devenv: Add a c10s version (#37)

cgwalters · web-flow · commit d76fbe66f987 · 2025-11-04T11:57:38.000-08:00
Let's make this one a possible option too.

Signed-off-by: Colin Walters &lt;walters@verbum.org&gt;
diff --git a/.github/workflows/build-devcontainer.yml b/.github/workflows/build-devcontainer.yml
@@ -11,7 +11,6 @@ on:
 
 env:
   REGISTRY: ghcr.io
-  IMAGE_NAME: ${{ github.repository_owner }}/devenv-debian
 
 jobs:
   validate-devcontainer:
@@ -33,13 +32,20 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
+        os: [debian, c10s]
         include:
           - runner: ubuntu-latest
             platform: linux/amd64
             arch: amd64
           - runner: ubuntu-24.04-arm
             platform: linux/arm64
             arch: arm64
+          - os: debian
+            containerfile: Containerfile.debian
+            image_name: devenv-debian
+          - os: c10s
+            containerfile: Containerfile.c10s
+            image_name: devenv-c10s
     
     steps:
       - name: Checkout
@@ -59,17 +65,17 @@ jobs:
         id: meta
         uses: docker/metadata-action@v5
         with:
-          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          images: ${{ env.REGISTRY }}/${{ github.repository_owner }}/${{ matrix.image_name }}
       
       - name: Build and push by digest
         id: build
         uses: docker/build-push-action@v6
         with:
           context: devenv
-          file: devenv/Containerfile
+          file: devenv/${{ matrix.containerfile }}
           platforms: ${{ matrix.platform }}
           labels: ${{ steps.meta.outputs.labels }}
-          outputs: type=image,name=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }},push-by-digest=true,name-canonical=true,push=${{ github.event_name != 'pull_request' }}
+          outputs: type=image,name=${{ env.REGISTRY }}/${{ github.repository_owner }}/${{ matrix.image_name }},push-by-digest=true,name-canonical=true,push=${{ github.event_name != 'pull_request' }}
       
       - name: Export digest
         run: |
@@ -80,7 +86,7 @@ jobs:
       - name: Upload digest
         uses: actions/upload-artifact@v4
         with:
-          name: digests-${{ matrix.arch }}
+          name: digests-${{ matrix.os }}-${{ matrix.arch }}
           path: /tmp/digests/*
           if-no-files-found: error
           retention-days: 1
@@ -89,43 +95,51 @@ jobs:
     runs-on: ubuntu-latest
     needs: build
     if: github.event_name != 'pull_request'
+    strategy:
+      matrix:
+        os: [debian, c10s]
+        include:
+          - os: debian
+            image_name: devenv-debian
+          - os: c10s
+            image_name: devenv-c10s
     steps:
       - name: Download digests
         uses: actions/download-artifact@v4
         with:
           path: /tmp/digests
-          pattern: digests-*
+          pattern: digests-${{ matrix.os }}-*
           merge-multiple: true
-      
+
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
-      
+
       - name: Docker meta
         id: meta
         uses: docker/metadata-action@v5
         with:
-          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          images: ${{ env.REGISTRY }}/${{ github.repository_owner }}/${{ matrix.image_name }}
           tags: |
             type=raw,value=latest,enable={{is_default_branch}}
             type=sha,prefix={{branch}}-,format=short
             type=sha,prefix={{branch}}-,format=long
             type=ref,event=pr
             type=ref,event=tag
-      
+
       - name: Log in to Container Registry
         uses: docker/login-action@v3
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
-      
+
       - name: Create manifest list and push
         working-directory: /tmp/digests
         run: |
           docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
-            $(printf '${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@sha256:%s ' *)
-      
+            $(printf '${{ env.REGISTRY }}/${{ github.repository_owner }}/${{ matrix.image_name }}@sha256:%s ' *)
+
       - name: Inspect image
         run: |
-          docker buildx imagetools inspect ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.meta.outputs.version }}
+          docker buildx imagetools inspect ${{ env.REGISTRY }}/${{ github.repository_owner }}/${{ matrix.image_name }}:${{ steps.meta.outputs.version }}
 
diff --git a/Justfile b/Justfile
@@ -2,6 +2,13 @@
 devcontainer-validate:
 	npx --yes @devcontainers/cli read-configuration --workspace-folder .
 
