docker: Switch to fedora and mkosi based binaries

Switch to fedora base image with systemd and reuse the binaries
generated for mkosi based builds.
The docker image is inspired from Kind node image

Signed-off-by: Pradipta Banerjee <pradipta.banerjee@gmail.com>

src/cloud-api-adaptor/docker/README.md

@@ -27,26 +27,21 @@ export CLOUD_PROVIDER=docker
 
 - Build the required pod VM binaries
 
+The same binaries built for the mkosi image is used for the podvm docker image
+
 ```bash
-cd src/cloud-api-adaptor/docker/image
-make
+cd src/cloud-api-adaptor/podvm-mkosi
+make container
 ```
 
 This will build the required binaries inside a container and place
-it under `resources/binaries-tree`
-
-- Build the pod VM image
-
-```bash
-make image
-cd ../../
-```
+it under `resources/binaries-tree` and also build the pod VM container image
 
-This will build the podvm docker image. By default the image is named `quay.io/confidential-containers/podvm-docker-image`.
+By default the image is named `quay.io/confidential-containers/podvm-docker-image`.
 
 For quick changes you can just build the binaries of podvm components and
 update `./resources/binaries-tree/usr/local/bin` with the new components and
-run `make image` to build a new podvm image.
+run `make image-container` to build a new podvm container image.
 
 You can download a ready-to-use image on your worker node.
 
@@ -252,4 +247,4 @@ or
 
 ```sh
 docker exec -it peer-pods-worker bash
-```
+```

src/cloud-api-adaptor/podvm-mkosi/Dockerfile.podvm

@@ -0,0 +1,44 @@
+# Adapted from https://github.com/kubernetes-sigs/kind/blob/main/images/base/Dockerfile
+
+ARG BASE_IMAGE=registry.fedoraproject.org/fedora:39
+FROM $BASE_IMAGE AS base
+
+RUN echo "Installing Packages ..." \
+    && dnf install -y \
+      systemd \
+      conntrack iptables nftables iproute ethtool util-linux kmod \
+      libseccomp pigz fuse-overlayfs \
+      nfs-utils which systemd-pam \
+      bash ca-certificates curl jq procps \
+    && find /lib/systemd/system/sysinit.target.wants/ -name "systemd-tmpfiles-setup.service" -delete \
+    && rm -f /lib/systemd/system/multi-user.target.wants/* \
+    && rm -f /etc/systemd/system/*.wants/* \
+    && rm -f /lib/systemd/system/local-fs.target.wants/* \
+    && rm -f /lib/systemd/system/sockets.target.wants/*udev* \
+    && rm -f /lib/systemd/system/sockets.target.wants/*initctl* \
+    && rm -f /lib/systemd/system/basic.target.wants/* \
+    && echo "ReadKMsg=no" >> /etc/systemd/journald.conf
+
+RUN echo "Enabling / Disabling services ... " \
+    && systemctl mask systemd-binfmt.service \
+    && systemctl enable systemd-logind dbus.socket
+
+
+# Add podvm resources
+COPY ./resources/binaries-tree/etc/ /etc/
+COPY ./resources/binaries-tree/usr/ /usr/
+COPY ./resources/binaries-tree/pause_bundle/ /pause_bundle/
+
+RUN curl -LO https://raw.githubusercontent.com/confidential-containers/cloud-api-adaptor/main/src/cloud-api-adaptor/podvm/qcow2/misc-settings.sh
+
+RUN PODVM_DISTRO=ubuntu CLOUD_PROVIDER=generic DISABLE_CLOUD_CONFIG=true bash ./misc-settings.sh
+
+COPY --chmod=0755 entrypoint.sh  /usr/local/bin/
+
+# https://systemd.io/CONTAINER_INTERFACE/
+ENV container=docker
+
+# systemd exits on SIGRTMIN+3, not SIGTERM (which re-executes it)
+# https://bugzilla.redhat.com/show_bug.cgi?id=1201657
+STOPSIGNAL SIGRTMIN+3
+ENTRYPOINT [ "/usr/local/bin/entrypoint.sh", "/sbin/init" ]

src/cloud-api-adaptor/podvm-mkosi/Makefile

@@ -9,6 +9,7 @@ REGISTRY ?= quay.io/confidential-containers
 PODVM_DISTRO ?= fedora
 PODVM_TAG ?= $(VERSIONS_HASH)
 PODVM_NAME ?= $(REGISTRY)/podvm-generic-$(PODVM_DISTRO)-$(ARCH)
+PODVM_CONTAINER_NAME ?= $(REGISTRY)/podvm-docker-image
 
 .DEFAULT_GOAL := all
 .PHONY: all
@@ -17,6 +18,9 @@ all: fedora-binaries-builder binaries image
 .PHONY: debug
 debug: fedora-binaries-builder binaries image-debug
 
+.PHONY: container
+container: fedora-binaries-builder binaries image-container
+
 PHONY: fedora-binaries-builder
 fedora-binaries-builder:
 	@echo "Building $(BUILDER) image..."
@@ -85,6 +89,15 @@ else
 	nix develop ..#podvm-mkosi --command mkosi --environment=VARIANT_ID=debug
 endif
 
+PHONY: image-container
+image-container:
+	@echo "Building podvm container image..."
+	docker buildx build \
+		-t $(PODVM_CONTAINER_NAME):$(PODVM_TAG) \
+		-t $(PODVM_CONTAINER_NAME):latest \
+		-f Dockerfile.podvm .
+
+
 PHONY: push-image
 push-image:
 	@echo "Push podvm image to remote repository..."
@@ -96,6 +109,12 @@ ifeq ($(ARCH),s390x)
 		-f ../podvm/Dockerfile.podvm.fedora .
 endif
 
+PHONY: push-image-container
+push-image-container:
+	@echo "Push podvm container image to remote repository..."
+	docker push $(PODVM_CONTAINER_NAME):$(PODVM_TAG)
+	docker push $(PODVM_CONTAINER_NAME):latest
+
 PHONY: clean
 clean:
 	rm -rf resources/buildDebugImage

src/cloud-api-adaptor/podvm-mkosi/entrypoint.sh

@@ -0,0 +1,39 @@
+#!/bin/bash
+
+# Adapted from https://github.com/kubernetes-sigs/kind/blob/main/images/base/files/usr/local/bin/entrypoint
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+
+set_machine_id() {
+  # Deletes the machine-id embedded in the podvm image and generates a new one.
+  echo "clearing and regenerating /etc/machine-id"
+  rm -f /etc/machine-id
+  systemd-machine-id-setup
+}
+
+
+set_product_uuid() {
+  # The system UUID is usually read from DMI via sysfs, Fake it so that 
+  # each podvm(container) have a different uuid
+  mkdir -p /podvm
+  [[ ! -f /podvm/product_uuid ]] && cat /proc/sys/kernel/random/uuid > /podvm/product_uuid
+  if [[ -f /sys/class/dmi/id/product_uuid ]]; then
+    echo  "faking /sys/class/dmi/id/product_uuid to be random"
+    mount -o ro,bind /podvm/product_uuid /sys/class/dmi/id/product_uuid
+  fi
+  if [[ -f /sys/devices/virtual/dmi/id/product_uuid ]]; then
+    echo "faking /sys/devices/virtual/dmi/id/product_uuid as well"
+    mount -o ro,bind /podvm/product_uuid /sys/devices/virtual/dmi/id/product_uuid
+  fi
+}
+
+
+set_machine_id
+set_product_uuid
+
+# we want systemd to be PID1, so exec to it
+echo "starting init"
+exec "$@"