Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion .github/workflows/docker.yml
Original file line number Diff line number Diff line change
Expand Up @@ -25,6 +25,6 @@ jobs:
images: |-
ghcr.io/${{ github.repository }}${{ matrix.args.image-suffix }}
# yamllint disable rule:line-length
dockle-accept-key: APPLICATION,APPLICATION_PERMISSIONS,APPLICATION_USER_ID,curl,HOME,libcrypto3,libssl3,PATH,PROJECT_KEY
dockle-accept-key: ca-certificates,curl,fdisk,qemu-system-arm,qemu-utils,unzip,xz-utils,RPI_KERNEL,RPI_KERNEL_CHECKSUM,RPI_KERNEL_URL,RPI_KERNEL_ZIP
# yamllint enable rule:line-length
token: ${{ secrets.GITHUB_TOKEN }}
58 changes: 58 additions & 0 deletions .grype.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,58 @@
---
ignore:
- vulnerability: CVE-2022-3872
package:
name: qemu-system-arm
version: go1.24.4
- vulnerability: CVE-2025-47907
package:
name: stdlib
version: go1.24.5
- vulnerability: CVE-2022-3872
package:
name: qemu-system-arm
version: 1:10.0.2+ds-2+b1
- vulnerability: CVE-2022-3872
package:
name: qemu-system-common
version: 1:10.0.2+ds-2+b1
- vulnerability: CVE-2022-3872
package:
name: qemu-system-data
version: 1:10.0.2+ds-2
- vulnerability: CVE-2022-3872
package:
name: qemu-utils
version: 1:10.0.2+ds-2+b1
- vulnerability: CVE-2024-6519
package:
name: qemu-system-arm
version: 1:10.0.2+ds-2+b1
- vulnerability: CVE-2024-6519
package:
name: qemu-system-common
version: 1:10.0.2+ds-2+b1
- vulnerability: CVE-2024-6519
package:
name: qemu-system-data
version: 1:10.0.2+ds-2
- vulnerability: CVE-2024-6519
package:
name: qemu-utils
version: 1:10.0.2+ds-2+b1
- vulnerability: CVE-2023-1386
package:
name: qemu-system-arm
version: 1:10.0.2+ds-2+b1
- vulnerability: CVE-2023-1386
package:
name: qemu-system-common
version: 1:10.0.2+ds-2+b1
- vulnerability: CVE-2023-1386
package:
name: qemu-system-data
version: 1:10.0.2+ds-2
- vulnerability: CVE-2023-1386
package:
name: qemu-utils
version: 1:10.0.2+ds-2+b1
4 changes: 4 additions & 0 deletions .trivyignore
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
CVE-2022-3872 exp:2025-09-14
CVE-2023-1386 exp:2025-09-14
CVE-2024-6519 exp:2025-09-14
CVE-2025-47907 exp:2025-09-14
52 changes: 33 additions & 19 deletions Dockerfile
Original file line number Diff line number Diff line change
@@ -1,42 +1,56 @@
FROM debian:stable-20250811-slim AS fatcat-builder
ARG FATCAT_ARCHIVE_URL="https://github.com/Gregwar/fatcat/archive"
ARG FATCAT_VERSION=v1.1.0
ARG FATCAT_CHECKSUM="sha256:303efe2aa73cbfe6fbc5d8af346d0f2c70b3f996fc891e8859213a58b95ad88c"
ARG FATCAT_CHECKSUM="303efe2aa73cbfe6fbc5d8af346d0f2c70b3f996fc891e8859213a58b95ad88c"
ENV FATCAT_TARBALL="${FATCAT_VERSION}.tar.gz"
WORKDIR /fatcat
RUN apt-get update && \
apt-get -y install \
build-essential \
cmake \
wget \
xz-utils \
zlib1g-dev
ADD --checksum=${FATCAT_CHECKSUM} ${FATCAT_ARCHIVE_URL}/${FATCAT_TARBALL} .
