feat: distroless image

Dockerfile

@@ -7,7 +7,7 @@ ARG APT_UPDATE_SNAPSHOT=${NOBLE_DATE}T030400Z
 
 ################################################################################
 # cross base stage
-FROM ubuntu:noble-${NOBLE_DATE} AS base-build-stage
+FROM --platform=$BUILDPLATFORM ubuntu:noble-${NOBLE_DATE} AS base-build-stage
 
 ARG APT_UPDATE_SNAPSHOT
 ARG DEBIAN_FRONTEND=noninteractive
@@ -20,7 +20,7 @@ EOF
 
 ################################################################################
 # riscv64 base stage
-FROM --platform=linux/riscv64 ubuntu:noble-${NOBLE_DATE} AS base-target-stage
+FROM --platform=$TARGETPLATFORM ubuntu:noble-${NOBLE_DATE} AS base-target-stage
 
 ARG APT_UPDATE_SNAPSHOT
 ARG DEBIAN_FRONTEND=noninteractive
@@ -31,6 +31,7 @@ apt install -y --no-install-recommends ca-certificates
 apt update --snapshot=${APT_UPDATE_SNAPSHOT}
 EOF
 
+
 ################################################################################
 # cross build stage
 FROM base-build-stage AS build-stage
@@ -110,43 +111,64 @@ make LDFLAGS=-static
 EOF
 
 ################################################################################
-# runtime stage: produces final image that will be executed
-FROM base-target-stage
+# generate chiselled rootfs
+FROM base-build-stage AS chiselled-rootfs
+WORKDIR /rootfs
 
-LABEL io.cartesi.sdk_version=0.9.0
-LABEL io.cartesi.rollups.ram_size=128Mi
-LABEL io.cartesi.rollups.data_size=128Mb
+ARG MACHINE_EMULATOR_TOOLS_VERSION=0.14.1
+ADD https://github.com/cartesi/machine-emulator-tools/releases/download/v${MACHINE_EMULATOR_TOOLS_VERSION}/machine-emulator-tools-v${MACHINE_EMULATOR_TOOLS_VERSION}.deb /
+RUN dpkg -x /machine-emulator-tools-v${MACHINE_EMULATOR_TOOLS_VERSION}.deb /rootfs
+
+# Get chisel binary
+ARG CHISEL_VERSION=0.10.0
+ADD "https://github.com/canonical/chisel/releases/download/v${CHISEL_VERSION}/chisel_v${CHISEL_VERSION}_linux_riscv64.tar.gz" chisel.tar.gz
+RUN tar -xvf chisel.tar.gz -C /usr/bin/
+
+ADD "https://github.com/cartesi/chisel-releases.git#24.04/bug-buster-dependencies" /chisel-24.04
+RUN chisel cut \
+    --release /chisel-24.04 \
+    --root /rootfs \
+    --arch=riscv64 \
+    # base rootfs dependencies
+    base-files_base \
+    base-files_release-info \
+    base-passwd_data \
+    # machine-emulator-tools dependencies
+    libgcc-s1_libs \
+    busybox-static_bins \
+    # bug-buster
+    libasan6_libs \
+    libasan8_libs \
+    xz-utils_bins
 
-ARG DEBIAN_FRONTEND=noninteractive
 RUN <<EOF
-set -eu
-apt-get install -y --no-install-recommends \
-    busybox-static \
-    libasan6 \
-    libasan8 \
-    xz-utils
-rm -rf /var/lib/apt/lists/*
+set -e
+mkdir -p /rootfs/proc
+mkdir -p /rootfs/sys
+mkdir -p /rootfs/dev
+ln -s /usr/bin/busybox bin/sh
+sed -i '/^root/s/bash/sh/g' etc/passwd
 EOF
 
-# install machine-emulator-tools
-ARG MACHINE_EMULATOR_TOOLS_VERSION=0.14.1
-ADD https://github.com/cartesi/machine-emulator-tools/releases/download/v${MACHINE_EMULATOR_TOOLS_VERSION}/machine-emulator-tools-v${MACHINE_EMULATOR_TOOLS_VERSION}.deb /tmp
-RUN dpkg -i /tmp/machine-emulator-tools-v${MACHINE_EMULATOR_TOOLS_VERSION}.deb \
-  && rm /tmp/machine-emulator-tools-v${MACHINE_EMULATOR_TOOLS_VERSION}.deb
+################################################################################
+# runtime stage: produces final image that will be executed
+FROM scratch
+
+LABEL io.cartesi.sdk_version=0.9.0
+LABEL io.cartesi.rollups.ram_size=128Mi
+LABEL io.cartesi.rollups.data_size=128Mb
 
 COPY --from=riscv64-build-stage /opt/build/bubblewrap/bwrap /usr/bin/bwrap
 COPY --from=riscv64-build-stage /opt/build/bwrapbox/bwrapbox /usr/bin/bwrapbox
 COPY --from=riscv64-build-stage /opt/build/bwrapbox/seccomp-filter.bpf /usr/lib/bwrapbox/seccomp-filter.bpf
 
-RUN useradd --home-dir /bounty bounty
-RUN mkdir -p /bounties /bounties/examples /bounty
-RUN chown bounty:bounty /bounty
-
 ENV PATH="/opt/cartesi/bin:${PATH}"
 
 WORKDIR /opt/cartesi/dapp
+COPY --from=chiselled-rootfs /rootfs /
 COPY --from=build-stage /opt/build/dapp .
 COPY --chmod=755 skel/cartesi-init /usr/sbin/cartesi-init
+COPY --chmod=755 skel/bounty-home /usr/sbin/cartesi-init.d/bounty-home
 COPY --chmod=755 skel/bounty-run /usr/bin/bounty-run
 COPY --chmod=644 tests/bounties/**/*-bounty_riscv64.tar.xz /bounties/examples
 

skel/bounty-home

@@ -0,0 +1,5 @@
+#!/bin/busybox sh
+
+busybox adduser -h /bounty bounty
+busybox mkdir -p /bounties /bounties/examples /bounty
+busybox chown bounty:bounty /bounty

skel/cartesi-init

@@ -29,6 +29,9 @@ if busybox grep -Fq cgroup2 /proc/filesystems; then
     echo "+cpu +pids +memory" > /sys/fs/cgroup/cgroup.subtree_control
 fi
 
+# execute scripts in cartesi-init.d
+[ -d /etc/cartesi-init.d ] && for f in /etc/cartesi-init.d/*; do [ -x $f ] && . $f; done
+
 # execute init from device tree when available
 [ -f /proc/device-tree/cartesi-machine/init ] && . /proc/device-tree/cartesi-machine/init