devenv: Add tmt and nushell

devenv/.dockerignore

@@ -14,6 +14,7 @@
 !devenv-init.sh
 !fetch-tools.sh
 !install-rust.sh
+!install-uv.sh
 !install-kani.sh
 !devenv-selftest.sh
 !userns-setup

devenv/Containerfile.c10s

@@ -1,7 +1,7 @@
 # These aren't packages, just low-dependency binaries dropped in /usr/local/bin
 # so we can fetch them independently in a separate build.
 ARG base=quay.io/centos/centos:stream10
 FROM $base as base
 # Life is too short to care about dash
 RUN ln -sfr /bin/bash /bin/sh
 RUN <<EORUN
@@ -25,20 +25,25 @@
 dnf -y makecache
 EORUN
 
 FROM base as tools
 # renovate: datasource=github-releases depName=bootc-dev/bcvk
 ARG bcvkversion=v0.9.0
 # renovate: datasource=github-releases depName=ossf/scorecard
 ARG scorecardversion=v5.1.1
-COPY fetch-tools.sh /run/src/
-RUN bcvkversion=$bcvkversion scorecardversion=$scorecardversion /run/src/fetch-tools.sh
+# renovate: datasource=github-releases depName=nushell/nushell
+ARG nushellversion=0.110.0
+# renovate: datasource=github-releases depName=astral-sh/uv
+ARG uvversion=0.10.2
+COPY fetch-tools.sh install-uv.sh /run/src/
+RUN bcvkversion=$bcvkversion scorecardversion=$scorecardversion nushellversion=$nushellversion /run/src/fetch-tools.sh
+RUN uvversion=$uvversion /run/src/install-uv.sh
 
 FROM base as rust
 COPY install-rust.sh /run/src/
 RUN /run/src/install-rust.sh
 
 # Kani formal verification tool - requires rustup for toolchain management
 FROM rust as kani
 # renovate: datasource=crate depName=kani-verifier
 ARG kaniversion=0.67.0
 RUN dnf install -y gcc && dnf clean all
@@ -73,6 +78,9 @@
 ENV RUSTUP_HOME=/usr/local/rustup
 # Point Kani at the system-wide installation
 ENV KANI_HOME=/usr/local/kani
+# Configure uv for system-wide tool installation
+ENV UV_TOOL_DIR=/usr/local/uv-tools
+ENV UV_TOOL_BIN_DIR=/usr/local/bin
 # Setup for codespaces
 COPY devenv-init.sh /usr/local/bin/
 COPY userns-setup /usr/lib/devenv/userns-setup

devenv/Containerfile.debian

@@ -1,12 +1,15 @@
 # These aren't packages, just low-dependency binaries dropped in /usr/local/bin
 # so we can fetch them independently in a separate build.
 ARG base=docker.io/library/debian:sid
 FROM $base as base
 # Life is too short to care about dash
 RUN ln -sfr /bin/bash /bin/sh
 RUN <<EORUN
 set -xeuo pipefail
 
+# Disable apt sandboxing for nested container environments
+echo 'APT::Sandbox::User "root";' > /etc/apt/apt.conf.d/99sandbox-disable
+
 # Initialize some basic packages
 apt -y update && apt -y install curl time bzip2
 
@@ -25,20 +28,25 @@
 apt -y update
 EORUN
 
 FROM base as tools
 # renovate: datasource=github-releases depName=bootc-dev/bcvk
 ARG bcvkversion=v0.9.0
 # renovate: datasource=github-releases depName=ossf/scorecard
 ARG scorecardversion=v5.1.1
-COPY fetch-tools.sh /run/src/
-RUN bcvkversion=$bcvkversion scorecardversion=$scorecardversion /run/src/fetch-tools.sh
+# renovate: datasource=github-releases depName=nushell/nushell
+ARG nushellversion=0.110.0
+# renovate: datasource=github-releases depName=astral-sh/uv
+ARG uvversion=0.10.2
+COPY fetch-tools.sh install-uv.sh /run/src/
+RUN bcvkversion=$bcvkversion scorecardversion=$scorecardversion nushellversion=$nushellversion /run/src/fetch-tools.sh
+RUN uvversion=$uvversion /run/src/install-uv.sh
 
 FROM base as rust
 COPY install-rust.sh /run/src/
 RUN /run/src/install-rust.sh
 
 # Kani formal verification tool - requires rustup for toolchain management
 FROM rust as kani
 # renovate: datasource=crate depName=kani-verifier
 ARG kaniversion=0.67.0
 RUN apt-get update && apt-get install -y --no-install-recommends gcc libc6-dev && rm -rf /var/lib/apt/lists/*
@@ -59,6 +67,14 @@
 COPY npm.txt /run/src
 RUN grep -vEe '^#' npm.txt | /bin/time -f '%E %C' xargs npm i -g
 
