Merge pull request #127 from 89luca89/feat/wolfi_toolbox

feat: add wolfi-toolbox images
toolbx-images · Jun 7, 2024 · 658f5e1 · 658f5e1
2 parents 68eb902 + e06c5e7
commit 658f5e1
Show file tree

Hide file tree

Showing 4 changed files with 201 additions and 0 deletions.
diff --git a/.github/workflows/wolfi.yaml b/.github/workflows/wolfi.yaml
@@ -0,0 +1,123 @@
+name: "Wolfi Linux: Build and push toolbx images"
+
+permissions: read-all
+
+on:
+  pull_request:
+    branches:
+      - main
+    paths:
+      - wolfi/**
+      - .github/workflows/wolfi.yaml
+  push:
+    branches:
+      - main
+    paths:
+      - wolfi/**
+      - .github/workflows/wolfi.yaml
+  schedule:
+    - cron:  '0 0 * * MON'
+
+env:
+  distro: 'wolfi'
+  distro_pretty: 'wolfi Linux'
+  latest_release: 'latest'
+  platforms: 'linux/amd64, linux/arm64'
+  registry: 'quay.io/toolbx-images'
+
+# Prevent multiple workflow runs from racing to ensure that pushes are made
+# sequentially for the main branch. Also cancel in progress workflow runs for
+# pull requests only.
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+
+jobs:
+  build-push-images:
+    strategy:
+      matrix:
+        release: ['latest']
+
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up QEMU for multi-arch builds
+        shell: bash
+        run: |
+          sudo apt update
+          sudo apt install qemu-user-static
+
+      - name: Build container image
+        uses: redhat-actions/buildah-build@v2
+        if: env.latest_release != matrix.release
+        with:
+          platforms: ${{ env.platforms }}
+          context: ${{ env.distro }}/${{ matrix.release }}
+          image: ${{ env.distro }}-toolbox
+          tags: ${{ matrix.release }}
+          containerfiles: ${{ env.distro }}/${{ matrix.release }}/Containerfile
+          layers: false
+          oci: true
+
+      - name: Build container image (latest tag)
+        uses: redhat-actions/buildah-build@v2
+        if: env.latest_release == matrix.release
+        with:
+          platforms: ${{ env.platforms }}
+          context: ${{ env.distro }}/${{ matrix.release }}
+          image: ${{ env.distro }}-toolbox
+          tags: ${{ matrix.release }} latest
+          containerfiles: ${{ env.distro }}/${{ matrix.release }}/Containerfile
+          layers: false
+          oci: true
+
+      - name: Push to Container Registry
+        uses: redhat-actions/push-to-registry@v2
+        id: push
+        if: (github.event_name == 'push' || github.event_name == 'schedule') && github.ref == 'refs/heads/main' && env.latest_release != matrix.release
+        with:
+          username: ${{ secrets.BOT_USERNAME }}
+          password: ${{ secrets.BOT_SECRET }}
+          image: ${{ env.distro }}-toolbox
+          registry: ${{ env.registry }}
+          tags: ${{ matrix.release }}
+
+      - name: Push to Container Registry (latest tag)
+        uses: redhat-actions/push-to-registry@v2
+        id: push-latest
+        if: (github.event_name == 'push' || github.event_name == 'schedule') && github.ref == 'refs/heads/main' && env.latest_release == matrix.release
+        with:
+          username: ${{ secrets.BOT_USERNAME }}
+          password: ${{ secrets.BOT_SECRET }}
+          image: ${{ env.distro }}-toolbox
+          registry: ${{ env.registry }}
+          tags: ${{ matrix.release }} latest
+
+      - name: Login to Container Registry
+        uses: redhat-actions/podman-login@v1
+        if: (github.event_name == 'push' || github.event_name == 'schedule') && github.ref == 'refs/heads/main'
