Merge pull request #266 from TopRichard/macOS-Tahoe-Ubuntu-22.04

boegel · web-flow · commit 72c01b6b733e · 2026-03-13T09:13:53.000+01:00
Add EESSI client container for macOS-26.x
diff --git a/.github/workflows/build-publish-containers.yml b/.github/workflows/build-publish-containers.yml
@@ -33,7 +33,7 @@ jobs:
       contents: read
     strategy:
       matrix:
-        tag: ['client:rocky8', 'build-node:debian11', 'build-node:debian12', 'build-node:debian13']
+        tag: ['client:rocky8', 'build-node:debian11', 'build-node:debian12', 'build-node:debian13', 'client:ubuntu22.04-macOS-26']
         platform: [amd64, arm64, riscv64]
         exclude:
           # exclude images that don't support RISC-V
@@ -43,6 +43,11 @@ jobs:
             platform: riscv64
           - tag: build-node:debian12
             platform: riscv64
+          # limit the new macOS to arm64 only
+          - tag: client:ubuntu22.04-macOS-26
+            platform: amd64
+          - tag: client:ubuntu22.04-macOS-26
+            platform: riscv64
 
     steps:
       - name: Check out the repo
@@ -100,7 +105,7 @@ jobs:
       contents: read
     strategy:
       matrix:
-        tag: ['client:rocky8', 'build-node:debian11', 'build-node:debian12', 'build-node:debian13']
+        tag: ['client:rocky8', 'build-node:debian11', 'build-node:debian12', 'build-node:debian13', 'client:ubuntu22.04-macOS-26']
     steps:
       - name: Login to GitHub Container Registry
         if: github.event_name != 'pull_request'
@@ -114,6 +119,12 @@ jobs:
         run: |
           echo REPOSITORY_OWNER=$(echo ${{ github.repository_owner }} | tr '[:upper:]' '[:lower:]') >> $GITHUB_ENV
 
+      - name: Create the final image using  "docker buildx imagetools create"
+        if: github.event_name != 'pull_request' && matrix.tag == 'client:ubuntu22.04-macOS-26'
+        run: |
+          docker buildx imagetools create -t ghcr.io/${{ env.REPOSITORY_OWNER }}/${{ matrix.tag }} \
+            ghcr.io/${{ env.REPOSITORY_OWNER }}/${{ matrix.tag }}-arm64
+
       - name: Create the final image using  "docker buildx imagetools create"
         if: github.event_name != 'pull_request' && matrix.tag == 'build-node:debian13'
         run: |
@@ -123,7 +134,7 @@ jobs:
             ghcr.io/${{ env.REPOSITORY_OWNER }}/${{ matrix.tag }}-riscv64
 
       - name: Create the final image using  "docker buildx imagetools create"
-        if: github.event_name != 'pull_request' && matrix.tag != 'build-node:debian13'
+        if: github.event_name != 'pull_request' && matrix.tag != 'build-node:debian13' && matrix.tag != 'client:ubuntu22.04-macOS-26'
         run: |
           docker buildx imagetools create -t ghcr.io/${{ env.REPOSITORY_OWNER }}/${{ matrix.tag }} \
             ghcr.io/${{ env.REPOSITORY_OWNER }}/${{ matrix.tag }}-amd64 \
diff --git a/containers/Dockerfile.EESSI-client-ubuntu22.04-macOS-26 b/containers/Dockerfile.EESSI-client-ubuntu22.04-macOS-26
@@ -0,0 +1,49 @@
+FROM ubuntu:22.04
+
+ENV DEBIAN_FRONTEND=noninteractive
+# These args are designed to match macOS defaults
+# macOS typical IDs:
+# UID=501  -> first user account
+# GID=20   -> "staff" group
+# Matching these allows mounted volumes from macOS to be writable
+ARG USERNAME=eessi
+ARG UID=501
+ARG GID=20
+
+RUN set -eux; \
+    apt-get update -o Acquire::Retries=5 -o Acquire::http::Timeout=30; \
+    apt-get install -y --no-install-recommends \
+        ca-certificates \
+        wget \
+        git \
+        curl \
+        cpio \
+        gnupg2 \
+        sudo \
+        fuse \
+        rpm \
+        rpm2cpio; \
+    update-ca-certificates; \
+    rm -rf /var/lib/apt/lists/*
+
+RUN useradd  --uid ${UID} --gid ${GID} \
+             --create-home --shell /bin/bash ${USERNAME} && \
+    echo "${USERNAME} ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/${USERNAME} && \
+    chmod 0440 /etc/sudoers.d/${USERNAME}
+
+# Install cvmfsexec
+ARG CVMFSEXEC_VERSION=v4.51
+RUN git clone --branch ${CVMFSEXEC_VERSION} --depth 1 https://github.com/cvmfs/cvmfsexec.git /opt/cvmfsexec && \
+    cd /opt/cvmfsexec && \
+    ./makedist default && \
+    chown -R ${USERNAME} /opt/cvmfsexec
+
+WORKDIR /home/${USERNAME}
+
+# Run container as non-root user
+USER ${USERNAME}
+
+ENTRYPOINT ["/bin/sh", "-c", "\
+    sudo chown $(id -un) /dev/fuse 2>/dev/null || true; \
+    exec /opt/cvmfsexec/cvmfsexec software.eessi.io -- \"$@\" \
+", "--"]
