Add explicit "native" variants

These are explicitly targeting their native architectures -- for example, the amd64 build will only include `qemu-system-x86_64`, which leads to much smaller images for folks who just want to run a VM on its native platform.

4.2/Dockerfile

@@ -7,15 +7,24 @@
 FROM debian:buster-slim
 
 RUN set -eux; \
+# add backports for (potentially) newer QEMU firmware packages
 	suite="$(awk '$1 == "deb" { print $3; exit }' /etc/apt/sources.list)"; \
 	echo "deb http://deb.debian.org/debian $suite-backports main" > /etc/apt/sources.list.d/backports.list; \
+# and add APT pinning to ensure we don't accidentally get QEMU from Debian
+	{ \
+		echo 'Package: qemu-efi-* ovmf'; \
+		echo 'Pin: release a=*-backports'; \
+		echo 'Pin-Priority: 600'; \
+		echo; \
+		echo 'Package: qemu*'; \
+		echo 'Pin: version *'; \
+		echo 'Pin-Priority: -10'; \
+	} > /etc/apt/preferences.d/qemu.pref; \
 	apt-get update; \
 	apt-get install -y --no-install-recommends \
-		-t "$suite-backports" \
 		ovmf \
 		qemu-efi-aarch64 \
 		qemu-efi-arm \
-# TODO in bullseye+, add u-boot-qemu ?  https://packages.debian.org/bullseye/u-boot-qemu
 	; \
 	rm -rf /var/lib/apt/lists/*
 

