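# syntax=docker/dockerfile:1
# Dockerfile (Alpine Linux Base)
# Stage 1: Build and customize the rootfs for development (Base - Alpine Linux)
#
# The syntax directive on the first line pins the BuildKit frontend; the
# heredoc RUN used further down needs Dockerfile syntax 1.4 or newer, and
# without the directive heredoc support depends on the builder's default.
#
# TARGETPLATFORM is one of BuildKit's automatic platform ARGs. Declared before
# FROM it is visible only in FROM lines, and this file does not reference it
# there, so it appears to be unused; it is kept so that an explicit
# `--build-arg TARGETPLATFORM=...` keeps being accepted without a warning.
ARG TARGETPLATFORM
FROM alpine:3.23 AS customizer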
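# Install key packages.
# `--no-cache` makes apk fetch a fresh index for this command and never write
# /var/cache/apk, so the former `apk update` and the trailing
# `rm -rf /var/cache/apk/*` are no longer needed in this layer.
# `apk upgrade` pulls in fixes published after the alpine:3.23 tag was cut; the
# trade-off is that the installed versions are not pinned, so two builds of
# this file can differ. `sudo` was listed twice; it is installed once here.
RUN apk upgrade --no-cache && \
    apk add --no-cache \
        # Core utilities
        bash \
        coreutils \
        file \
        findutils \
        grep \
        sed \
        gawk \
        curl \
        wget \
        ca-certificates \
        tzdata \
        bash-completion \
        # shadow provides usermod, which the Android fixes below rely on
        shadow \
        sudo \
        # System tools (interactive/debug tools are intended for this dev rootfs)
        htop \
        vim \
        nano \
        git \
        openssh \
        net-tools \
        iptables-legacy \
        iputils \
        iproute2 \
        procps \
        fastfetch \
        kmod \
        # Development tools
        build-base \
        cmake \
        clang \
        llvm \
        valgrind \
        strace \
        ltrace \
        # Python
        python3 \
        py3-pip \
        # Docker (daemon + CLI; wired into the default runlevel below)
        docker \
        # DHCP client + openrc
        dhcpcd \
        openrc \
        busybox-extras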
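# Install the custom shell profile so login shells source it from /etc/profile.d.
# --chmod sets the executable bit at copy time; the former separate `RUN chmod`
# duplicated the file into a second layer just to change its mode.
COPY --chmod=755 scripts/bashrc.sh /etc/profile.d/ds-aliases.sh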
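# Configure sshd for the exported rootfs.
# - PermitRootLogin no: root cannot log in over SSH even if it has a password.
# - PasswordAuthentication yes: password logins are enabled for the remaining
#   accounts. sshd is added to the default runlevel later in this file, so any
#   account with a weak password is reachable as soon as the container has
#   network; prefer key-based logins where the deployment allows it.
# Each sed is followed by a grep so the build fails loudly if the upstream
# sshd_config template changes and the pattern no longer matches — an
# unmatched sed is a silent no-op that would leave the stock defaults in place.
RUN mkdir -p /var/run/sshd && \
    sed -i 's/#PermitRootLogin prohibit-password/PermitRootLogin no/' /etc/ssh/sshd_config && \
    grep -q '^PermitRootLogin no' /etc/ssh/sshd_config && \
    sed -i 's/#PasswordAuthentication yes/PasswordAuthentication yes/' /etc/ssh/sshd_config && \
    grep -q '^PasswordAuthentication yes' /etc/ssh/sshd_config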
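# Apply Android compatibility fixes.
# The heredoc runs as one shell script. Unlike an `&&` chain its lines are not
# implicitly joined, so `set -e` is required for a failing command to fail the
# build instead of being skipped silently; `-u` rejects references to unset
# variables. The only expansions in this script are $(date) at the end and the
# inner quoted heredoc, whose ${command_args:-} is preserved literally for
# OpenRC to expand at boot.
RUN <<EOF_RUN
set -eu
# --- 1. General Fixes ---
# Android network group setup (required for socket access on Android kernels)
grep -q '^aid_inet:' /etc/group || echo 'aid_inet:x:3003:' >> /etc/group
grep -q '^aid_net_raw:' /etc/group || echo 'aid_net_raw:x:3004:' >> /etc/group
grep -q '^aid_net_admin:' /etc/group || echo 'aid_net_admin:x:3005:' >> /etc/group
# Root permissions for Android hardware access. `|| true` keeps the build going
# if one of the groups is missing (input/video/tty come from the base image).
usermod -a -G aid_inet,aid_net_raw,input,video,tty root || true
# Configure legacy iptables (MANDATORY for Android compatibility).
# Under set -e every ln is checked on its own, so no && chain is needed.
ln -sf /usr/sbin/iptables-legacy /usr/sbin/iptables
ln -sf /usr/sbin/ip6tables-legacy /usr/sbin/ip6tables
ln -sf /usr/sbin/arptables-legacy /usr/sbin/arptables
ln -sf /usr/sbin/ebtables-legacy /usr/sbin/ebtables
# Tell OpenRC it's in an LXC-style container.
# This suppresses the hwdrivers/machine-id "needs dev" warnings without
# disabling anything useful. In hw-access mode, devtmpfs/sys are mounted
# by Droidspaces before init runs, so OpenRC never tries to manage them
# anyway - rc_sys="lxc" just stops it from complaining about their absence.
sed -i 's/^#\?rc_sys=.*/rc_sys="lxc"/' /etc/rc.conf
# Remove "dev" dependency from machine-id init script to prevent boot warnings
if [ -f /etc/init.d/machine-id ]; then
    sed -i 's/need root dev/need root/' /etc/init.d/machine-id
fi
# Fix inittab:
# 1. Remove useless tty1-6 (no VTs in a container)
# 2. Add console getty for the Droidspaces foreground console
# 3. Add console to securetty so root login is allowed
sed -i '/^tty[1-6]::/d' /etc/inittab
grep -q 'console::respawn' /etc/inittab || \
    echo 'console::respawn:/sbin/getty 38400 console' >> /etc/inittab
grep -q '^console$' /etc/securetty || echo 'console' >> /etc/securetty
# Wire up services to the default runlevel by creating the symlinks manually
# (rc-update can't run inside a Dockerfile build - no /run/openrc yet).
# ln -sf succeeds even when the init script does not exist, so a typo in a
# target path only shows up as a dangling symlink at boot.
mkdir -p /etc/runlevels/default
ln -sf /etc/init.d/dhcpcd /etc/runlevels/default/dhcpcd
# sshd on boot. sshd_config is prepared earlier in this file with password
# authentication enabled, so every account with a password is reachable over
# the network once this service is up.
ln -sf /etc/init.d/sshd /etc/runlevels/default/sshd
# containerd and docker on boot
ln -sf /etc/init.d/containerd /etc/runlevels/default/containerd
ln -sf /etc/init.d/docker /etc/runlevels/default/docker
# Replace dhcpcd init script to only start in NAT network mode.
# This is the OpenRC equivalent of systemd's ExecCondition - if the container
# is running in host network mode, dhcpcd is cleanly skipped at boot to prevent
# cellular network breakage and kernel panics on Android interfaces.
# The delimiter is quoted so nothing in the script body is expanded here.
cat > /etc/init.d/dhcpcd << 'INITEOF'
#!/sbin/openrc-run
description="DHCP Client Daemon"
command="/sbin/dhcpcd"
command_args="-q -B ${command_args:-}"
command_background="true"
pidfile="/run/dhcpcd/pid"
depend() {
    provide net
    need localmount
    use logger network
    after bootmisc modules
    before dns
}
start_pre() {
    # Only start in NAT mode - prevents cellular network breakage in host network mode
    if ! grep -q 'net_mode=nat' /run/droidspaces/container.config 2>/dev/null; then
        einfo "Skipping dhcpcd: not in NAT network mode"
        return 1
    fi
    checkpath -d /run/dhcpcd
}
INITEOF
chmod +x /etc/init.d/dhcpcd
# Additionally whitelist only container veth interfaces (eth*) in dhcpcd.conf
# as defense-in-depth against Android-internal interfaces (rmnet*, dit*, epdg*, etc.)
if [ -f /etc/dhcpcd.conf ]; then
    echo "allowinterfaces eth*" >> /etc/dhcpcd.conf
fi
# Mark fixes as completed. The marker embeds the build date, so this layer is
# not byte-for-byte reproducible across builds.
echo "Post-extraction fixes applied on $(date)" > /etc/droidspaces
EOF_RUN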
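# Final cleanup: intentionally no RUN here.
# /var/cache/apk is already removed in the same layer as the package install,
# and no later step in this stage invokes apk, so a separate
# `RUN rm -rf /var/cache/apk/*` only added an empty layer to the build.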
# Stage 2: Export to scratch for extraction.
# Starting from an empty base and copying the customizer's root in one COPY
# produces a single flat layer holding the whole rootfs, which is what the
# extraction step consumes.
FROM scratch AS export
COPY --from=customizer ["/", "/"]