Work

.github/workflows/CI.yml

@@ -5,17 +5,17 @@ on: [push, pull_request]
 jobs:
   test:
     # The type of runner that the job will run on
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
 
     # Steps represent a sequence of tasks that will be executed as part of the job
     steps:
       - name: Checks-out repository
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
         with:
           submodules: true
 
       - name: Enable cache
-        uses: actions/cache@v2.1.1
+        uses: actions/cache@v4
         with:
           path: $GITHUB_WORKSPACE/cache
           key: cache
@@ -28,11 +28,11 @@ jobs:
           sudo chown -R 2000:root "$GITHUB_WORKSPACE/cache/apt"
           sudo chown -R 2000:root "$GITHUB_WORKSPACE/cache/certs"
           sudo chown -R $(id -u) "$GITHUB_WORKSPACE/cache/bin"
+          sudo chmod g+w "$GITHUB_WORKSPACE/cache"
+          sudo chown $(id -u) "$GITHUB_WORKSPACE/cache"
 
       - name: Start apt proxy
         run: |
-          # Hiding the read-only token base64 to avoid github disabling it...
-          echo OWMyMGVhYzk4N2NhYWQxYmI3MzhmNTZkODNmOGMwOGJjZjlhNDc4YQo= | base64 -d | docker login ghcr.io -u dubo-dubon-duponey --password-stdin
           docker run --rm -d --expose 443 --expose 80 --pull always \
             --name apt-front \
             --read-only \
@@ -47,12 +47,13 @@ jobs:
             --env ADDITIONAL_DOMAINS=*.debian.org \
             --volume "$GITHUB_WORKSPACE/cache/certs":/certs \
             --volume "$GITHUB_WORKSPACE/cache/apt":/data \
-            ghcr.io/dubo-dubon-duponey/aptutil:bullseye-2021-08-01
+            docker.io/dubodubonduponey/aptutil:bullseye-2021-08-01
 
       - name: test
         run: |
           # Set the path and install the tools
-          BIN_LOCATION="$GITHUB_WORKSPACE/cache/bin" source ./hack/helpers/install-tools.sh
+          export PATH="$HOME/bin:$PATH"
+          ./hack/helpers/install-tools.sh
           # Start buildkit
           bkaddr="$(./hack/helpers/start-buildkit.sh 2>/dev/null)"
           # Sanity check

.gitignore

@@ -1,4 +1,4 @@
 .DS_Store
 /.idea
-*/cache/*
-cache
+cache/
+/xxx-*

.gitmodules

@@ -1,3 +1,3 @@
-[submodule "context/debootstrap/debuerreotype"]
-	path = context/debootstrap/debuerreotype
+[submodule "context/debuerreotype"]
+	path = context/debuerreotype
 	url = https://github.com/debuerreotype/debuerreotype

ADVANCED.md

@@ -3,20 +3,20 @@
 ## Acknowledgements
 
 The Dockerfile of this project relies heavily on
- * [debuerreotype](https://github.com/debuerreotype/debuerreotype),
+ * [debuerreotype](https://github.com/debuerreotype/debuerreotype)
  * [debootstrap](https://wiki.debian.org/Debootstrap)
 
 The build toolchain relies on:
- * [qemu](https://www.qemu.org/),
+ * [qemu](https://www.qemu.org/)
  * [cue](https://cuelang.org/)
- * [buildkit](https://github.com/moby/buildkit).
+ * [buildkit](https://github.com/moby/buildkit)
 
 ## Cue environment
 
 The build supports advanced environment control, allowing you to use apt mirrors (or proxy cache), complete with TLS,
 authentication and gpg signing.
 
