# SilverMetal Linux — reproducible-build runner image (systemd-in-container). # # This image is the "build host" for the ISO. derivative-maker's build # steps assume a real systemd-managed Debian host — they call # `systemctl restart approx-...`, `systemctl daemon-reload`, etc. and # expect the services they configure to actually run. The clean way to # satisfy that without a per-service whack-a-mole is to follow upstream's # own container pattern: systemd as PID 1 inside the container, with an # entrypoint that records the user-supplied command, masks irrelevant # units, and execs systemd. systemd then runs `docker-entrypoint.service` # which executes the recorded command, propagating its exit code back to # `docker run`. # # The vendored systemd entrypoint files live in # linux/build/docker/systemd-entrypoint/ and are pinned 1:1 to upstream's # pattern (see that directory's README for the bump procedure). # # Pinning by digest is the only thing keeping host-toolchain drift out # of the reproducibility gate, so do NOT replace the FROM line with a # tag-only reference. # # Build & push (run on 10.0.0.51 — never on the WSL/aarch64 dev box): # docker build \ # -f linux/build/docker/Dockerfile.builder \ # -t docker-registry.silverlabs.uk/silvermetal-builder: \ # -t docker-registry.silverlabs.uk/silvermetal-builder:latest \ # linux/build/docker # docker push docker-registry.silverlabs.uk/silvermetal-builder: # # To bump the base image: replace the digest, rebuild, push, update # BUILDER_IMAGE in linux/build/scripts/build.sh, run a full reproducibility # check, commit all the changes together. # debian:trixie-slim — pinned by digest. # Resolved 2026-05-07 via `docker pull debian:trixie-slim` on 10.0.0.51. FROM debian:trixie-slim@sha256:cedb1ef40439206b673ee8b33a46a03a0c9fa90bf3732f54704f99cb061d2c5a ENV DEBIAN_FRONTEND=noninteractive \ LC_ALL=C.UTF-8 \ LANG=C.UTF-8 \ SOURCE_DATE_EPOCH=0 \ USER=user \ HOME=/home/user \ container=docker # Pinned package versions. These come from the same snapshot.debian.org # timestamp as the ISO build, so a Dockerfile rebuild against that # snapshot produces the same toolchain bit-for-bit. ARG APT_SNAPSHOT_URL="https://snapshot.debian.org/archive/debian/20260415T000000Z" ARG APT_SECURITY_SNAPSHOT_URL="https://snapshot.debian.org/archive/debian-security/20260415T000000Z" # Two-phase install: # 1. Use the base image's default mirror to seed ca-certificates so # HTTPS to snapshot.debian.org works. (slim images don't ship # CA bundles by default.) # 2. Pin sources.list to the snapshot and install the actual toolchain. # Phase 1 touches deb.debian.org without a pin; that's fine because # nothing it installs ends up in the final ISO — only the toolchain # installed in phase 2 does, and that is fully snapshot-pinned. # # Package set explanation: # - systemd / systemd-sysv / dbus / dbus-user-session # systemd-in-container runtime; PID 1 of the build container # - sq sqv sqop sequoia-git sequoia-chameleon-gnupg gpg-agent # upstream's commit-signature verification stack (sq-git etc.) # - approx # package proxy started by 1200_prepare-build-machine; with # systemd as PID 1, the .socket / @.service units actually fire # - dpkg-dev fakeroot fasttrack-archive-keyring safe-rm adduser sudo # ca-certificates git time curl lsb-release # baseline tools derivative-maker assumes are present # - debootstrap diffoscope-minimal dosfstools isolinux live-build # mtools reprepro rsync squashfs-tools syslinux-common xorriso # SilverMetal ISO toolchain (live-build chain + diff for the # reproducibility gate) RUN set -eux; \ apt-get update; \ apt-get install -y --no-install-recommends ca-certificates; \ rm -f /etc/apt/sources.list.d/*; \ printf 'deb [check-valid-until=no] %s trixie main\n' "$APT_SNAPSHOT_URL" > /etc/apt/sources.list; \ printf 'deb [check-valid-until=no] %s trixie-security main\n' "$APT_SECURITY_SNAPSHOT_URL" >> /etc/apt/sources.list; \ apt-get -o Acquire::Check-Valid-Until=false update; \ apt-get install -y --no-install-recommends \ systemd \ systemd-sysv \ dbus \ dbus-user-session \ sq \ sqv \ sqop \ sequoia-git \ sequoia-chameleon-gnupg \ gpg-agent \ approx \ adduser \ ca-certificates \ curl \ dpkg-dev \ fakeroot \ fasttrack-archive-keyring \ git \ gnupg \ lsb-release \ safe-rm \ sudo \ time \ debootstrap \ diffoscope-minimal \ dosfstools \ isolinux \ live-build \ mtools \ reprepro \ rsync \ squashfs-tools \ syslinux-common \ xorriso; \ apt-get clean; \ rm -rf /var/lib/apt/lists/* # Non-root build user with passwordless sudo. # Naming matches upstream's docker setup (USER=user, HOME=/home/user) # so derivative-maker's docker-aware checks line up. RUN adduser --quiet --disabled-password --home "${HOME}" --gecos "${USER},,,," "${USER}" \ && printf '%s\n' "${USER} ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/passwordless_sudo \ && chmod 440 /etc/sudoers.d/passwordless_sudo # systemd-in-container entrypoint — vendored from upstream's # derivative-maker/docker/. See systemd-entrypoint/README.md. COPY systemd-entrypoint/entrypoint.sh /usr/local/bin/entrypoint.sh COPY systemd-entrypoint/docker-entrypoint.service /etc/systemd/system/docker-entrypoint.service COPY systemd-entrypoint/docker-entrypoint.target /etc/systemd/system/docker-entrypoint.target COPY systemd-entrypoint/docker-entrypoint-stop.sh /usr/bin/docker-entrypoint-stop.sh RUN chmod +x /usr/local/bin/entrypoint.sh /usr/bin/docker-entrypoint-stop.sh ENTRYPOINT ["/usr/local/bin/entrypoint.sh"] CMD ["/bin/bash"]