+# Install tmt via uv tool install for isolated environment
+# UV_TOOL_DIR and UV_TOOL_BIN_DIR set to system-wide locations like rustup
+COPY --from=tools /usr/local/bin/uv /usr/local/bin/uv
+COPY --from=tools /usr/local/bin/uvx /usr/local/bin/uvx
+ENV UV_TOOL_DIR=/usr/local/uv-tools
+ENV UV_TOOL_BIN_DIR=/usr/local/bin
+RUN uv tool install 'tmt[provision-virtual]'
+
 # Copy in the binaries from our tools container image
 COPY --from=tools /usr/local/bin/* /usr/local/bin/
 COPY --from=kani /usr/local/bin/* /usr/local/bin/

devenv/README.md

@@ -4,8 +4,16 @@ This container image is suitable for use on
 developing projects in the bootc-dev organization,
 especially bootc.
 
-It includes all tools used in the Justfile
-for relevant projects.
+The goal is to make this completely usable as a devcontainer
+with tools such as VSCode remote containers, Codespaces,
+[devpod](https://devpod.sh/) and others.
+
+Specifically this includes e.g.:
+
+- Rust and C/C++ toolchains
+- `nu`
+- [tmt](https://tmt.readthedocs.io/)
+- [Kani](https://model-checking.github.io/kani/usage.html) for system verification
 
 ## Base image
 

devenv/devenv-init.sh

@@ -1,3 +1,6 @@
 #!/bin/bash
-# Thin wrapper that calls the Python implementation
-exec python3 /usr/lib/devenv/userns-setup "$@"
+# Initialize development environment
+set -euo pipefail
+
+# Set up podman for nested containers
+python3 /usr/lib/devenv/userns-setup "$@"

devenv/fetch-tools.sh

@@ -6,6 +6,7 @@ set -xeuo pipefail
 # Required environment variables (passed as build ARGs)
 : "${bcvkversion:?bcvkversion is required}"
 : "${scorecardversion:?scorecardversion is required}"
+: "${nushellversion:?nushellversion is required}"
 
 arch=$(arch)
 
@@ -42,3 +43,22 @@ td=$(mktemp -d)
   mv scorecard /usr/local/bin/scorecard
 )
 rm -rf $td
+
+# nushell - modern shell
+td=$(mktemp -d)
+(
+  cd $td
+  # Map arch to nushell naming convention
+  case "${arch}" in
+    x86_64) nuarch=x86_64 ;;
+    aarch64) nuarch=aarch64 ;;
+    *) echo "nushell unavailable for $arch"; return 0 ;;
+  esac
+  target=nu-${nushellversion}-${nuarch}-unknown-linux-gnu.tar.gz
+  /bin/time -f '%E %C' curl -fLO https://github.com/nushell/nushell/releases/download/$nushellversion/$target
+  tar xvzf $target
+  # The extracted directory has the same name as the archive without .tar.gz
+  extracted_dir=nu-${nushellversion}-${nuarch}-unknown-linux-gnu
+  mv $extracted_dir/nu /usr/local/bin/nu
+)
+rm -rf $td

devenv/install-uv.sh

@@ -0,0 +1,34 @@
+#!/bin/bash
+# Install uv system-wide into /usr/local
+# This script is shared between c10s and debian container builds.
+# Similar to rustup, we install the binary to /usr/local/bin and configure
+# tools to be installed system-wide via environment variables.
+set -xeuo pipefail
+
+: "${uvversion:?uvversion is required}"
+
+arch=$(arch)
+
+# Map arch to uv naming convention
+case "${arch}" in
+  x86_64) uvarch=x86_64 ;;
+  aarch64) uvarch=aarch64 ;;
+  *) echo "uv unavailable for $arch"; exit 1 ;;
+esac
+
+target=uv-${uvarch}-unknown-linux-gnu.tar.gz
+
+td=$(mktemp -d)
+(
+  cd $td
+  /bin/time -f '%E %C' curl -fLO https://github.com/astral-sh/uv/releases/download/${uvversion}/$target
+  tar xvzf $target
+  # The extracted directory has the same name as the archive without .tar.gz
+  extracted_dir=uv-${uvarch}-unknown-linux-gnu
+  mv $extracted_dir/uv /usr/local/bin/uv
+  mv $extracted_dir/uvx /usr/local/bin/uvx
+)
+rm -rf $td
+
+# Verify installation
+/usr/local/bin/uv --version

devenv/packages-c10s.txt

@@ -12,5 +12,8 @@ xorriso
 qemu-img
 libvirt-daemon-kvm
 
+# Testing framework
+tmt
+
 # TUI editors
 vim-enhanced

devenv/packages-debian.txt

@@ -7,6 +7,9 @@ libkrb5-dev
 libvirt-dev
 libostree-dev
 
+# Python dev headers (needed for uv to build libvirt-python from source for tmt)
+python3-dev
+
 # Runtime virt
 genisoimage
 qemu-utils