-To access these features, create a cue file, for example `env.cue`, as follow:
+To access these features, create a cue file, for example `env.cue`, as follows:
 
 ```cue
 package cake
@@ -123,9 +123,9 @@ If you experience any issue, please share configuration details.
 
 The `context/cache` folder is part of the build context.
 
-As such, if it grows really big (with many different versions), assembling the final image will become slooooooow.
+As such, if it grows real big (with many different versions), assembling the final image will become slooooooow.
 
-It is recommended to clean-up this folder from older / useless versions from time to time to avoid such adverse side-effects.
+It is recommended to clean up this folder from older / useless versions from time to time to avoid such adverse side-effects.
 
 You may also override the cue `input: context:` and `output: directory` to better control where these artifacts are going.
 

Dockerfile

@@ -1,18 +1,18 @@
-# FROM_REGISTRY controls the base location for the starting image for the debootstrap stage
-# If set to "", the starting image will be scratch instead, and an already built local tarball will be used
-ARG           FROM_REGISTRY=ghcr.io/dubo-dubon-duponey
-# FROM_IMAGE_BUILDER further allow changing the image name, tag and digest for the debootstrap stage
-ARG           FROM_IMAGE_BUILDER=debian@sha256:d17b322f1920dd310d30913dd492cbbd6b800b62598f5b6a12d12684aad82296
-# FROM_IMAGE_RUNTIME allows specifying a starting image for the final debian image (defaults to scratch)
+# If FROM_REGISTRY is set, we will use FROM_REGISTRY/FROM_IMAGE_BUILDER as a starting point.
+# If not set, we will use scratch (and use a local rootfs tarball insteaad)
+ARG           FROM_REGISTRY=docker.io
+# FROM_IMAGE_BUILDER further allows changing the image being used for the first debootstrap
+ARG           FROM_IMAGE_BUILDER=debian:bookworm-20240211-slim
+# FROM_IMAGE_RUNTIME controls what base image we are going to use for the final debian image (defaults to scratch)
 ARG           FROM_IMAGE_RUNTIME=scratch
 
 # Private helper
 ARG           _private_df="${FROM_REGISTRY:+$FROM_REGISTRY/$FROM_IMAGE_BUILDER}"
 
 ########################################################################################################################
-# The debootstrap stage is meant to prepare a Debian rootfs in the form of a tarball.
+# The debootstrap stage is meant to prepare a Debian rootfs tarball.
 # The starting point may be either an online Debian image (as defined by FROM_REGISTRY/FROM_IMAGE_BUILDER),
-# or an already existing local debian rootfs (in case FROM_REGISTRY == "")
+# or an already existing local debian rootfs (if FROM_REGISTRY == "")
 # By default, snapshot.debian.org is being used as a source to debootstrap, for TARGET_SUITE and TARGET_DATE
 # Alternatively, you can build from a private / specific Debian repository by specifying the TARGET_REPOSITORY secret
 # In that case, TARGET_SUITE and TARGET_DATE are no-ops
@@ -23,17 +23,17 @@ FROM          ${_private_df:-scratch}
 SHELL         ["/bin/bash", "-o", "errexit", "-o", "errtrace", "-o", "functrace", "-o", "nounset", "-o", "pipefail", "-c"]
 
 # > If the image is built from snapshot.debian.org (eg: if the TARGET_REPOSITORY secret has NOT been set), this will fetch from that date
-ARG           TARGET_DATE="2021-07-01"
+ARG           TARGET_DATE="2024-03-01"
 # > Which Debian suite to fetch (same as above)
-ARG           TARGET_SUITE="bullseye"
+ARG           TARGET_SUITE="bookworm"
 
 # > This is tricky: repeat ARG, so that we can access the value of FROM_IMAGE_BUILDER below
 ARG           _private_df
-# If _DEBOOTSTRAP_FROM is set, then set the tarball to nonexistent* (glob is here to prevent a hard error with Docker)
-# Now, if there is no _DEBOOTSTRAP_FROM (which happens if FROM_REGISTRY is neutered), then use a bullseye tarball from 2021-07-01
+# If _private_df is set, then set the tarball to .gitkeep (glob is here to prevent a hard error with Docker)
+# Now, if there is no _private_df (which happens if FROM_REGISTRY is ""), then use a bookworm tarball from 2024-03-01
 # (that is expected to have been built)
-ENV           FROM_TARBALL="${_private_df:+nonexistent*}"
-ENV           FROM_TARBALL="${FROM_TARBALL:-bullseye-2021-07-01.tar}"
+ENV           FROM_TARBALL="${_private_df:+.gitkeep}"
+ENV           FROM_TARBALL="${FROM_TARBALL:-bookworm-2024-03-01.tar}"
 
 # > Optionally, the final content to commit to etc/apt/sources.list in the debootstrap
 # If this is not set, /etc/apt/sources.list will point to either snapshot.debian.org or YOURREPO if you were using TARGET_REPOSITORY=TARGET_REPOSITORY/foo
@@ -61,11 +61,14 @@ ENV           CURL_HOME=/run/secrets
 # NOTE: for calls where we do NOT need our overrides (purge, etc), hence where we do not mount the corresponding secrets,
 # apt will issue a warning about not finding the file
 ENV           APT_CONFIG=/run/secrets/APT_CONFIG
+RUN           mkdir -p "$(dirname "$APT_CONFIG")"
 RUN           touch "$APT_CONFIG"
 
 # > STEP 1: install debootstrap
 # Apt downgrades to _apt (uid 100) when doing the actual request
 # NOTE: Using the extension .gpg is required for apt to consider it :s
+# Note: debootstrapping from online non-us image means... we float on the package versions
+# hadolint ignore=DL3008
 RUN           --mount=type=secret,uid=100,id=CA \
               --mount=type=secret,uid=100,id=CERTIFICATE \
               --mount=type=secret,uid=100,id=KEY \
@@ -74,17 +77,17 @@ RUN           --mount=type=secret,uid=100,id=CA \
               --mount=type=secret,id=APT_SOURCES \
               --mount=type=secret,id=APT_CONFIG \
               apt-get update -qq && apt-get install -qq --no-install-recommends \
-                debootstrap=1.0.123 \
-                curl=7.74.0-1.2 \
-                xz-utils=5.2.5-2
+                debootstrap \
+                curl \
+                xz-utils
 
 # > STEP 2: add debuerreotype
 COPY          ./debuerreotype/scripts /usr/sbin/
 
-# Copy over our deviation script
+# Copy over our patched scripts
 # See comments inline for reason to have this
 # NOTE: other scripts insist in calling a script in the SAME dir, so /usr/sbin it is
-COPY          ./debuerreotype-chroot  /usr/sbin/
+COPY          ./patch/*  /usr/sbin/
 
 # This is our simplified chroot for use-cases we do control
 COPY          ./dubo-chroot  /usr/sbin/
@@ -186,8 +189,8 @@ FROM          $FROM_IMAGE_RUNTIME
 SHELL         ["/bin/bash", "-o", "errexit", "-o", "errtrace", "-o", "functrace", "-o", "nounset", "-o", "pipefail", "-c"]
 
 # What we want
-ARG           TARGET_SUITE="buster"
-ARG           TARGET_DATE="2020-07-01"
+ARG           TARGET_SUITE="bookworm"
+ARG           TARGET_DATE="2024-03-01"
 ARG           TARGETPLATFORM
 
 # Load it!
@@ -229,14 +232,15 @@ ENV           GNUTLS_FORCE_FIPS_MODE=1
 
 # Little helper for our secrets
 ENV           APT_CONFIG=/run/secrets/APT_CONFIG
+RUN           mkdir -p "$(dirname "$APT_CONFIG")"
 RUN           touch "$APT_CONFIG"
 
 # NOTE: this does not quite work as expected unfortunately - this cannot be overloaded in a dockerfile, but can be --build-arg-ed at build time
 ONBUILD ARG   PRELOAD_PACKAGES=""
 ONBUILD ARG   UNLOAD_PACKAGES=""
 ONBUILD ARG   L3=""
 
-# hadolint ignore=DL3008
+# hadolint ignore=DL3008,SC2086
 ONBUILD RUN   --mount=type=secret,uid=100,id=CA \
               --mount=type=secret,uid=100,id=CERTIFICATE \
               --mount=type=secret,uid=100,id=KEY \

README.md

@@ -13,12 +13,7 @@ Features:
    * resulting images are in the range of 25MB
  * multi-architecture
    * amd64
-   * 386
    * arm64
-   * arm/v7
-   * arm/v6
-   * s390x
-   * ppc64le
 
 ## Important
 
@@ -36,29 +31,40 @@ Build
 
