From 976a815e2c5a6ad4d7dc3ee697f106e47d4d2891 Mon Sep 17 00:00:00 2001
From: stam
Date: Tue, 22 Apr 2025 01:47:38 +0300
Subject: [PATCH] vscode docker image update
---
 .../advanced/vscode-server/docker/Dockerfile | 77 ++++++++++--------
 .../docker/docker-compose-update | 39 ---------
 .../docker/etc/containers/registries.conf | 79 +++++++++++++++++++
 .../docker/etc/containers/storage.conf | 8 ++
 .../etc/supervisor/conf.d/docker-service.conf | 13 +++
 .../etc/supervisor/conf.d/supervisord.conf | 5 ++
 6 files changed, 149 insertions(+), 72 deletions(-)
 delete mode 100755 linux/advanced/vscode-server/docker/docker-compose-update
 create mode 100644 linux/advanced/vscode-server/docker/etc/containers/registries.conf
 create mode 100644 linux/advanced/vscode-server/docker/etc/containers/storage.conf
 create mode 100644 linux/advanced/vscode-server/docker/etc/supervisor/conf.d/docker-service.conf
 create mode 100644 linux/advanced/vscode-server/docker/etc/supervisor/conf.d/supervisord.conf
diff --git a/linux/advanced/vscode-server/docker/Dockerfile b/linux/advanced/vscode-server/docker/Dockerfile
index ee246a44b..934b22e91 100644
--- a/linux/advanced/vscode-server/docker/Dockerfile
+++ b/linux/advanced/vscode-server/docker/Dockerfile
@@ -12,47 +12,55 @@ ARG DEBIAN_FRONTEND=noninteractive
 ENV BuildDocker true
 ##################################################################
-# docker setup
+# OCI setup: Buildah, Podman, Kaniko, Docker
 ##################################################################
-
-#Install packages
+# https://docs.docker.com/build/architecture/#install-buildx
 RUN install -m 0755 -d /etc/apt/keyrings && \
- curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc && \
+ curl -fsSL https://download.docker.com/linux/debian/gpg -o /etc/apt/keyrings/docker.asc && \
 chmod a+r /etc/apt/keyrings/docker.asc && \
- echo "deb [signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu noble nightly" > /etc/apt/sources.list.d/docker.list && \
- echo "deb [signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu noble stable" >> /etc/apt/sources.list.d/docker.list && \
- echo "deb [signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu noble test" >> /etc/apt/sources.list.d/docker.list && \
+ echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/debian bookworm stable nightly" | tee /etc/apt/sources.list.d/docker.list > /dev/null && \
 apt-get update && \
 apt-get install -y --no-install-recommends --allow-unauthenticated \
- docker-ce \
- docker-ce-cli \
- containerd.io \
- docker-buildx-plugin \
- docker-compose-plugin
-
-# A better fix for TW-52939 Dockerfile build fails because of aufs
-VOLUME /var/lib/docker
-
-COPY run-docker.sh /services/run-docker.sh
-RUN chmod +x /services/run-docker.sh && \
- sync
-
-##################################################################
-# docker compose setup
-##################################################################
-COPY docker-compose-update /usr/local/bin/docker-compose-update
-RUN chmod +x /usr/local/bin/docker-compose-update && \
- sync
-
-#Try to test
-RUN docker-compose-update
-
-#Install packages
-RUN export DOCKER_COMPOSE_VERSION=`curl --silent https://api.github.com/repos/docker/compose/releases/latest | jq .name -r` && \
+ supervisor \
+ docker-ce \
+ docker-ce-cli \
+ containerd.io \
+ docker-buildx-plugin \
+ docker-compose-plugin \
+ containerd.io \
+ buildah \
+ podman \
+ podman-compose \
+ fuse-overlayfs && \
+ pip3 install --break-system-packages --no-cache-dir \
+ kaniko-wrapper \
+ buildah-wrapper && \
+ systemctl disable docker && \
+ systemctl disable podman && \
+ rm -rf /bin/docker-compose && \
+ rm -rf /sbin/docker-compose && \
+ rm -rf /usr/bin/docker-compose && \
+ rm -rf /usr/sbin/docker-compose && \
+ rm -rf /usr/local/bin/docker-compose && \
+ rm -rf /usr/local/sbin/docker-compose && \
+ export DOCKER_COMPOSE_VERSION=`curl --silent https://api.github.com/repos/docker/compose/releases/latest | jq .name -r` && \
 echo "Latest compose is: ${DOCKER_COMPOSE_VERSION}" && \
 curl -SL https://github.com/docker/compose/releases/download/${DOCKER_COMPOSE_VERSION}/docker-compose-Linux-x86_64 -o /usr/local/bin/docker-compose && \
 chmod +x /usr/local/bin/docker-compose && \
- docker-compose -v
+# cleanup
+ apt-get clean -y && \
+ apt-get clean all -y && \
+ apt-get autoclean -y && \
+ rm -rfv /var/lib/apt/lists/* && \
+ rm -rfv /var/cache/apt/archives/*.deb && \
+ rm -rfv /tmp/*
+
+ENV BUILDAH_FORMAT=docker
+ENV BUILDAH_ISOLATION=docker
+ENV DOCKER_HOST="unix:///var/run/docker.sock"
+ENV PODMAN_HOST="unix:///var/run/docker.sock"
+
+COPY etc/ /etc/
 ##################################################################
 # Cleanup
@@ -65,4 +73,7 @@ RUN echo "clean up" && \
 rm -rfv /root/tmp/* && \
 rm -rfv /tmp/*
+# A better fix for TW-52939 Dockerfile build fails because of aufs
+VOLUME ["/var/lib/docker", "/var/lib/containers", "/var/tmp", "/var/log/supervisor"]
+
 RUN updatedb
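Review bot: The apt install in this hunk keeps `--allow-unauthenticated`, which turns off apt's signature check and makes the `signed-by=/etc/apt/keyrings/docker.asc` key fetched a few lines above ineffective; docker-ce, podman, buildah, supervisor and the rest are then accepted from the mirror unverified. Drop the flag so the keyring is actually enforced: `apt-get install -y --no-install-recommends \`. The same RUN then fetches `docker-compose-Linux-x86_64` from the GitHub `latest` release with no version pin and no checksum and overwrites `/usr/local/bin/docker-compose`, even though `docker-compose-plugin` was just installed and the apt source was carefully pinned to `$(dpkg --print-architecture)`; either pin a release tag and verify its published checksum, or rely on the plugin and drop the download. Minor: `containerd.io` appears twice in the package list, and `systemctl disable docker` / `systemctl disable podman` run inside a build container without a booted systemd, so it is worth confirming they exit zero rather than break the `&&` chain. I am also not aware of podman reading `PODMAN_HOST` (its remote-socket variable is `CONTAINER_HOST`), so that ENV line may be dead — verify before relying on it.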
diff --git a/linux/advanced/vscode-server/docker/docker-compose-update b/linux/advanced/vscode-server/docker/docker-compose-update
deleted file mode 100755
index 1a43d1c9b..000000000
--- a/linux/advanced/vscode-server/docker/docker-compose-update
+++ /dev/null
@@ -1,39 +0,0 @@
-#!/bin/bash
-
-export DOCKER_COMPOSE_REMOTE_VERSION=`curl --silent https://api.github.com/repos/docker/compose/releases/latest | jq .name -r`
-
-export DOCKER_COMPOSE_LOCAL_VERSION=`docker-compose -v`
-
-export DOCKER_COMPOSE_BIN=/usr/local/bin/docker-compose
-
-if [ -f $DOCKER_COMPOSE_BIN ]; then
- echo "========================================================================================"
- echo "The file '$DOCKER_COMPOSE_BIN' exists."
- echo "========================================================================================"
- echo "Local Docker Compose version is: ${DOCKER_COMPOSE_LOCAL_VERSION}"
- echo "========================================================================================"
-else
- echo "========================================================================================"
- echo "The file '$DOCKER_COMPOSE_BIN' in not found. Installing..."
- echo "========================================================================================"
-fi
-
-echo "========================================================================================"
-echo "Latest Docker Compose version is: ${DOCKER_COMPOSE_REMOTE_VERSION}"
-echo "========================================================================================"
-
-
-echo "========================================================================================"
-echo "Installing remote version:"
-echo "========================================================================================"
-curl -SL https://github.com/docker/compose/releases/download/${DOCKER_COMPOSE_REMOTE_VERSION}/docker-compose-Linux-x86_64 -o $DOCKER_COMPOSE_BIN
-
-echo "========================================================================================"
-echo "Setting up permissions..."
-echo "========================================================================================"
-chmod +x $DOCKER_COMPOSE_BIN
-
-
-echo "========================================================================================"
-echo "Updated Docker Compose version is: ${DOCKER_COMPOSE_LOCAL_VERSION}"
-echo "========================================================================================"
diff --git a/linux/advanced/vscode-server/docker/etc/containers/registries.conf b/linux/advanced/vscode-server/docker/etc/containers/registries.conf
new file mode 100644
index 000000000..681592e4a
--- /dev/null
+++ b/linux/advanced/vscode-server/docker/etc/containers/registries.conf
@@ -0,0 +1,79 @@
+# For more information on this configuration file, see containers-registries.conf(5).
+#
+# NOTE: RISK OF USING UNQUALIFIED IMAGE NAMES
+# We recommend always using fully qualified image names including the registry
+# server (full dns name), namespace, image name, and tag
+# (e.g., registry.redhat.io/ubi8/ubi:latest). Pulling by digest (i.e.,
+# quay.io/repository/name@digest) further eliminates the ambiguity of tags.
+# When using short names, there is always an inherent risk that the image being
+# pulled could be spoofed. For example, a user wants to pull an image named
+# `foobar` from a registry and expects it to come from myregistry.com. If
+# myregistry.com is not first in the search list, an attacker could place a
+# different `foobar` image at a registry earlier in the search list. The user
+# would accidentally pull and run the attacker's image and code rather than the
+# intended content. We recommend only adding registries which are completely
+# trusted (i.e., registries which don't allow unknown or anonymous users to
+# create accounts with arbitrary names). This will prevent an image from being
+# spoofed, squatted or otherwise made insecure. If it is necessary to use one
+# of these registries, it should be added at the end of the list.
+#
+# # An array of host[:port] registries to try when pulling an unqualified image, in order.
+# unqualified-search-registries = ["example.com"]
+#
+# [[registry]]
+# # The "prefix" field is used to choose the relevant [[registry]] TOML table;
+# # (only) the TOML table with the longest match for the input image name
+# # (taking into account namespace/repo/tag/digest separators) is used.
+# #
+# # The prefix can also be of the form: *.example.com for wildcard subdomain
+# # matching.
+# #
+# # If the prefix field is missing, it defaults to be the same as the "location" field.
+# prefix = "example.com/foo"
+#
+# # If true, unencrypted HTTP as well as TLS connections with untrusted
+# # certificates are allowed.
+# insecure = false
+#
+# # If true, pulling images with matching names is forbidden.
+# blocked = false
+#
+# # The physical location of the "prefix"-rooted namespace.
+# #
+# # By default, this is equal to "prefix" (in which case "prefix" can be omitted
+# # and the [[registry]] TOML table can only specify "location").
+# #
+# # Example: Given
+# # prefix = "example.com/foo"
+# # location = "internal-registry-for-example.net/bar"
+# # requests for the image example.com/foo/myimage:latest will actually work with the
+# # internal-registry-for-example.net/bar/myimage:latest image.
+#
+# # The location can be empty iff prefix is in a
+# # wildcarded format: "*.example.com". In this case, the input reference will
+# # be used as-is without any rewrite.
+# location = internal-registry-for-example.com/bar"
+#
+# # (Possibly-partial) mirrors for the "prefix"-rooted namespace.
+# #
+# # The mirrors are attempted in the specified order; the first one that can be
+# # contacted and contains the image will be used (and if none of the mirrors contains the image,
+# # the primary location specified by the "registry.location" field, or using the unmodified
+# # user-specified reference, is tried last).
+# #
+# # Each TOML table in the "mirror" array can contain the following fields, with the same semantics
+# # as if specified in the [[registry]] TOML table directly:
+# # - location
+# # - insecure
+# [[registry.mirror]]
+# location = "example-mirror-0.local/mirror-for-foo"
+# [[registry.mirror]]
+# location = "example-mirror-1.local/mirrors/foo"
+# insecure = true
+# # Given the above, a pull of example.com/foo/image:latest will try:
+# # 1. example-mirror-0.local/mirror-for-foo/image:latest
+# # 2. example-mirror-1.local/mirrors/foo/image:latest
+# # 3. internal-registry-for-example.net/bar/image:latest
+# # in order, and use the first one that exists.
+
+unqualified-search-registries = ["docker.io"]
diff --git a/linux/advanced/vscode-server/docker/etc/containers/storage.conf b/linux/advanced/vscode-server/docker/etc/containers/storage.conf
new file mode 100644
index 000000000..edb86fb1d
--- /dev/null
+++ b/linux/advanced/vscode-server/docker/etc/containers/storage.conf
@@ -0,0 +1,8 @@
+[storage]
+driver = "overlay"
+runroot = "/run/containers/storage"
+graphroot = "/var/lib/containers/storage"
+#rootless_storage_path = "$HOME/.local/share/containers/storage"
+
+[storage.options.overlay]
+mount_program = "/usr/bin/fuse-overlayfs"
diff --git a/linux/advanced/vscode-server/docker/etc/supervisor/conf.d/docker-service.conf b/linux/advanced/vscode-server/docker/etc/supervisor/conf.d/docker-service.conf
new file mode 100644
index 000000000..faaafcaf4
--- /dev/null
+++ b/linux/advanced/vscode-server/docker/etc/supervisor/conf.d/docker-service.conf
@@ -0,0 +1,13 @@
+[program:dockerd]
+command=/usr/bin/dockerd --host unix:///var/run/docker.sock --experimental --iptables=false --bridge=none --log-level=warn
+autostart=true
+autorestart=true
+killasgroup=true
+stopasgroup=true
+stdout_logfile=/var/log/supervisor/dockerd.out.log
+stdout_logfile_maxbytes=128MB
+stderr_logfile=/var/log/supervisor/dockerd.err.log
+stderr_logfile_maxbytes=128MB
+user=root
+priority=1
+startretries=5
diff --git a/linux/advanced/vscode-server/docker/etc/supervisor/conf.d/supervisord.conf b/linux/advanced/vscode-server/docker/etc/supervisor/conf.d/supervisord.conf
new file mode 100644
index 000000000..591277381
--- /dev/null
+++ b/linux/advanced/vscode-server/docker/etc/supervisor/conf.d/supervisord.conf
@@ -0,0 +1,5 @@
+[supervisord]
+nodaemon=true
+
+#[inet_http_server]
+#port = 1337
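Review bot: The only active setting in registries.conf is `unqualified-search-registries = ["docker.io"]`, and given the long warning above it about short-name spoofing, the choice deserves a one-line comment so the next maintainer does not "helpfully" append more registries: `# Deliberately a single trusted entry so podman resolves short names to docker.io exactly as dockerd does.`. The copied sample block also carries `location = internal-registry-for-example.com/bar"` with a missing opening quote and `.com` where the surrounding example uses `.net`; harmless while commented out, but it will fail to parse if someone uncomments it as a template, so I would fix the quote in the comment.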
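Review bot: In docker-service.conf the daemon is started as `user=root` with `--host unix:///var/run/docker.sock` and no `--group`, so the socket is created with dockerd's default group ownership; whichever account the editor runs as must be in that group for the `DOCKER_HOST` set in the Dockerfile to work, and any process that can open that socket has root-equivalent control of the container. I cannot see the editor's user from this diff, so I would state the intended socket owner next to the command, e.g. `; socket is root:docker by default — the editor user must be a member of that group`. `--experimental` is also enabled without a note on which feature needs it; `; --experimental: required for <feature — fill in>` would save the next reader a guess, and if nothing needs it the flag should go.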