-# Build devenv image with local tag
-devenv-build:
-	cd devenv && podman build --jobs=4 -t localhost/bootc-devenv-debian .
+# Build devenv Debian image with local tag
+devenv-build-debian:
+	cd devenv && podman build --jobs=4 -f Containerfile.debian -t localhost/bootc-devenv-debian .
+
+# Build devenv CentOS Stream 10 image with local tag
+devenv-build-c10s:
+	cd devenv && podman build --jobs=4 -f Containerfile.c10s -t localhost/bootc-devenv-c10s .
+
+# Build devenv image with local tag (defaults to Debian)
+devenv-build: devenv-build-debian
diff --git a/devenv/.dockerignore b/devenv/.dockerignore
@@ -4,5 +4,10 @@
 *
 # And explicit includes
 !packages.txt
+!packages-common.txt
+!packages-debian.txt
+!packages-c10s.txt
 !build-deps.txt
+!build-deps-debian.txt
+!build-deps-c10s.txt
 !devenv-init.sh
diff --git a/devenv/Containerfile.c10s b/devenv/Containerfile.c10s
@@ -0,0 +1,109 @@
+# These aren't packages, just low-dependency binaries dropped in /usr/local/bin
+# so we can fetch them independently in a separate build.
+ARG base=quay.io/centos/centos:stream10
+FROM $base as base
+# Life is too short to care about dash
+RUN ln -sfr /bin/bash /bin/sh
+RUN <<EORUN
+set -xeuo pipefail
+
+# Initialize basic packages and enable repositories
+dnf -y install curl time bzip2 dnf-plugins-core epel-release
+dnf config-manager --set-enabled crb
+
+# Enable gh CLI repository
+cat > /etc/yum.repos.d/gh-cli.repo <<'EOREPO'
+[gh-cli]
+name=GitHub CLI
+baseurl=https://cli.github.com/packages/rpm
+enabled=1
+gpgcheck=1
+gpgkey=https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x23F3D4EA75716059
+EOREPO
+
+# Update after adding repositories
+dnf -y makecache
+EORUN
+
+FROM base as tools
+# renovate: datasource=github-releases depName=block/goose
+ARG gooseversion=v1.11.1
+# renovate: datasource=github-releases depName=bootc-dev/bcvk
+ARG bcvkversion=v0.5.3
+RUN <<EORUN
+set -xeuo pipefail
+arch=$(arch)
+
+rm -vrf /usr/local/bin/*
+
+# goose for local AI
+target=goose-${arch}-unknown-linux-gnu.tar.bz2
+/bin/time -f '%E %C' curl -fLO https://github.com/block/goose/releases/download/$gooseversion/$target
+tar xvjf $target
+mv goose /usr/local/bin/goose
+
+# bcvk
+if test "${arch}" = x86_64; then
+  td=$(mktemp -d)
+  (
+    cd $td
+    target=bcvk-${arch}-unknown-linux-gnu
+    /bin/time -f '%E %C' curl -fLO https://github.com/bootc-dev/bcvk/releases/download/$bcvkversion/${target}.tar.gz
+    tar xvzf $target.tar.gz
+    mv $target /usr/local/bin/bcvk
+  )
+  rm -rf $td
+else
+  echo bcvk unavailable for $arch
+fi
+EORUN
+
+FROM base as rust
+RUN <<EORUN
+set -xeuo pipefail
+# Setup rust; the idea here though is we install system-wide into /usr/local
+# as if it was packaged.
+export RUSTUP_HOME=/usr/local/rustup
+export CARGO_HOME=/usr/local/cargo
+# Install Rust system-wide
+curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain stable --profile default
+# Move binaries to /usr/local/bin (system-managed, root-owned)
+mv /usr/local/cargo/bin/* /usr/local/bin/
+# Nothing really left here
