Docker images for Roon Bridge & Roon Server.
 
-Bonus / extra features:
+Additionally:
  * roon display is served over TLS and announced under mDNS
  * logs are exposed on stdout
 
 ## DISCLAIMER
 
 * this is an UNOFFICIAL image, and is NOT produced, endorsed nor supported by [Roon Labs](https://roonlabs.com/)
-* if you are a newcomer, if you expect any kind of support, or simply any guarantee that Roon will work, do yourself a huge favor: just use one of the [official Roon downloads](https://roonlabs.com/downloads)
-* if you are using this and have an issue with it, you are on your own
-* if you are still here, and plan on using this, and while we try to make this simple to use, you should still have some reasonable understanding and familiarity with:
-  * docker overall
-  * linux sound sub-system
-  * networking
+* most people should just use one of the [official Roon downloads](https://roonlabs.com/downloads)
+* tinkerers, you are welcome
 
 ## Image features
 
  * multi-architecture:
     * [x] linux/amd64
     * [x] linux/arm64 (bridge only)
-    * [x] linux/arm/v7 (bridge only)
  * hardened:
     * [x] image runs read-only
     * [x] image runs with no capabilities
     * [x] process runs as a non-root user, disabled login, no shell
  * lightweight
-    * [x] based on our slim [Debian Bullseye](https://github.com/dubo-dubon-duponey/docker-debian)
+    * [x] based on our slim [Debian Bookworm](https://github.com/dubo-dubon-duponey/docker-debian)
     * [x] simple entrypoint script
-    * [ ] multi-stage build with no installed dependencies for the Bridge runtime image, one dependency for Server (ffmpeg)
+    * [x] multi-stage build with zero packages installed in the runtime image (for the bridge)
+    * [ ] multi-stage build with ~~zero packages~~ `ffmpeg` installed in the runtime image (for the server)
  * observable
     * [ ] healthcheck (server only)
     * [x] log to stdout
+    * [ ] ~~prometheus endpoint~~
 
 ## Run
 
@@ -59,7 +56,8 @@ docker run -d \
 
 ## GOTCHA
 
-Debian by default limits inotify watches to 8192, which might turns out to be too little.
+Debian by default limits inotify watches to 8192, which might turns out to be too little
+for the server.
 
 You probably want to bump that up to prevent your system from crashing / rebooting...
 

context/runtime/boot/entrypoint.sh

@@ -4,11 +4,11 @@ set -o errexit -o errtrace -o functrace -o nounset -o pipefail
 root="$(cd "$(dirname "${BASH_SOURCE[0]:-$PWD}")" 2>/dev/null 1>&2 && pwd)"
 readonly root
 # shellcheck source=/dev/null
-source "$root/helpers.sh"
+. "$root/helpers.sh"
 # shellcheck source=/dev/null
-source "$root/mdns.sh"
+. "$root/mdns.sh"
 # shellcheck source=/dev/null
-source "$root/http.sh"
+. "$root/http.sh"
 
 helpers::dir::writable "/tmp"
 
@@ -18,9 +18,7 @@ helpers::dir::writable "$XDG_DATA_DIRS" create
 helpers::dir::writable "$ROON_ID_DIR" create
 helpers::dir::writable "$ROON_DATAROOT" create
 
-LOG_LEVEL="${LOG_LEVEL:-}"
-normalized_log_level="$(printf "%s" "$LOG_LEVEL" | tr '[:upper:]' '[:lower:]')"
-case "$normalized_log_level" in
+case "$LOG_LEVEL" in
   "debug")
     reg="Trace"
   ;;
@@ -73,7 +71,7 @@ helpers::dir::writable "$XDG_CACHE_HOME" create
   _mdns_port="$([ "${MOD_HTTP_TLS_ENABLED:-}" == true ] && printf "%s" "${ADVANCED_MOD_HTTP_PORT:-443}" || printf "%s" "${ADVANCED_MOD_HTTP_PORT_INSECURE:-80}")"
   [ "${ADVANCED_MOD_MDNS_STATION:-}" != true ] || mdns::records::add "_workstation._tcp" "${MOD_MDNS_HOST}" "${MOD_MDNS_NAME:-}" "$_mdns_port"
   mdns::records::add "$_mdns_type" "${MOD_MDNS_HOST:-}" "${MOD_MDNS_NAME:-}" "$_mdns_port"
-  mdns::start::broadcaster &
+  mdns::start::broadcaster
 }
 