RUN tar xvf "${FATCAT_TARBALL}" && \
apt-get -y install --no-install-recommends \
build-essential=12* \
ca-certificates=2025* \
cmake=3* \
curl=8* \
xz-utils=5* \
zlib1g-dev=1*
SHELL ["/bin/bash", "-o", "pipefail", "-c"]
RUN curl -L "${FATCAT_ARCHIVE_URL}/${FATCAT_TARBALL}" -o "${FATCAT_TARBALL}" && \
echo "${FATCAT_CHECKSUM} ${FATCAT_TARBALL}" | sha256sum -c - && \
tar xvf "${FATCAT_TARBALL}" && \
cmake fatcat-* -DCMAKE_CXX_FLAGS='-static' && \
make -j$(nproc)
make -j"$(nproc)"

FROM debian:stable-20250811-slim AS dockerpi-vm
ARG RPI_KERNEL_CHECKSUM="295a22f1cd49ab51b9e7192103ee7c917624b063cc5ca2e11434164638aad5f4"
ARG RPI_KERNEL_URL="https://github.com/dhruvvyas90/qemu-rpi-kernel/archive/afe411f2c9b04730bcc6b2168cdc9adca224227c.zip"
ARG RPI_KERNEL_CHECKSUM="sha256:295a22f1cd49ab51b9e7192103ee7c917624b063cc5ca2e11434164638aad5f4"
ENV RPI_KERNEL="qemu-rpi-kernel"
ENV RPI_KERNEL_ZIP="${RPI_KERNEL}.zip"
VOLUME /sdcard
COPY --from=fatcat-builder /fatcat/fatcat /usr/local/bin/fatcat
COPY ./entrypoint.sh /entrypoint.sh
RUN apt-get update && \
apt-get -y install \
fdisk \
qemu-system-aarch64 \
qemu-system-arm \
unzip \
xz-utils && \
apt-get -y install --no-install-recommends \
ca-certificates=2025* \
curl=8* \
fdisk=2* \
qemu-system-arm=1:10* \
qemu-utils=1:10* \
unzip=6* \
xz-utils=5* && \
rm -rf /var/lib/apt/lists/*
ADD --checksum=${RPI_KERNEL_CHECKSUM} ${RPI_KERNEL_URL} ${RPI_KERNEL_ZIP}
RUN unzip ${RPI_KERNEL_ZIP} && \
SHELL ["/bin/bash", "-o", "pipefail", "-c"]
RUN curl -L ${RPI_KERNEL_URL} -o ${RPI_KERNEL_ZIP} && \
echo "${RPI_KERNEL_CHECKSUM} ${RPI_KERNEL_ZIP}" | sha256sum -c - && \
unzip ${RPI_KERNEL_ZIP} && \
mkdir -p /root/${RPI_KERNEL} && \
mv ${RPI_KERNEL}-*/kernel-qemu-4.19.50-buster /root/${RPI_KERNEL}/ && \
mv ${RPI_KERNEL}-*/versatile-pb.dtb /root/${RPI_KERNEL}/ && \
rm -rf /tmp/* && \
rm ${RPI_KERNEL_ZIP}
RUN groupadd --system dockerpi && \
useradd \
--create-home \
--gid root dockerpi \
--home-dir /home/dockerpi \
--system
USER dockerpi
ENTRYPOINT ["bash", "./entrypoint.sh"]
6 changes: 5 additions & 1 deletion README.md
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,11 @@ virtual machine environment.
## Usage

```zsh
docker run -it -v ${PWD}/raspberry-pi.img:/sdcard/filesystem.img dockerpi
docker run \
--user root \
-it \
-v ${PWD}/raspberry-pi.img:/sdcard/filesystem.img \
ghcr.io/schubergphilis/dockerpi:v0.1.0
```

By default all filesystem changes will be lost on shutdown. You can persist
Expand Down