artifacts: use common functions for docker-popular

JamesC1305 · JamesC1305 · commit a140d810c49b · 2026-03-02T13:09:49.000Z
Simplify the docker-popular rootfs building using common functions.
Define a new file `setup-minimal.sh` that is responsible for the
image-specific setups.

Also, use squashfs for test-popular-containers tests, as there is no
specific reason for them to be ext4.

Signed-off-by: James Curtis &lt;jxcurtis@amazon.co.uk&gt;
diff --git a/.buildkite/pipeline_docker_popular.py b/.buildkite/pipeline_docker_popular.py
@@ -15,10 +15,10 @@
 pipeline.build_group_per_arch(
     "rootfs-build",
     [
-        "sudo yum install -y systemd-container",
+        "sudo yum install -y squashfs-tools docker",
+        "sudo tools/devtool sh 'tools/test-popular-containers/build_rootfs.sh'",
         "cd tools/test-popular-containers",
-        "sudo ./build_rootfs.sh",
-        f'tar czf "{ROOTFS_TAR}" *.ext4 *.id_rsa',
+        f'tar czf "{ROOTFS_TAR}" *.squashfs *.id_rsa',
         f'buildkite-agent artifact upload "{ROOTFS_TAR}"',
     ],
     depends_on_build=False,
diff --git a/tools/test-popular-containers/build_rootfs.sh b/tools/test-popular-containers/build_rootfs.sh
@@ -8,78 +8,36 @@ set -x
 
 cd $(dirname $0)
 TOPDIR=$(git rev-parse --show-cdup)
+source "$TOPDIR/tools/functions"
 
-function make_rootfs {
-    local LABEL=$1
-    local rootfs=$LABEL
-    local IMG=$LABEL.ext4
-    mkdir $LABEL
-    ctr image pull public.ecr.aws/docker/library/$LABEL
-    ctr image mount --rw public.ecr.aws/docker/library/$LABEL $LABEL
-    MNT_SIZE=$(du -sb $LABEL |cut -f1)
-    SIZE=$(( $MNT_SIZE + 512 * 2**20 ))
+# Get the executing uid and gid for `chown` and `chgrp`
+USER_UID=$(stat -c '%u' "$TOPDIR")
+USER_GID=$(stat -c '%g' "$TOPDIR")
 
-    # Generate key for ssh access from host
-    if [ ! -s id_rsa ]; then
-        ssh-keygen -f id_rsa -N ""
-    fi
-    cp id_rsa $rootfs.id_rsa
-    chmod a+r $rootfs.id_rsa
 
-    truncate -s "$SIZE" "$IMG"
-    mkfs.ext4 -F "$IMG" -d $LABEL
-    ctr image unmount $LABEL
-    rmdir $LABEL
+OVERLAY_DIR="$TOPDIR/resources/overlay"
+SETUP_SCRIPT="setup-minimal.sh"
+OUTPUT_DIR=$PWD
 
-    mkdir mnt
-    mount $IMG mnt
-    install -d -m 0600 "mnt/root/.ssh/"
-    cp -v id_rsa.pub "mnt/root/.ssh/authorized_keys"
-    cp -rvf $TOPDIR/resources/overlay/* mnt
-    SYSINIT=mnt/etc/systemd/system/sysinit.target.wants
-    mkdir -pv $SYSINIT
-    ln -svf /etc/systemd/system/fcnet.service $SYSINIT/fcnet.service
-    mkdir mnt/etc/local.d
-    cp -v fcnet.start mnt/etc/local.d
-    umount -l mnt
-    rmdir mnt
+IMAGES=(amazonlinux:2023 alpine:latest ubuntu:22.04 ubuntu:24.04 ubuntu:25.04 ubuntu:latest)
 
-    # --timezone=off parameter is needed to prevent systemd-nspawn from
-    # bind-mounting /etc/timezone, which causes a file conflict in Ubuntu 24.04
-    systemd-nspawn --timezone=off --pipe -i $IMG /bin/sh <<EOF
-set -x
-. /etc/os-release
-case \$ID in
-ubuntu)
-    export DEBIAN_FRONTEND=noninteractive
-    apt update
-    apt install -y openssh-server iproute2 udev
-    ;;
-alpine)
-    apk add openssh openrc
-    rc-update add sshd
-    rc-update add local default
-    echo "ttyS0::respawn:/sbin/getty -L ttyS0 115200 vt100" >>/etc/inittab
-    ;;
-amzn)
-    dnf update
-    dnf install -y openssh-server iproute passwd systemd-udev
-    # re-do this
-    ln -svf /etc/systemd/system/fcnet.service /etc/systemd/system/sysinit.target.wants/fcnet.service
-    rm -fv /etc/systemd/system/getty.target.wants/getty@tty1.service
-    ;;
-esac
-passwd -d root
-EOF
-}
+# Generate SSH key for access from host
+if [ ! -s id_rsa ]; then
+  ssh-keygen -f id_rsa -N ""
+fi
+
+# install rootfs dependencies
+apt update
+apt install -y busybox-static cpio curl docker.io tree
+prepare_docker
+
+for img in "${IMAGES[@]}"; do
+  build_rootfs "$img" "$OUTPUT_DIR" "$OVERLAY_DIR" "$SETUP_SCRIPT"
+
+  rootfs_name="${img//:/-}"
+  cp id_rsa "$rootfs_name.id_rsa"
+  chmod a+r "$rootfs_name.id_rsa"
 