 # TLS and HTTP

context/runtime/boot/helpers.sh

@@ -10,3 +10,23 @@ helpers::dir::writable(){
     exit 1
   }
 }
+
+helpers::log::normalize(){
+  local lower
+  lower="$(printf "%s" "${LOG_LEVEL:-}" | tr '[:upper:]' '[:lower:]')"
+  case "$lower" in
+  "debug")
+  ;;
+  "info")
+  ;;
+  "error")
+  ;;
+  *)
+    lower="warning"
+  ;;
+  esac
+  LOG_LEVEL="$lower"
+  printf "%s" "$LOG_LEVEL"
+}
+
+helpers::log::normalize >/dev/null

context/runtime/boot/mdns.sh

@@ -38,7 +38,7 @@ mdns::records::resolve(){
 mdns::start::broadcaster(){
   [ ! -e "$_default_mod_mdns_configuration_path" ] || mdns::records::load "$_default_mod_mdns_configuration_path"
   local IFS=","
-  goello-server-ng -json "[${_internal_mod_mdns_records[*]}]"
+  goello-server-ng -json "[${_internal_mod_mdns_records[*]}]" &
 }
 
 mdns::start::avahi(){
@@ -51,15 +51,17 @@ mdns::start::avahi(){
   # - project is half-dead: https://github.com/lathiat/avahi/issues/388
 
   local args=()
-  local avahisocket="$XDG_STATE_HOME/avahi-daemon/socket"
+  # local avahisocket="$XDG_STATE_HOME/avahi-daemon/socket"
+  # XXX giving up on trying to be fancy with avahi
+  local avahisocket="/run/avahi-daemon/socket"
 
   # Make sure we can write it
   helpers::dir::writable "$(dirname "$avahisocket")" true
 
   # Cleanup leftovers on container restart
   rm -f "$(dirname "$avahisocket")/pid"
 
-  [ "$(printf "%s" "$LOG_LEVEL" | tr '[:upper:]' '[:lower:]')" != "debug" ] || args+=(--debug)
+  [ "$LOG_LEVEL" != "debug" ] || args+=(--debug)
 
   # -D/--daemonize implies -s/--syslog that we do not want, so, just background it
   avahi-daemon -f /config/avahi/main.conf --no-drop-root --no-chroot "${args[@]}" &

cue.mod/pkg/duponey.cloud/buildkit/buildctl/buildctl.cue

@@ -72,7 +72,7 @@ import (
 
 		["--local", "dockerfile=\(dockerfile)"] +
 		["--frontend", frontend] +
-		["--trace", "buildctl.trace.json"] +
+		["--trace", "cache/buildctl.trace.json"] +
 		["--opt", "filename=\(filename)"] +
 
 		["--local", "context=\(context)"] +

cue.mod/pkg/duponey.cloud/scullery/icing.cue

@@ -64,7 +64,7 @@ import (
 #Icing: {
 	// XXX make this type more specific
 	buildkit?: {
-		address?: string | * "docker-container://buildkitd"
+		address?: string | * "docker-container://dbdbdp-buildkit"
 		name?: string
 		ca?: types.#Path
 		cert?: types.#Path

hack/build.sh

@@ -6,7 +6,9 @@ root="$(cd "$(dirname "${BASH_SOURCE[0]:-$PWD}")" 2>/dev/null 1>&2 && pwd)/../"
 readonly root
 
 # shellcheck source=/dev/null
-BIN_LOCATION="${BIN_LOCATION:-$root/cache/bin}" source "$root/hack/helpers/install-tools.sh"
+BIN_LOCATION="${BIN_LOCATION:-$root/cache/bin}" . "$root/hack/helpers/install-tools.sh"
+
+rm -f "$root/cache/buildctl.trace.json"
 
 # Build the cue invocation
 params=(cue)
@@ -22,7 +24,7 @@ case "${1:-}" in
   *)
     cd "$root"
     target=image
-    files=("$root/hack/recipe.cue" "$root/hack/cue_tool.cue")
+    files=("$root/hack/recipe.cue" "$root/hack/helpers/cue_tool.cue")
     isparam=
     for i in "$@"; do
       if [ "${i:0:2}" == "--" ]; then

hack/helpers/install-tools.sh

@@ -1,15 +1,15 @@
 #!/usr/bin/env bash
 set -o errexit -o errtrace -o functrace -o nounset -o pipefail
 
-export SUITE=bullseye
-export DATE=2021-08-01
+export SUITE=bookworm
+export DATE=2024-02-20
 
 export BIN_LOCATION="${BIN_LOCATION:-$HOME/bin}"
 export PATH="$BIN_LOCATION:$PATH"
 readonly IMAGE_TOOLS="${IMAGE_TOOLS:-dubodubonduponey/tools:$(uname -s | grep -q Darwin && printf "macos" || printf "linux-dev")-$SUITE-$DATE}"
 
-export SHELLCHECK_VERSION=0.7.2
-export HADOLINT_VERSION=2.7.0
+export SHELLCHECK_VERSION=0.10.0
+export HADOLINT_VERSION=2.12.0
 
 setup::tools(){
   local location="$1"

hack/helpers/start-buildkit.sh

@@ -1,25 +1,24 @@
 #!/usr/bin/env bash
 set -o errexit -o errtrace -o functrace -o nounset -o pipefail
 