4.2/Dockerfile.native

@@ -0,0 +1,201 @@
+#
+# NOTE: THIS DOCKERFILE IS GENERATED VIA "apply-templates.sh"
+#
+# PLEASE DO NOT EDIT IT DIRECTLY.
+#
+
+FROM debian:buster-slim
+
+RUN set -eux; \
+# add backports for (potentially) newer QEMU firmware packages
+	suite="$(awk '$1 == "deb" { print $3; exit }' /etc/apt/sources.list)"; \
+	echo "deb http://deb.debian.org/debian $suite-backports main" > /etc/apt/sources.list.d/backports.list; \
+# and add APT pinning to ensure we don't accidentally get QEMU from Debian
+	{ \
+		echo 'Package: qemu-efi-* ovmf'; \
+		echo 'Pin: release a=*-backports'; \
+		echo 'Pin-Priority: 600'; \
+		echo; \
+		echo 'Package: qemu*'; \
+		echo 'Pin: version *'; \
+		echo 'Pin-Priority: -10'; \
+	} > /etc/apt/preferences.d/qemu.pref; \
+	apt-get update; \
+	arch="$(dpkg --print-architecture)"; \
+	case "$arch" in \
+		amd64) apt-get install -y --no-install-recommends ovmf ;; \
+		arm64) apt-get install -y --no-install-recommends qemu-efi-aarch64 ;; \
+		armel | armhf) apt-get install -y --no-install-recommends qemu-efi-arm ;; \
+		*) echo >&2 "warning: architecture '$arch' unknown 😅 (is there a 'QEMU firmware' package that should be installed here? likely candidates: https://packages.debian.org/source/$suite/edk2)" ;; \
+	esac; \
+	rm -rf /var/lib/apt/lists/*
+
+COPY *.patch /qemu-patches/
+
+# https://wiki.qemu.org/SecurityProcess
+ENV QEMU_KEYS \
+# Michael Roth
+		CEACC9E15534EBABB82D3FA03353C9CEF108B584
+# https://wiki.qemu.org/Planning/ReleaseProcess#Sign_the_resulting_tarball_with_GPG: (they get signed by whoever is making the release)
+
+# https://www.qemu.org/download/#source
+# https://download.qemu.org/?C=M;O=D
+ENV QEMU_VERSION 4.2.1
+ENV QEMU_URL https://download.qemu.org/qemu-4.2.1.tar.xz
+
+RUN set -eux; \
+	\
+	savedAptMark="$(apt-mark showmanual)"; \
+	\
+	apt-get update; \
+	apt-get install -y --no-install-recommends \
+		ca-certificates \
+		gnupg dirmngr \
+		wget \
+		xz-utils \
+		\
+		patch \
+		\
+		bzip2 \
+		gcc \
+		gnutls-dev \
+		libaio-dev \
+		libbz2-dev \
+		libc-dev \
+		libcap-dev \
+		libcap-ng-dev \
+		libcurl4-gnutls-dev \
+		libglib2.0-dev \
+		libiscsi-dev \
+		libjpeg-dev \
+		libncursesw5-dev \
+		libnfs-dev \
+		libnuma-dev \
+		libpixman-1-dev \
+		libpng-dev \
+		librbd-dev \
+		libseccomp-dev \
+		libssh-dev \
+		libusb-1.0-0-dev \
+		libusbredirparser-dev \
+		libxen-dev \
+		make \
+		pkg-config \
+		python3 \
+		xfslibs-dev \
+		zlib1g-dev \
+	; \
+	rm -rf /var/lib/apt/lists/*; \
+	\
+	tarball="$(basename "$QEMU_URL")"; \
+	wget -O "$tarball.sig" "$QEMU_URL.sig"; \
+	wget -O "$tarball" "$QEMU_URL" --progress=dot:giga; \
+	\
+	export GNUPGHOME="$(mktemp -d)"; \
+	for key in $QEMU_KEYS; do \
+		gpg --batch --keyserver ha.pool.sks-keyservers.net --recv-keys "$key"; \
+	done; \
+	gpg --batch --verify "$tarball.sig" "$tarball"; \
+	gpgconf --kill all; \
+	rm -rf "$GNUPGHOME"; \
+	\
+	mkdir /usr/src/qemu; \
+	tar -xf "$tarball" -C /usr/src/qemu --strip-components=1; \
+	rm "$tarball" "$tarball.sig"; \
+	\
+	cd /usr/src/qemu; \
+	\
+	for p in /qemu-patches/*.patch; do \
+		patch --strip 1 --input "$p"; \
+	done; \
+	rm -rf /qemu-patches; \
+	\
+	arch="$(dpkg --print-architecture)"; \
+	case "$arch" in \
+		amd64) targetList='x86_64-softmmu' ;; \
+		arm64) targetList='aarch64-softmmu' ;; \
+		armel | armhf) targetList='arm-softmmu' ;; \
+		i386) targetList='i386-softmmu' ;; \
+		mips64el) targetList='mips64el-softmmu' ;; \
+		ppc64el) targetList='ppc64-softmmu' ;; \
+		s390x) targetList='s390x-softmmu' ;; \
+		*) echo >&2 "error: architecture '$arch' unimplemented 😅"; exit 1 ;; \
+	esac; \
+	\
+	./configure --help; \
+	./configure \
+# let's add a link to our source code in the output of "--version" in case our users end up filing bugs against the QEMU project O:)
+		--with-pkgversion='https://github.com/tianon/docker-qemu' \
+		--target-list="$targetList" \
+# let's point "firmware path" to Debian's value so we get access to "OVMF.fd" and friends more easily
+		--firmwarepath=/usr/share/qemu:/usr/share/seabios:/usr/lib/ipxe/qemu \
+# https://salsa.debian.org/qemu-team/qemu/-/blob/058ab4ec8623766b50055c8c56d0d5448d52fb0a/debian/rules#L38
+		--disable-docs \
+		--disable-gtk --disable-vte \
+		--disable-sdl \
+		--enable-attr \
+		--enable-bzip2 \
+		--enable-cap-ng \
+		--enable-curl \
+		--enable-curses \
+		--enable-fdt \
+		--enable-gnutls \
+		--enable-kvm \
+		--enable-libiscsi \
+		--enable-libnfs \
+		--enable-libssh \
+		--enable-libusb \
+		--enable-linux-aio \
+		--enable-linux-user \
+		--enable-modules \
+		--enable-numa \
+		--enable-rbd \
+		--enable-seccomp \
+		--enable-system \
+		--enable-tools \
+		--enable-usb-redir \
+		--enable-vhost-net \
+		--enable-vhost-user \
+		--enable-vhost-vsock \
+		--enable-virtfs \
+		--enable-vnc \
+		--enable-vnc-jpeg \
+		--enable-vnc-png \
+		--enable-xen \
+		--enable-xfsctl \
+# rbd support is enabled, but "librbd1" is not included since it adds ~60MB and is version-sensitive (https://github.com/tianon/docker-qemu/pull/11#issuecomment-689816553)
+#		--enable-vde \
+	; \
+	make -j "$(nproc)"; \
+	make install; \
+	\
+	cd /; \
+	rm -rf /usr/src/qemu; \
+	\
+	apt-mark auto '.*' > /dev/null; \
+	[ -z "$savedAptMark" ] || apt-mark manual $savedAptMark > /dev/null; \
+	find /usr/local \
+		-type f \
+		\( -executable -o -name '*.so' \) \
+# rbd support is enabled, but "librbd1" is not included since it adds ~60MB and is version-sensitive (https://github.com/tianon/docker-qemu/pull/11#issuecomment-689816553)
+		-not -name 'block-rbd.so' \
+		-exec ldd '{}' ';' \
+		| awk '/=>/ { print $(NF-1) }' \
+		| sort -u \
+		| xargs -r dpkg-query --search \
+		| cut -d: -f1 \
+		| sort -u \
+		| xargs -r apt-mark manual \
+	; \
+	apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \
+	\
+# basic smoke test
+	qemu-img --version
+
+STOPSIGNAL SIGHUP
+
+EXPOSE 22
+EXPOSE 5900
+
+COPY start-qemu /usr/local/bin/
+CMD ["start-qemu"]

