diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml index cdf6184..ac9355f 100644 --- a/.github/workflows/docker.yml +++ b/.github/workflows/docker.yml @@ -25,6 +25,6 @@ jobs: images: |- ghcr.io/${{ github.repository }}${{ matrix.args.image-suffix }} # yamllint disable rule:line-length - dockle-accept-key: APPLICATION,APPLICATION_PERMISSIONS,APPLICATION_USER_ID,curl,HOME,libcrypto3,libssl3,PATH,PROJECT_KEY + dockle-accept-key: ca-certificates,curl,fdisk,qemu-system-arm,qemu-utils,unzip,xz-utils,RPI_KERNEL,RPI_KERNEL_CHECKSUM,RPI_KERNEL_URL,RPI_KERNEL_ZIP # yamllint enable rule:line-length token: ${{ secrets.GITHUB_TOKEN }} diff --git a/.grype.yaml b/.grype.yaml new file mode 100644 index 0000000..8537e6f --- /dev/null +++ b/.grype.yaml @@ -0,0 +1,58 @@ +--- +ignore: + - vulnerability: CVE-2022-3872 + package: + name: qemu-system-arm + version: go1.24.4 + - vulnerability: CVE-2025-47907 + package: + name: stdlib + version: go1.24.5 + - vulnerability: CVE-2022-3872 + package: + name: qemu-system-arm + version: 1:10.0.2+ds-2+b1 + - vulnerability: CVE-2022-3872 + package: + name: qemu-system-common + version: 1:10.0.2+ds-2+b1 + - vulnerability: CVE-2022-3872 + package: + name: qemu-system-data + version: 1:10.0.2+ds-2 + - vulnerability: CVE-2022-3872 + package: + name: qemu-utils + version: 1:10.0.2+ds-2+b1 + - vulnerability: CVE-2024-6519 + package: + name: qemu-system-arm + version: 1:10.0.2+ds-2+b1 + - vulnerability: CVE-2024-6519 + package: + name: qemu-system-common + version: 1:10.0.2+ds-2+b1 + - vulnerability: CVE-2024-6519 + package: + name: qemu-system-data + version: 1:10.0.2+ds-2 + - vulnerability: CVE-2024-6519 + package: + name: qemu-utils + version: 1:10.0.2+ds-2+b1 + - vulnerability: CVE-2023-1386 + package: + name: qemu-system-arm + version: 1:10.0.2+ds-2+b1 + - vulnerability: CVE-2023-1386 + package: + name: qemu-system-common + version: 1:10.0.2+ds-2+b1 + - vulnerability: CVE-2023-1386 + package: + name: qemu-system-data + version: 1:10.0.2+ds-2 + - vulnerability: CVE-2023-1386 + package: + name: qemu-utils + version: 1:10.0.2+ds-2+b1 diff --git a/.trivyignore b/.trivyignore new file mode 100644 index 0000000..bd7ea83 --- /dev/null +++ b/.trivyignore @@ -0,0 +1,4 @@ +CVE-2022-3872 exp:2025-09-14 +CVE-2023-1386 exp:2025-09-14 +CVE-2024-6519 exp:2025-09-14 +CVE-2025-47907 exp:2025-09-14 diff --git a/Dockerfile b/Dockerfile index 78bedbc..41a8238 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,42 +1,56 @@ FROM debian:stable-20250811-slim AS fatcat-builder ARG FATCAT_ARCHIVE_URL="https://github.com/Gregwar/fatcat/archive" ARG FATCAT_VERSION=v1.1.0 -ARG FATCAT_CHECKSUM="sha256:303efe2aa73cbfe6fbc5d8af346d0f2c70b3f996fc891e8859213a58b95ad88c" +ARG FATCAT_CHECKSUM="303efe2aa73cbfe6fbc5d8af346d0f2c70b3f996fc891e8859213a58b95ad88c" ENV