Initial commit

Dockerfile

@@ -0,0 +1,25 @@
+FROM busybox
+MAINTAINER Julian Ospald <hasufell@posteo.de>
+
+# copy hooks
+COPY ./config/paludis /etc/paludis-new
+
+# This one should be present by running the build.sh script
+COPY bootstrap.sh /
+
+# one step, to make the layer as thin as possible
+# bootstrap.h calls build.sh
+RUN /bootstrap.sh amd64 x86_64
+
+COPY build.sh /
+
+RUN /build.sh
+
+# update etc files... hope this doesn't screw up
+RUN eclectic config accept-all
+
+# don't allow regular sync, because we want to make sure
+# all images deriving from this one have the same state
+RUN sed -i -e 's|^sync|#sync|' /etc/paludis/repositories/*.conf
+
+

README.md

@@ -0,0 +1,59 @@
+## Usage
+
+This image is optimized for size, as such, stuff in the following
+directories is removed:
+```
+/srv/binhost/
+/usr/include/
+/usr/lib64/debug/
+/usr/portage/
+/usr/share/applications/
+/usr/share/doc/
+/usr/share/gtk-doc/
+/usr/share/info/
+/usr/share/man/
+/usr/share/mime/
+/var/cache/paludis/metadata/
+/var/cache/paludis/names/
+/var/tmp/paludis/
+```
+
+When installing something, the hook in `ebuild_preinst_pre/cleanup_files.bash`
+will remove files from the following directories from the package before
+it is merged:
+```
+/usr/include/
+/usr/lib64/debug/
+/usr/share/applications/
+/usr/share/doc/
+/usr/share/gtk-doc/
+/usr/share/info/
+/usr/share/man/
+/usr/share/mime/
+```
+
+When creating a derived image, you have to do the following before
+you can attempt package installation, since the checked out files
+of the main gentoo repositories are removed, while the git repository
+data is still intact:
+```sh
+git -C /usr/portage checkout -- .
+cave sync gentoo
+```
+
+A complete Dockerfile command to install something could look like this:
+```
+RUN chgrp paludisbuild /dev/tty && \
+	git -C /usr/portage checkout -- . && \
+	env-update && \
+	source /etc/profile && \
+	cave sync && \
+	cave resolve <the-package-I-want> -x && \
+	rm -rf /var/cache/paludis/names/* /var/cache/paludis/metadata/* \
+		/var/tmp/paludis/* /usr/portage/* /srv/binhost/*
+```
+
+A few things to note are also:
+* non-binary packages are not allowed, since /usr/include/ files are removed and compilation would probably fail hard (a complete rebuild via `cave resolve -e world -x` would be necessary after removing the `ebuild_preinst_pre/cleanup_files.bash` hook)
+* the same goes for Dockerfiles that do local compilations, they will have to run `cave resolve -e world -x` in order to restore all development files
+* a regular sync does not update the actual repositories, so we have a defined state (files in `/etc/paludis/repositories/*.conf` can be modified to allow that though)

bootstrap.sh

@@ -0,0 +1,55 @@
+#!/bin/sh
+
+set -e
+
+# First param is package tarball, 2nd is the *.DIGEST file
+VerifyShaOfStage3()
+{
+	test_sum=$(awk -v myvar="$1" '$2==myvar {for(i=1; i<=1; i++) { print $1; exit}}' $2)
+	calculated_sum=$(sha1sum $1 | awk '{print $1}' -)
+	if [[ "$test_sum" == "$calculated_sum" ]]; then
+		return 0
+	else
+		return 1
+	fi
+}
+
+suffix=$3 # e.g. -hardened
+arch=$1
+dist="http://dev.exherbo.org/stages/"
+stage3="exherbo-amd64-current.tar.xz"
+
+# Create working directory, keep a copy of busybox handy
+mkdir newWorldOrder; cd newWorldOrder
+cp /bin/busybox .
+
+echo "Downloading and extracting ${stage3}..."
+wget -c "${dist}/${stage3}" "${dist}/sha1sum"
+if VerifyShaOfStage3 $stage3 "sha1sum"; then
+	echo "DIGEST sum is okey";
+else
+	echo "DIGEST sum is NOT okey";
+	return 1;
+fi
+xz -d ${stage3}
+tar --exclude "./etc/hosts" --exclude "./etc/hostname" --exclude "./sys/*" -xf ${stage3%.*}
+/newWorldOrder/busybox rm -f ${stage3%.*}
+
+echo "Installing stage 3"
+/newWorldOrder/busybox rm -rf /lib* /usr /var /bin /sbin /opt /mnt /media /root /home /run /tmp
+/newWorldOrder/busybox cp -fRap lib* /
+/newWorldOrder/busybox cp -fRap bin boot home media mnt opt root run sbin tmp usr var /
+/newWorldOrder/busybox cp -fRap etc/* /etc/
+/newWorldOrder/busybox cp -fRap /etc/paludis-new/* /etc/paludis/
+/newWorldOrder/busybox rm -rf /etc/paludis-new
+
+# Cleaning
+cd /
+/newWorldOrder/busybox rm -rf /newWorldOrder /bootstrap.sh /linuxrc
+
+# Say hello
+echo "Bootstrapped ${stage3} into /:"
+ls --color -lah
+
+# exec /bin/bash -c /build.sh
+