5.0/Dockerfile

@@ -7,15 +7,24 @@
 FROM debian:buster-slim
 
 RUN set -eux; \
+# add backports for (potentially) newer QEMU firmware packages
 	suite="$(awk '$1 == "deb" { print $3; exit }' /etc/apt/sources.list)"; \
 	echo "deb http://deb.debian.org/debian $suite-backports main" > /etc/apt/sources.list.d/backports.list; \
+# and add APT pinning to ensure we don't accidentally get QEMU from Debian
+	{ \
+		echo 'Package: qemu-efi-* ovmf'; \
+		echo 'Pin: release a=*-backports'; \
+		echo 'Pin-Priority: 600'; \
+		echo; \
+		echo 'Package: qemu*'; \
+		echo 'Pin: version *'; \
+		echo 'Pin-Priority: -10'; \
+	} > /etc/apt/preferences.d/qemu.pref; \
 	apt-get update; \
 	apt-get install -y --no-install-recommends \
-		-t "$suite-backports" \
 		ovmf \
 		qemu-efi-aarch64 \
 		qemu-efi-arm \
-# TODO in bullseye+, add u-boot-qemu ?  https://packages.debian.org/bullseye/u-boot-qemu
 	; \
 	rm -rf /var/lib/apt/lists/*
 

