diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 56bde7e..e32c000 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -9,8 +9,9 @@ on: env: REGISTRY: ghcr.io SERVER_IMAGE_NAME: "supermicro-x10drh" - LAPTOP_IMAGE_NAME: "lenovo-16arh7h" - DESKTOP_IMAGE_NAME: "asrock-x570" + WORKSTATION_BASE_IMAGE_NAME: "workstation-nvidia-base" + LENOVO_IMAGE_NAME: "lenovo-16arh7h" + ASROCK_IMAGE_NAME: "asrock-x570" IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }} REGISTRY_USER: ${{ github.actor }} REGISTRY_PASSWORD: ${{ github.token }} @@ -41,7 +42,7 @@ jobs: password: ${{ env.REGISTRY_PASSWORD }} extra-args: | --disable-content-trust - asrock-x570: + workstation-nvidia-base: runs-on: ubuntu-latest steps: - name: Free Disk Space (Ubuntu) @@ -50,7 +51,7 @@ jobs: # this might remove tools that are actually needed, # if set to "true" but frees about 6 GB tool-cache: false - + # all of these default to true, but feel free to set to # "false" if necessary for your workflow android: true 
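Review bot: `WORKSTATION_BASE_IMAGE_NAME: "workstation-nvidia-base"` in the first hunk does not match the Containerfile this commit adds. The base job's `containerfiles: Containerfile-${{ env.WORKSTATION_BASE_IMAGE_NAME }}` resolves to `Containerfile-workstation-nvidia-base`, while the new file is `Containerfile-desktop-nvidia-base`. Unless a file with the workstation name exists elsewhere in the repository, the base job fails and both jobs that declare `needs: workstation-nvidia-base` are skipped. Since both derived Containerfiles use `FROM ghcr.io/benradey/workstation-nvidia-base:latest`, the simplest fix is to rename the new file to `Containerfile-workstation-nvidia-base`.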
@@ -66,15 +67,56 @@ jobs: - name: Build container image uses: redhat-actions/buildah-build@v2.12 with: - containerfiles: Containerfile-${{ env.DESKTOP_IMAGE_NAME }} - image: ${{ env.DESKTOP_IMAGE_NAME }} + containerfiles: Containerfile-${{ env.WORKSTATION_BASE_IMAGE_NAME }} + image: ${{ env.WORKSTATION_BASE_IMAGE_NAME }} layers: false oci: true - name: Push to ghcr.io uses: redhat-actions/push-to-registry@v2.7 with: - image: ${{ env.DESKTOP_IMAGE_NAME }} + image: ${{ env.WORKSTATION_BASE_IMAGE_NAME }} + tags: "latest" + registry: ${{ env.IMAGE_REGISTRY }} + username: ${{ env.REGISTRY_USER }} + password: ${{ env.REGISTRY_PASSWORD }} + extra-args: | + --disable-content-trust + asrock-x570: + needs: workstation-nvidia-base + runs-on: ubuntu-latest + steps: + - name: Free Disk Space (Ubuntu) + uses: jlumbroso/free-disk-space@main + with: + # this might remove tools that are actually needed, + # if set to "true" but frees about 6 GB + tool-cache: false + + # all of these default to true, but feel free to set to + # "false" if necessary for your workflow + android: true + dotnet: true + haskell: true + large-packages: true + docker-images: false + swap-storage: true + + - name: Checkout repo + uses: actions/checkout@v3 + + - name: Build container image + uses: redhat-actions/buildah-build@v2.12 + with: + containerfiles: Containerfile-${{ env.ASROCK_IMAGE_NAME }} + image: ${{ env.ASROCK_IMAGE_NAME }} + layers: false + oci: true + + - name: Push to ghcr.io + uses: redhat-actions/push-to-registry@v2.7 + with: + image: ${{ env.ASROCK_IMAGE_NAME }} tags: "latest" registry: ${{ env.IMAGE_REGISTRY }} username: ${{ env.REGISTRY_USER }} @@ -82,7 +124,7 @@ jobs: extra-args: | --disable-content-trust lenovo-16arh7h: - needs: asrock-x570 + needs: workstation-nvidia-base runs-on: ubuntu-latest steps: - name: Free Disk Space (Ubuntu) 
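Review bot: The added `asrock-x570` job runs `uses: jlumbroso/free-disk-space@main`, a third-party action referenced by branch name, so whatever that branch points to at run time executes in a job that goes on to push to ghcr.io. The `env:` block in the first hunk appears to be workflow-level, which would also place `REGISTRY_PASSWORD: ${{ github.token }}` in that step's environment. Pin the action to a reviewed commit, `uses: jlumbroso/free-disk-space@<full-commit-sha>  # <release tag>`, and do the same for the identical step in the `workstation-nvidia-base` and `lenovo-16arh7h` jobs. The `actions/checkout@v3` and `redhat-actions/*` steps are tag-pinned, which is better than a branch but still mutable.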
@@ -91,7 +133,7 @@ jobs: # this might remove tools that are actually needed, # if set to "true" but frees about 6 GB tool-cache: false - + # all of these default to true, but feel free to set to # "false" if necessary for your workflow android: true @@ -107,15 +149,15 @@ jobs: - name: Build container image uses: redhat-actions/buildah-build@v2.12 with: - containerfiles: Containerfile-${{ env.LAPTOP_IMAGE_NAME }} - image: ${{ env.LAPTOP_IMAGE_NAME }} + containerfiles: Containerfile-${{ env.LENOVO_IMAGE_NAME }} + image: ${{ env.LENOVO_IMAGE_NAME }} layers: false oci: true - name: Push to ghcr.io uses: redhat-actions/push-to-registry@v2.7 with: - image: ${{ env.LAPTOP_IMAGE_NAME }} + image: ${{ env.LENOVO_IMAGE_NAME }} tags: "latest" registry: ${{ env.IMAGE_REGISTRY }} username: ${{ env.REGISTRY_USER }} diff --git a/Containerfile-asrock-x570 b/Containerfile-asrock-x570 index acd5dca..cbeed5e 100644 --- a/Containerfile-asrock-x570 +++ b/Containerfile-asrock-x570 
@@ -1,62 +1,10 @@ -FROM quay.io/fedora/fedora-budgie-atomic:43 - -COPY gpg-keys/* /keys/ - -RUN wget -O /etc/udev/rules.d/42-logitech-unify-permissions.rules https://raw.githubusercontent.com/pwr-Solaar/Solaar/refs/heads/master/rules.d-uinput/42-logitech-unify-permissions.rules - -RUN rpm --import \ - /keys/public_key_proton.asc \ - /keys/RPM-GPG-KEY-rpmfusion-free-fedora-2020 \ - /keys/RPM-GPG-KEY-rpmfusion-nonfree-fedora-2020 \ - /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-43-x86_64 && \ - rm -rf /keys && \ - dnf5 install -y https://mirrors.rpmfusion.org/free/fedora/rpmfusion-free-release-$(rpm -E %fedora).noarch.rpm \ - https://mirrors.rpmfusion.org/nonfree/fedora/rpmfusion-nonfree-release-$(rpm -E %fedora).noarch.rpm \ - https://repo.protonvpn.com/fedora-$(cat /etc/fedora-release | cut -d' ' -f 3)-stable/protonvpn-stable-release/protonvpn-stable-release-1.0.3-1.noarch.rpm && \ - dnf5 install -y \ - adobe-source-code-pro-fonts \ - akmods \ - android-tools \ - ansible \ - blueman \ - blueman-nemo \ - cinnamon \ - distrobox \ - fuse-sshfs \ - geany \ - git \ - gnome-terminal \ - htop \ - iftop \ - iotop \ - libva-nvidia-driver \ - libva-utils \ - numlockx \ - nvtop \ - steam \ - syncthing \ - vdpauinfo \ - vim \ - virt-manager \ - vulkan-tools && \ - dnf5 swap -y ffmpeg-free ffmpeg --allowerasing && \ - dnf5 swap -y mesa-va-drivers mesa-va-drivers-freeworld && \ - dnf5 swap -y mesa-vdpau-drivers mesa-vdpau-drivers-freeworld && \ - dnf5 clean all - -# TODO: Remove this `|| true` hack once post scriptlets no longer make dnf exit with non-zero -RUN dnf5 install -y \ - akmod-nvidia \ - xorg-x11-drv-nvidia-cuda \ - proton-vpn-gnome-desktop || true -# TODO: Remove these unnecessary checks to make sure the packages above actually got installed. 
rpm exits non-zero if the package is not installed and aborts the Containerfile build -RUN rpm -q akmod-nvidia && \ - rpm -q xorg-x11-drv-nvidia-cuda && \ - rpm -q proton-vpn-gnome-desktop +FROM ghcr.io/benradey/workstation-nvidia-base:latest +# Build nvidia akmod with flag that produces proprietary kernal driver for older hardware +RUN sudo sh -c 'echo "%_without_kmod_nvidia_detect 1" > /etc/rpm/macros.nvidia-kmod' RUN /usr/sbin/akmods --force --kernels "$(rpm -qa kernel --queryformat '%{VERSION}-%{RELEASE}.%{ARCH}')" -# The first check makes sure that we have exactly 4 gpg pubkeys trusted in the rpmdb (the ones manually imported above). +# The first check makes sure that we have exactly 4 gpg pubkeys trusted in the rpmdb (the ones from the base image). # Any more than that means that dnf automatically added a new one, which is shady! # Then: cleanup image for linting # Finally: verify image is good diff --git a/Containerfile-desktop-nvidia-base b/Containerfile-desktop-nvidia-base new file mode 100644 index 0000000..07eb713 --- /dev/null +++ b/Containerfile-desktop-nvidia-base 
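Review bot: `FROM ghcr.io/benradey/workstation-nvidia-base:latest` binds this image to a mutable tag, and the updated comment makes the 4-key `gpg-pubkey` check depend on whatever that tag resolves to at build time. `needs: workstation-nvidia-base` orders the jobs but does not tie this build to the image that job just pushed. Consider exporting the `digest` output of the base job's push step and passing it in as a build argument (named `BASE_DIGEST` here for illustration), so the line becomes `FROM ghcr.io/benradey/workstation-nvidia-base@${BASE_DIGEST}` after an `ARG BASE_DIGEST`. `Containerfile-lenovo-16arh7h` has the same `FROM`. Separately, the `sudo` in the added `RUN sudo sh -c …` is unnecessary if the build runs as root, which is the default unless the base image sets `USER`.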
@@ -0,0 +1,67 @@ +FROM quay.io/fedora/fedora-budgie-atomic:43 + +COPY gpg-keys/* /keys/ + +RUN wget -O /etc/udev/rules.d/42-logitech-unify-permissions.rules https://raw.githubusercontent.com/pwr-Solaar/Solaar/refs/heads/master/rules.d-uinput/42-logitech-unify-permissions.rules + +RUN rpm --import \ + /keys/public_key_proton.asc \ + /keys/RPM-GPG-KEY-rpmfusion-free-fedora-2020 \ + /keys/RPM-GPG-KEY-rpmfusion-nonfree-fedora-2020 \ + /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-43-x86_64 && \ + rm -rf /keys && \ + dnf5 install -y https://mirrors.rpmfusion.org/free/fedora/rpmfusion-free-release-$(rpm -E %fedora).noarch.rpm \ + https://mirrors.rpmfusion.org/nonfree/fedora/rpmfusion-nonfree-release-$(rpm -E %fedora).noarch.rpm \ + https://repo.protonvpn.com/fedora-$(cat /etc/fedora-release | cut -d' ' -f 3)-stable/protonvpn-stable-release/protonvpn-stable-release-1.0.3-1.noarch.rpm && \ + dnf5 install -y \ + adobe-source-code-pro-fonts \ + akmods \ + android-tools \ + ansible \ + blueman \ + blueman-nemo \ + cinnamon \ + distrobox \ + fuse-sshfs \ + geany \ + git \ + gnome-terminal \ + htop \ + iftop \ + iotop \ + libva-nvidia-driver \ + libva-utils \ + numlockx \ + nvidia-vaapi-driver \ + nvtop \ + steam \ + syncthing \ + vdpauinfo \ + vim \ + virt-manager \ + vulkan-tools && \ + dnf5 swap -y ffmpeg-free ffmpeg --allowerasing && \ + dnf5 swap -y mesa-va-drivers mesa-va-drivers-freeworld && \ + dnf5 swap -y mesa-vdpau-drivers mesa-vdpau-drivers-freeworld && \ + dnf5 clean all + +# TODO: Remove this `|| true` hack once post scriptlets no longer make dnf exit with non-zero +RUN dnf5 install -y \ + akmod-nvidia \ + xorg-x11-drv-nvidia-cuda \ + proton-vpn-gnome-desktop || true +# TODO: Remove these unnecessary checks to make sure the packages above actually got installed. 
rpm exits non-zero if the package is not installed and aborts the Containerfile build +RUN rpm -q akmod-nvidia && \ + rpm -q xorg-x11-drv-nvidia-cuda && \ + rpm -q proton-vpn-gnome-desktop + +RUN sudo sh -c 'echo "%_with_kmod_nvidia_open 0" > /etc/rpm/macros.nvidia-kmod' +RUN /usr/sbin/akmods --force --kernels "$(rpm -qa kernel --queryformat '%{VERSION}-%{RELEASE}.%{ARCH}')" + +# The first check makes sure that we have exactly 4 gpg pubkeys trusted in the rpmdb (the ones manually imported above). +# Any more than that means that dnf automatically added a new one, which is shady! +# Then: cleanup image for linting +# Finally: verify image is good +RUN [[ 4 -eq $(rpm -qa gpg-pubkey* | wc -l) ]] && \ + rm -rf /var /boot && mkdir /var /boot && \ + bootc container lint --fatal-warnings --skip baseimage-composefs diff --git a/Containerfile-lenovo-16arh7h b/Containerfile-lenovo-16arh7h index dddbbf4..a6c041e 100644 --- a/Containerfile-lenovo-16arh7h +++ b/Containerfile-lenovo-16arh7h @@ -1,4 +1,7 @@ -FROM ghcr.io/benradey/asrock-x570:latest +FROM ghcr.io/benradey/workstation-nvidia-base:latest + +# Build nvidia akmod with no special arguments - defaults to open kernel driver for newer hardware +RUN /usr/sbin/akmods --force --kernels "$(rpm -qa kernel --queryformat '%{VERSION}-%{RELEASE}.%{ARCH}')" RUN dnf5 install -y \ dkms \
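Review bot: The `RUN wget -O /etc/udev/rules.d/42-logitech-unify-permissions.rules …/refs/heads/master/…` line fetches a udev rules file from the tip of an upstream branch at build time with no integrity check, so the rules baked into the image can change without any change in this repository. udev rules are processed with root privileges on the booted system, so this file deserves the same handling as the files under `gpg-keys/`. Either commit a reviewed copy and `COPY` it in, or pin the URL to a commit and verify a checksum, e.g. `… && echo "<sha256>  /etc/udev/rules.d/42-logitech-unify-permissions.rules" | sha256sum -c -`. It is also worth confirming that the three release RPMs installed by URL are signature-checked against the imported keys, since dnf's `localpkg_gpgcheck` is off by default.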
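Review bot: The comment on the added `akmods` line says the build uses no special arguments, but `Containerfile-desktop-nvidia-base` in this same commit writes `%_with_kmod_nvidia_open 0` to `/etc/rpm/macros.nvidia-kmod`, and this image would inherit that file if the base is built from it. If the macro does what its name suggests, the rebuild here would still produce the proprietary module rather than the open one the comment describes. Either drop the macro and the `akmods` run from the base, or clear the macro first: `RUN rm -f /etc/rpm/macros.nvidia-kmod && /usr/sbin/akmods --force --kernels "$(rpm -qa kernel --queryformat '%{VERSION}-%{RELEASE}.%{ARCH}')"`. The `RUN dnf5 install -y \` that closes the hunk continues outside it.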