diff --git a/.github/workflows/build-publish-containers.yml b/.github/workflows/build-publish-containers.yml index 4c2c6709..88b4266b 100644 --- a/.github/workflows/build-publish-containers.yml +++ b/.github/workflows/build-publish-containers.yml @@ -33,7 +33,7 @@ jobs: contents: read strategy: matrix: - tag: ['client:rocky8', 'build-node:debian11', 'build-node:debian12', 'build-node:debian13'] + tag: ['client:rocky8', 'build-node:debian11', 'build-node:debian12', 'build-node:debian13', 'client:ubuntu22.04-macOS-26'] platform: [amd64, arm64, riscv64] exclude: # exclude images that don't support RISC-V @@ -43,6 +43,11 @@ jobs: platform: riscv64 - tag: build-node:debian12 platform: riscv64 + # limit the new macOS to arm64 only + - tag: client:ubuntu22.04-macOS-26 + platform: amd64 + - tag: client:ubuntu22.04-macOS-26 + platform: riscv64 steps: - name: Check out the repo @@ -100,7 +105,7 @@ jobs: contents: read strategy: matrix: - tag: ['client:rocky8', 'build-node:debian11', 'build-node:debian12', 'build-node:debian13'] + tag: ['client:rocky8', 'build-node:debian11', 'build-node:debian12', 'build-node:debian13', 'client:ubuntu22.04-macOS-26'] steps: - name: Login to GitHub Container Registry if: github.event_name != 'pull_request' @@ -114,6 +119,12 @@ jobs: run: | echo REPOSITORY_OWNER=$(echo ${{ github.repository_owner }} | tr '[:upper:]' '[:lower:]') >> $GITHUB_ENV + - name: Create the final image using "docker buildx imagetools create" + if: github.event_name != 'pull_request' && matrix.tag == 'client:ubuntu22.04-macOS-26' + run: | + docker buildx imagetools create -t ghcr.io/${{ env.REPOSITORY_OWNER }}/${{ matrix.tag }} \ + ghcr.io/${{ env.REPOSITORY_OWNER }}/${{ matrix.tag }}-arm64 + - name: Create the final image using "docker buildx imagetools create" if: github.event_name != 'pull_request' && matrix.tag == 'build-node:debian13' run: | 
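Review bot: The platform set for `client:ubuntu22.04-macOS-26` is now encoded by hand in three places: the two new `exclude` entries in the build matrix, the dedicated arm64-only `imagetools create` step added here, and the extra `matrix.tag != 'client:ubuntu22.04-macOS-26'` clause on the catch-all step in the following hunk. If these drift apart, the catch-all step would reference a `-amd64` image that was never pushed, or a published manifest would omit a platform that was built. All three steps also share the same `name`, so the job log does not show which variant ran; something like `name: Create the final image (arm64 only)` on the new step would make that visible. In the new `run:` lines the owner is available as the shell variable `"$REPOSITORY_OWNER"` (written to `$GITHUB_ENV` by the preceding step), which avoids expanding `${{ env.REPOSITORY_OWNER }}` into the script text.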
@@ -123,7 +134,7 @@ jobs: ghcr.io/${{ env.REPOSITORY_OWNER }}/${{ matrix.tag }}-riscv64 - name: Create the final image using "docker buildx imagetools create" - if: github.event_name != 'pull_request' && matrix.tag != 'build-node:debian13' + if: github.event_name != 'pull_request' && matrix.tag != 'build-node:debian13' && matrix.tag != 'client:ubuntu22.04-macOS-26' run: | docker buildx imagetools create -t ghcr.io/${{ env.REPOSITORY_OWNER }}/${{ matrix.tag }} \ ghcr.io/${{ env.REPOSITORY_OWNER }}/${{ matrix.tag }}-amd64 \ diff --git a/containers/Dockerfile.EESSI-client-ubuntu22.04-macOS-26 b/containers/Dockerfile.EESSI-client-ubuntu22.04-macOS-26 new file mode 100644 index 00000000..841b5005 --- /dev/null +++ b/containers/Dockerfile.EESSI-client-ubuntu22.04-macOS-26 
@@ -0,0 +1,49 @@
+FROM ubuntu:22.04
+
+ENV DEBIAN_FRONTEND=noninteractive
+# These args are designed to match macOS defaults
+# macOS typical IDs:
+# UID=501 -> first user account
+# GID=20 -> "staff" group
+# Matching these allows mounted volumes from macOS to be writable
+ARG USERNAME=eessi
+ARG UID=501
+ARG GID=20
+
+RUN set -eux; \
+ apt-get update -o Acquire::Retries=5 -o Acquire::http::Timeout=30; \
+ apt-get install -y --no-install-recommends \
+ ca-certificates \
+ wget \
+ git \
+ curl \
+ cpio \
+ gnupg2 \
+ sudo \
+ fuse \
+ rpm \
+ rpm2cpio; \
+ update-ca-certificates; \
+ rm -rf /var/lib/apt/lists/*
+
+RUN useradd --uid ${UID} --gid ${GID} \
+ --create-home --shell /bin/bash ${USERNAME} && \
+ echo "${USERNAME} ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/${USERNAME} && \
+ chmod 0440 /etc/sudoers.d/${USERNAME}
+
+# Install cvmfsexec
+ARG CVMFSEXEC_VERSION=v4.51
+RUN git clone --branch ${CVMFSEXEC_VERSION} --depth 1 https://github.com/cvmfs/cvmfsexec.git /opt/cvmfsexec && \
+ cd /opt/cvmfsexec && \
+ ./makedist default && \
+ chown -R ${USERNAME} /opt/cvmfsexec
+
+WORKDIR /home/${USERNAME}
+
+# Run container as non-root user
+USER ${USERNAME}
+
+ENTRYPOINT ["/bin/sh", "-c", "\
+ sudo chown $(id -un) /dev/fuse 2>/dev/null || true; \
+ exec /opt/cvmfsexec/cvmfsexec software.eessi.io -- \"$@\" \
+", "--"]
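Review bot: The sudoers line grants `${USERNAME}` `NOPASSWD:ALL`, so the `USER ${USERNAME}` setup under "Run container as non-root user" does not actually limit privilege: any process in the container can become root through `sudo`. The only sudo use visible in this file is the `chown` of `/dev/fuse` in the ENTRYPOINT, so unless cvmfsexec needs more at runtime the rule can be narrowed to that one command, e.g. `echo "${USERNAME} ALL=(root) NOPASSWD: /usr/bin/chown ${USERNAME} /dev/fuse" > /etc/sudoers.d/${USERNAME}`. That ENTRYPOINT line also discards the chown's error output and status (`2>/dev/null || true`), so a missing or unusable `/dev/fuse` only shows up later as a cvmfsexec failure. Separately, `git clone --branch ${CVMFSEXEC_VERSION}` follows a tag that can be moved upstream, and `./makedist default` is then run as root during the build. Checking out a pinned commit hash, and pinning `FROM ubuntu:22.04` by digest, would make the build reproducible and the executed script auditable.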