# syntax=docker/dockerfile:1.9
#
# Containerfile.minimal — MiOS sibling target on bare Fedora bootc.
#
# Status: STUB / EXPERIMENTAL. Produces a runnable bootc image but does NOT
# reach feature parity with the canonical Containerfile (ucore-hci-rooted).
#
# Why this exists: the canonical Containerfile chains FROM ublue-os/ucore-hci,
# inheriting libvirt + cockpit-machines + ZFS + NVIDIA kmod + ublue MOK +
# ublue's libvirt SELinux workarounds. Operators who don't need the HCI
# surface (no virt host, no GPU passthrough, no Ceph cluster) pay for it
# anyway -- the ucore-rooted image is ~2.5 GB vs ~1.2 GB for bare
# fedora-bootc. This sibling exists so a "MiOS-Lite" tag can be produced
# for those workloads, AND so MiOS can keep tracking direct upstream bootc
# releases without the ucore intermediary lag.
#
# What works:
# - MiOS file overlay (usr/, etc/, automation/lib/packages.sh)
# - AI surface (mios-ai, ollama, MCP, OpenAI v1 manifests)
# - Forgejo + Forgejo Runner self-replication loop
# - Cockpit, greenboot, uupd
# - sealed-image-candidate composefs+fsverity hooks (gap #1 from the
# bootc-comparison.md analysis)
# - All 6 architectural laws enforced by 99-postcheck.sh
#
# What needs follow-up to reach parity with the canonical Containerfile:
# - NVIDIA kmod baking (canonical uses ublue's pre-signed kmod RPMs;
# bare fedora-bootc would need akmod-nvidia + own MOK signing flow,
# ~1 week of work)
# - libvirt + cockpit-machines (ucore baked + ublue's
# ublue-os-libvirt-workarounds.service for SELinux quirks; ~1 day to
# re-derive ourselves if [packages.virt] is added back)
# - ZFS (ucore ships zfs since Jun 2025; bare fedora-bootc needs out-of-
# tree kmod + own signing, ~3 days)
# - Secure Boot MOK (ucore ships a default MOK + secure_boot.der;
# ~2 days to roll our own)
#
# How to build:
# podman build -f Containerfile.minimal -t localhost/mios-minimal:latest .
#
# How to test ephemerally (no install, just verify it boots):
# bcvk run-ephemeral localhost/mios-minimal:latest
#
# How to deploy:
# bootc switch --transport containers-storage localhost/mios-minimal:latest
#
# Base image is a build-arg so CI can pin it by tag or by digest
# (--build-arg BASE_IMAGE=quay.io/fedora/fedora-bootc:<tag>@sha256:<digest>).
# It is declared before the first FROM so that every FROM line can see it.
ARG BASE_IMAGE=quay.io/fedora/fedora-bootc:latest

# Staging stage: holds the repo overlay so the build stage can bind-mount it
# read-only instead of COPYing it into a layer of the final image.
FROM scratch AS ctx
# usr/ carries usr/share/mios/mios.toml, the [packages.<section>].pkgs SSOT
# that automation/lib/packages.sh resolves. The COPY lands it at
# /ctx/usr/share/mios/mios.toml, the lowest-precedence default the resolver
# picks up via $MIOS_TOML in the build stage.
COPY usr/ /ctx/usr/
COPY etc/ /ctx/etc/
COPY automation/ /ctx/automation/
COPY tools/ /ctx/tools/
COPY VERSION /ctx/VERSION
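FROM ${BASE_IMAGE}

# Re-declare the pre-FROM ARG: it is only visible in FROM lines until it is
# redeclared inside the stage, and we want to record it in the image metadata.
ARG BASE_IMAGE
ARG MIOS_VERSION=0.2.4
ARG MIOS_VARIANT=minimal

# OCI metadata in one instruction. version/variant labels derive from
# MIOS_VARIANT rather than repeating the literal "minimal", so a rebuild with
# a different --build-arg cannot leave the labels disagreeing with the
# variant actually built. base.name records the base that was resolved at
# build time (the tag or digest passed via BASE_IMAGE).
LABEL org.opencontainers.image.title="MiOS-Lite" \
      org.opencontainers.image.description="Minimal MiOS variant on bare Fedora bootc (no NVIDIA kmod, no libvirt, no ZFS)" \
      org.opencontainers.image.licenses="Apache-2.0" \
      org.opencontainers.image.source="https://github.com/mios-dev/MiOS" \
      org.opencontainers.image.version="v${MIOS_VERSION}-${MIOS_VARIANT}" \
      org.opencontainers.image.variant="${MIOS_VARIANT}" \
      org.opencontainers.image.base.name="${BASE_IMAGE}" \
      containers.bootc="1" \
      ostree.bootable="1" \
      mios.variant="${MIOS_VARIANT}"

# bootc images boot systemd as PID 1; exec form so no shell wraps it.
CMD ["/sbin/init"]

ARG MIOS_USER=mios
ARG MIOS_HOSTNAME=mios
# AI defaults. MIOS_OLLAMA_BAKE_MODELS is intentionally empty: the minimal
# track pulls models on first boot instead of baking them at build time
# (smaller image, slower first boot).
ARG MIOS_AI_MODEL=qwen2.5-coder:7b
ARG MIOS_AI_EMBED_MODEL=nomic-embed-text
ARG MIOS_OLLAMA_BAKE_MODELS=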
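# Curated phase set for the minimal track. The canonical build.sh runs
# 50+ phases that assume ucore-hci's prebakes; this RUN invokes only the
# phases that work cleanly on bare fedora-bootc.
#
# The overlay is bind-mounted read-only from the ctx stage and copied to a
# scratch dir so the phases may chmod/sed it; the dnf caches are BuildKit
# cache mounts and never become part of the image. Everything runs in one
# layer so the cleanup at the end actually shrinks the image.
RUN --mount=type=bind,from=ctx,source=/ctx,target=/ctx,ro \
    --mount=type=cache,dst=/var/cache/libdnf5,sharing=locked \
    --mount=type=cache,dst=/var/cache/dnf,sharing=locked \
    set -ex; \
    install -d -m 0755 /tmp/build; \
    cp -a /ctx/automation /ctx/usr /ctx/etc /ctx/VERSION /ctx/tools /tmp/build/; \
    # Same defensive CRLF normalization as the canonical Containerfile.
    find /tmp/build -type f \
        \( -name "*.sh" -o -name "*.toml" -o -name "*.conf" \
        -o -name "*.yaml" -o -name "*.yml" -o -name "*.json" \
        -o -name "*.md" -o -name "*.service" -o -name "*.socket" \
        -o -name "*.timer" -o -name "*.target" -o -name "*.preset" \
        -o -name "*.container" -o -name "*.image" -o -name "*.kube" \
        -o -name "*.volume" -o -name "*.repo" -o -name "*.policy" \
        -o -name "*.rules" \) \
        -exec sed -i 's/\r$//' {} +; \
    export MIOS_TOML=/tmp/build/usr/share/mios/mios.toml; \
    # Honour the stage ARG instead of re-hardcoding "minimal" so the labels
    # and the package resolver can never disagree about the variant.
    export MIOS_VARIANT="${MIOS_VARIANT:-minimal}"; \
    # POSIX "." rather than the bash-only "source"; same effect under bash.
    . /tmp/build/automation/lib/packages.sh; \
    ${DNF_BIN:-dnf5} clean metadata 2>/dev/null || true; \
    # Curated package sections for minimal -- the canonical install pulls
    # everything in mios.toml's [packages].sections; this pulls only the
    # core operator/dev/AI/cockpit set. Operators graduating to full-stack
    # add sections back via /etc/mios/mios.toml [packages].sections.
    install_packages_strict base; \
    install_packages_strict containers; \
    install_packages_strict ai; \
    install_packages_strict cockpit; \
    install_packages_strict self-build; \
    install_packages_strict updater; \
    install_packages_strict sbom-tools; \
    install_packages_strict utils; \
    install_packages_strict security; \
    bash /tmp/build/automation/08-system-files-overlay.sh; \
    chmod +x /tmp/build/automation/*.sh 2>/dev/null || true; \
    # Curated phase set:
    #   42-cosign-policy            — supply-chain policy.json (sealed-track)
    #   43-uupd-installer           — day-2 update daemon
    #   46-greenboot                — health-check rollback
    #   47-hardening                — minimal kargs + sysctl hardening
    #   49-finalize                 — symlinks, perms, motd
    #   50-enable-log-copy-service  — preserve build logs into /var/log/mios
    #   99-cleanup                  — strip build cruft
    #   99-postcheck                — invariants validation (LAW 1-6)
    # SKIPPED: 02-kernel, 09-fonts, 10-gnome, 11-hardware, 12-virt,
    # 13-ceph-k3s, 18-26 GNOME/freeipa/firewall extras, 34-37 GPU stack,
    # 36-akmod-guards, 38-39 desktop polish, 40-flatpak-bake,
    # 41-gpu-cdi-toolkits, 44-podman-machine-compat, 45-nvidia-cdi-refresh,
    # 52-53 kvmfr/lookingglass, 91-strip-build-toolchain, 98-boot-config.
    for phase in \
        42-cosign-policy.sh \
        43-uupd-installer.sh \
        46-greenboot.sh \
        47-hardening.sh \
        49-finalize.sh \
        50-enable-log-copy-service.sh \
        99-cleanup.sh \
        99-postcheck.sh \
    ; do \
        script="/tmp/build/automation/${phase}"; \
        # A curated phase that is missing or not executable is a broken
        # overlay, not an optional step: 99-postcheck is what enforces
        # LAW 1-6, so silently skipping it (the old "|| continue") would let
        # an unvalidated image through. Abort loudly instead.
        [ -x "$script" ] || { echo "[minimal-build] ABORT: ${phase} missing or not executable"; exit 1; }; \
        echo "[minimal-build] running ${phase}"; \
        bash "$script" || { echo "[minimal-build] ABORT: ${phase} failed"; exit 1; }; \
    done; \
    # Same binary as the metadata clean above, for consistency.
    # NOTE(review): "clean all" also empties the cache mounts declared on
    # this RUN, so the next build re-downloads metadata; confirm whether
    # "clean packages" would be enough if rebuild time matters.
    ${DNF_BIN:-dnf5} clean all; \
    rm -rf /tmp/build; \
    # Strip build residue from /var, keeping only /var/tmp and /var/cache
    # (the cache mounts are detached when this RUN ends, so nothing from
    # them is committed). /run keeps only "secrets".
    find /var -mindepth 1 -maxdepth 1 ! -name tmp ! -name cache -exec rm -rf {} +; \
    find /run -mindepth 1 -maxdepth 1 ! -name "secrets" -exec rm -rf {} + 2>/dev/null || true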
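# Shell completion for the bootc CLI. mkdir -p guards the case where no
# package created /etc/bash_completion.d (the redirect would otherwise fail
# the build); mkdir rather than install -d so an existing dir keeps its mode.
RUN mkdir -p /etc/bash_completion.d \
    && bootc completion bash > /etc/bash_completion.d/bootc
# ostree's post-processing for container-built layers.
RUN ostree container commit
# bootc container lint MUST be the final instruction (LAW 4).
RUN bootc container lint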