Change the way the images are presented to hook-docker:

jacobweinstock · jacobweinstock · commit 72fde591bbb8 · 2024-08-27T10:16:31.000-06:00
Instead of having hook-docker know about mounting the
embedded images, the images get mounted with the right
permissions and made available to hook-docker at the
"usual" location. This decouples this embedding process
from hook-docker. This should allow the two to only be
coupled by the mount point of /var/run/images.

Signed-off-by: Jacob Weinstock &lt;jakobweinstock@gmail.com&gt;
diff --git a/images/hook-docker/Dockerfile b/images/hook-docker/Dockerfile
@@ -13,6 +13,5 @@ RUN strip /usr/local/bin/docker /usr/local/bin/dockerd /usr/local/bin/docker-pro
 # Purge binutils package after stripping
 RUN apk del binutils
 COPY --from=dev /hook-docker .
-COPY entrypoint.sh /entrypoint.sh
 
-ENTRYPOINT ["/entrypoint.sh"]
+ENTRYPOINT ["/hook-docker"]
diff --git a/images/hook-docker/entrypoint.sh b/images/hook-docker/entrypoint.sh
diff --git a/images/hook-embedded/.dockerignore b/images/hook-embedded/.dockerignore
@@ -0,0 +1,3 @@
+*
+!images/
+!docker-mount.sh
diff --git a/images/hook-embedded/Dockerfile b/images/hook-embedded/Dockerfile
@@ -2,4 +2,8 @@ FROM scratch
 ENTRYPOINT []
 WORKDIR /
 COPY ./images/ /etc/embedded-images/
+# the name 001 is important as that is the order in which the scripts are executed
+# we need this mounting to happen before the other init.d scripts run so that
+# the mount points are available to them.
+COPY ./images-mount.sh /etc/init.d/001-images-mount.sh
 CMD []
diff --git a/images/hook-embedded/images-mount.sh b/images/hook-embedded/images-mount.sh
@@ -0,0 +1,17 @@
+#!/bin/sh
+
+exec 3>&1 4>&2
+trap 'exec 2>&4 1>&3' 0 1 2 3
+exec 1>/var/log/embedded-images.log 2>&1
+
+set -xeuo pipefail
+
+# We can't have a Linuxkit "init" container that dumps its file contents to /var and be writable
+# because the init process overwrites it and the contents are lost.
+# Instead, we have the init container, with all the Docker images, dump its contents to /etc/embedded-images.
+# Then we bind mount /etc/embedded-images to /run/images (/var/run is symlinked to /run) and make sure it's
+# read/write. This allows the DinD container to bind mount /var/run/images to /var/lib/docker and the Docker
+# images are available right away and /var/lib/docker is writable.
+mkdir -p /run/images
+mount -o bind,rw /etc/embedded-images/ /run/images
+mount -o remount,rw /run/images
diff --git a/linuxkit-templates/hook.template.yaml b/linuxkit-templates/hook.template.yaml
@@ -183,7 +183,6 @@ services:
       - /var/run/docker:/var/run
       - /var/run/images:/var/lib/docker
       - /var/run/worker:/worker
-      - /etc/embedded-images/:/etc/embedded-images/
     runtime:
       mkdir:
         - /var/run/images

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+*`
	`2`	`+!images/`
	`3`	`+!docker-mount.sh`