LFS (Linux From Scratch)
Linux From Scratch (LFS) is a project that provides you with step-by-step instructions for building your own custom Linux system, entirely from source code.
https://www.linuxfromscratch.org/
LFS can be used to build a base system or an image.
Traditional system or image builds usually install binary packages to satisfy the requirements, but this often runs into many problems: dependency conflicts between packages, security vulnerabilities, defects, resource limits on embedded ARM, and so on.
In other words, it is hard to pin the specific versions the user asks for.
LFS builds purely from source, so the user has full control over package versions and can resolve the problems listed above. Recently I ran into 源鉴 (Xmirror) SCA/OpenSCA, and building with LFS handled it well. The resulting image is very small and very secure.
SCA (https://www.xmirror.cn/) is a security testing company whose main products are several detection engines: source code analysis, binary analysis, container image scanning, runtime tracing and code provenance. It can detect and trace vulnerabilities in the files and library versions inside binaries, source code and images,
as well as sensitive information.
.
├── build.sh
├── custom-noble-rev_20250324_231514.tar.gz
├── Dockerfile
└── pkg
    ├── bash-5.2.37.tar.gz
    ├── busybox-1.37.0.tar.bz2
    ├── busybox-snapshot.tar.bz2
    ├── coreutils-9.6.tar.gz
    ├── glibc-2.41.tar.gz
    └── linux-6.13.7.tar.xz

1 directory, 9 files

# Dockerfile contents
# FROM scratch
# ADD rootfs.tar.xz /
# ENV PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
# CMD ["/bin/bash"]

# FROM scratch
# ARG RELEASE
# ARG LAUNCHPAD_BUILD_ARCH
# LABEL org.opencontainers.image.ref.name=ubuntu
# LABEL org.opencontainers.image.version=23.10
# # ADD file:432d92758637d8e71c4a18c3b453d3c8130fd1fa31fd3cb9e60ecd32cdd17e07 in /
# ADD ubuntu-rootfs.tar /
# CMD ["/bin/bash"]

# docker build -t registry.cn-hangzhou.aliyuncs.com/10_18_1_2_5000/ubuntu:22.04_rev .
# docker run -it --network host --name lfs-builder --privileged -v `pwd`/pkg:/pkg -v `pwd`/rootfs:/opt/my-rootfs m.daocloud.io/docker.io/library/ubuntu:24.04 bash

FROM m.daocloud.io/docker.io/library/ubuntu:24.04 AS builder
COPY pkg /pkg
RUN bash -c "apt-get update -y && apt-get upgrade -y && apt-get install -y build-essential texinfo bison flex gawk rsync python3 && mkdir -p /opt/my-rootfs /pkg"
# Kernel headers: glibc is configured against these, not the builder's own headers
RUN bash -c "pushd /pkg \
    && tar -xf linux-6.13.7.tar.xz && cd linux-6.13.7 && make headers_install INSTALL_HDR_PATH=/opt/my-rootfs/usr -j \
    && popd"
RUN bash -c "pushd /pkg && tar -xzf glibc-2.41.tar.gz && cd glibc-2.41 \
    && mkdir build && cd build && ../configure --prefix=/usr --with-headers=/opt/my-rootfs/usr/include \
    && make -j$(nproc) && make DESTDIR=/opt/my-rootfs install \
    && popd"
# FORCE_UNSAFE_CONFIGURE=1 lets coreutils' configure run as root inside the builder
RUN bash -c "export FORCE_UNSAFE_CONFIGURE=1 && pushd /pkg && tar -xzf coreutils-9.6.tar.gz \
    && cd coreutils-9.6 \
    && ./configure --prefix=/usr --disable-shared --enable-static --with-sysroot=/opt/my-rootfs CFLAGS='-I/opt/my-rootfs/usr/include' \
    LDFLAGS='-L/opt/my-rootfs/usr/lib -Wl,-rpath=/opt/my-rootfs/usr/lib' \
    && make -j$(nproc) && make DESTDIR=/opt/my-rootfs install \
    && popd"
# busybox: defconfig writes "# CONFIG_STATIC is not set", so match that exact line
# (a bare "CONFIG_STATIC.*" pattern would leave the option commented out and also
# clobber CONFIG_STATIC_LIBGCC); the trailing echo makes the libgcc setting win.
RUN bash -c "pushd /pkg && tar -xjf busybox-snapshot.tar.bz2 \
    && cd busybox && make defconfig \
    && sed -i 's/^# CONFIG_STATIC is not set/CONFIG_STATIC=y/' .config \
    && sed -i 's/CONFIG_TC=y/CONFIG_TC=n/' .config \
    && sed -i 's/CONFIG_STATIC_LIBGCC=n/CONFIG_STATIC_LIBGCC=y/' .config && echo 'CONFIG_STATIC_LIBGCC=y' >> .config \
    && make -j$(nproc) && make CONFIG_PREFIX=/opt/my-rootfs install && popd"
RUN bash -c "pushd /pkg && tar -xzf bash-5.2.37.tar.gz \
    && cd bash-5.2.37 && ./configure --prefix=/usr --enable-static-link && make -j$(nproc) && make DESTDIR=/opt/my-rootfs install \
    && popd"
# Minimal /dev, /etc and /root so the scratch image can resolve names and log in as root
RUN bash -c 'mkdir -p /opt/my-rootfs/dev /opt/my-rootfs/etc /opt/my-rootfs/root \
    && mknod -m 666 /opt/my-rootfs/dev/null c 1 3 && mknod -m 666 /opt/my-rootfs/dev/zero c 1 5 \
    && echo "nameserver 8.8.8.8" > /opt/my-rootfs/etc/resolv.conf \
    && echo "root:x:0:0:root:/root:/bin/bash" > /opt/my-rootfs/etc/passwd'
# apt's list cache lives under /var/lib/apt (the original had /var/lib/apt-get, which does not exist)
RUN apt-get clean -y && apt-get autoclean -y && apt-get autoremove -y && rm -rf /var/lib/apt/lists/*
# FROM custom_noble:openssl AS builder
FROM scratch
COPY --from=builder /opt/my-rootfs /
CMD [ "/bin/bash" ]
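Before the final `COPY --from=builder /opt/my-rootfs /`, it is worth confirming that nothing in the rootfs still needs a library or loader that only exists in the Ubuntu builder image; a busybox that did not actually get CONFIG_STATIC=y, for instance, would exec fine in the builder and fail in the scratch image. The check below is an added example, not code from the post or the LFS project: it reads the ELF program headers and dynamic section directly (no readelf needed), assumes 64-bit little-endian ELF, and assumes the library directories listed in LIB_DIRS.

```python
import os
import struct

PT_LOAD, PT_DYNAMIC, PT_INTERP = 1, 2, 3            # program header types
DT_NULL, DT_NEEDED, DT_STRTAB = 0, 1, 5              # dynamic section tags
LIB_DIRS = ("lib", "lib64", "usr/lib", "usr/lib64", "usr/local/lib")  # assumed layout

def elf_deps(path):
    """Return (PT_INTERP path or None, [DT_NEEDED sonames]) of a 64-bit LE ELF."""
    with open(path, "rb") as f:
        data = f.read()
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a 64-bit little-endian ELF: %s" % path)
    # e_phoff @32, e_shoff @40, e_flags @48, e_ehsize @52, e_phentsize @54, e_phnum @56
    e_phoff, _, _, _, e_phentsize, e_phnum = struct.unpack_from("<QQIHHH", data, 32)
    loads, interp, dyn = [], None, (0, 0)
    for i in range(e_phnum):                         # walk the program headers
        p_type, _, p_off, p_vaddr, _, p_filesz = struct.unpack_from(
            "<IIQQQQ", data, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD:
            loads.append((p_vaddr, p_off, p_filesz))
        elif p_type == PT_INTERP:
            interp = data[p_off:p_off + p_filesz].rstrip(b"\0").decode()
        elif p_type == PT_DYNAMIC:
            dyn = (p_off, p_filesz)
    entries = []
    for off in range(dyn[0], dyn[0] + dyn[1], 16):   # Elf64_Dyn entries are 16 bytes
        tag, val = struct.unpack_from("<qQ", data, off)
        if tag == DT_NULL:
            break
        entries.append((tag, val))
    strtab_va = dict(entries).get(DT_STRTAB)
    if strtab_va is None:                            # static binary: nothing to resolve
        return interp, []
    # .dynstr is given as a virtual address; map it to a file offset via PT_LOAD
    strtab = next(off + strtab_va - va for va, off, sz in loads if va <= strtab_va < va + sz)
    needed = [data[strtab + val:data.index(b"\0", strtab + val)].decode()
              for tag, val in entries if tag == DT_NEEDED]
    return interp, needed

def missing_deps(rootfs, path):
    """Sonames and interpreter that `path` needs but that are absent from rootfs."""
    interp, needed = elf_deps(path)
    present = set()
    for d in LIB_DIRS:                               # what the rootfs itself ships
        for _, _, files in os.walk(os.path.join(rootfs, d)):
            present.update(files)
    missing = [n for n in needed if n not in present]
    if interp and not os.path.isfile(os.path.join(rootfs, interp.lstrip("/"))):
        missing.append(interp)
    return missing
```

For the build above, run `missing_deps("/opt/my-rootfs", "/opt/my-rootfs/bin/busybox")` (and the same for bash and coreutils) inside the builder container; a non-empty result means the scratch image would fail at exec time.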

#!/bin/bash
set -e
set -x

# sudo debootstrap \
#     --print-debs \
#     --arch=amd64 \
#     --variant=minbase \
#     --include=ca-certificates,gnupg \
#     noble \
#     ./rootfs \
#     http://archive.ubuntu.com/ubuntu
#
# # Enter the chroot environment
# sudo chroot ./rootfs /bin/bash << 'EOF'
# # do your job
# # clean envir
# apt autoremove -y
# apt clean
# rm -rf /var/lib/apt/lists/*
# # Leave the chroot environment
# exit
# EOF
#
# # Pack the rootfs (xz for a high compression ratio)
# sudo tar --numeric-owner --exclude='./dev/*' -Jcpf rootfs.tar.xz -C ./rootfs .

# docker run -it --name lfs-builder --privileged -v /tmp/rootfs:/opt/my-rootfs m.daocloud.io/docker.io/library/ubuntu:24.04 bash

# Build the image
export https_proxy=http://10.18.11.52:7890
export http_proxy=http://10.18.11.52:7890
TAG=`date +%Y%m%d_%H%M%S`
docker build --network host --build-arg http_proxy="http://10.18.11.52:7890" --build-arg https_proxy="http://10.18.11.52:7890" -t custom-noble:${TAG} .
docker save custom-noble:${TAG} | gzip > custom-noble-rev_${TAG}.tar.gz
posted on 2025-06-23 14:50 by csuyangpeng