Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: add wolfi-toolbox images #127

Merged
merged 4 commits into from
Jun 7, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
123 changes: 123 additions & 0 deletions .github/workflows/wolfi.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,123 @@
name: "Wolfi Linux: Build and push toolbx images"

permissions: read-all

on:
pull_request:
branches:
- main
paths:
- wolfi/**
- .github/workflows/wolfi.yaml
push:
branches:
- main
paths:
- wolfi/**
- .github/workflows/wolfi.yaml
schedule:
- cron: '0 0 * * MON'

env:
distro: 'wolfi'
distro_pretty: 'wolfi Linux'
latest_release: 'latest'
platforms: 'linux/amd64, linux/arm64'
registry: 'quay.io/toolbx-images'

# Prevent multiple workflow runs from racing to ensure that pushes are made
# sequentially for the main branch. Also cancel in progress workflow runs for
# pull requests only.
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: ${{ github.event_name == 'pull_request' }}

jobs:
build-push-images:
strategy:
matrix:
release: ['latest']

runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4

- name: Set up QEMU for multi-arch builds
shell: bash
run: |
sudo apt update
sudo apt install qemu-user-static

- name: Build container image
uses: redhat-actions/buildah-build@v2
if: env.latest_release != matrix.release
with:
platforms: ${{ env.platforms }}
context: ${{ env.distro }}/${{ matrix.release }}
image: ${{ env.distro }}-toolbox
tags: ${{ matrix.release }}
containerfiles: ${{ env.distro }}/${{ matrix.release }}/Containerfile
layers: false
oci: true

- name: Build container image (latest tag)
uses: redhat-actions/buildah-build@v2
if: env.latest_release == matrix.release
with:
platforms: ${{ env.platforms }}
context: ${{ env.distro }}/${{ matrix.release }}
image: ${{ env.distro }}-toolbox
tags: ${{ matrix.release }} latest
containerfiles: ${{ env.distro }}/${{ matrix.release }}/Containerfile
layers: false
oci: true

- name: Push to Container Registry
uses: redhat-actions/push-to-registry@v2
id: push
if: (github.event_name == 'push' || github.event_name == 'schedule') && github.ref == 'refs/heads/main' && env.latest_release != matrix.release
with:
username: ${{ secrets.BOT_USERNAME }}
password: ${{ secrets.BOT_SECRET }}
image: ${{ env.distro }}-toolbox
registry: ${{ env.registry }}
tags: ${{ matrix.release }}

- name: Push to Container Registry (latest tag)
uses: redhat-actions/push-to-registry@v2
id: push-latest
if: (github.event_name == 'push' || github.event_name == 'schedule') && github.ref == 'refs/heads/main' && env.latest_release == matrix.release
with:
username: ${{ secrets.BOT_USERNAME }}
password: ${{ secrets.BOT_SECRET }}
image: ${{ env.distro }}-toolbox
registry: ${{ env.registry }}
tags: ${{ matrix.release }} latest

- name: Login to Container Registry
uses: redhat-actions/podman-login@v1
if: (github.event_name == 'push' || github.event_name == 'schedule') && github.ref == 'refs/heads/main'
with:
registry: ${{ env.registry }}
username: ${{ secrets.BOT_USERNAME }}
password: ${{ secrets.BOT_SECRET }}

- uses: sigstore/[email protected]
if: (github.event_name == 'push' || github.event_name == 'schedule') && github.ref == 'refs/heads/main'

- name: Sign container image
if: (github.event_name == 'push' || github.event_name == 'schedule') && github.ref == 'refs/heads/main' && env.latest_release != matrix.release
run: |
cosign sign -y --recursive --key env://COSIGN_PRIVATE_KEY ${{ env.registry }}/${{ env.distro }}-toolbox@${{ steps.push.outputs.digest }}
env:
COSIGN_EXPERIMENTAL: false
COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}

- name: Sign container image (latest)
if: (github.event_name == 'push' || github.event_name == 'schedule') && github.ref == 'refs/heads/main' && env.latest_release == matrix.release
run: |
cosign sign -y --recursive --key env://COSIGN_PRIVATE_KEY ${{ env.registry }}/${{ env.distro }}-toolbox@${{ steps.push-latest.outputs.digest }}
env:
COSIGN_EXPERIMENTAL: false
COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
7 changes: 7 additions & 0 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -172,6 +172,12 @@ directly use the commands below:
$ toolbox enter ubuntu-toolbox-16.04
```

- [Wolfi]:
```
$ toolbox create --image quay.io/toolbx-images/wolfi-toolbox:latest
$ toolbox enter wolfi-toolbox-latest
```

## Verifying sigstore container signatures with podman

How to configure sigstore signature verification in podman:
Expand Down Expand Up @@ -243,3 +249,4 @@ See [COPYING](COPYING).
[Rocky Linux]: https://hub.docker.com/_/rockylinux
[Ubuntu]: https://hub.docker.com/_/ubuntu
[openSUSE]: https://registry.opensuse.org/cgi-bin/cooverview?srch_term=project%3D%5EopenSUSE%3AContainers%3A+container%3Dtoolbox
[Wolfi]: cgr.dev/chainguard/
26 changes: 26 additions & 0 deletions wolfi/latest/Containerfile
Original file line number Diff line number Diff line change
@@ -0,0 +1,26 @@
FROM cgr.dev/chainguard/wolfi-base:latest

LABEL com.github.containers.toolbox="true" \
name="wolfi-toolbox" \
version="latest" \
usage="This image is meant to be used with the toolbox or distrobox command" \
summary="Base image for creating Wolfi Linux toolbox containers" \
maintainer="Luca Di Maio <[email protected]>"

# Install extra packages
COPY extra-packages /
RUN apk update && \
apk upgrade && \
cat /extra-packages | xargs apk add
RUN rm /extra-packages

# Enable password less sudo
# using sudoers instead of toolbox filename here, so that in case of rootful
# distroboxes, the NOPASSWD can be deactivated for security reasons.
RUN echo "%wheel ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/sudoers

# Copy the os-release file
RUN cp -p /etc/os-release /usr/lib/os-release

# Clear out /home
RUN rm -rf /home/* && mkdir /media
45 changes: 45 additions & 0 deletions wolfi/latest/extra-packages
Original file line number Diff line number Diff line change
@@ -0,0 +1,45 @@
bash
bc
busybox
bzip2
coreutils
curl
diffutils
findmnt
findutils
gnupg
gnutar
gpg
iproute2
iputils
keyutils
less
libcap
libcap-utils
locate
man-db
mesa
mount
ncurses
ncurses-terminfo
net-tools
openssh-client
pigz
posix-libc-utils
procps
rsync
shadow
sudo
tcpdump
tree
tzdata
umount
unzip
util-linux
util-linux-login
util-linux-misc
vulkan-loader
wget
xauth
xz
zip