boot2

Playing with the boostrap
git clone https://git.ryansepassi.com/git/boot2.git
Log | Files | Refs
commit 992c8cc15c1e7ae225711195b82fbadcf384327a
parent 7f8ceb9a19fdfb5f894827e596261da1d3c5fb87
Author: Ryan Sepassi <rsepassi@gmail.com>
Date:   Thu, 23 Apr 2026 14:29:51 -0700

m1pp: switch build.sh and test.sh to a distroless-busybox image

Replace the alpine base with a two-stage distroless-static image that
pulls only busybox from another distroless layer. Both digests are
pinned. Gives us the minimal sh/cp/chmod surface needed by build.sh's
container step without shipping apk or any of alpine's userland.

build.sh now `podman build`s the image from Containerfile.busybox on
first run instead of aliasing a pinned alpine digest. test.sh shares
the same tag so parity runs and build-pipeline smoke runs execute
under one image.

Diffstat:

AContainerfile.busybox | 7+++++++


Mm1pp/build.sh | 9+++------


Mm1pp/test.sh | 6+++++-


3 files changed, 15 insertions(+), 7 deletions(-)

diff --git a/Containerfile.busybox b/Containerfile.busybox
@@ -0,0 +1,7 @@
+FROM gcr.io/distroless/static-debian12@sha256:7985579713fb1171e707d74659c67af3605642d1c9db305304c2998a99032615 AS busybox
+
+FROM gcr.io/distroless/static-debian12@sha256:20bc6c0bc4d625a22a8fde3e55f6515709b32055ef8fb9cfbddaa06d1760f838
+COPY --from=busybox /busybox/busybox /busybox/busybox
+RUN ["/busybox/busybox", "sh", "-c", "for n in sh cp chmod; do /busybox/busybox ln -s busybox /busybox/$n; done"]
+ENV PATH=/busybox:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+CMD ["/busybox/sh"]
diff --git a/m1pp/build.sh b/m1pp/build.sh
@@ -34,11 +34,8 @@ OUT=$2
 REPO=$(cd "$(dirname "$0")/.." && pwd)
 ARCH=aarch64
 PLATFORM=linux/arm64
-IMAGE=localhost/lispcc:aarch64
-## Digest-pinned source for the local tag. Mirrors the Makefile pin so the
-## tag is created from the same image bytes even when build.sh runs
-## standalone without `make` having materialised the image stamp.
-IMAGE_DIGEST='public.ecr.aws/docker/library/alpine@sha256:378c4c5418f7493bd500ad21ffb43818d0689daaad43e3261859fb417d1481a0'
+IMAGE=localhost/distroless-busybox:latest
+CONTAINERFILE=Containerfile.busybox
 
 P1_DEFS=build/p1v2/$ARCH/p1_$ARCH.M1
 TOOLS=build/$ARCH/tools
@@ -54,7 +51,7 @@ for f in "$P1_DEFS" "$TOOLS/M0" "$TOOLS/hex2-0" "$TOOLS/catm" "$ELF_HDR" lint.sh
 done
 
 if ! podman image exists "$IMAGE"; then
-    podman tag "$IMAGE_DIGEST" "$IMAGE"
+    podman build -f "$CONTAINERFILE" -t "$IMAGE" .
 fi
 
 NAME=$(basename "$SRC" .M1)
diff --git a/m1pp/test.sh b/m1pp/test.sh
@@ -21,7 +21,11 @@ set -eu
 
 REPO=$(cd "$(dirname "$0")/.." && pwd)
 PLATFORM=linux/arm64
-IMAGE=localhost/lispcc:aarch64
+## Share the tag that build.sh builds and runs under. build.sh creates it
+## on first run from Containerfile.busybox — we assume it exists by the time
+## a fixture is run (build_expander / per-fixture build.sh invocations
+## produce it as a side effect).
+IMAGE=localhost/distroless-busybox:latest
 
 cd "$REPO"