WiP

examples/allinone/Containerfile

@@ -0,0 +1,42 @@
+FROM registry.redhat.io/rhel9/rhel-bootc:9.4
+
+ARG ADMIN_USERNAME=demo \
+    ADMIN_PASSWORD=redhat
+
+RUN <<EOF
+set -Eeuo pipefail
+
+# Enable EPEL repos
+dnf install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm
+
+# Install packages
+dnf install -y mkpasswd podman skopeo flightctl-agent cockpit cockpit-podman cockpit-files \
+               cockpit-ostree cockpit-pcp cockpit-system greenboot greenboot-default-health-checks \
+               stress-ng yq podman-compose tmux tcpdump htop iptraf-ng
+dnf clean all
+
+# Create admin user if specified
+if [ -n "$ADMIN_USERNAME" ]; then
+  useradd -m -G wheel -p "$(echo -n "$ADMIN_PASSWORD" | mkpasswd -m bcrypt --stdin)" "$ADMIN_USERNAME"
+fi
+
+# Pull physically-bound images (see https://docs.fedoraproject.org/en-US/bootc/embedding-containers/)
+/usr/local/bin/embed_image.sh docker.io/library/helloworld:latest
+EOF
+
+ADD --chown=root:root root /
+
+RUN <<EOF
+set -Eeuo pipefail
+
+# Enable systemd services and sockets
+systemctl enable cockpit.socket
+
+# Set proper ownership and SELinux context on SSH authorized keys
+if [ -n "$ADMIN_USERNAME" -a -f "/etc/ssh/authorized_keys/$ADMIN_USERNAME.keys" ]; then
+  chown "$ADMIN_USERNAME:$ADMIN_USERNAME" "/etc/ssh/authorized_keys/$ADMIN_USERNAME.keys"
+fi
+semanage fcontext -a -t ssh_home_t "/etc/ssh/authorized_keys(/.*)?"
+restorecon -Rf /etc/ssh/authorized_keys
+
+EOF

examples/allinone/root/etc/containers/systemd/helloworld.container

@@ -0,0 +1,16 @@
+[Unit]
+Description=Hello, World!
+Require=copy-embedded-images.service
+After=copy-embedded-images.service
+
+[Container]
+Image=docker.io/library/helloworld:latest
+Pull=never
+
+[Service]
+# Containers performs action and then stops gracefully
+Type=oneshot
+
+[Install]
+# Start by default on boot
+WantedBy=multi-user.target default.target

examples/allinone/root/etc/ssh/sshd_config.d/00-authorized_keys.conf

@@ -0,0 +1,3 @@
+AuthorizedKeysFile /etc/ssh/authorized_keys/%u.keys .ssh/authorized_keys
+PermitRootLogin prohibit-password
+#LogLevel DEBUG

examples/allinone/root/etc/sudoers

@@ -0,0 +1,13 @@
+Defaults   !visiblepw
+Defaults    always_set_home
+Defaults    match_group_by_gid
+Defaults    always_query_group_plugin
+Defaults    env_reset
+Defaults    env_keep =  "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS"
+Defaults    env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
+Defaults    env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
+Defaults    env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
+Defaults    env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
+Defaults    secure_path = /sbin:/bin:/usr/sbin:/usr/bin
+root    ALL=(ALL)       NOPASSWD: ALL
+%wheel  ALL=(ALL)       NOPASSWD: ALL

examples/allinone/root/etc/systemd/system/copy-embedded-images.service

@@ -0,0 +1,10 @@
+[Unit]
+Description=Copy embedded images to podman local storage
+
+[Service]
+Type=oneshot
+ExecStart=/usr/local/bin/copy_embedded_images.sh
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target

examples/allinone/root/etc/vconsole.conf

@@ -0,0 +1,2 @@
+KEYMAP="fr-oss"
+FONT="eurlatgr"

examples/allinone/root/usr/lib/bootc/kargs.d/00-console.toml

@@ -0,0 +1,2 @@
+kargs = ["console=tty0", "console=ttyS0"]
+match-architectures = ["x86_64"]

examples/allinone/root/usr/local/bin/copy_embedded_images.sh

@@ -0,0 +1,8 @@
+#!/bin/bash
+
+set -euxo pipefail
+
+while IFS="," read -r image sha
+do
+	skopeo copy --preserve-digests dir:/usr/lib/containers-image-cache/$sha containers-storage:$image
+done < /usr/lib/containers-image-cache/mapping.txt

examples/allinone/root/usr/local/bin/embed_image.sh

@@ -0,0 +1,13 @@
+#!/bin/bash
+
+# See https://gitlab.com/fedora/bootc/examples/-/blob/main/physically-bound-images/README.md
+
+set -euxo pipefail
+
+image=$1
+additional_copy_args=${2:-""}
+
+mkdir -p /usr/lib/containers-image-cache
+sha=$(echo "$image" | sha256sum | awk '{ print $1 }')
+skopeo copy $additional_copy_args --preserve-digests docker://$image dir:/usr/lib/containers-image-cache/$sha
+echo "$image,$sha" >> /usr/lib/containers-image-cache/mapping.txt