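# ====== Stage 1: Builder image ======
# Builds gocryptfs from source. Only the resulting binary is copied into the
# server image, so the toolchain installed here does not reach the final image.

# Pinned to the same Fedora release as the server stage instead of the moving
# `latest` tag, so the build toolchain cannot change silently between builds.
# A tag is still mutable; add a digest pin for a fully reproducible build.
FROM fedora:43 AS builder

RUN dnf5 update -y && dnf5 install -y git golang

# Git ref to build. The default (HEAD of the fresh clone) keeps the previous
# behaviour of building whatever upstream's default branch points at today.
# Set it to a reviewed release tag or commit hash so the binary shipped in the
# server image is built from known source.
ARG GOCRYPTFS_REF=HEAD

RUN git clone https://github.com/rfjakob/gocryptfs.git /gocryptfs && \
    git -C /gocryptfs checkout --detach "${GOCRYPTFS_REF}"

WORKDIR /gocryptfs

RUN ./build-without-openssl.bash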
# ====== Stage 2: Server image ======
# NOTE(review): the base is pinned to a release tag only; a digest pin would
# also fix the exact image contents that the key-count check at the end of
# this file depends on.
FROM quay.io/fedora/fedora-silverblue:43

# The gocryptfs binary is the only artifact taken from the builder stage.
COPY --from=builder /gocryptfs/gocryptfs /usr/bin/gocryptfs

# Stage the vendored RPM signing keys from the build context under /keys;
# the next RUN imports them into the rpmdb and removes the directory.
COPY gpg-keys/* /keys/
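# Import keys, install ZFS repository & build deps & zfs
#
# The signing keys are imported explicitly, before any third-party repository
# is enabled, so that dnf never has to be asked to trust a key on the fly.
# Six keys come from the build context (/keys), the seventh is the Fedora 43
# key already present in the base image under /etc/pki/rpm-gpg.
#
# NOTE(review): `rm -rf /keys` only hides the files from later layers; they
# remain in the COPY layer above. They are public keys, so this costs size only.
#
# NOTE(review): the three *-release packages are installed by URL, and the
# OpenZFS one is fetched from a mutable branch. dnf verifies signatures of
# packages given as files or URLs only when its `localpkg_gpgcheck` option is
# enabled; confirm how this base image sets it, and whether these release RPMs
# are signed by the keys imported above, before relying on the import alone.
#
# The kernel version handed to dkms is quoted, as it already is for akmods
# further down, so the value is always passed as a single argument.
RUN rpm --import \
        /keys/nvidia-gpgkey \
        /keys/OpenZFS \
        /keys/Smallstep \
        /keys/zrepl-rpm-pkgs \
        /keys/RPM-GPG-KEY-rpmfusion-free-fedora-2020 \
        /keys/RPM-GPG-KEY-rpmfusion-nonfree-fedora-2020 \
        /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-43-x86_64 && \
    rm -rf /keys && \
    dnf5 install -y \
        https://github.com/zfsonlinux/zfsonlinux.github.com/raw/master/fedora/zfs-release-3-0$(rpm --eval "%{dist}").noarch.rpm \
        https://mirrors.rpmfusion.org/free/fedora/rpmfusion-free-release-$(rpm -E %fedora).noarch.rpm \
        https://mirrors.rpmfusion.org/nonfree/fedora/rpmfusion-nonfree-release-$(rpm -E %fedora).noarch.rpm && \
    dnf5 install -y \
        kernel-devel kernel-devel-matched kernel-headers kernel-srpm-macros && \
    dnf5 install -y zfs && \
    dkms autoinstall -k "$(rpm -qa kernel --queryformat '%{VERSION}-%{RELEASE}.%{ARCH}')" && \
    dnf5 clean all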
# Install smallstep, nvidia & zrepl repository
# NOTE(review): the .repo files are not visible here; confirm each one enables
# signature checking so the keys imported earlier are actually enforced.
COPY supermicro-x10drh/*.repo /etc/yum.repos.d/

# Host tooling for the server image, one package per line.
# zrepl is the only entry pinned to an exact version and architecture.
RUN dnf5 install -y \
        akmods \
        ansible \
        borgbackup \
        certbot \
        distrobox \
        fail2ban \
        fuse-encfs \
        fuse-sshfs \
        hddtemp \
        htop \
        iftop \
        igt-gpu-tools \
        iotop \
        ipmitool \
        libnvidia-container-tools \
        libnvidia-container1 \
        libvirt \
        lm_sensors \
        net-tools \
        netcat \
        nginx \
        nut \
        nvidia-container-toolkit \
        nvidia-container-toolkit-base \
        nvtop \
        pv \
        python3-certbot-nginx \
        qemu-kvm \
        rclone \
        screen \
        smartmontools \
        step-cli \
        strace \
        stress-ng \
        telnet \
        vim \
        zrepl-v0.6.0-1.x86_64 && \
    dnf5 clean all
# TODO: Remove this `|| true` hack once post scriptlets no longer make dnf exit with non-zero
# The `|| true` discards every failure of this install, not only the scriptlet
# one, so this step alone proves nothing; the `rpm -q` RUN that follows is what
# fails the build when the packages did not end up installed.
RUN { dnf5 install -y \
        akmod-nvidia \
        xorg-x11-drv-nvidia-cuda || true; } && \
    dnf5 clean all
# TODO: Remove these checks once the `|| true` hack above is gone.
# They verify that the packages above actually got installed: rpm exits
# non-zero when a queried package is missing, which aborts the Containerfile build.
RUN rpm -q akmod-nvidia xorg-x11-drv-nvidia-cuda
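# Build nvidia akmod with no special arguments - defaults to open kernel driver for newer hardware
# The log, cache and temp directories are created up front for the akmods run.
# /var/tmp gets mode 1777 rather than 777: still world-writable, but the sticky
# bit stops one user from removing or replacing another user's files there.
# NOTE(review): nothing after this step checks that a kernel module was
# produced; confirm that akmods exits non-zero when the module build fails.
RUN mkdir -p /var/log/akmods /var/cache/akmods/nvidia /var/tmp && \
    chmod 1777 /var/tmp && \
    /usr/sbin/akmods --force --kernels "$(rpm -qa kernel --queryformat '%{VERSION}-%{RELEASE}.%{ARCH}')"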
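# Cleanup image for linting
# Write a sysusers.d entry for the libvirt and qat groups when the image does
# not already ship one. Each "create if missing" step is grouped on its own:
# in an ungrouped `a || b && c || d` chain a failed write of the first file is
# masked and the second file is overwritten even when it already exists.
RUN { test -f /usr/lib/sysusers.d/libvirt.conf || \
        printf '%s\n' 'g libvirt 963' > /usr/lib/sysusers.d/libvirt.conf; } && \
    { test -f /usr/lib/sysusers.d/qat.conf || \
        printf '%s\n' 'g qat 995' > /usr/lib/sysusers.d/qat.conf; }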
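# The first check makes sure that exactly 7 gpg pubkeys are trusted in the rpmdb.
# Any more than that means that dnf automatically added a new one, which is shady!
# NOTE(review): 7 is also the number of key files passed to `rpm --import`
# earlier in this stage, while the original comment attributed the 7 keys to
# the base image; confirm which set is meant and keep the number in sync with
# that list.
# The query pattern is quoted so the shell cannot expand it against file names
# in the working directory, and the count is compared with POSIX `[` so the
# check does not depend on /bin/sh being bash.
# Then: cleanup image for linting
# Finally: verify image is good
RUN [ 7 -eq "$(rpm -qa 'gpg-pubkey*' | wc -l)" ] && \
    rm -rf /var /boot && mkdir /var /boot && \
    bootc container lint --fatal-warnings --skip baseimage-composefs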