From 1bfa532b16504002302bedc994b7bb5ed8c3113b Mon Sep 17 00:00:00 2001 From: Richard Top Date: Tue, 10 Mar 2026 12:40:09 +0100 Subject: [PATCH 1/4] Add client container for macOS Tahoe --- .../workflows/build-publish-containers.yml | 17 ++++++-- ...rfile.EESSI-client-ubuntu22.04-macOS-Tahoe | 42 +++++++++++++++++++ 2 files changed, 56 insertions(+), 3 deletions(-) create mode 100644 containers/Dockerfile.EESSI-client-ubuntu22.04-macOS-Tahoe diff --git a/.github/workflows/build-publish-containers.yml b/.github/workflows/build-publish-containers.yml index 4c2c6709..189465cd 100644 --- a/.github/workflows/build-publish-containers.yml +++ b/.github/workflows/build-publish-containers.yml @@ -33,7 +33,7 @@ jobs: contents: read strategy: matrix: - tag: ['client:rocky8', 'build-node:debian11', 'build-node:debian12', 'build-node:debian13'] + tag: ['client:rocky8', 'build-node:debian11', 'build-node:debian12', 'build-node:debian13', 'client:ubuntu22.04-macOS-Tahoe'] platform: [amd64, arm64, riscv64] exclude: # exclude images that don't support RISC-V @@ -43,6 +43,11 @@ jobs: platform: riscv64 - tag: build-node:debian12 platform: riscv64 + # limit the new macOS to arm64 only + - tag: client:ubuntu22.04-macOS-Tahoe + platform: amd64 + - tag: client:ubuntu22.04-macOS-Tahoe + platform: riscv64 steps: - name: Check out the repo @@ -100,7 +105,7 @@ jobs: contents: read strategy: matrix: - tag: ['client:rocky8', 'build-node:debian11', 'build-node:debian12', 'build-node:debian13'] + tag: ['client:rocky8', 'build-node:debian11', 'build-node:debian12', 'build-node:debian13', 'client:ubuntu22.04-macOS-Tahoe'] steps: - name: Login to GitHub Container Registry if: github.event_name != 'pull_request' 
@@ -114,6 +119,12 @@ jobs: run: | echo REPOSITORY_OWNER=$(echo ${{ github.repository_owner }} | tr '[:upper:]' '[:lower:]') >> $GITHUB_ENV + - name: Create the final image using "docker buildx imagetools create" + if: github.event_name != 'pull_request' && matrix.tag == 'client:ubuntu22.04-macOS-Tahoe' + run: | + docker buildx imagetools create -t ghcr.io/${{ env.REPOSITORY_OWNER }}/${{ matrix.tag }} \ + ghcr.io/${{ env.REPOSITORY_OWNER }}/${{ matrix.tag }}-arm64 + - name: Create the final image using "docker buildx imagetools create" if: github.event_name != 'pull_request' && matrix.tag == 'build-node:debian13' run: | @@ -123,7 +134,7 @@ jobs: ghcr.io/${{ env.REPOSITORY_OWNER }}/${{ matrix.tag }}-riscv64 - name: Create the final image using "docker buildx imagetools create" - if: github.event_name != 'pull_request' && matrix.tag != 'build-node:debian13' + if: github.event_name != 'pull_request' && matrix.tag != 'build-node:debian13' && matrix.tag != 'client:ubuntu22.04-macOS-Tahoe' run: | docker buildx imagetools create -t ghcr.io/${{ env.REPOSITORY_OWNER }}/${{ matrix.tag }} \ ghcr.io/${{ env.REPOSITORY_OWNER }}/${{ matrix.tag }}-amd64 \ diff --git a/containers/Dockerfile.EESSI-client-ubuntu22.04-macOS-Tahoe b/containers/Dockerfile.EESSI-client-ubuntu22.04-macOS-Tahoe new file mode 100644 index 00000000..49889373 --- /dev/null +++ b/containers/Dockerfile.EESSI-client-ubuntu22.04-macOS-Tahoe 
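Review bot: The `if:` on the last imagetools step in the `@@ -123,7 +134,7 @@` hunk now excludes two tags by name, and the step added in the `@@ -114,6 +119,12 @@` hunk repeats the same tag literal, so the platform set of a tag is spelled out once in the build matrix `exclude` list and again in these conditions. A tag added in one place but not the other would make the default step reference `-amd64`/`-arm64` images that were never pushed (inferred; the build job itself is outside these hunks). A comment above the steps, e.g. `# keep these conditions in sync with the matrix exclude list in the build job`, would make the coupling visible.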
@@ -0,0 +1,42 @@
+FROM ubuntu:22.04
+
+ENV DEBIAN_FRONTEND=noninteractive
+ARG USERNAME=eessi
+ARG UID=501
+ARG GID=20
+
+RUN set -eux; \
+ apt-get update -o Acquire::Retries=5 -o Acquire::http::Timeout=30; \
+ apt-get install -y --no-install-recommends \
+ ca-certificates \
+ wget \
+ git \
+ curl \
+ cpio \
+ gnupg2 \
+ sudo \
+ fuse \
+ rpm \
+ rpm2cpio; \
+ update-ca-certificates; \
+ rm -rf /var/lib/apt/lists/*
+
+
+RUN useradd --uid ${UID} --gid ${GID} \
+ --create-home --shell /bin/bash ${USERNAME} && \
+ echo "${USERNAME} ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/${USERNAME} && \
+ chmod 0440 /etc/sudoers.d/${USERNAME}
+
+
+RUN git clone https://github.com/cvmfs/cvmfsexec.git /opt/cvmfsexec && \
+ cd /opt/cvmfsexec && \
+ ./makedist default && \
+ chown -R ${USERNAME} /opt/cvmfsexec
+
+WORKDIR /home/${USERNAME}
+USER ${USERNAME}
+
+ENTRYPOINT ["/bin/sh", "-c", "\
+ sudo chown $(id -un) /dev/fuse 2>/dev/null || true; \
+ exec /opt/cvmfsexec/cvmfsexec software.eessi.io -- \"$@\" \
+", "--"]
From 9581d16541b32205a29e2c49e111c688ee9817c3 Mon Sep 17 00:00:00 2001
From: Richard Top
Date: Wed, 11 Mar 2026 09:24:51 +0100
Subject: [PATCH 2/4] added enhancement
---
.github/workflows/build-publish-containers.yml | 12 ++++++------
.../Dockerfile.EESSI-client-ubuntu22.04-macOS-Tahoe | 13 ++++++++++---
2 files changed, 16 insertions(+), 9 deletions(-)
diff --git a/.github/workflows/build-publish-containers.yml b/.github/workflows/build-publish-containers.yml
index 189465cd..fd582337 100644
--- a/.github/workflows/build-publish-containers.yml
+++ b/.github/workflows/build-publish-containers.yml
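Review bot: The `useradd` step writes `${USERNAME} ALL=(ALL) NOPASSWD:ALL` into `/etc/sudoers.d/`, so the later `USER ${USERNAME}` gives no privilege separation: any process in the container can become root without a password. The only sudo use visible in this file is the `chown` of `/dev/fuse` in the ENTRYPOINT, so the rule can be narrowed to that one command, e.g. `echo "${USERNAME} ALL=(root) NOPASSWD: /usr/bin/chown ${USERNAME} /dev/fuse" > /etc/sudoers.d/${USERNAME}` (binary path assumed for ubuntu:22.04; confirm with `command -v chown`). The same line is carried unchanged into `containers/Dockerfile.EESSI-client-ubuntu22.04-macOS-26` in patch 4/4.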
@@ -33,7 +33,7 @@ jobs: contents: read strategy: matrix: - tag: ['client:rocky8', 'build-node:debian11', 'build-node:debian12', 'build-node:debian13', 'client:ubuntu22.04-macOS-Tahoe'] + tag: ['client:rocky8', 'build-node:debian11', 'build-node:debian12', 'build-node:debian13', 'client:ubuntu22.04-macOS-26.x'] platform: [amd64, arm64, riscv64] exclude: # exclude images that don't support RISC-V @@ -44,9 +44,9 @@ jobs: - tag: build-node:debian12 platform: riscv64 # limit the new macOS to arm64 only - - tag: client:ubuntu22.04-macOS-Tahoe + - tag: client:ubuntu22.04-macOS-26.x platform: amd64 - - tag: client:ubuntu22.04-macOS-Tahoe + - tag: client:ubuntu22.04-macOS-26.x platform: riscv64 steps: @@ -105,7 +105,7 @@ jobs: contents: read strategy: matrix: - tag: ['client:rocky8', 'build-node:debian11', 'build-node:debian12', 'build-node:debian13', 'client:ubuntu22.04-macOS-Tahoe'] + tag: ['client:rocky8', 'build-node:debian11', 'build-node:debian12', 'build-node:debian13', 'client:ubuntu22.04-macOS-26.x'] steps: - name: Login to GitHub Container Registry if: github.event_name != 'pull_request' @@ -120,7 +120,7 @@ jobs: echo REPOSITORY_OWNER=$(echo ${{ github.repository_owner }} | tr '[:upper:]' '[:lower:]') >> $GITHUB_ENV - name: Create the final image using "docker buildx imagetools create" - if: github.event_name != 'pull_request' && matrix.tag == 'client:ubuntu22.04-macOS-Tahoe' + if: github.event_name != 'pull_request' && matrix.tag == 'client:ubuntu22.04-macOS-26.x' run: | docker buildx imagetools create -t ghcr.io/${{ env.REPOSITORY_OWNER }}/${{ matrix.tag }} \ ghcr.io/${{ env.REPOSITORY_OWNER }}/${{ matrix.tag }}-arm64 
@@ -134,7 +134,7 @@ jobs: ghcr.io/${{ env.REPOSITORY_OWNER }}/${{ matrix.tag }}-riscv64 - name: Create the final image using "docker buildx imagetools create" - if: github.event_name != 'pull_request' && matrix.tag != 'build-node:debian13' && matrix.tag != 'client:ubuntu22.04-macOS-Tahoe' + if: github.event_name != 'pull_request' && matrix.tag != 'build-node:debian13' && matrix.tag != 'client:ubuntu22.04-macOS-26.x' run: | docker buildx imagetools create -t ghcr.io/${{ env.REPOSITORY_OWNER }}/${{ matrix.tag }} \ ghcr.io/${{ env.REPOSITORY_OWNER }}/${{ matrix.tag }}-amd64 \ diff --git a/containers/Dockerfile.EESSI-client-ubuntu22.04-macOS-Tahoe b/containers/Dockerfile.EESSI-client-ubuntu22.04-macOS-Tahoe index 49889373..841b5005 100644 --- a/containers/Dockerfile.EESSI-client-ubuntu22.04-macOS-Tahoe +++ b/containers/Dockerfile.EESSI-client-ubuntu22.04-macOS-Tahoe @@ -1,6 +1,11 @@ FROM ubuntu:22.04 ENV DEBIAN_FRONTEND=noninteractive +# These args are designed to match macOS defaults +# macOS typical IDs: +# UID=501 -> first user account +# GID=20 -> "staff" group +# Matching these allows mounted volumes from macOS to be writable ARG USERNAME=eessi ARG UID=501 ARG GID=20 @@ -21,19 +26,21 @@ RUN set -eux; \ update-ca-certificates; \ rm -rf /var/lib/apt/lists/* - RUN useradd --uid ${UID} --gid ${GID} \ --create-home --shell /bin/bash ${USERNAME} && \ echo "${USERNAME} ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/${USERNAME} && \ chmod 0440 /etc/sudoers.d/${USERNAME} - -RUN git clone https://github.com/cvmfs/cvmfsexec.git /opt/cvmfsexec && \ +# Install cvmfsexec +ARG CVMFSEXEC_VERSION=v4.51 +RUN git clone --branch ${CVMFSEXEC_VERSION} --depth 1 https://github.com/cvmfs/cvmfsexec.git /opt/cvmfsexec && \ cd /opt/cvmfsexec && \ ./makedist default && \ chown -R ${USERNAME} /opt/cvmfsexec WORKDIR /home/${USERNAME} + +# Run container as non-root user USER ${USERNAME} ENTRYPOINT ["/bin/sh", "-c", "\ From 852b7ed5e80f1c00e80a6be16d8c9266ece8498a Mon Sep 17 00:00:00 2001 
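Review bot: The comment added in the `@@ -1,6 +1,11 @@` hunk describes GID 20 as the macOS "staff" group, but inside the image `useradd --gid ${GID}` resolves 20 against Ubuntu's own `/etc/group`, where that id normally belongs to `dialout` (not shown in the diff; verify with `getent group 20`). The comment should say so, e.g. `# GID=20 -> "staff" on macOS; inside the image this is whatever Ubuntu group already has id 20`, so a reader does not assume a staff-equivalent group is created. The `useradd` line itself is only context in the next hunk and is not changed by this commit.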
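Review bot: `git clone --branch ${CVMFSEXEC_VERSION} --depth 1` in the `@@ -21,19 +26,21 @@` hunk pins cvmfsexec to a tag name only, and a tag can be moved upstream, so the code that `./makedist default` then runs as root during the build is not fixed to a reviewed revision. Pin the commit as well and fail the build on mismatch: declare `ARG CVMFSEXEC_COMMIT=<full-commit-sha-of-v4.51>` and add `test "$(git rev-parse HEAD)" = "${CVMFSEXEC_COMMIT}" && \` after the `cd /opt/cvmfsexec` line. `<full-commit-sha-of-v4.51>` is a placeholder, since the page does not give the hash. `makedist` presumably fetches further packages at build time (the image installs `rpm2cpio` and `cpio`), which this check does not cover.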
From: Richard Top Date: Fri, 13 Mar 2026 08:26:37 +0100 Subject: [PATCH 3/4] renamed to macOS-26 --- .../workflows/build-publish-containers.yml | 12 ++--- ...rfile.EESSI-client-ubuntu22.04-macOS-Tahoe | 49 ------------------- 2 files changed, 6 insertions(+), 55 deletions(-) delete mode 100644 containers/Dockerfile.EESSI-client-ubuntu22.04-macOS-Tahoe diff --git a/.github/workflows/build-publish-containers.yml b/.github/workflows/build-publish-containers.yml index fd582337..88b4266b 100644 --- a/.github/workflows/build-publish-containers.yml +++ b/.github/workflows/build-publish-containers.yml @@ -33,7 +33,7 @@ jobs: contents: read strategy: matrix: - tag: ['client:rocky8', 'build-node:debian11', 'build-node:debian12', 'build-node:debian13', 'client:ubuntu22.04-macOS-26.x'] + tag: ['client:rocky8', 'build-node:debian11', 'build-node:debian12', 'build-node:debian13', 'client:ubuntu22.04-macOS-26'] platform: [amd64, arm64, riscv64] exclude: # exclude images that don't support RISC-V @@ -44,9 +44,9 @@ jobs: - tag: build-node:debian12 platform: riscv64 # limit the new macOS to arm64 only - - tag: client:ubuntu22.04-macOS-26.x + - tag: client:ubuntu22.04-macOS-26 platform: amd64 - - tag: client:ubuntu22.04-macOS-26.x + - tag: client:ubuntu22.04-macOS-26 platform: riscv64 steps: @@ -105,7 +105,7 @@ jobs: contents: read strategy: matrix: - tag: ['client:rocky8', 'build-node:debian11', 'build-node:debian12', 'build-node:debian13', 'client:ubuntu22.04-macOS-26.x'] + tag: ['client:rocky8', 'build-node:debian11', 'build-node:debian12', 'build-node:debian13', 'client:ubuntu22.04-macOS-26'] steps: - name: Login to GitHub Container Registry if: github.event_name != 'pull_request' 
@@ -120,7 +120,7 @@ jobs: echo REPOSITORY_OWNER=$(echo ${{ github.repository_owner }} | tr '[:upper:]' '[:lower:]') >> $GITHUB_ENV - name: Create the final image using "docker buildx imagetools create" - if: github.event_name != 'pull_request' && matrix.tag == 'client:ubuntu22.04-macOS-26.x' + if: github.event_name != 'pull_request' && matrix.tag == 'client:ubuntu22.04-macOS-26' run: | docker buildx imagetools create -t ghcr.io/${{ env.REPOSITORY_OWNER }}/${{ matrix.tag }} \ ghcr.io/${{ env.REPOSITORY_OWNER }}/${{ matrix.tag }}-arm64 @@ -134,7 +134,7 @@ jobs: ghcr.io/${{ env.REPOSITORY_OWNER }}/${{ matrix.tag }}-riscv64 - name: Create the final image using "docker buildx imagetools create" - if: github.event_name != 'pull_request' && matrix.tag != 'build-node:debian13' && matrix.tag != 'client:ubuntu22.04-macOS-26.x' + if: github.event_name != 'pull_request' && matrix.tag != 'build-node:debian13' && matrix.tag != 'client:ubuntu22.04-macOS-26' run: | docker buildx imagetools create -t ghcr.io/${{ env.REPOSITORY_OWNER }}/${{ matrix.tag }} \ ghcr.io/${{ env.REPOSITORY_OWNER }}/${{ matrix.tag }}-amd64 \ diff --git a/containers/Dockerfile.EESSI-client-ubuntu22.04-macOS-Tahoe b/containers/Dockerfile.EESSI-client-ubuntu22.04-macOS-Tahoe deleted file mode 100644 index 841b5005..00000000 --- a/containers/Dockerfile.EESSI-client-ubuntu22.04-macOS-Tahoe +++ /dev/null 
@@ -1,49 +0,0 @@
-FROM ubuntu:22.04
-
-ENV DEBIAN_FRONTEND=noninteractive
-# These args are designed to match macOS defaults
-# macOS typical IDs:
-# UID=501 -> first user account
-# GID=20 -> "staff" group
-# Matching these allows mounted volumes from macOS to be writable
-ARG USERNAME=eessi
-ARG UID=501
-ARG GID=20
-
-RUN set -eux; \
- apt-get update -o Acquire::Retries=5 -o Acquire::http::Timeout=30; \
- apt-get install -y --no-install-recommends \
- ca-certificates \
- wget \
- git \
- curl \
- cpio \
- gnupg2 \
- sudo \
- fuse \
- rpm \
- rpm2cpio; \
- update-ca-certificates; \
- rm -rf /var/lib/apt/lists/*
-
-RUN useradd --uid ${UID} --gid ${GID} \
- --create-home --shell /bin/bash ${USERNAME} && \
- echo "${USERNAME} ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/${USERNAME} && \
- chmod 0440 /etc/sudoers.d/${USERNAME}
-
-# Install cvmfsexec
-ARG CVMFSEXEC_VERSION=v4.51
-RUN git clone --branch ${CVMFSEXEC_VERSION} --depth 1 https://github.com/cvmfs/cvmfsexec.git /opt/cvmfsexec && \
- cd /opt/cvmfsexec && \
- ./makedist default && \
- chown -R ${USERNAME} /opt/cvmfsexec
-
-WORKDIR /home/${USERNAME}
-
-# Run container as non-root user
-USER ${USERNAME}
-
-ENTRYPOINT ["/bin/sh", "-c", "\
- sudo chown $(id -un) /dev/fuse 2>/dev/null || true; \
- exec /opt/cvmfsexec/cvmfsexec software.eessi.io -- \"$@\" \
-", "--"]
From 60fd7d2d8467f871669ddbb252fad24256572264 Mon Sep 17 00:00:00 2001
From: Richard Top
Date: Fri, 13 Mar 2026 08:28:13 +0100
Subject: [PATCH 4/4] renamed Dockerfile
---
...ckerfile.EESSI-client-ubuntu22.04-macOS-26 | 49 +++++++++++++++++++
1 file changed, 49 insertions(+)
create mode 100644 containers/Dockerfile.EESSI-client-ubuntu22.04-macOS-26
diff --git a/containers/Dockerfile.EESSI-client-ubuntu22.04-macOS-26 b/containers/Dockerfile.EESSI-client-ubuntu22.04-macOS-26
new file mode 100644
index 00000000..841b5005
--- /dev/null
+++ b/containers/Dockerfile.EESSI-client-ubuntu22.04-macOS-26
@@ -0,0 +1,49 @@
+FROM ubuntu:22.04
+
+ENV DEBIAN_FRONTEND=noninteractive
+# These args are designed to match macOS defaults
+# macOS typical IDs:
+# UID=501 -> first user account
+# GID=20 -> "staff" group
+# Matching these allows mounted volumes from macOS to be writable
+ARG USERNAME=eessi
+ARG UID=501
+ARG GID=20
+
+RUN set -eux; \
+ apt-get update -o Acquire::Retries=5 -o Acquire::http::Timeout=30; \
+ apt-get install -y --no-install-recommends \
+ ca-certificates \
+ wget \
+ git \
+ curl \
+ cpio \
+ gnupg2 \
+ sudo \
+ fuse \
+ rpm \
+ rpm2cpio; \
+ update-ca-certificates; \
+ rm -rf /var/lib/apt/lists/*
+
+RUN useradd --uid ${UID} --gid ${GID} \
+ --create-home --shell /bin/bash ${USERNAME} && \
+ echo "${USERNAME} ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/${USERNAME} && \
+ chmod 0440 /etc/sudoers.d/${USERNAME}
+
+# Install cvmfsexec
+ARG CVMFSEXEC_VERSION=v4.51
+RUN git clone --branch ${CVMFSEXEC_VERSION} --depth 1 https://github.com/cvmfs/cvmfsexec.git /opt/cvmfsexec && \
+ cd /opt/cvmfsexec && \
+ ./makedist default && \
+ chown -R ${USERNAME} /opt/cvmfsexec
+
+WORKDIR /home/${USERNAME}
+
+# Run container as non-root user
+USER ${USERNAME}
+
+ENTRYPOINT ["/bin/sh", "-c", "\
+ sudo chown $(id -un) /dev/fuse 2>/dev/null || true; \
+ exec /opt/cvmfsexec/cvmfsexec software.eessi.io -- \"$@\" \
+", "--"]