Dstack-TEE
diff --git a/‎README.md‎
Lines changed: 170 additions & 0 deletions b/‎README.md‎
Lines changed: 170 additions & 0 deletions
diff --git a/‎build.sh‎
Lines changed: 50 additions & 0 deletions b/‎build.sh‎
Lines changed: 50 additions & 0 deletions
diff --git a/‎docker/Dockerfile‎
Lines changed: 89 additions & 0 deletions b/‎docker/Dockerfile‎
Lines changed: 89 additions & 0 deletions
@@ -0,0 +1,170 @@
+# Sysbox Installer for dstack
+
+A complete Docker-based installer for [Sysbox](https://github.com/nestybox/sysbox) on read-only dstack systems.
+
+## Features
+
+- 🚀 **Single-command installation** - One Docker run command installs everything
+- 🔒 **Source-built** - Builds Sysbox from verified Git source (v0.6.7)
+- ✅ **SHA256 verified** - All downloads verified with checksums  
+- 🔄 **Smart overlay handling** - Preserves existing /etc configurations
+- 📋 **Systemd integration** - Installs proper systemd services for Sysbox daemons
+- 🔍 **Installation detection** - Checks for existing installations
+- 🧪 **Built-in testing** - Verifies installation with basic and Docker-in-Docker tests
+
+## Quick Start
+
+### Build the Installer
+
+```bash
+cd installer
+chmod +x build.sh
+./build.sh sysbox-installer latest
+```
+
+### Install Sysbox
+
+**Single command installation:**
+```bash
+docker run --rm --privileged --pid=host --net=host -v /:/host \
+  sysbox-installer:latest
+```
+
+That's it! The installer will:
+- Check for existing installations
+- Build and install Sysbox from source  
+- Handle /etc overlay mount complexities
+- Configure Docker runtime
+- Create and start systemd services
+- Test the installation
+- Show final status
+
+## Manual Steps (if needed)
+
+### Interactive Installation
+
+```bash
+docker run -it --rm --privileged --pid=host --net=host -v /:/host \
+  sysbox-installer:latest bash
+```
+
+Then run: `/usr/local/bin/install-sysbox-complete.sh`
+
+### Check Build Information
+
+```bash
+docker run --rm sysbox-installer:latest cat /usr/local/share/BUILD_INFO
+```
+
+## Usage After Installation
+
+### Run Containers with Sysbox
+
+```bash
+# Basic system container
+docker run --runtime=sysbox-runc -it ubuntu bash
+
+# Docker-in-Docker
+docker run --runtime=sysbox-runc -d --name docker-container docker:dind
+
+# Kubernetes-in-Docker  
+docker run --runtime=sysbox-runc -d --name k8s-node kindest/node:latest
+```
+
+### Manage Sysbox Services
+
+```bash
+# Check status
+systemctl status sysbox-mgr sysbox-fs
+
+# Restart services
+systemctl restart sysbox-mgr sysbox-fs
+
+# View logs
+journalctl -u sysbox-mgr -u sysbox-fs
+```
+
+## File Structure
+
+```
+installer/
+├── build.sh                           # Build script
+├── README.md                          # This file
+├── docker/
+│   └── Dockerfile                     # Multi-stage build with source compilation
+└── scripts/
+    ├── install-sysbox-complete.sh     # Main installation script
+    ├── verify-downloads.sh            # SHA256 verification for downloads
+    ├── sysbox-mgr.service            # systemd service for sysbox-mgr