 ```bash
 ./hack/build.sh debootstrap \
-  --inject date="2021-08-01" \
-  --inject suite="bullseye"
+  --inject date="2024-03-01" \
+  --inject suite="bookworm"
 ```
 
-Assemble and push
+Assemble and push 
 
 ```bash
 ./hack/build.sh debian \
-  --inject date="2021-08-01" \
-  --inject suite="bullseye" \
-  --inject tags=registry.com/name/image:tag
+  --inject date="2024-03-01" \
+  --inject suite="bookworm" \
 ```
 
+Note that the above will by default try to push to `docker.io/dubodubonduponey/debian`.
+Edit `recipe.cue`, or better, use an `env.cue` file (see [advanced](ADVANCED.md) for that) to control
+the push destination.
+
 ## Configuration
 
 You can control additional aspects of the build passing arguments:
 
+Building a subset of architectures:
+```bash
+./hack/build.sh debootstrap \
+  --inject date="2024-03-01" \
+  --inject suite="bookworm" \
+  --inject platforms="linux/arm64"
+```
+
+Building from a private debian repository instead:
 ```bash
-# Building a subset of architectures
 ./hack/build.sh debootstrap \
-  --inject date="2021-08-01" \
-  --inject suite="bullseye" \
-  --inject platforms="linux/arm/v6"
+  --inject date="2024-03-01" \
+  --inject suite="bookworm" \
+  --inject repository="https://private.deb.repo/debian/foo/bar"
 ```
 
 Building offline:
@@ -69,8 +75,8 @@ Building offline:
 
 # Now, you can build without access to a registry
 ./hack/build.sh debootstrap \
-  --inject date="2021-08-01" \
-  --inject suite="bullseye" \
+  --inject date="2024-03-01" \
+  --inject suite="bookworm" \
   --inject registry=""
 
 # You can further control networking and other build aspect through a cue environment (see ADVANCED)