+rm -vrf /usr/local/cargo/bin
+EORUN
+
+# This builds the image.
+# Build this using `just devenv-build-c10s` from the root of the repository.
+FROM base
+COPY packages-common.txt packages-c10s.txt build-deps-c10s.txt /run/src/
+WORKDIR /run/src
+RUN <<EORUN
+set -xeuo pipefail
+grep -hEve '^#' packages-common.txt packages-c10s.txt | /bin/time -f '%E %C' xargs dnf -y install
+grep -vEe '^#' build-deps-c10s.txt | /bin/time -f '%E %C' xargs dnf -y builddep
+dnf clean all
+EORUN
+
+# Copy in the binaries from our tools container image
+COPY --from=tools /usr/local/bin/* /usr/local/bin/
+COPY --from=rust /usr/local/bin/* /usr/local/bin/
+COPY --from=rust /usr/local/rustup /usr/local/rustup
+# Point rustup at the system-wide installation, but let CARGO_HOME default to ~/.cargo
+ENV RUSTUP_HOME=/usr/local/rustup
+# Setup for codespaces
+COPY devenv-init.sh /usr/local/bin/
+
+WORKDIR /
+# Create user before declaring volumes so home directory has correct ownership
+RUN <<EORUN
+set -xeuo pipefail
+useradd -m devenv -s /bin/bash
+# This needs to be precreated and owned by the devenv user
+mkdir -p ~devenv/.local/share/containers
+chown -R -h devenv: ~devenv/.local
+echo 'devenv ALL=(ALL) NOPASSWD:ALL' > /etc/sudoers.d/devenv && chmod 0440 /etc/sudoers.d/devenv
+EORUN
+# To avoid overlay-on-overlay with nested containers
+VOLUME [ "/var/lib/containers", "/home/devenv/.local/share/containers/" ]
+USER devenv
diff --git a/devenv/Containerfile.debian b/devenv/Containerfile.debian
@@ -0,0 +1,109 @@
+# These aren't packages, just low-dependency binaries dropped in /usr/local/bin
+# so we can fetch them independently in a separate build.
+ARG base=docker.io/library/debian:sid
+FROM $base as base
+# Life is too short to care about dash
+RUN ln -sfr /bin/bash /bin/sh
+RUN <<EORUN
+set -xeuo pipefail
+
+# Initialize some basic packages
+apt -y update && apt -y install curl time bzip2
+
+# Enable deb-src repositories for build-dep
+sed -i "s/^deb /deb [arch=$(dpkg --print-architecture)] /" /etc/apt/sources.list.d/debian.sources
+sed -i 's/^Types: deb$/Types: deb deb-src/' /etc/apt/sources.list.d/debian.sources
+
+# Enable gh CLI repository
+mkdir -p -m 755 /etc/apt/keyrings
+curl -fLo /etc/apt/keyrings/githubcli-archive-keyring.gpg https://cli.github.com/packages/githubcli-archive-keyring.gpg
+chmod go+r /etc/apt/keyrings/githubcli-archive-keyring.gpg
+mkdir -p -m 755 /etc/apt/sources.list.d
+echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" > /etc/apt/sources.list.d/github-cli.list
+
+# And re-update after we've fetched repos
+apt -y update
+EORUN
+
+FROM base as tools
+# renovate: datasource=github-releases depName=block/goose
+ARG gooseversion=v1.11.1
+# renovate: datasource=github-releases depName=bootc-dev/bcvk
+ARG bcvkversion=v0.5.3
+RUN <<EORUN
+set -xeuo pipefail
+arch=$(arch)
+
+rm -vrf /usr/local/bin/*
+
+# goose for local AI
+target=goose-${arch}-unknown-linux-gnu.tar.bz2
+/bin/time -f '%E %C' curl -fLO https://github.com/block/goose/releases/download/$gooseversion/$target
