From 1671abca1a2650429bdc59c493277ca857494330 Mon Sep 17 00:00:00 2001 From: Federico Vaga Date: Fri, 12 May 2023 10:03:21 +0200 Subject: [PATCH 1/4] docker: add ELBE develop dockerfile This patch adds a mechanism to have multiple types of ELBE containers distinguished by tag. Using this mechanism it adds a new Dockerfile where the ELBE tool in use will be the one from sources. This will allow to test ELBE changes using a containerized environment. Signed-off-by: Federico Vaga --- contrib/dockerfile/Dockerfile-devel.in | 106 +++++++++++++++++++++++++ contrib/dockerfile/Makefile | 21 +++-- 2 files changed, 121 insertions(+), 6 deletions(-) create mode 100644 contrib/dockerfile/Dockerfile-devel.in diff --git a/contrib/dockerfile/Dockerfile-devel.in b/contrib/dockerfile/Dockerfile-devel.in new file mode 100644 index 0000000000..4565a9707a --- /dev/null +++ b/contrib/dockerfile/Dockerfile-devel.in 
@@ -0,0 +1,106 @@
+#
+# ELBE - Debian Based Embedded Rootfilesystem Builder
+# Copyright (c) 2014-2015 Silvio Fricke
+# Copyright (c) 2018 Manuel Traut
+#
+# SPDX-License-Identifier: GPL-3.0-or-later
+
+# This Dockerfile generate a image for the elbe buildsystem
+FROM debian:bullseye
+
+USER root
+ENV DEBIAN_FRONTEND noninteractive
+
+# use a sources.list including backports and security
+RUN echo "deb http://ftp.debian.org/debian bullseye-backports main" >> /etc/apt/sources.list; \
+ echo "deb http://security.debian.org/ bullseye-security main" >> /etc/apt/sources.list
+
+# update, upgrade and install elbe runtime-dependencies
+RUN apt-get update -y ;\
+ apt-get install -y --no-install-recommends \
+ -o Dpkg::Options::="--force-confnew" \
+ systemd \
+ ca-certificates \
+ sudo \
+ vim-nox \
+ elbe-archive-keyring \
+ software-properties-common \
+ gnupg \
+ python3-setuptools \
+ python3-yaml \
+ python3-jsonschema \
+ locales \
+ gcc \
+ g++ \
+ diffstat \
+ texinfo \
+ gawk \
+ chrpath \
+ python3-mako \
+ fuseiso9660 \
+ aptly \
+ debian-archive-keyring \
+ qemu-system-x86
+RUN apt install -y \
+ wget \
+ cpio \
+ python3 \
+ python3-debian \
+ python3-mako \
+ python3-lxml \
+ python3-apt \
+ python3-gpg \
+ python3-suds \
+ python3-libvirt \
+ qemu-utils \
+ qemu-kvm \
+ p7zip-full \
+ make \
+ python3-passlib \
+ libvirt-clients \
+ libvirt-daemon-system \
+ debian-archive-keyring
+
+RUN rm -rf /var/lib/apt/lists/*
+
+RUN echo "en_US.UTF-8 UTF-8" > /etc/locale.gen && locale-gen
+
+ENV LANG en_US.UTF-8
+ENV LANGUAGE en_US:en
+ENV LC_ALL en_US.UTF-8
+
+# create elbe user
+RUN groupadd -g @KVMGID@ -o -r kvm-elbe
+RUN useradd -d /home/elbe -l -U -G kvm-elbe,libvirt -m -s /bin/bash -u @USERID@ elbe
+RUN echo "root:elbe" | chpasswd
+RUN echo "elbe:elbe" | chpasswd
+
+RUN rm -f /lib/systemd/system/multi-user.target.wants/*;\
+ rm -f /etc/systemd/system/*.wants/*;\
+ rm -f /lib/systemd/system/local-fs.target.wants/*; \
+ rm -f 
/lib/systemd/system/sockets.target.wants/*udev*; \ + rm -f /lib/systemd/system/sockets.target.wants/*initctl*; \ + rm -f /lib/systemd/system/basic.target.wants/*;\ + rm -f /lib/systemd/system/anaconda.target.wants/*; + +VOLUME [ "/sys/fs/cgroup" ] +VOLUME [ "/elbe" ] +VOLUME [ "/var/cache/elbe" ] + +# sudo for elbe +RUN echo "%elbe ALL=(ALL:ALL) NOPASSWD: ALL" > /etc/sudoers.d/elbegrp +RUN chmod 0440 /etc/sudoers.d/elbegrp + +# run qemu as root +RUN echo 'user = "root"' >> /etc/libvirt/qemu.conf +RUN echo 'group = "root"' >> /etc/libvirt/qemu.conf + +# run libvirt in systemd on startup +RUN systemctl enable libvirtd + +# install elbe from current sources +COPY ./ /elbe-tool/ + +ENV PATH="/elbe-tool:${PATH}" + +CMD [ "/lib/systemd/systemd" ] diff --git a/contrib/dockerfile/Makefile b/contrib/dockerfile/Makefile index f66de31a61..5a5489d490 100644 --- a/contrib/dockerfile/Makefile +++ b/contrib/dockerfile/Makefile @@ -4,11 +4,19 @@ # # SPDX-License-Identifier: GPL-3.0-or-later +DOCKERFILE ?= Dockerfile +TAG ?= latest +ifneq ($(TAG),latest) +DOCKERFILE = Dockerfile-$(TAG) +endif + IMAGENAME ?= elbe-devel-image -CONTAINERNAME ?= elbe-devel +CONTAINERNAME ?= elbe-devel-$(TAG) KVMGID ?= $(shell ls -n /dev/kvm | awk '{ print $$4 }') UID ?= $(shell id -u) +PROJECTDIR ?= $(shell pwd)/../../ + # docker commands build: test -c /dev/kvm || ( echo "/dev/kvm not found" && false ) @@ -16,13 +24,14 @@ build: test -n "$(KVMGID)" || ( echo "detecting groupid of /dev/kvm failed" && false ) sed -e "s#@KVMGID@#$(KVMGID)#g" \ -e "s#@USERID@#$(UID)#g" \ - Dockerfile.in > Dockerfile + $(DOCKERFILE).in > $(DOCKERFILE) docker build --build-arg http_proxy=$(http_proxy) \ --build-arg https_proxy=$(https_proxy) \ --build-arg no_proxy=$(no_proxy) \ --no-cache \ - -t $(IMAGENAME) . - rm Dockerfile + --file $(DOCKERFILE) \ + -t $(IMAGENAME):$(TAG) $(PROJECTDIR) + rm $(DOCKERFILE) start: docker ps | grep $(CONTAINERNAME)$$ || \ 
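Review bot: The two `chpasswd` lines in the "create elbe user" section give both `root` and `elbe` the fixed password `elbe`, so every image built from this file carries the same well-known credentials. As far as the visible Makefile shows, the container is entered with `docker exec`, and `elbe` already gets passwordless sudo from `/etc/sudoers.d/elbegrp`, so neither password looks necessary. I would replace the root line with `RUN passwd -l root` and put a comment above the remaining one, e.g. `# development-only default password; never expose this container's services to a network`. Separately, `apt-get update -y ;\` joins the install with `;`, so a failed update does not stop the build; `&&` would.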
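Review bot: The build context passed to `docker build` changes from `.` to `$(PROJECTDIR)`, and the devel Dockerfile then runs `COPY ./ /elbe-tool/`, so the whole working tree, including `.git`, untracked files, local configuration and earlier build output, is sent to the daemon and stored in an image layer. Nothing in this patch adds a `.dockerignore` at the project root; one that excludes at least `.git` and build artefacts would keep unintended files out of the image. The default `latest` build now receives the same larger context, although among the hunks visible here only the devel Dockerfile copies from it. The `build` recipe starts before this hunk.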
@@ -39,7 +48,7 @@ start: --group-add kvm \ --device /dev/kvm \ --device /dev/fuse \ - $(IMAGENAME) + $(IMAGENAME):$(TAG) stop: -docker stop $(CONTAINERNAME) @@ -48,7 +57,7 @@ stoprm: stop -docker rm $(CONTAINERNAME) clean: stoprm - -docker rmi $(IMAGENAME) + -docker rmi $(IMAGENAME):$(TAG) connect: start docker exec -tiu $(UID) $(CONTAINERNAME) /bin/bash From cf8346242ec354453cb1aa219987852b061b9b1d Mon Sep 17 00:00:00 2001 From: Federico Vaga Date: Tue, 16 May 2023 21:38:59 +0200 Subject: [PATCH 2/4] docker: fix when running on RHEL-like systems QEMU can't successfully complete when the building process is executed in a container (podman) on a RHEL system. To make it work is necessary to disable the "remember_owner" option. It shouldn't harm on other systems. https://bugzilla.redhat.com/show_bug.cgi?id=1774373 Signed-off-by: Federico Vaga --- contrib/dockerfile/Dockerfile-devel.in | 3 +++ contrib/dockerfile/Dockerfile.in | 4 ++++ 2 files changed, 7 insertions(+) diff --git a/contrib/dockerfile/Dockerfile-devel.in b/contrib/dockerfile/Dockerfile-devel.in index 4565a9707a..1d1f29002d 100644 --- a/contrib/dockerfile/Dockerfile-devel.in +++ b/contrib/dockerfile/Dockerfile-devel.in @@ -91,6 +91,9 @@ VOLUME [ "/var/cache/elbe" ] RUN echo "%elbe ALL=(ALL:ALL) NOPASSWD: ALL" > /etc/sudoers.d/elbegrp RUN chmod 0440 /etc/sudoers.d/elbegrp +# necessary since CS8 to have ELBE working (on C8 it was fine) +# https://bugzilla.redhat.com/show_bug.cgi?id=1774373 +RUN echo 'remember_owner = 0' >> /etc/libvirt/qemu.conf # run qemu as root RUN echo 'user = "root"' >> /etc/libvirt/qemu.conf RUN echo 'group = "root"' >> /etc/libvirt/qemu.conf diff --git a/contrib/dockerfile/Dockerfile.in b/contrib/dockerfile/Dockerfile.in index 0920525d92..ba7751fb18 100644 --- a/contrib/dockerfile/Dockerfile.in +++ b/contrib/dockerfile/Dockerfile.in 
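Review bot: The comment added above `remember_owner = 0` in `Dockerfile-devel.in` relies on the abbreviations "CS8" and "C8" and does not say what the option changes, while the same setting in the `Dockerfile.in` hunk that follows carries a clearer comment. With `remember_owner = 0` libvirt stops recording and restoring the original ownership of files it relabels for a guest, and a few lines below qemu is set to run as root, so disk images it touches may stay re-owned after the guest stops; that is worth checking against the bind-mounted volumes. I would use one comment in both files, for example `# remember_owner = 0: libvirt no longer restores file ownership after a guest stops; needed under podman on RHEL-like hosts since CentOS Stream 8`, followed by the Bugzilla link. A blank line before `# run qemu as root` would keep the two settings visually separate.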
@@ -79,6 +79,10 @@ VOLUME [ "/var/cache/elbe" ] RUN echo "%elbe ALL=(ALL:ALL) NOPASSWD: ALL" > /etc/sudoers.d/elbegrp RUN chmod 0440 /etc/sudoers.d/elbegrp + +# On RHEL family, the following option is necessary since CentOS Stream 8 +# https://bugzilla.redhat.com/show_bug.cgi?id=1774373 +RUN echo 'remember_owner = 0' >> /etc/libvirt/qemu.conf # run qemu as root RUN echo 'user = "root"' >> /etc/libvirt/qemu.conf RUN echo 'group = "root"' >> /etc/libvirt/qemu.conf From 91f30862a2a02eb3f25826db1797003aac798653 Mon Sep 17 00:00:00 2001 From: Federico Vaga Date: Wed, 17 May 2023 13:33:40 +0200 Subject: [PATCH 3/4] docker: use full path to image This would avoid problems in environments where dockerhub is not configured as default repository. Signed-off-by: Federico Vaga --- contrib/dockerfile/Dockerfile-devel.in | 4 ++-- contrib/dockerfile/Dockerfile.in | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/contrib/dockerfile/Dockerfile-devel.in b/contrib/dockerfile/Dockerfile-devel.in index 1d1f29002d..fd7614caaf 100644 --- a/contrib/dockerfile/Dockerfile-devel.in +++ b/contrib/dockerfile/Dockerfile-devel.in @@ -5,8 +5,8 @@ # # SPDX-License-Identifier: GPL-3.0-or-later -# This Dockerfile generate a image for the elbe buildsystem -FROM debian:bullseye +# This Dockefile generate a image for the elbe buildsystem +FROM registry.hub.docker.com/library/debian:bullseye USER root ENV DEBIAN_FRONTEND noninteractive diff --git a/contrib/dockerfile/Dockerfile.in b/contrib/dockerfile/Dockerfile.in index ba7751fb18..2c22922f84 100644 --- a/contrib/dockerfile/Dockerfile.in +++ b/contrib/dockerfile/Dockerfile.in @@ -5,8 +5,8 @@ # # SPDX-License-Identifier: GPL-3.0-or-later -# This Dockerfile generate a image for the elbe buildsystem -FROM debian:bullseye +# This Dockefile generate a image for the elbe buildsystem +FROM registry.hub.docker.com/library/debian:bullseye USER root ENV DEBIAN_FRONTEND noninteractive 
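Review bot: The new `FROM` line fully qualifies the registry but still resolves a mutable tag, so the base image content can change between builds without any change in this repository. Since the line is being edited to make the image source explicit, pinning the digest as well would make the base reproducible: `FROM registry.hub.docker.com/library/debian:bullseye@sha256:DIGEST_OF_REVIEWED_IMAGE`. The comment line changed in the same hunk now reads "Dockefile"; it should be `# This Dockerfile generates an image for the elbe buildsystem`. Both points apply equally to the `Dockerfile.in` hunk that follows.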
From a5df92e93a1f226aff4b573dfcd50b24c803dc65 Mon Sep 17 00:00:00 2001 From: Federico Vaga Date: Wed, 10 May 2023 12:08:39 +0200 Subject: [PATCH 4/4] docker: use low UID and GID Signed-off-by: Federico Vaga --- contrib/dockerfile/Dockerfile-devel.in | 5 +++++ contrib/dockerfile/Dockerfile.in | 5 +++++ 2 files changed, 10 insertions(+) diff --git a/contrib/dockerfile/Dockerfile-devel.in b/contrib/dockerfile/Dockerfile-devel.in index fd7614caaf..d4e118502e 100644 --- a/contrib/dockerfile/Dockerfile-devel.in +++ b/contrib/dockerfile/Dockerfile-devel.in @@ -11,6 +11,11 @@ FROM registry.hub.docker.com/library/debian:bullseye USER root ENV DEBIAN_FRONTEND noninteractive +RUN groupmod -g 1000 nogroup +RUN groupadd -g 1001 libvirt-qemu +RUN usermod -u 1000 -g nogroup nobody +RUN useradd -u 1001 -g libvirt-qemu libvirt-qemu + # use a sources.list including backports and security RUN echo "deb http://ftp.debian.org/debian bullseye-backports main" >> /etc/apt/sources.list; \ echo "deb http://security.debian.org/ bullseye-security main" >> /etc/apt/sources.list diff --git a/contrib/dockerfile/Dockerfile.in b/contrib/dockerfile/Dockerfile.in index 2c22922f84..c01103d3fc 100644 --- a/contrib/dockerfile/Dockerfile.in +++ b/contrib/dockerfile/Dockerfile.in @@ -11,6 +11,11 @@ FROM registry.hub.docker.com/library/debian:bullseye USER root ENV DEBIAN_FRONTEND noninteractive +RUN groupmod -g 1000 nogroup +RUN groupadd -g 1001 libvirt-qemu +RUN usermod -u 1000 -g nogroup nobody +RUN useradd -u 1001 -g libvirt-qemu libvirt-qemu + # use a sources.list including backports and security RUN echo "deb http://ftp.debian.org/debian bullseye-backports main" >> /etc/apt/sources.list; \ echo "deb http://security.debian.org/ bullseye-security main" >> /etc/apt/sources.list
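Review bot: Moving `nobody` to UID 1000 and creating `libvirt-qemu` with UID 1001 can collide with the `useradd ... -u @USERID@ elbe` step added in patch 1, because `@USERID@` is the caller's `id -u` and 1000 or 1001 is the usual UID of the first user on many distributions; without `-o`, `useradd` would reject the duplicate UID and the build would stop. Where the host UID is 1000, files in bind-mounted volumes owned by the developer would also appear owned by `nobody` inside the container, which weakens `nobody` as an unprivileged identity. Neither the commit message nor the Dockerfile gives a reason for these numbers, so a comment such as `# keep all UIDs/GIDs below LIMIT because REASON` is needed above the four lines. The pre-created `libvirt-qemu` account is also a regular user with the default shell; `useradd -r -s /usr/sbin/nologin -u 1001 -g libvirt-qemu libvirt-qemu` would be closer to a service account. The same four lines are added to `Dockerfile.in` in the next hunk.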