Rework container creation

- simplify the process by having the riddler container build the rootfs and config
- output tarred up rootfs and config.json as otherwise file ownership not preserved
- allow easy build of a collection of container tarballs with another conversion script

This makes it easy to choose which container images you want and just convert any
set to a initrd image
```
tar cf - container1.tar container2.tar | docker run -i tartar2initrd > initrd.img
```

Next stage will use a manifest to select the ones to add for each edition.

Signed-off-by: Justin Cormack <justin.cormack@docker.com>

base/riddler/Dockerfile

@@ -9,6 +9,7 @@ RUN \
   jq \
   linux-headers \
   musl-dev \
+  tar \
   && true
 
 COPY Dockerfile /

base/riddler/Makefile

@@ -8,11 +8,11 @@ default: push
 hash: Dockerfile riddler.sh
 	DOCKER_CONTENT_TRUST=1 docker pull $(BASE)
 	tar cf - $^ | docker build --no-cache -t $(IMAGE):build -
-	docker run --entrypoint=/bin/sh --rm $(IMAGE):build -c 'cat /Dockerfile /usr/bin/riddler.sh /lib/apk/db/installed | sha1sum' | sed 's/ .*//' > hash
+	docker run --entrypoint=/bin/sh --rm $(IMAGE):build -c 'cat /Dockerfile /usr/bin/riddler.sh /lib/apk/db/installed | sha1sum' | sed 's/ .*//' > $@
 
 push: hash
 	docker pull mobylinux/$(IMAGE):$(shell cat hash) || \
-		 (docker tag $(IMAGE):build mobylinux/$(IMAGE):latest && \
+		 (docker tag $(IMAGE):build mobylinux/$(IMAGE):$(shell cat hash) && \
 		  docker push mobylinux/$(IMAGE):$(shell cat hash))
 	docker rmi $(IMAGE):build
 	rm -f hash

base/riddler/riddler.sh

@@ -2,6 +2,17 @@
 
 set -e
 
+# arguments are image name, prefix, then arguments passed to Docker
+# eg ./riddler.sh alpine:3.4 / --read-only alpine:3.4 ls
+# This script will output a tarball under prefix/ with rootfs and config.json
+
+IMAGE="$1"; shift
+PREFIX="$1"; shift
+
+cd /tmp
+mkdir -p /tmp/$PREFIX
+cd /tmp/$PREFIX
+
 # riddler always adds the apparmor options if this is not present
 EXTRA_OPTIONS="--security-opt apparmor=unconfined"
 
@@ -19,10 +30,25 @@ docker rm $CONTAINER > /dev/null
 # remove user namespaces
 # --read-only sets /dev ro
 # /sysfs ro unless privileged - cannot detect so will do if grant all caps
-# 
-cat config.json | \
+#
+mv config.json config.json.orig
+cat config.json.orig | \
   jq 'del(.process.rlimits)' | \
   jq 'del (.linux.resources.memory.swappiness)' | \
   jq 'del(.linux.uidMappings) | del(.linux.gidMappings) | .linux.namespaces = (.linux.namespaces|map(select(.type!="user")))' | \
   jq 'if .root.readonly==true then .mounts = (.mounts|map(if .destination=="/dev" then .options |= .+ ["ro"] else . end)) else . end' | \
-  jq '.mounts = if .process.capabilities | length != 38 then (.mounts|map(if .destination=="/sys" then .options |= .+ ["ro"] else . end)) else . end'
+  jq '.mounts = if .process.capabilities | length != 38 then (.mounts|map(if .destination=="/sys" then .options |= .+ ["ro"] else . end)) else . end' \
+  > config.json
+rm config.json.orig
+
+# extract rootfs
+EXCLUDE="--exclude .dockerenv --exclude Dockerfile \
+        --exclude dev/console --exclude dev/pts --exclude dev/shm \
+        --exclude etc/hostname --exclude etc/hosts --exclude etc/mtab --exclude etc/resolv.conf"
+mkdir -p rootfs
+CONTAINER="$(docker create $IMAGE /dev/null)"
+docker export "$CONTAINER" | tar -xf - -C rootfs $EXCLUDE
+docker rm "$CONTAINER" > /dev/null
+
+cd /tmp
+tar cf - .

base/tartar2initrd/Dockerfile

@@ -0,0 +1,12 @@
+FROM alpine:3.5
+
+RUN \
+  apk update && apk upgrade -a && \
+  apk add --no-cache \
+  libarchive-tools \
+  && true
+
+COPY . /
+
+ENTRYPOINT ["/bin/sh", "-c"]
+CMD ["/tartar2initrd.sh"]

base/tartar2initrd/Makefile

@@ -0,0 +1,29 @@
+.PHONY: tag push
+
+BASE=alpine:3.5
+IMAGE=tartar2initrd
+
+default: push
+
+hash: Dockerfile tartar2initrd.sh
+	DOCKER_CONTENT_TRUST=1 docker pull $(BASE)
+	tar cf - $^ | docker build --no-cache -t $(IMAGE):build -
+	docker run --rm --entrypoint=/bin/sh $(IMAGE):build -c "cat $^ /lib/apk/db/installed | sha1sum" | sed 's/ .*//' > $@
+
+push: hash
+	docker pull mobylinux/$(IMAGE):$(shell cat hash) || \
+		(docker tag $(IMAGE):build mobylinux/$(IMAGE):$(shell cat hash) && \
+		 docker push mobylinux/$(IMAGE):$(shell cat hash))
+	docker rmi $(IMAGE):build
+	rm -f hash
+
+tag: hash
+	docker pull mobylinux/$(IMAGE):$(shell cat hash) || \
+		docker tag $(IMAGE):build mobylinux/$(IMAGE):$(shell cat hash)
+	docker rmi $(IMAGE):build
+	rm -f hash
+
+clean:
+	rm -f hash
+
+.DELETE_ON_ERROR:

base/tartar2initrd/tartar2initrd.sh

@@ -0,0 +1,40 @@
+#!/bin/sh
+
+set -e
+
+mkdir -p /tmp/input0 /tmp/input
+
+cd /tmp/input0
+
+# outer tarball
+bsdtar xf -
+
+cd /tmp/input
+
+# inner tarballs
+find /tmp/input0 \( -name '*.tar' -or -name '*.tgz' -or -name '*.tar.gz' \) -exec bsdtar xf '{}' \;
+
+find . | cpio -H newc -o | gzip -9 > ../initrd.img
+
+cd /tmp
+
+SIZE=$(stat -c "%s" initrd.img)
+SIZE4=$(( $SIZE / 4 \* 4 ))
+DIFF=$(( $SIZE - $SIZE4 ))
+[ $DIFF -ne 0 ] && DIFF=$(( 4 - $DIFF ))
+
+dd if=/dev/zero bs=1 count=$DIFF of=zeropad 2>/dev/null
+
+cat zeropad >> initrd.img
+
+SIZE=$(stat -c "%s" initrd.img)
+SIZE4=$(( $SIZE / 4 \* 4 )) 
+DIFF=$(( $SIZE - $SIZE4 ))
+
+if [ $DIFF -ne 0 ]
+then
+	echo "Bad alignment" >2
+	exit 1
+fi
+
+cat initrd.img