+        with:
+          registry: ${{ env.registry }}
+          username: ${{ secrets.BOT_USERNAME }}
+          password: ${{ secrets.BOT_SECRET }}
+
+      - uses: sigstore/cosign-installer@v3.3.0
+        if: (github.event_name == 'push' || github.event_name == 'schedule') && github.ref == 'refs/heads/main'
+
+      - name: Sign container image
+        if: (github.event_name == 'push' || github.event_name == 'schedule') && github.ref == 'refs/heads/main' && env.latest_release != matrix.release
+        run: |
+          cosign sign -y --recursive --key env://COSIGN_PRIVATE_KEY ${{ env.registry }}/${{ env.distro }}-toolbox@${{ steps.push.outputs.digest }}
+        env:
+          COSIGN_EXPERIMENTAL: false
+          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
+
+      - name: Sign container image (latest)
+        if: (github.event_name == 'push' || github.event_name == 'schedule') && github.ref == 'refs/heads/main' && env.latest_release == matrix.release
+        run: |
+          cosign sign -y --recursive --key env://COSIGN_PRIVATE_KEY ${{ env.registry }}/${{ env.distro }}-toolbox@${{ steps.push-latest.outputs.digest }}
+        env:
+          COSIGN_EXPERIMENTAL: false
+          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
diff --git a/README.md b/README.md
@@ -175,6 +175,12 @@ directly use the commands below:
   $ toolbox enter ubuntu-toolbox-16.04
   ```
 
+- [Wolfi]:
+  ```
+  $ toolbox create --image quay.io/toolbx-images/wolfi-toolbox:latest
+  $ toolbox enter wolfi-toolbox-latest
+  ```
+
 ## Verifying sigstore container signatures with podman
 
 How to configure sigstore signature verification in podman:
@@ -246,3 +252,4 @@ See [COPYING](COPYING).
 [Rocky Linux]: https://hub.docker.com/_/rockylinux
 [Ubuntu]: https://hub.docker.com/_/ubuntu
 [openSUSE]: https://registry.opensuse.org/cgi-bin/cooverview?srch_term=project%3D%5EopenSUSE%3AContainers%3A+container%3Dtoolbox
+[Wolfi]: cgr.dev/chainguard/
diff --git a/wolfi/latest/Containerfile b/wolfi/latest/Containerfile
@@ -0,0 +1,26 @@
+FROM cgr.dev/chainguard/wolfi-base:latest
+
+LABEL com.github.containers.toolbox="true" \
+      name="wolfi-toolbox" \
+      version="latest" \
+      usage="This image is meant to be used with the toolbox or distrobox command" \
+      summary="Base image for creating Wolfi Linux toolbox containers" \
+      maintainer="Luca Di Maio <luca.dimaio1@gmail.com>"
+
+# Install extra packages
+COPY extra-packages /
+RUN apk update && \
+    apk upgrade && \
+    cat /extra-packages | xargs apk add
+RUN rm /extra-packages
+
+# Enable password less sudo
+# using sudoers instead of toolbox filename here, so that in case of rootful
+# distroboxes, the NOPASSWD can be deactivated for security reasons.
+RUN echo "%wheel ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/sudoers
+
+# Copy the os-release file
+RUN cp -p /etc/os-release /usr/lib/os-release
+
+# Clear out /home
+RUN rm -rf /home/* && mkdir /media
diff --git a/wolfi/latest/extra-packages b/wolfi/latest/extra-packages
@@ -0,0 +1,45 @@
+bash
+bc
+busybox
+bzip2
+coreutils
+curl
+diffutils
+findmnt
+findutils
+gnupg
+gnutar
+gpg
+iproute2
+iputils
+keyutils
+less
+libcap
+libcap-utils
+locate
+man-db
+mesa
+mount
+ncurses
+ncurses-terminfo
+net-tools
+openssh-client
+pigz
+posix-libc-utils
+procps
+rsync
+shadow
+sudo
+tcpdump
+tree
+tzdata
+umount
+unzip
+util-linux
+util-linux-login
+util-linux-misc
+vulkan-loader
+wget
+xauth
+xz
+zip