feat(imagebuilder): run podman as rootless

Author: duanhongyi

rootfs/Dockerfile

@@ -1,16 +1,26 @@
 FROM docker.io/drycc/base:bullseye
 
+RUN adduser --system \
+  --shell /bin/bash \
+  --disabled-password \
+  --home /workspace \
+  --group drycc
+
 ADD . /
-ENV PODMAN_VERSION="4.0.1" \
+ENV PODMAN_VERSION="4.0.2" \
   MC_VERSION="2022.02.26.03.58.31" \
   CADDY_VERSION="2.4.6" \
-  PACK_VERSION="0.24.0"
+  PACK_VERSION="0.24.0" \
+  GOSU_VERSION="1.14"
 
 RUN install-packages procps psmisc \
   && install-stack podman $PODMAN_VERSION \
   && install-stack mc $MC_VERSION \
   && install-stack caddy $CADDY_VERSION \
   && install-stack pack $PACK_VERSION \
+  && install-stack gosu $GOSU_VERSION \
+  && usermod --add-subuids 200000-201000 --add-subgids 200000-201000 drycc \
+  && chown -R drycc:drycc /opt/drycc/podman \
   && rm -rf \
       /usr/share/doc \
       /usr/share/man \
@@ -31,5 +41,5 @@ ENV HOME /tmp
 ENV XDG_DATA_HOME /tmp
 ENV XDG_CONFIG_HOME /tmp/.config
 
-ENTRYPOINT ["init-stack", "/imagebuilder/build"]
+ENTRYPOINT ["init-stack", "/imagebuilder/prebuild", "/imagebuilder/build"]
 

rootfs/imagebuilder/build

@@ -41,7 +41,7 @@ fi
 
 registries="/etc/imagebuilder/registries.conf"
 if [ -f "${registries}" ]; then
-    cat "${registries}" > /etc/containers/registries.conf
+    cat "${registries}" > /opt/drycc/podman/etc/containers/registries.conf
 fi
 
 podman system service --time 0 tcp:0.0.0.0:${DOCKER_PORT} &

rootfs/imagebuilder/prebuild

@@ -0,0 +1,6 @@
+#!/usr/bin/env bash
+
+set -e
+
+mount --make-rshared /
+exec gosu drycc "$@"