+    └── sysbox-fs.service             # systemd service for sysbox-fs
+```
+
+## Technical Details
+
+### What the Installer Does
+
+1. **Checks existing installation** - Prompts before overwriting
+2. **Copies binaries** - Places Sysbox binaries in `/tmp/` (writable location)
+3. **Sets up /etc overlay** - Creates persistent overlay preserving existing configs
+4. **Creates symlinks** - Links rsync, modprobe, iptables for Sysbox requirements  
+5. **Configures Docker** - Adds sysbox-runc runtime to Docker daemon
+6. **Creates systemd services** - Installs proper service files with dependencies
+7. **Starts services** - Enables and starts Sysbox daemons
+8. **Tests installation** - Verifies basic and Docker-in-Docker functionality
+
+### Data Locations
+
+- **Sysbox data**: `/dstack/persistent/sysbox-data`  
+- **Overlay data**: `/dstack/persistent/sysbox-etc-overlay`
+- **Binaries**: `/tmp/sysbox-*` and `/tmp/rsync-static`
+
+### Security
+
+- All downloads verified with SHA256 checksums
+- Sysbox built from official Git repository (recursive clone)
+- Uses specific version tags (v0.6.7)
+- Proper systemd service isolation
+
+## Troubleshooting
+
+### Check Service Status
+```bash
+systemctl status sysbox-mgr sysbox-fs
+journalctl -u sysbox-mgr -u sysbox-fs
+```
+
+### Verify Docker Runtime
+```bash
+docker info | grep -A5 Runtimes
+```
+
+### Test Basic Functionality
+```bash
+docker run --runtime=sysbox-runc --rm alpine echo "Test successful"
+```
+
+### Clean Installation
+```bash
+systemctl stop sysbox-mgr sysbox-fs
+systemctl disable sysbox-mgr sysbox-fs
+rm -f /etc/systemd/system/sysbox-*.service
+umount /etc  # If overlay mounted
+rm -rf /dstack/persistent/sysbox-*
+```
+
+## Requirements
+
+- Docker installed and running
+- Privileged container execution
+- dstack system with ZFS persistent storage
+- systemd for service management
+
+## Support
+
+For issues with the installer, check:
+1. Docker daemon is running
+2. Container has privileged access
+3. `/dstack/persistent/` is available and writable
+4. systemd is available on the host
+
+For Sysbox issues, see: https://github.com/nestybox/sysbox
@@ -0,0 +1,50 @@
+#!/bin/bash
+
+set -e
+
+IMAGE_NAME="${1:-kvin/dstack-sysbox-installer}"
+IMAGE_TAG="${2:-latest}"
+
+echo "=========================================="
+echo "🔨 Building Sysbox Installer"
+echo "=========================================="
+
+# Change to installer directory
+cd "$(dirname "$0")"
+
+echo "📁 Build context: $(pwd)"
+echo "🏷️  Image: ${IMAGE_NAME}:${IMAGE_TAG}"
+
+# Verify required files exist
+echo "✅ Checking required files..."
+for file in scripts/install-sysbox-complete.sh scripts/verify-downloads.sh scripts/sysbox-mgr.service scripts/sysbox-fs.service docker/Dockerfile; do
+    if [ ! -f "$file" ]; then
+        echo "❌ Missing required file: $file"
+        exit 1
+    fi
+done
+
+# Build the image
+echo "🚀 Building Docker image..."
+docker build -f docker/Dockerfile -t "${IMAGE_NAME}:${IMAGE_TAG}" .
+
+echo
+echo "=========================================="
+echo "✅ Build Complete!"