-export SUITE=bullseye
-export DATE=2021-08-01
-
-readonly IMAGE_BLDKT="${IMAGE_BLDKT:-docker.io/dubodubonduponey/buildkit:$SUITE-$DATE}"
+export TAG=latest
+readonly IMAGE_BLDKT="${IMAGE_BLDKT:-docker.io/dubodubonduponey/buildkit:$TAG}"
 
 setup::buildkit() {
   [ "$(docker container inspect -f '{{.State.Running}}' dbdbdp-buildkit 2>/dev/null)" == "true" ]  || {
     docker run --pull always --rm -d \
       -p 4242:4242 \
       --network host \
       --name dbdbdp-buildkit \
-      --env MDNS_ENABLED=true \
-      --env MDNS_HOST=buildkit-machina \
-      --env MDNS_NAME="Dubo Buildkit on la machina" \
+      --env MOD_MDNS_ENABLED=true \
+      --env MOD_MDNS_HOST=buildkit-machina \
+      --env MOD_MDNS_NAME="Dubo Buildkit on la machina" \
       --entrypoint buildkitd \
       --user root \
       --privileged \
       "$IMAGE_BLDKT"
     docker exec --env QEMU_BINARY_PATH=/boot/bin/ dbdbdp-buildkit binfmt --install all
+    docker exec dbdbdp-buildkit mkdir /tmp/runtime
   }
 }
 

hack/lint.sh

@@ -1,12 +1,11 @@
 #!/usr/bin/env bash
 set -o errexit -o errtrace -o functrace -o nounset -o pipefail
 
-# shellcheck source=/dev/null
 root="$(cd "$(dirname "${BASH_SOURCE[0]:-$PWD}")" 2>/dev/null 1>&2 && pwd)/../"
 readonly root
 
 # shellcheck source=/dev/null
-BIN_LOCATION="${BIN_LOCATION:-$root/cache/bin}" source "$root/hack/helpers/install-tools.sh"
+BIN_LOCATION="${BIN_LOCATION:-$root/cache/bin}" . "$root/hack/helpers/install-tools.sh"
 
 # Ignore some hadolint warnings that do not make much sense
 # DL3006 is about "dO nOT UsE --platform", which is really ludicrous
@@ -24,4 +23,6 @@ if ! hadolint "${hadolint_ignore[@]}" "$root"/*Dockerfile*; then
   exit 1
 fi
 
-find "$root" -iname "*.sh" -not -path "*debuerreotype*" -not -path "*cache*" -exec shellcheck {} \;
+while read -r line; do
+  shellcheck "$line"
+done < <(find "$root" -iname "*.sh" -not -path "*debuerreotype*" -not -path "*cache*" -not -path "*xxx*" 2>/dev/null || true)

hack/recipe.cue

@@ -68,8 +68,8 @@ cakes: {
 }
 
 injectors: {
-	suite: * "bullseye" | =~ "^(?:bullseye|bookworm|trixie|sid)$" @tag(suite, type=string)
-	date: * "2022-12-01" | =~ "^[0-9]{4}-[0-9]{2}-[0-9]{2}$" @tag(date, type=string)
+	suite: * "bookworm" | =~ "^(?:bullseye|bookworm|trixie|sid)$" @tag(suite, type=string)
+	date: * "2024-02-20" | =~ "^[0-9]{4}-[0-9]{2}-[0-9]{2}$" @tag(date, type=string)
 	platforms: string @tag(platforms, type=string)
 	registry: * "registry.local" | string @tag(registry, type=string)
 }

hack/test.sh

@@ -1,17 +1,17 @@
 #!/usr/bin/env bash
 set -o errexit -o errtrace -o functrace -o nounset -o pipefail
 
-# shellcheck source=/dev/null
 root="$(cd "$(dirname "${BASH_SOURCE[0]:-$PWD}")" 2>/dev/null 1>&2 && pwd)/../"
+readonly root
 
 # Simple no-thrill build tester
 # XXX Currently reduced to a single architecture to avoid using all disk space until we figure out our space efficiency problem (likely the fat builder image getting duplicated over and over)
 # Solution would probably be to do like buildkit and fetch with a lightweight go image while build mount from the previous stage instead of inheriting - annoying but probably the only way
 if ! "$root/hack/build.sh" \
     --inject registry="docker.io/dubodubonduponey" \
     --inject progress=plain \
-	  --inject date=2022-12-01 \
-	  --inject suite=bullseye \
+	  --inject date=2024-02-20 \
+	  --inject suite=bookworm \
     --inject platforms=linux/arm64 \
   	"image" "$@"; then
   printf >&2 "Failed building\n"