build container for f41 container
karuboniru committed Aug 31, 2024
1 parent bc14d08 commit 62b4a00
Showing 19 changed files with 776 additions and 2 deletions.
53 changes: 53 additions & 0 deletions .github/workflows/docker-publish.yml
@@ -0,0 +1,53 @@
name: Build Ostree Container Image

# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.

on:
schedule:
- cron: '00 9 * * 1'
push:
branches: [ '*' ]

env:
# Use docker.io for Docker Hub if empty
REGISTRY: ghcr.io
# github.repository as <account>/<repo>
IMAGE_NAME: ${{ github.repository }}

jobs:
build:
runs-on: ubuntu-latest
container:
image: fedora:latest
options: --privileged
permissions:
contents: read
packages: write
id-token: write

steps:
- name: Checkout repository
uses: actions/checkout@v3

- name: Build
env:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
image: ${{ env.IMAGE_NAME }}
tag: ${{ github.ref_name }}
composefile: server.yaml
run: |
dnf -y install rpm-ostree skopeo selinux-policy-targeted --enablerepo=updates-testing
skopeo login -u $username -p $password $registry
mkdir -p repo cache
ostree init --repo=repo --mode=archive
rpm-ostree compose image --initialize-mode=if-not-exists \
--format registry --layer-repo repo --cachedir=cache \
$composefile \
$registry/$image:$tag
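Review bot: The registry secret is passed as a command-line argument on the `skopeo login -u $username -p $password $registry` line, so the token from `secrets.GITHUB_TOKEN` is visible in the build container's process list and in any shell tracing; feed it through stdin instead, `printf '%s' "$password" | skopeo login -u "$username" --password-stdin "$registry"`. `actions/checkout@v3` is pinned only to a mutable tag while the job runs with `--privileged` and `packages: write`; pinning to a full commit SHA would narrow the supply-chain exposure. `id-token: write` is granted but nothing in the visible steps uses an OIDC token, so it can be dropped until an image-signing step needs it. Installing the build tools with `--enablerepo=updates-testing` also pulls untested rpm-ostree/skopeo builds into the pipeline; if that is deliberate for f41, a comment saying so would help.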
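--- /dev/null
+++ b/cils/adguardhome.cil
@@ -0,0 +1,25 @@
+(block adguardhome
+(blockinherit container)
+(blockinherit restricted_net_container)
+(allow process process ( capability ( net_bind_service )))
+
+(allow process dns_port_t ( tcp_socket ( name_bind )))
+(allow process dns_port_t ( udp_socket ( name_bind )))
+(allow process dhcpd_port_t ( udp_socket ( name_bind )))
+(allow process dhcpc_port_t ( udp_socket ( name_bind )))
+(allow process http_port_t ( tcp_socket ( name_bind )))
+(allow process http_port_t ( tcp_socket ( name_bind )))
+(allow process reserved_port_t ( udp_socket ( name_bind )))
+(allow process hi_reserved_port_t ( udp_socket ( name_bind )))
+(allow process ntop_port_t ( tcp_socket ( name_bind )))
+(allow process ntop_port_t ( udp_socket ( name_bind )))
+(allow process unreserved_port_t ( tcp_socket ( name_bind )))
+(allow process unreserved_port_t ( udp_socket ( name_bind )))
+
+(allow process port_type ( tcp_socket ( name_connect recv_msg send_msg )))
+(allow process port_type ( udp_socket ( recv_msg send_msg )))
+
+(allow process cert_t ( dir ( watch getattr open read search )))
+(allow process cert_t ( file ( watch getattr open read )))
+(allow process cert_t ( lnk_file ( read )))
+)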
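Review bot: The line `(allow process http_port_t ( tcp_socket ( name_bind )))` appears twice in this block; the second copy is redundant and should be dropped. The `reserved_port_t`, `hi_reserved_port_t` and `unreserved_port_t` udp name_bind rules together cover essentially every UDP port, which looks like it undoes whatever `restricted_net_container` (defined outside this commit) is meant to restrict; if a specific service needs ephemeral UDP ports, a comment naming which one would let the rules be tightened later. The `port_type` name_connect pair also recurs verbatim in container_alist and container_hath; factoring it into a shared block that those three inherit would keep the grant in one place.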
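--- /dev/null
+++ b/cils/cloudflare_with_socket_access.cil
@@ -0,0 +1,11 @@
+(block cloudflare_with_socket_access
+(blockinherit container)
+(blockinherit net_container)
+
+(allow process node_t ( icmp_socket ( node_bind )))
+
+(allow process var_run_t ( sock_file ( write )))
+(allow process comiclib.process ( unix_stream_socket ( connectto )))
+(allow process cockpit_ws_t ( unix_stream_socket ( connectto )))
+(allow process container_caddy.process ( unix_stream_socket ( connectto )))
+)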
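Review bot: `(allow process var_run_t ( sock_file ( write )))` is far broader than the three `connectto` rules under it — it permits writing to any socket file labeled var_run_t under /run, not only the ones these three peers expose; the same grant appears in container_caddy. If the sockets that are actually reached can be given a dedicated file type, the rule can be narrowed to it; otherwise a comment should record which sockets are meant, e.g. `; sock_file write on var_run_t is needed to connect() to the cockpit/caddy/comiclib sockets under /run — TODO narrow to a dedicated type`. Each `connectto` target also requires the named block (comiclib, container_caddy) to be present in the same policy build, otherwise the CIL reference does not resolve.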
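--- /dev/null
+++ b/cils/comiclib.cil
@@ -0,0 +1,8 @@
+(block comiclib
+(blockinherit container)
+
+(allow process user_home_t ( dir ( watch getattr ioctl lock open read search )))
+(allow process user_home_t ( file ( watch getattr ioctl lock open read )))
+
+(dontaudit process node_t ( tcp_socket ( node_bind ) ) )
+)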
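Review bot: The `(dontaudit process node_t ( tcp_socket ( node_bind ) ) )` rule silences a denial without saying what triggers it, so the next reader cannot tell whether a real bind is being refused or just startup noise; add a comment such as `; node_bind on node_t is attempted but not needed — suppressed to keep the audit log quiet; TODO confirm the cause` (the cause is not visible in this commit). The read-only `user_home_t` pair is identical to the one in container_rohome_allbind and container_jellyfin, so a shared read-only-home block that these `blockinherit` would avoid repeating it.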
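--- /dev/null
+++ b/cils/container_alist.cil
@@ -0,0 +1,10 @@
+(block container_alist
+(blockinherit container)
+(blockinherit restricted_net_container)
+
+(allow process user_home_t ( dir ( watch add_name create getattr ioctl lock open read remove_name rmdir search setattr write )))
+(allow process user_home_t ( file ( watch append create getattr ioctl lock map open read rename setattr unlink write )))
+
+(allow process port_type ( tcp_socket ( name_connect recv_msg send_msg )))
+(allow process port_type ( udp_socket ( recv_msg send_msg )))
+)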
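--- /dev/null
+++ b/cils/container_caddy.cil
@@ -0,0 +1,10 @@
+(block container_caddy
+(blockinherit container)
+(blockinherit net_container)
+(allow process process ( capability ( net_bind_service )))
+
+(allow process var_run_t ( sock_file ( write )))
+(allow process cockpit_ws_t ( unix_stream_socket ( connectto )))
+(allow process container_alist.process ( unix_stream_socket ( connectto )))
+(allow process comiclib.process ( unix_stream_socket ( connectto )))
+)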
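--- /dev/null
+++ b/cils/container_hath.cil
@@ -0,0 +1,14 @@
+(block container_hath
+(blockinherit container)
+(blockinherit restricted_net_container)
+(allow process process ( capability ( net_bind_service )))
+
+(allow process port_type ( tcp_socket ( name_connect recv_msg send_msg )))
+(allow process port_type ( udp_socket ( recv_msg send_msg )))
+
+(allow process http_port_t ( tcp_socket ( name_bind )))
+
+(allow process user_home_t ( dir ( watch add_name create getattr ioctl lock open read remove_name rmdir search setattr write )))
+(allow process user_home_t ( file ( watch append create getattr ioctl lock map open read rename setattr unlink write )))
+
+)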
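--- /dev/null
+++ b/cils/container_jellyfin.cil
@@ -0,0 +1,9 @@
+(block container_jellyfin
+(blockinherit container)
+(blockinherit net_container)
+
+(allow process user_home_t ( dir ( watch getattr ioctl lock open read search )))
+(allow process user_home_t ( file ( watch getattr ioctl lock open read )))
+
+(allow process tmpfs_t (file (execute map)))
+)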
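Review bot: `(allow process tmpfs_t (file (execute map)))` lets the container execute files on any generic tmpfs_t mount; combined with whatever write access the inherited `container` block grants on tmpfs (not visible in this commit), that permits write-then-execute of memory-backed files, which is exactly the W^X separation SELinux is normally used to enforce. If a specific component needs it, record that and consider a dedicated type for the mount it uses, e.g. `; execute+map on tmpfs_t required by <component> — TODO confirm and narrow to a dedicated tmpfs label`.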
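--- /dev/null
+++ b/cils/container_rohome_allbind.cil
@@ -0,0 +1,7 @@
+(block container_rohome_allbind
+(blockinherit container)
+(blockinherit net_container)
+
+(allow process user_home_t ( dir ( watch getattr ioctl lock open read search )))
+(allow process user_home_t ( file ( watch getattr ioctl lock open read )))
+)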
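--- /dev/null
+++ b/cils/container_rwhome_allbind.cil
@@ -0,0 +1,7 @@
+(block container_rwhome_allbind
+(blockinherit container)
+(blockinherit net_container)
+
+(allow process user_home_t ( dir ( watch add_name create getattr ioctl lock open read remove_name rmdir search setattr write )))
+(allow process user_home_t ( file ( watch append create getattr ioctl lock map open read rename setattr unlink write )))
+)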
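--- /dev/null
+++ b/cils/container_wireguard.cil
@@ -0,0 +1,8 @@
+(block container_wireguard
+(blockinherit container)
+(allow process process ( capability ( net_admin )))
+
+(allow process container_wireguard.process ( netlink_route_socket ( nlmsg_write )))
+
+(dontaudit process cgroup_t (dir (write) ))
+)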
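Review bot: Inside `(block container_wireguard ...)` the target `container_wireguard.process` is the block's own `process` type, so `(allow process container_wireguard.process ( netlink_route_socket ( nlmsg_write )))` can be written `(allow process process ( netlink_route_socket ( nlmsg_write )))`, matching how every other block in this commit refers to itself. The `(dontaudit process cgroup_t (dir (write) ))` rule hides a denial with no note on what triggers it; a one-line comment stating the cause keeps the audit log meaningful for the next reader. `net_admin` is the broadest capability granted in this set; a comment that it is needed for tunnel interface and route setup (presumably the reason) would make the intent explicit.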
4 changes: 2 additions & 2 deletions common.yaml
Expand Up @@ -8,7 +8,7 @@ container-cmd:

include:
# Packages common to all variants
- common-packages.yaml
# - common-packages.yaml
# See: https://gitlab.com/fedora/ostree/sig/-/issues/1
- bootupd.yaml
# Dracut configuration for the initramfs
Expand Down Expand Up @@ -164,4 +164,4 @@ postprocess:
# Fix triggerin for samba-client in cups package (not supported by rpm-ostree yet)
# https://github.com/fedora-silverblue/issue-tracker/issues/532
ln -snf /usr/libexec/samba/cups_backend_smb /usr/lib/cups/backend/smb
# ln -snf /usr/libexec/samba/cups_backend_smb /usr/lib/cups/backend/smb
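Review bot: Both hunks disable something by commenting it out — `# - common-packages.yaml` in the include list and `# ln -snf /usr/libexec/samba/cups_backend_smb /usr/lib/cups/backend/smb` in postprocess — without saying why or whether it is temporary, so a reader of the f41 variant cannot tell if the common package set was dropped deliberately. Add the reason beside each, e.g. `# - common-packages.yaml  # disabled for the f41 container build: TODO reason or issue link`. If the cups fix is no longer needed on f41, deleting the line is clearer than keeping a commented copy. The enclosing `include:` and `postprocess:` sections continue outside both hunks.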
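--- /dev/null
+++ b/etc/containers/containers.conf
@@ -0,0 +1,4 @@
+[containers]
+userns = "auto"
+
+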
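Review bot: `userns = "auto"` is a good default, but it only works when the host has subordinate ID ranges allocated to the `containers` user in /etc/subuid and /etc/subgid; nothing in this commit adds them, so container creation may fail on a fresh image — a comment would flag the dependency: `# auto user namespaces need a "containers" range in /etc/subuid and /etc/subgid`. It also changes how the home-directory bind mounts granted in the cil blocks appear inside the container (files owned by the mapped range), which may need the `:U` volume option or idmapped mounts. The two trailing blank lines can be dropped.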
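--- /dev/null
+++ b/etc/containers/networks/podman.json
@@ -0,0 +1,23 @@
+{
+"name": "podman",
+"id": "2f259bab93aaaaa2542ba43ef33eb990d0999ee1b9924b557b7be53c0b7a1bb9",
+"driver": "bridge",
+"network_interface": "podman0",
+"created": "2022-08-27T13:25:16.808341191+08:00",
+"subnets": [
+{
+"subnet": "10.88.0.0/16",
+"gateway": "10.88.0.1"
+},
+{
+"subnet": "fccc::/64",
+"gateway": "fccc::1"
+}
+],
+"ipv6_enabled": true,
+"internal": false,
+"dns_enabled": true,
+"ipam_options": {
+"driver": "host-local"
+}
+}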
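Review bot: `"subnet": "fccc::/64"` falls in fc00::/8, the half of the RFC 4193 unique-local range whose allocation is still undefined (L bit 0); locally assigned prefixes belong in fd00::/8 with a randomly generated 40-bit global ID, e.g. `"subnet": "fdxx:xxxx:xxxx::/64"` (placeholder — generate the ID rather than picking a memorable one). The file also freezes one `id` and `created` timestamp into every host built from this image; that is harmless for a bridge network, but since JSON carries no comments the intent is best noted in the repo README.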