-# FIXME: The AL image build procedure is known for keeping changing the ext4 file
-# even after the systemd-nspawn command exits, for unknown reason, causing
-# the subsequent tar command to fail.  Placing it first as a mitigation gives it
-# more time to converge to a stable state.
-make_rootfs amazonlinux:2023
-make_rootfs alpine:latest
-make_rootfs ubuntu:22.04
-make_rootfs ubuntu:24.04
-make_rootfs ubuntu:25.04
-make_rootfs ubuntu:latest
+  chown "$USER_UID" "$rootfs_name.squashfs" "$rootfs_name.id_rsa"
+  chgrp "$USER_GID" "$rootfs_name.squashfs" "$rootfs_name.id_rsa"
+done
diff --git a/tools/test-popular-containers/setup-minimal.sh b/tools/test-popular-containers/setup-minimal.sh
@@ -0,0 +1,61 @@
+#!/bin/sh
+# Copyright 2025 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+# Minimal rootfs setup: just enough to boot with SSH and networking.
+# Runs inside a Docker container via build_rootfs().
+
+set -eux
+
+. /etc/os-release
+# On Ubuntu, installing openssh-server automatically sets up required SSH keys for the server.
+# AL2023 and Alpine do not do this, so we should setup keys manually via `ssh-keygen`.
+# Alpine additionally requires /var/empty to be present for sshd to start properly.
+case $ID in
+ubuntu)
+  export DEBIAN_FRONTEND=noninteractive
+  apt update
+  apt install -y openssh-server iproute2 udev
+  ;;
+amzn)
+  dnf install -y openssh-server iproute systemd-udev passwd tar
+  ssh-keygen -A
+  ;;
+alpine)
+  apk add openssh openrc tar
+  mkdir -p /var/empty
+  ssh-keygen -A
+  rc-update add sshd
+  rc-update add local default
+  echo "ttyS0::respawn:/sbin/getty -L ttyS0 115200 vt100" >>/etc/inittab
+  ;;
+esac
+
+passwd -d root
+
+# Install SSH public key if available
+if [ -f /work/id_rsa.pub ]; then
+  install -d -m 0700 /root/.ssh
+  cp /work/id_rsa.pub /root/.ssh/authorized_keys
+  chmod 0600 /root/.ssh/authorized_keys
+fi
+
+if [ -d /etc/systemd/system ]; then
+  # Enable fcnet for systemd-based images
+  mkdir -pv /etc/systemd/system/sysinit.target.wants
+  ln -svf /etc/systemd/system/fcnet.service /etc/systemd/system/sysinit.target.wants/fcnet.service
+  cp -v fcnet.start /etc/local.d
+
+    # The serial getty service hooks up the login prompt to the kernel console
+    # at ttyS0 (where Firecracker connects its serial console). We'll set it up
+    # for autologin to avoid the login prompt.
+    for console in ttyS0; do
+        mkdir "/etc/systemd/system/serial-getty@$console.service.d/"
+        cat <<'EOF' > "/etc/systemd/system/serial-getty@$console.service.d/override.conf"
+    [Service]
+    # systemd requires this empty ExecStart line to override
+    ExecStart=
+    ExecStart=-/sbin/agetty --autologin root -o '-p -- \\u' --keep-baud 115200,38400,9600 %I dumb
+EOF
+    done
+fi
diff --git a/tools/test-popular-containers/test-docker-rootfs.py b/tools/test-popular-containers/test-docker-rootfs.py
@@ -5,7 +5,7 @@
 # pylint:disable=invalid-name
 
 """
-Test all the ext4 rootfs in the current directory
+Test all the squashfs rootfs in the current directory
 """
 
 import os
@@ -29,7 +29,7 @@
 vmfcty = MicroVMFactory(DEFAULT_BINARY_DIR)
 # (may take a while to compile Firecracker...)
 
-for rootfs in Path(".").glob("*.ext4"):
+for rootfs in Path(".").glob("*.squashfs"):
     print(f">>>> Testing {rootfs}")
     uvm = vmfcty.build(kernel, rootfs)
     uvm.spawn()
