Revising keys for server, attempting to base server on bootc

This commit is contained in:
Ben Radey
2025-11-24 15:22:12 -05:00
parent fca3d78b06
commit 052e71db4d
4 changed files with 110 additions and 12 deletions
+19 -12
@@ -10,25 +10,28 @@ WORKDIR /gocryptfs
RUN ./build-without-openssl.bash
# ====== Stage 2: Server image ======
FROM quay.io/fedora/fedora-silverblue:43
FROM quay.io/fedora/fedora-bootc:43
COPY --from=builder /gocryptfs/gocryptfs /usr/bin/gocryptfs
# Install ZFS repository & build deps & zfs
RUN dnf5 install -y https://github.com/zfsonlinux/zfsonlinux.github.com/raw/master/fedora/zfs-release-3-0$(rpm --eval "%{dist}").noarch.rpm && \
COPY gpg-keys/* /keys/
# Import keys, install ZFS repository & build deps & zfs
RUN rpm --import \
/keys/OpenZFS \
/keys/Smallstep \
/keys/zrepl-rpm-pkgs \
/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-43-x86_64 && \
rm -rf /keys && \
dnf5 install -y https://github.com/zfsonlinux/zfsonlinux.github.com/raw/master/fedora/zfs-release-3-0$(rpm --eval "%{dist}").noarch.rpm && \
dnf5 install -y \
kernel-devel kernel-devel-matched kernel-headers kernel-srpm-macros && \
dnf5 install -y zfs && \
dkms autoinstall -k $(rpm -qa kernel --queryformat '%{VERSION}-%{RELEASE}.%{ARCH}') && \
dnf5 clean all
# Install zrepl repository
COPY supermicro-x10drh/zrepl.asc /var/roothome/zrepl.asc
RUN rpm --import /var/roothome/zrepl.asc
COPY supermicro-x10drh/zrepl.repo /etc/yum.repos.d/zrepl.repo
# Install smallstep repository
COPY supermicro-x10drh/smallstep.repo /etc/yum.repos.d/smallstep.repo
# Install smallstep & zrepl repository
COPY supermicro-x10drh/*.repo /etc/yum.repos.d/
RUN dnf5 install -y \
ansible \
@@ -67,6 +70,10 @@ RUN dnf5 install -y \
RUN test -f /usr/lib/sysusers.d/libvirt.conf || echo -e 'g libvirt 963' > /usr/lib/sysusers.d/libvirt.conf && \
test -f /usr/lib/sysusers.d/qat.conf || echo -e 'g qat 995' > /usr/lib/sysusers.d/qat.conf
# Cleanup image for linting & verify image is good
RUN rm -rf /var /boot && mkdir /var /boot && \
# The first check makes sure that we have exactly 4 gpg pubkeys trusted in the rpmdb (the ones from the base image).
# Any more than that means that dnf automatically added a new one, which is shady!
# Then: cleanup image for linting
# Finally: verify image is good
RUN [[ 4 -eq $(rpm -qa gpg-pubkey* | wc -l) ]] && \
rm -rf /var /boot && mkdir /var /boot && \
bootc container lint --fatal-warnings --skip baseimage-composefs
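Review bot: The zfs-release package fetched straight from GitHub on the `dnf5 install -y https://github.com/zfsonlinux/... .noarch.rpm` line of the first hunk is still installed without a signature check, because dnf (as far as I know, dnf5 included) only verifies a URL- or file-supplied rpm when `localpkg_gpgcheck` is enabled, so the `rpm --import` of the OpenZFS key just above it does not cover this step and the repo definition it drops in is trusted on the TLS connection alone. Adding `--setopt=localpkg_gpgcheck=1` to that `dnf5 install` line (or downloading the rpm and running `rpm -K` on it before installing) would make the imported key actually gate the install. In the second hunk, the comment above `[[ 4 -eq $(rpm -qa gpg-pubkey* | wc -l) ]]` says the four keys come from the base image, but they appear to be the four imported explicitly on the `rpm --import` lines, so the comment should say so, and the unquoted `gpg-pubkey*` glob can be expanded by the shell if a matching file exists in the working directory; `rpm -qa 'gpg-pubkey*'` avoids that. The key path `/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-43-x86_64` also hardcodes the architecture, which is worth a comment or an `ARG` if this image is ever built for another platform.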