FATCAT_TARBALL="${FATCAT_VERSION}.tar.gz" WORKDIR /fatcat RUN apt-get update && \ - apt-get -y install \ - build-essential \ - cmake \ - wget \ - xz-utils \ - zlib1g-dev -ADD --checksum=${FATCAT_CHECKSUM} ${FATCAT_ARCHIVE_URL}/${FATCAT_TARBALL} . -RUN tar xvf "${FATCAT_TARBALL}" && \ + apt-get -y install --no-install-recommends \ + build-essential=12* \ + ca-certificates=2025* \ + cmake=3* \ + curl=8* \ + xz-utils=5* \ + zlib1g-dev=1* +SHELL ["/bin/bash", "-o", "pipefail", "-c"] +RUN curl -L "${FATCAT_ARCHIVE_URL}/${FATCAT_TARBALL}" -o "${FATCAT_TARBALL}" && \ + echo "${FATCAT_CHECKSUM} ${FATCAT_TARBALL}" | sha256sum -c - && \ + tar xvf "${FATCAT_TARBALL}" && \ cmake fatcat-* -DCMAKE_CXX_FLAGS='-static' && \ - make -j$(nproc) + make -j"$(nproc)" FROM debian:stable-20250811-slim AS dockerpi-vm +ARG RPI_KERNEL_CHECKSUM="295a22f1cd49ab51b9e7192103ee7c917624b063cc5ca2e11434164638aad5f4" ARG RPI_KERNEL_URL="https://github.com/dhruvvyas90/qemu-rpi-kernel/archive/afe411f2c9b04730bcc6b2168cdc9adca224227c.zip" -ARG RPI_KERNEL_CHECKSUM="sha256:295a22f1cd49ab51b9e7192103ee7c917624b063cc5ca2e11434164638aad5f4" ENV RPI_KERNEL="qemu-rpi-kernel" ENV RPI_KERNEL_ZIP="${RPI_KERNEL}.zip" VOLUME /sdcard COPY --from=fatcat-builder /fatcat/fatcat /usr/local/bin/fatcat COPY ./entrypoint.sh /entrypoint.sh RUN apt-get update && \ - apt-get -y install \ - fdisk \ - qemu-system-aarch64 \ - qemu-system-arm \ - unzip \ - xz-utils && \ + apt-get -y install --no-install-recommends \ + ca-certificates=2025* \ + curl=8* \ + fdisk=2* \ + qemu-system-arm=1:10* \ + qemu-utils=1:10* \ + unzip=6* \ + xz-utils=5* && \ rm -rf /var/lib/apt/lists/* -ADD --checksum=${RPI_KERNEL_CHECKSUM} ${RPI_KERNEL_URL} ${RPI_KERNEL_ZIP} -RUN unzip ${RPI_KERNEL_ZIP} && \ +SHELL ["/bin/bash", "-o", "pipefail", "-c"] +RUN curl -L ${RPI_KERNEL_URL} -o ${RPI_KERNEL_ZIP} && \ + echo "${RPI_KERNEL_CHECKSUM} ${RPI_KERNEL_ZIP}" | sha256sum -c - && \ + unzip ${RPI_KERNEL_ZIP} && \ mkdir -p /root/${RPI_KERNEL} && \ mv ${RPI_KERNEL}-*/kernel-qemu-4.19.50-buster /root/${RPI_KERNEL}/ && \ mv ${RPI_KERNEL}-*/versatile-pb.dtb /root/${RPI_KERNEL}/ && \ rm -rf /tmp/* && \ rm ${RPI_KERNEL_ZIP} +RUN groupadd --system dockerpi && \ + useradd \ + --create-home \ + --gid root dockerpi \ + --home-dir /home/dockerpi \ + --system +USER dockerpi ENTRYPOINT ["bash", "./entrypoint.sh"] diff --git a/README.md b/README.md index c4fefcf..adff43c 100644 --- a/README.md +++ b/README.md @@ -19,7 +19,11 @@ virtual machine environment. ## Usage ```zsh -docker run -it -v ${PWD}/raspberry-pi.img:/sdcard/filesystem.img dockerpi +docker run \ + --user root \ + -it \ + -v ${PWD}/raspberry-pi.img:/sdcard/filesystem.img \ + ghcr.io/schubergphilis/dockerpi:v0.1.0 ``` By default all filesystem changes will be lost on shutdown. You can persist