From 35186e7039a9abf5256af637dfb9f9a11fa0ffbd Mon Sep 17 00:00:00 2001 From: Luca Di Maio Date: Thu, 6 Jun 2024 16:25:08 +0200 Subject: [PATCH 1/4] feat: add wolfi-toolbox images Signed-off-by: Luca Di Maio --- .github/workflows/wolfi.yaml | 123 +++++++++++++++++++++++++++++++++++ wolfi/latest/Containerfile | 23 +++++++ wolfi/latest/extra-packages | 43 ++++++++++++ 3 files changed, 189 insertions(+) create mode 100644 .github/workflows/wolfi.yaml create mode 100644 wolfi/latest/Containerfile create mode 100644 wolfi/latest/extra-packages diff --git a/.github/workflows/wolfi.yaml b/.github/workflows/wolfi.yaml new file mode 100644 index 00000000..bf0494f8 --- /dev/null +++ b/.github/workflows/wolfi.yaml 
@@ -0,0 +1,123 @@ +name: "Wolfi Linux: Build and push toolbx images" + +permissions: read-all + +on: + pull_request: + branches: + - main + paths: + - wolfi/** + - .github/workflows/wolfi.yaml + push: + branches: + - main + paths: + - wolfi/** + - .github/workflows/wolfi.yaml + schedule: + - cron: '0 0 * * MON' + +env: + distro: 'wolfi' + distro_pretty: 'wolfi Linux' + latest_release: 'latest' + platforms: 'linux/amd64, linux/arm64' + registry: 'quay.io/toolbx-images' + +# Prevent multiple workflow runs from racing to ensure that pushes are made +# sequentially for the main branch. Also cancel in progress workflow runs for +# pull requests only. +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: ${{ github.event_name == 'pull_request' }} + +jobs: + build-push-images: + strategy: + matrix: + release: ['latest'] + + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v4 + + - name: Set up QEMU for multi-arch builds + shell: bash + run: | + sudo apt update + sudo apt install qemu-user-static + + - name: Build container image + uses: redhat-actions/buildah-build@v2 + if: env.latest_release != matrix.release + with: + platforms: ${{ env.platforms }} + context: ${{ env.distro }}/${{ matrix.release }} + image: ${{ env.distro }}-toolbox + tags: ${{ matrix.release }} + containerfiles: ${{ env.distro }}/${{ matrix.release }}/Containerfile + layers: false + oci: true + + - name: Build container image (latest tag) + uses: redhat-actions/buildah-build@v2 + if: env.latest_release == matrix.release + with: + platforms: ${{ env.platforms }} + context: ${{ env.distro }}/${{ matrix.release }} + image: ${{ env.distro }}-toolbox + tags: ${{ matrix.release }} latest + containerfiles: ${{ env.distro }}/${{ matrix.release }}/Containerfile + layers: false + oci: true + + - name: Push to Container Registry + uses: redhat-actions/push-to-registry@v2 + id: push + if: (github.event_name == 'push' || github.event_name == 'schedule') && 
github.ref == 'refs/heads/main' && env.latest_release != matrix.release + with: + username: ${{ secrets.BOT_USERNAME }} + password: ${{ secrets.BOT_SECRET }} + image: ${{ env.distro }}-toolbox + registry: ${{ env.registry }} + tags: ${{ matrix.release }} + + - name: Push to Container Registry (latest tag) + uses: redhat-actions/push-to-registry@v2 + id: push-latest + if: (github.event_name == 'push' || github.event_name == 'schedule') && github.ref == 'refs/heads/main' && env.latest_release == matrix.release + with: + username: ${{ secrets.BOT_USERNAME }} + password: ${{ secrets.BOT_SECRET }} + image: ${{ env.distro }}-toolbox + registry: ${{ env.registry }} + tags: ${{ matrix.release }} latest + + - name: Login to Container Registry + uses: redhat-actions/podman-login@v1 + if: (github.event_name == 'push' || github.event_name == 'schedule') && github.ref == 'refs/heads/main' + with: + registry: ${{ env.registry }} + username: ${{ secrets.BOT_USERNAME }} + password: ${{ secrets.BOT_SECRET }} + + - uses: sigstore/cosign-installer@v3.3.0 + if: (github.event_name == 'push' || github.event_name == 'schedule') && github.ref == 'refs/heads/main' + + - name: Sign container image + if: (github.event_name == 'push' || github.event_name == 'schedule') && github.ref == 'refs/heads/main' && env.latest_release != matrix.release + run: | + cosign sign -y --recursive --key env://COSIGN_PRIVATE_KEY ${{ env.registry }}/${{ env.distro }}-toolbox@${{ steps.push.outputs.digest }} + env: + COSIGN_EXPERIMENTAL: false + COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }} + + - name: Sign container image (latest) + if: (github.event_name == 'push' || github.event_name == 'schedule') && github.ref == 'refs/heads/main' && env.latest_release == matrix.release + run: | + cosign sign -y --recursive --key env://COSIGN_PRIVATE_KEY ${{ env.registry }}/${{ env.distro }}-toolbox@${{ steps.push-latest.outputs.digest }} + env: + COSIGN_EXPERIMENTAL: false + COSIGN_PRIVATE_KEY: ${{ 
secrets.COSIGN_PRIVATE_KEY }} diff --git a/wolfi/latest/Containerfile b/wolfi/latest/Containerfile new file mode 100644 index 00000000..0c850cf2 --- /dev/null +++ b/wolfi/latest/Containerfile @@ -0,0 +1,23 @@ +FROM cgr.dev/chainguard/wolfi-base:latest + +LABEL com.github.containers.toolbox="true" \ + name="wolfi-toolbox" \ + version="latest" \ + usage="This image is meant to be used with the toolbox or distrobox command" \ + summary="Base image for creating Wolfi Linux toolbox containers" \ + maintainer="Luca Di Maio " + +# Install extra packages +COPY extra-packages / +RUN apk update && \ + apk upgrade && \ + cat /extra-packages | xargs apk add +RUN rm /extra-packages + +# Enable password less sudo +# using sudoers instead of toolbox filename here, so that in case of rootful +# distroboxes, the NOPASSWD can be deactivated for security reasons. +RUN echo "%wheel ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/sudoers + +# Copy the os-release file +RUN cp -p /etc/os-release /usr/lib/os-release diff --git a/wolfi/latest/extra-packages b/wolfi/latest/extra-packages new file mode 100644 index 00000000..efb6a1ea --- /dev/null +++ b/wolfi/latest/extra-packages @@ -0,0 +1,43 @@ +bash +bc +busybox +bzip2 +coreutils +curl +diffutils +findmnt +findutils +gnupg +gnutar +gpg +iproute2 +iputils +keyutils +less +libcap +man-db +mesa +mount +ncurses +ncurses-terminfo +net-tools +openssh-client +pigz +posix-libc-utils +procps +rsync +shadow +sudo +tcpdump +tree +tzdata +umount +unzip +util-linux +util-linux-login +util-linux-misc +vulkan-loader +wget +xauth +xz +zip From 97162991d6ec279c9a9a3861c00149ac2798072d Mon Sep 17 00:00:00 2001 From: Luca Di Maio Date: Fri, 7 Jun 2024 09:06:59 +0200 Subject: [PATCH 2/4] fix: toolbx needs empty /home and having /media Signed-off-by: Luca Di Maio --- wolfi/latest/Containerfile | 3 +++ 1 file changed, 3 insertions(+) diff --git a/wolfi/latest/Containerfile b/wolfi/latest/Containerfile index 0c850cf2..f3cc86a0 100644 --- a/wolfi/latest/Containerfile 
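Review bot: Every `uses:` in the new workflow references a mutable tag (`actions/checkout@v4`, `redhat-actions/buildah-build@v2`, `redhat-actions/push-to-registry@v2`, `redhat-actions/podman-login@v1`, `sigstore/cosign-installer@v3.3.0`), and on the `push`/`schedule` runs those steps execute with `secrets.BOT_SECRET` and `secrets.COSIGN_PRIVATE_KEY` in scope, so a tag retargeted upstream could exfiltrate the registry credential and the signing key or sign a tampered image. Pin each action to a full commit SHA and keep the version as a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha> # v4`, and let Dependabot/Renovate bump the pins. `permissions: read-all` and gating push/sign on `push`/`schedule` to `main` are the right shape; the pinning closes the remaining gap. Minor: `sudo apt install qemu-user-static` has no `-y`, so on a non-interactive runner it only succeeds when apt decides no confirmation is needed; `sudo apt-get install -y qemu-user-static` is the robust form.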
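Review bot: The sudoers drop-in created by `RUN echo "%wheel ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/sudoers` is written with the build's default umask (typically 0644) and is never syntax-checked; sudo requires drop-ins to be root-owned and not writable by others, and the conventional mode is 0440. Tighten it and fail the build on a typo: `RUN echo "%wheel ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/sudoers && chmod 0440 /etc/sudoers.d/sudoers && visudo -cf /etc/sudoers.d/sudoers` (assuming Wolfi's `sudo` package ships `visudo`; drop that last command if it does not). Separately, `apk update && apk upgrade && cat /extra-packages | xargs apk add` likely leaves the fetched index under `/var/cache/apk` in the image; `xargs apk add --no-cache < /extra-packages` (and `apk upgrade --no-cache`) avoids that and the redundant `cat`.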
+++ b/wolfi/latest/Containerfile @@ -21,3 +21,6 @@ RUN echo "%wheel ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/sudoers # Copy the os-release file RUN cp -p /etc/os-release /usr/lib/os-release + +# Clear out /home +RUN rm -rf /home/* && mkdir /media From 359999f8099dc73c94f78402fcb03bf9eec53588 Mon Sep 17 00:00:00 2001 From: Luca Di Maio Date: Fri, 7 Jun 2024 09:07:20 +0200 Subject: [PATCH 3/4] fix: toolbx needs capsh, add missing packages Signed-off-by: Luca Di Maio --- wolfi/latest/extra-packages | 2 ++ 1 file changed, 2 insertions(+) diff --git a/wolfi/latest/extra-packages b/wolfi/latest/extra-packages index efb6a1ea..b8186c00 100644 --- a/wolfi/latest/extra-packages +++ b/wolfi/latest/extra-packages @@ -15,6 +15,8 @@ iputils keyutils less libcap +libcap-utils +locate man-db mesa mount From e06c5e7da8f6a2e88fa265e4e35ddf3d661e8184 Mon Sep 17 00:00:00 2001 From: Luca Di Maio Date: Fri, 7 Jun 2024 13:46:47 +0200 Subject: [PATCH 4/4] docs: add Wolfi to readme Signed-off-by: Luca Di Maio --- README.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/README.md b/README.md index 3c49267a..44fde516 100644 --- a/README.md +++ b/README.md @@ -172,6 +172,12 @@ directly use the commands below: $ toolbox enter ubuntu-toolbox-16.04 ``` +- [Wolfi]: + ``` + $ toolbox create --image quay.io/toolbx-images/wolfi-toolbox:latest + $ toolbox enter wolfi-toolbox-latest + ``` + ## Verifying sigstore container signatures with podman How to configure sigstore signature verification in podman: @@ -243,3 +249,4 @@ See [COPYING](COPYING). [Rocky Linux]: https://hub.docker.com/_/rockylinux [Ubuntu]: https://hub.docker.com/_/ubuntu [openSUSE]: https://registry.opensuse.org/cgi-bin/cooverview?srch_term=project%3D%5EopenSUSE%3AContainers%3A+container%3Dtoolbox +[Wolfi]: cgr.dev/chainguard/
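Review bot: `RUN rm -rf /home/* && mkdir /media` does not actually guarantee the empty `/home` the commit message says toolbx needs: the shell glob `/home/*` skips dot-entries, and when nothing matches it is passed literally to `rm -rf`, which succeeds silently. `mkdir /media` will also fail the build if the base image ever ships `/media` (I cannot tell from here whether `wolfi-base` does). `RUN find /home -mindepth 1 -delete && mkdir -p /media` removes everything below `/home` including dotfiles and is idempotent; `find` comes from the `findutils` (or `busybox`) package installed by the earlier `RUN apk add` step, which is outside this hunk. If `/home` itself might be absent in the base image, prefix with `mkdir -p /home`.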