+tar xvjf $target
+mv goose /usr/local/bin/goose
+
+# bcvk
+if test "${arch}" = x86_64; then
+  td=$(mktemp -d)
+  (
+    cd $td
+    target=bcvk-${arch}-unknown-linux-gnu
+    /bin/time -f '%E %C' curl -fLO https://github.com/bootc-dev/bcvk/releases/download/$bcvkversion/${target}.tar.gz
+    tar xvzf $target.tar.gz
+    mv $target /usr/local/bin/bcvk
+  )
+  rm -rf $td
+else
+  echo bcvk unavailable for $arch
+fi
+EORUN
+
+FROM base as rust
+RUN <<EORUN
+set -xeuo pipefail
+# Setup rust; the idea here though is we install system-wide into /usr/local
+# as if it was packaged.
+export RUSTUP_HOME=/usr/local/rustup
+export CARGO_HOME=/usr/local/cargo
+# Install Rust system-wide
+curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain stable --profile default
+# Move binaries to /usr/local/bin (system-managed, root-owned)
+mv /usr/local/cargo/bin/* /usr/local/bin/
+# Nothing really left here
+rm -vrf /usr/local/cargo/bin
+EORUN
+
+# This builds the image.
+# Build this using `just devenv-build-debian` from the root of the repository.
+FROM base
+COPY packages-common.txt packages-debian.txt build-deps-debian.txt /run/src/
+WORKDIR /run/src
+RUN <<EORUN
+set -xeuo pipefail
+grep -hEve '^#' packages-common.txt packages-debian.txt | /bin/time -f '%E %C' xargs apt -y install
+grep -vEe '^#' build-deps-debian.txt | /bin/time -f '%E %C' xargs apt -y build-dep
+apt clean && rm -rf /var/lib/apt/lists/*
+EORUN
+
+# Copy in the binaries from our tools container image
+COPY --from=tools /usr/local/bin/* /usr/local/bin/
+COPY --from=rust /usr/local/bin/* /usr/local/bin/
+COPY --from=rust /usr/local/rustup /usr/local/rustup
+# Point rustup at the system-wide installation, but let CARGO_HOME default to ~/.cargo
+ENV RUSTUP_HOME=/usr/local/rustup
+# Setup for codespaces
+COPY devenv-init.sh /usr/local/bin/
+
+WORKDIR /
+# Create user before declaring volumes so home directory has correct ownership
+RUN <<EORUN
+set -xeuo pipefail
+useradd -m devenv -s /bin/bash
+# This needs to be precreated and owned by the devenv user
+mkdir -p ~devenv/.local/share/containers
+chown -R -h devenv: ~devenv/.local
+echo 'devenv ALL=(ALL) NOPASSWD:ALL' > /etc/sudoers.d/devenv && chmod 0440 /etc/sudoers.d/devenv
+EORUN
+# To avoid overlay-on-overlay with nested containers
+VOLUME [ "/var/lib/containers", "/home/devenv/.local/share/containers/" ]
+USER devenv
diff --git a/devenv/build-deps-c10s.txt b/devenv/build-deps-c10s.txt
@@ -0,0 +1 @@
+ostree
diff --git a/devenv/build-deps-debian.txt b/devenv/build-deps-debian.txt
@@ -0,0 +1 @@
+ostree
diff --git a/devenv/packages-c10s.txt b/devenv/packages-c10s.txt
@@ -0,0 +1,16 @@
+# CentOS Stream 10 specific package names
+# Common packages are in packages-common.txt
+
+# General build env
+clang-tools-extra
+krb5-devel
+libvirt-devel
+ostree-devel
+
+# Runtime virt
+xorriso
+qemu-img
+libvirt-daemon-kvm
+
+# TUI editors
+vim-enhanced
diff --git a/devenv/packages-common.txt b/devenv/packages-common.txt
diff --git a/devenv/packages-debian.txt b/devenv/packages-debian.txt