build.sh

@@ -0,0 +1,37 @@
+#!/bin/bash
+
+set -e
+
+source /etc/profile
+eclectic env update
+
+# set timezone
+ln -s /usr/share/zoneinfo/Europe/Berlin /etc/localtime
+
+# set locale
+export LANG=en_US.utf8
+export LANGUAGE=en_US:en
+export LC_ALL=en_US.utf8
+cat << EOF > /etc/locale.gen
+en_US ISO-8859-1
+en_US.UTF-8 UTF-8
+EOF
+localedef -i en_US -f ISO-8859-1 en_US
+localedef -i en_US -f UTF-8 en_US.utf8
+echo LANG="en_US.UTF-8" > /etc/env.d/99locale
+
+# update
+sed -i -e 's#^SCM_REPOSITORY=.*$#SCM_REPOSITORY="https://galileo.mailstation.de/gerrit/paludis"#' \
+	/var/db/paludis/repositories/arbor/packages/sys-apps/paludis/paludis-scm.exheres-0
+chgrp paludisbuild /dev/tty
+cave sync
+cave resolve -z -1 dev-libs/libressl sys-apps/paludis -U dev-libs/openssl -D dev-libs/openssl -f -x
+cave resolve -z \!dev-libs/openssl -u '*/*' -x
+cave resolve -z -1 dev-libs/libressl -x
+cave resolve -z -1 net-misc/wget net-misc/curl -x
+cave fix-linkage -x -- --without sys-apps/paludis
+cave resolve -z \!sys-apps/systemd -u '*/*' -x
+cave resolve -c world -x
+cave purge -x
+cave fix-linkage -x
+

config/paludis/bashrc

@@ -0,0 +1,10 @@
+CHOST="x86_64-pc-linux-gnu"
+x86_64_pc_linux_gnu_CFLAGS="-march=native -pipe -O2"
+x86_64_pc_linux_gnu_CXXFLAGS="-march=native -pipe -O2"
+x86_64_pc_linux_gnu_LDFLAGS="-Wl,-O1 -Wl,--as-needed -Wl,--hash-style=gnu"
+i686_pc_linux_gnu_CFLAGS="-march=native -pipe -O2"
+i686_pc_linux_gnu_CXXFLAGS="-march=native -pipe -O2"
+i686_pc_linux_gnu_LDFLAGS="-Wl,-O1 -Wl,--as-needed -Wl,--hash-style=gnu"
+
+[[ -e /etc/paludis/hooks/setup_pkg_env.bash ]] && . /etc/paludis/hooks/setup_pkg_env.bash
+

config/paludis/env.conf.d/O3.conf

@@ -0,0 +1,6 @@
+add-options CFLAGS -O3
+add-options x86_64_pc_linux_gnu_CFLAGS -O3
+add-options i686_pc_linux_gnu_CFLAGS -O3
+add-options CXXFLAGS -O3
+add-options x86_64_pc_linux_gnu_CXXFLAGS -O3
+add-options i686_pc_linux_gnu_CXXFLAGS -O3

config/paludis/env.conf.d/clang-lto.conf

@@ -0,0 +1,14 @@
+CC='clang'
+CXX='clang++'
+CFLAGS="${CFLAGS} -O3 -flto"
+x86_64_pc_linux_gnu_CFLAGS="${x86_64_pc_linux_gnu_CFLAGS} -O3 -flto"
+i686_pc_linux_gnu_CFLAGS="${i686_pc_linux_gnu_CFLAGS} -O3 -flto"
+CXXFLAGS="${CXXFLAGS} -O3 -flto"
+x86_64_pc_linux_gnu_CXXFLAGS="${x86_64_pc_linux_gnu_CXXFLAGS} -O3 -flto"
+i686_pc_linux_gnu_CXXFLAGS="${i686_pc_linux_gnu_CXXFLAGS} -O3 -flto"
+LDFLAGS="${LDFLAGS} -O3 -flto -Wl,-plugin,/usr/lib64/LLVMgold.so"
+x86_64_pc_linux_gnu_LDFLAGS="${x86_64_pc_linux_gnu_LDFLAGS} -O3 -flto -Wl,-plugin,/usr/lib64/LLVMgold.so"
+i686_pc_linux_gnu_LDFLAGS="${i686_pc_linux_gnu_LDFLAGS} -O3 -flto -Wl,-plugin,/usr/lib64/LLVMgold.so"
+AR='/usr/local/bin/clang-ar'
+RANLIB=':'
+NM='nm --plugin /usr/lib64/LLVMgold.so'

