Store rootfs out-of-tree
Storing the rootfs (`archlinux.tar.xz`) in Git does not scale. It is probably a better solution to store the tarballs somewhere else (e.g. on the mirrors?).
`ADD` can download a file from an HTTP server, but we probably want to verify the file. That can be done with a multistage build (maybe we should just store the sha256sum in-tree?):
```dockerfile
# Stage 0: fetch the rootfs, verify its signature and checksum, then unpack it
FROM archlinux
RUN gpg --batch --keyserver keys.openpgp.org --recv-key DB650286BD9EAE39890D3FE6FE3DC1668CB24956 && \
    curl --remote-name-all https://dl.klausen.dk/arch/docker/archlinux.tar.xz{,.sig} && \
    gpg --batch --verify archlinux.tar.xz{.sig,} && \
    echo "c9e0306774497614e9b1254a9654ddbbdff2020b3e5f12bb46314759412dd80b archlinux.tar.xz" | sha256sum -c && \
    mkdir /rootfs && \
    tar -C /rootfs --extract --file archlinux.tar.xz

# Stage 1: start from an empty image and copy in only the verified rootfs
FROM scratch
COPY --from=0 /rootfs/ /
# manually run all alpm hooks that can't be run inside the fakechroot
RUN ldconfig && update-ca-trust && locale-gen
RUN sh -c 'ls usr/lib/sysusers.d/*.conf | /usr/share/libalpm/scripts/systemd-hook sysusers '
# update /etc/os-release
RUN ln -s /usr/lib/os-release /etc/os-release
# initialize the archlinux keyring, but discard any private key that may be shipped.
RUN pacman-key --init && pacman-key --populate archlinux
RUN rm -rf etc/pacman.d/gnupg/{openpgp-revocs.d/,private-keys-v1.d/,pubring.gpg~,gnupg.S.}*
ENV LANG=en_US.UTF-8
CMD ["/usr/bin/bash"]
```
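The "store the sha256sum in-tree" variant from the paragraph above, as an added example that is not code from the archlinux-docker project: a small POSIX shell script that checks a downloaded rootfs tarball against a `sha256sum`-format list kept in the repository and, optionally, against a detached PGP signature using a pinned keyring, and extracts it only when the checks pass. The function names, the sums-file layout, the `KEYRING` argument and the placeholder paths in the usage comment are assumptions made for this example; it relies on GNU coreutils `sha256sum` and on `gpg` being installed.

```shell
#!/bin/sh
# Added example, not code from the archlinux-docker project: verify a rootfs
# tarball against a sha256sum list kept in-tree and a detached PGP signature,
# and only unpack it once both checks pass. Function names, the sums-file
# layout and the keyring argument are assumptions made for this example.
set -eu

# verify_sha256 TARBALL SUMS_FILE
# SUMS_FILE holds lines in `sha256sum` output format ("<hex>  <name>").
# Only the entry for TARBALL's basename is fed to `sha256sum -c`, so a stale
# or unrelated entry cannot make the check pass. Returns 0 only on a match.
verify_sha256() {
    tarball=$1
    sums=$2
    name=$(basename "$tarball")
    # awk splits on whitespace, so $2 is the file name (names with spaces are not supported)
    line=$(awk -v n="$name" '$2 == n { print; exit }' "$sums")
    if [ -z "$line" ]; then
        echo "no checksum entry for $name in $sums" >&2
        return 1
    fi
    # run the check from the tarball's directory so the bare file name resolves;
    # --strict turns a malformed line into a failure instead of a silent skip
    if ( cd "$(dirname "$tarball")" && printf '%s\n' "$line" | sha256sum -c --quiet --strict - ) >/dev/null 2>&1; then
        return 0
    fi
    echo "checksum mismatch for $name" >&2
    return 1
}

# verify_signature TARBALL KEYRING
# Checks the detached signature TARBALL.sig against a pinned keyring file
# rather than whatever keys the build host's default keyring happens to hold.
verify_signature() {
    gpg --batch --no-default-keyring --keyring "$2" --verify "$1.sig" "$1"
}

# extract_verified TARBALL SUMS_FILE DEST [KEYRING]
# Fail closed: nothing is written under DEST unless the checksum (and, when a
# keyring is given, the signature) checks out.
extract_verified() {
    tarball=$1
    sums=$2
    dest=$3
    keyring=${4:-}
    verify_sha256 "$tarball" "$sums" || return 1
    if [ -n "$keyring" ]; then
        verify_signature "$tarball" "$keyring" || { echo "bad signature on $tarball" >&2; return 1; }
    fi
    mkdir -p "$dest"
    tar -C "$dest" --extract --file "$tarball"
}

# Usage from a build script (paths are placeholders, not real project files):
#   extract_verified archlinux.tar.xz sha256sums.txt /rootfs /path/to/pinned-keyring.gpg
```

Keeping the sums file in the repository means a changed tarball on the mirror shows up as a failed build rather than a silently different image, and passing an explicit keyring to `gpg` avoids depending on whatever the build host has imported.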
Edited by Kristian Klausen