+echo "=========================================="
+echo
+echo "📦 Image: ${IMAGE_NAME}:${IMAGE_TAG}"
+echo
+echo "🚀 Usage:"
+echo
+echo "Single-command installation:"
+echo "  docker run --rm --privileged --pid=host --net=host -v /:/host \\"
+echo "    ${IMAGE_NAME}:${IMAGE_TAG}"
+echo
+echo "Interactive installation:"
+echo "  docker run -it --rm --privileged --pid=host --net=host -v /:/host \\"
+echo "    ${IMAGE_NAME}:${IMAGE_TAG} bash"
+echo
+echo "Check build info:"
+echo "  docker run --rm ${IMAGE_NAME}:${IMAGE_TAG} cat /usr/local/share/BUILD_INFO"
+echo
@@ -0,0 +1,89 @@
+# Multi-stage build for Sysbox installer
+# Stage 1: Build dependencies (rsync and Sysbox)
+FROM ubuntu:24.04 AS builder
+
+# Install build dependencies
+RUN apt-get update && apt-get install -y \
+    wget \
+    git \
+    build-essential \
+    autoconf \
+    automake \
+    libbtrfs-dev \
+    libseccomp-dev \
+    libseccomp2 \
+    pkg-config \
+    protobuf-compiler \
+    && rm -rf /var/lib/apt/lists/*
+
+# Install Go for Sysbox build
+RUN wget -O- https://golang.org/dl/go1.21.5.linux-amd64.tar.gz | tar -C /usr/local -xzf -
+ENV PATH="/usr/local/go/bin:${PATH}"
+
+# Install Go protobuf plugins
+RUN go install github.com/golang/protobuf/protoc-gen-go@latest
+ENV PATH="${PATH}:/root/go/bin"
+
+WORKDIR /build
+
+# Copy verification script
+COPY scripts/verify-downloads.sh /usr/local/bin/verify-downloads.sh
+RUN chmod +x /usr/local/bin/verify-downloads.sh
+
+# Download and verify rsync
+RUN /usr/local/bin/verify-downloads.sh rsync /build && \
+    cd /build && \
+    tar xzf rsync-3.2.7.tar.gz && \
+    cd rsync-3.2.7 && \
+    CFLAGS="-static" ./configure \
+        --disable-openssl \
+        --disable-xxhash \
+        --disable-zstd \
+        --disable-lz4 && \
+    make LDFLAGS="-static" -j$(nproc) && \
+    strip rsync
+
+# Clone and build Sysbox from source
+RUN /usr/local/bin/verify-downloads.sh sysbox /build && \
+    cd /build/sysbox && \
+    make sysbox-static-local && \
+    make install DESTDIR=/build/sysbox-install
+
+# Stage 2: Final runtime image
+FROM alpine:latest
+
+# Install runtime dependencies
+RUN apk add --no-cache \
+    bash \
+    docker \
+    iptables \
+    util-linux \
+    coreutils \
+    findutils
+
+# Copy built binaries from builder stage
+COPY --from=builder /build/rsync-3.2.7/rsync /usr/local/bin/rsync
+COPY --from=builder /build/sysbox-install/sysbox-runc /usr/local/bin/sysbox-runc
+COPY --from=builder /build/sysbox-install/sysbox-mgr /usr/local/bin/sysbox-mgr
+COPY --from=builder /build/sysbox-install/sysbox-fs /usr/local/bin/sysbox-fs
+
+# Copy scripts and service files
+COPY scripts/install-sysbox-complete.sh /usr/local/bin/install-sysbox-complete.sh
+COPY scripts/verify-downloads.sh /usr/local/bin/verify-downloads.sh
+COPY scripts/sysbox-etc-overlay.service /usr/local/share/sysbox-etc-overlay.service
+COPY scripts/sysbox-mgr.service /usr/local/share/sysbox-mgr.service  
+COPY scripts/sysbox-fs.service /usr/local/share/sysbox-fs.service
+
+# Make everything executable
+RUN chmod +x /usr/local/bin/*
+
+# Create build info
+RUN echo "Sysbox Installer Image" > /usr/local/share/BUILD_INFO && \
+    echo "Built: $(date)" >> /usr/local/share/BUILD_INFO && \
+    echo "Sysbox: $(/usr/local/bin/sysbox-mgr --version | head -1)" >> /usr/local/share/BUILD_INFO && \
+    echo "rsync: $(/usr/local/bin/rsync --version | head -1)" >> /usr/local/share/BUILD_INFO
+
+WORKDIR /workspace
+
+# Default command runs the complete installer
+CMD ["/usr/local/bin/install-sysbox-complete.sh"]