config/paludis/env.conf.d/debug.conf

@@ -0,0 +1,6 @@
+add-options CFLAGS -Wall -g
+add-options x86_64_pc_linux_gnu_CFLAGS -Wall -g
+add-options i686_pc_linux_gnu_CFLAGS -Wall -g
+add-options CXXFLAGS -Wall -g
+add-options x86_64_pc_linux_gnu_CXXFLAGS -Wall -g
+add-options i686_pc_linux_gnu_CXXFLAGS -Wall -g

config/paludis/env.conf.d/fpermissive.conf

@@ -0,0 +1,6 @@
+add-options CFLAGS -fpermissive
+add-options x86_64_pc_linux_gnu_CFLAGS -fpermissive
+add-options i686_pc_linux_gnu_CFLAGS -fpermissive
+add-options CXXFLAGS -fpermissive
+add-options x86_64_pc_linux_gnu_CXXFLAGS -fpermissive
+add-options i686_pc_linux_gnu_CXXFLAGS -fpermissive

config/paludis/env.conf.d/full-debug.conf

@@ -0,0 +1,6 @@
+add-options CFLAGS -Wall -g -O0
+add-options x86_64_pc_linux_gnu_CFLAGS -Wall -g -O0
+add-options i686_pc_linux_gnu_CFLAGS -Wall -g -O0
+add-options CXXFLAGS -Wall -g -O0
+add-options x86_64_pc_linux_gnu_CXXFLAGS -Wall -g -O0
+add-options i686_pc_linux_gnu_CXXFLAGS -Wall -g -O0

config/paludis/env.conf.d/gcc.conf

@@ -0,0 +1,9 @@
+CC=x86_64-pc-linux-gnu-gcc
+CXX=x86_64-pc-linux-gnu-g++
+
+remove-options CFLAGS -Qunused-arguments -fcolor-diagnostics
+remove-options x86_64_pc_linux_gnu_CFLAGS -Qunused-arguments -fcolor-diagnostics
+remove-options i686_pc_linux_gnu_CFLAGS -Qunused-arguments -fcolor-diagnostics
+remove-options CXXFLAGS -Qunused-arguments -fcolor-diagnostics
+remove-options x86_64_pc_linux_gnu_CXXFLAGS -Qunused-arguments -fcolor-diagnostics
+remove-options i686_pc_linux_gnu_CXXFLAGS -Qunused-arguments -fcolor-diagnostics

config/paludis/env.conf.d/no-O3.conf

@@ -0,0 +1,6 @@
+remove-options CFLAGS -O3
+remove-options x86_64_pc_linux_gnu_CFLAGS -O3
+remove-options i686_pc_linux_gnu_CFLAGS -O3
+remove-options CXXFLAGS -O3
+remove-options x86_64_pc_linux_gnu_CXXFLAGS -O3
+remove-options i686_pc_linux_gnu_CXXFLAGS -O3

config/paludis/env.conf.d/no-as-needed.conf

@@ -0,0 +1,3 @@
+remove-options LDFLAGS -Wl,--as-needed
+remove-options x86_64_pc_linux_gnu_LDFLAGS -Wl,--as-needed
+remove-options i686_pc_linux_gnu_LDFLAGS -Wl,--as-needed

config/paludis/env.conf.d/no-debug.conf

@@ -0,0 +1,6 @@
+add-options CFLAGS -g0
+add-options x86_64_pc_linux_gnu_CFLAGS -g0
+add-options i686_pc_linux_gnu_CFLAGS -g0
+add-options CXXFLAGS -g0
+add-options x86_64_pc_linux_gnu_CXXFLAGS -g0
+add-options i686_pc_linux_gnu_CXXFLAGS -g0

config/paludis/env.conf.d/no-ninja.conf

@@ -0,0 +1 @@
+CMAKE_MAKEFILE_GENERATOR="emake"

config/paludis/env.conf.d/no-parallel-build.conf

@@ -0,0 +1 @@
+MAKEOPTS="-j1"

config/paludis/options.conf

@@ -0,0 +1,27 @@
+# system, general, other
+*/* -X -cups -gtk -gnutls -acpi -bash-completion
+
+# linguas
+*/* LINGUAS: en
+
+# build options
+*/* build_options: symbols=strip work=remove jobs=8 -optional_tests -recommended_tests -expensive_tests
+
+# targets
+*/* targets: -* x86_64-pc-linux-gnu
+
+# SSL
+*/* providers: -gnutls -openssl libressl
+dev-libs/glib-networking providers: gnutls
+
+# jpeg
+*/* providers: -ijg-jpeg jpeg-turbo
+
+# no systemd
+*/* providers: -systemd eudev rsyslog
+*/* -systemd
+*/* providers: -runit -sinit sysvinit
+
+# paludis
+sys-apps/paludis pbin search-index
+

config/paludis/output.conf

@@ -0,0 +1,4 @@
+# always_keep_output_logs may be set to 'true' to always keep output logs, even
+# if a build succeeds.
+always_keep_output_logs = false
+