From 8184946754883d8a70a23a29e8b837fc7d1eb312 Mon Sep 17 00:00:00 2001 From: Stephen Kitt Date: Thu, 31 Oct 2024 17:45:12 +0100 Subject: [PATCH] Set up a base distribution in the images This adds the minimum subset of packages required for Fedora, allowing scanners to understand the image and process them correctly (in exchange for a small size increase). Signed-off-by: Stephen Kitt --- package/Dockerfile.lighthouse-agent | 12 ++++++ package/Dockerfile.lighthouse-coredns | 12 ++++++ package/dnf_install | 62 +++++++++++++++++++++++++++ 3 files changed, 86 insertions(+) create mode 100755 package/dnf_install diff --git a/package/Dockerfile.lighthouse-agent b/package/Dockerfile.lighthouse-agent index a96659aaa..7d9cb24cd 100644 --- a/package/Dockerfile.lighthouse-agent +++ b/package/Dockerfile.lighthouse-agent @@ -1,4 +1,5 @@ ARG BASE_BRANCH +ARG FEDORA_VERSION=40 ARG SOURCE=/go/src/github.com/submariner-io/lighthouse FROM --platform=${BUILDPLATFORM} quay.io/submariner/shipyard-dapper-base:${BASE_BRANCH} AS builder @@ -9,12 +10,23 @@ COPY . ${SOURCE} RUN make -C ${SOURCE} LOCAL_BUILD=1 bin/${TARGETPLATFORM}/lighthouse-agent +FROM --platform=${BUILDPLATFORM} fedora:${FEDORA_VERSION} AS base +ARG FEDORA_VERSION +ARG SOURCE +ARG TARGETPLATFORM + +COPY package/dnf_install / + +RUN /dnf_install -a ${TARGETPLATFORM} -v ${FEDORA_VERSION} -r /output/lighthouse-agent \ + setup + FROM --platform=${TARGETPLATFORM} scratch ARG SOURCE ARG TARGETPLATFORM WORKDIR /var/submariner +COPY --from=base /output/lighthouse-agent / COPY --from=builder ${SOURCE}/bin/${TARGETPLATFORM}/lighthouse-agent /usr/local/bin/ ENTRYPOINT ["/usr/local/bin/lighthouse-agent", "-alsologtostderr"] diff --git a/package/Dockerfile.lighthouse-coredns b/package/Dockerfile.lighthouse-coredns index 9a1c2fb1d..71fd0042e 100644 --- a/package/Dockerfile.lighthouse-coredns +++ b/package/Dockerfile.lighthouse-coredns 
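Review bot: The new `base` stage in the `@@ -9,12 +10,23 @@` hunk of package/Dockerfile.lighthouse-agent pulls `fedora:${FEDORA_VERSION}` by short name and mutable tag. The dnf binary, repository configuration and signing keys that populate the root copied into the final scratch image therefore depend on which registry the builder resolves and on what the tag points to at build time. A fully qualified, digest-pinned reference would make that input reproducible and auditable, for example `FROM --platform=${BUILDPLATFORM} <registry>/fedora:${FEDORA_VERSION}@sha256:<digest> AS base` (placeholders, to be filled in by the project). The same line is added in the `@@ -9,6 +10,16 @@` hunk of package/Dockerfile.lighthouse-coredns. In both stages `ARG SOURCE` is declared but not used by the lines shown.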
@@ -1,4 +1,5 @@ ARG BASE_BRANCH +ARG FEDORA_VERSION=40 ARG SOURCE=/go/src/github.com/submariner-io/lighthouse FROM --platform=${BUILDPLATFORM} quay.io/submariner/shipyard-dapper-base:${BASE_BRANCH} AS builder @@ -9,6 +10,16 @@ COPY . ${SOURCE} RUN make -C ${SOURCE} LOCAL_BUILD=1 bin/${TARGETPLATFORM}/lighthouse-coredns +FROM --platform=${BUILDPLATFORM} fedora:${FEDORA_VERSION} AS base +ARG FEDORA_VERSION +ARG SOURCE +ARG TARGETPLATFORM + +COPY package/dnf_install / + +RUN /dnf_install -a ${TARGETPLATFORM} -v ${FEDORA_VERSION} -r /output/lighthouse-coredns \ + setup + FROM --platform=${TARGETPLATFORM} debian:stable-slim AS certificates ARG SOURCE ARG TARGETPLATFORM @@ -19,6 +30,7 @@ FROM --platform=${TARGETPLATFORM} scratch ARG SOURCE ARG TARGETPLATFORM +COPY --from=base /output/lighthouse-coredns / COPY --from=certificates /etc/ssl/certs /etc/ssl/certs COPY --from=builder ${SOURCE}/bin/${TARGETPLATFORM}/lighthouse-coredns /usr/local/bin/ diff --git a/package/dnf_install b/package/dnf_install new file mode 100755 index 000000000..fc5a7b8be --- /dev/null +++ b/package/dnf_install 
@@ -0,0 +1,62 @@
+#!/bin/bash
+
+# Installs packages using dnf to a named root:
+# -a arch - use arch instead of the native arch
+# -k - keep the package cache
+# -r root - install to the named root instead of /output/base
+# -v ver - use the given Fedora version (required)
+#
+# %arch in the package references will be replaced with the chosen arch
+
+INSTALL_ROOT=/output/base
+
+# Limit the number of files so that dnf doesn't spend ages processing fds
+ulimit -n 1048576
+
+while getopts a:kr:v: o
+do
+ case "$o" in
+ a)
+ ARCH="$OPTARG"
+ ;;
+ k)
+ KEEP_CACHE=true
+ ;;
+ r)
+ INSTALL_ROOT="$OPTARG"
+ ;;
+ v)
+ FEDORA_VERSION="$OPTARG"
+ ;;
+ *)
+ echo "$0 doesn't support $o" >&2
+ exit 1
+ ;;
+ esac
+done
+shift $((OPTIND - 1))
+
+if [[ -n "${ARCH}" ]]; then
+ # Convert container arch to Fedora arch
+ ARCH="${ARCH##*/}"
+ case "${ARCH}" in
+ amd64) ARCH=x86_64;;
+ arm64) ARCH=aarch64;;
+ esac
+ arch_args="--forcearch ${ARCH}"
+else
+ # This will be used later, but we won't force
+ ARCH="$(rpm -q --qf "%{arch}" rpm)"
+fi
+
+[[ -z "${FEDORA_VERSION}" ]] && echo I need to know which version of Fedora to install, specify it with -v >&2 && exit 1
+
+if [[ "${INSTALL_ROOT}" != /output/base ]] && [[ ! -d "${INSTALL_ROOT}" ]] && [[ -d /output/base ]]; then
+ cp -a /output/base "${INSTALL_ROOT}"
+fi
+
+dnf -y --setopt=install_weak_deps=0 --nodocs ${arch_args} \
+ --installroot "${INSTALL_ROOT}" --releasever "${FEDORA_VERSION}" \
+ install "${@//\%arch/${ARCH}}"
+
+[[ "${KEEP_CACHE}" == true ]] || dnf -y ${arch_args} --installroot "${INSTALL_ROOT}" --releasever "${FEDORA_VERSION}" clean all
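Review bot: A failed `dnf ... install` near the end of the script goes undetected, because there is no `set -e` and the exit status comes from the final `[[ "${KEEP_CACHE}" == true ]] || dnf ... clean all` line. The Dockerfile `RUN` step can therefore succeed with an empty or partial install root, and the scratch image would ship without the package metadata this commit is meant to give scanners. Ending the install command with `install "${@//\%arch/${ARCH}}" || exit 1` closes that gap. A blanket `set -e` is less suitable here, since it would also abort the build if `ulimit -n 1048576` is refused because the hard limit is lower.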