5.0/Dockerfile.native

@@ -0,0 +1,201 @@
+#
+# NOTE: THIS DOCKERFILE IS GENERATED VIA "apply-templates.sh"
+#
+# PLEASE DO NOT EDIT IT DIRECTLY.
+#
+
+FROM debian:buster-slim
+
+RUN set -eux; \
+# add backports for (potentially) newer QEMU firmware packages
+	suite="$(awk '$1 == "deb" { print $3; exit }' /etc/apt/sources.list)"; \
+	echo "deb http://deb.debian.org/debian $suite-backports main" > /etc/apt/sources.list.d/backports.list; \
+# and add APT pinning to ensure we don't accidentally get QEMU from Debian
+	{ \
+		echo 'Package: qemu-efi-* ovmf'; \
+		echo 'Pin: release a=*-backports'; \
+		echo 'Pin-Priority: 600'; \
+		echo; \
+		echo 'Package: qemu*'; \
+		echo 'Pin: version *'; \
+		echo 'Pin-Priority: -10'; \
+	} > /etc/apt/preferences.d/qemu.pref; \
+	apt-get update; \
+	arch="$(dpkg --print-architecture)"; \
+	case "$arch" in \
+		amd64) apt-get install -y --no-install-recommends ovmf ;; \
+		arm64) apt-get install -y --no-install-recommends qemu-efi-aarch64 ;; \
+		armel | armhf) apt-get install -y --no-install-recommends qemu-efi-arm ;; \
+		*) echo >&2 "warning: architecture '$arch' unknown 😅 (is there a 'QEMU firmware' package that should be installed here? likely candidates: https://packages.debian.org/source/$suite/edk2)" ;; \
+	esac; \
+	rm -rf /var/lib/apt/lists/*
+
+COPY *.patch /qemu-patches/
+
+# https://wiki.qemu.org/SecurityProcess
+ENV QEMU_KEYS \
+# Michael Roth
+		CEACC9E15534EBABB82D3FA03353C9CEF108B584
+# https://wiki.qemu.org/Planning/ReleaseProcess#Sign_the_resulting_tarball_with_GPG: (they get signed by whoever is making the release)
+
+# https://www.qemu.org/download/#source
+# https://download.qemu.org/?C=M;O=D
+ENV QEMU_VERSION 5.0.1
+ENV QEMU_URL https://download.qemu.org/qemu-5.0.1.tar.xz
+
+RUN set -eux; \
+	\
+	savedAptMark="$(apt-mark showmanual)"; \
+	\
+	apt-get update; \
+	apt-get install -y --no-install-recommends \
+		ca-certificates \
+		gnupg dirmngr \
+		wget \
+		xz-utils \
+		\
+		patch \
+		\
+		bzip2 \
+		gcc \
+		gnutls-dev \
+		libaio-dev \
+		libbz2-dev \
+		libc-dev \
+		libcap-dev \
+		libcap-ng-dev \
+		libcurl4-gnutls-dev \
+		libglib2.0-dev \
+		libiscsi-dev \
+		libjpeg-dev \
+		libncursesw5-dev \
+		libnfs-dev \
+		libnuma-dev \
+		libpixman-1-dev \
+		libpng-dev \
+		librbd-dev \
+		libseccomp-dev \
+		libssh-dev \
+		libusb-1.0-0-dev \
+		libusbredirparser-dev \
+		libxen-dev \
+		make \
+		pkg-config \
+		python3 \
+		xfslibs-dev \
+		zlib1g-dev \
+	; \
+	rm -rf /var/lib/apt/lists/*; \
+	\
+	tarball="$(basename "$QEMU_URL")"; \
+	wget -O "$tarball.sig" "$QEMU_URL.sig"; \
+	wget -O "$tarball" "$QEMU_URL" --progress=dot:giga; \
+	\
+	export GNUPGHOME="$(mktemp -d)"; \
+	for key in $QEMU_KEYS; do \
+		gpg --batch --keyserver ha.pool.sks-keyservers.net --recv-keys "$key"; \
+	done; \
+	gpg --batch --verify "$tarball.sig" "$tarball"; \
+	gpgconf --kill all; \
+	rm -rf "$GNUPGHOME"; \
+	\
+	mkdir /usr/src/qemu; \
+	tar -xf "$tarball" -C /usr/src/qemu --strip-components=1; \
+	rm "$tarball" "$tarball.sig"; \
+	\
+	cd /usr/src/qemu; \
+	\
+	for p in /qemu-patches/*.patch; do \
+		patch --strip 1 --input "$p"; \
+	done; \
+	rm -rf /qemu-patches; \
+	\
+	arch="$(dpkg --print-architecture)"; \
+	case "$arch" in \
+		amd64) targetList='x86_64-softmmu' ;; \
+		arm64) targetList='aarch64-softmmu' ;; \
+		armel | armhf) targetList='arm-softmmu' ;; \
+		i386) targetList='i386-softmmu' ;; \
+		mips64el) targetList='mips64el-softmmu' ;; \
+		ppc64el) targetList='ppc64-softmmu' ;; \
+		s390x) targetList='s390x-softmmu' ;; \
+		*) echo >&2 "error: architecture '$arch' unimplemented 😅"; exit 1 ;; \
+	esac; \
+	\
+	./configure --help; \
+	./configure \
+# let's add a link to our source code in the output of "--version" in case our users end up filing bugs against the QEMU project O:)
+		--with-pkgversion='https://github.com/tianon/docker-qemu' \
+		--target-list="$targetList" \
+# let's point "firmware path" to Debian's value so we get access to "OVMF.fd" and friends more easily
+		--firmwarepath=/usr/share/qemu:/usr/share/seabios:/usr/lib/ipxe/qemu \
+# https://salsa.debian.org/qemu-team/qemu/-/blob/058ab4ec8623766b50055c8c56d0d5448d52fb0a/debian/rules#L38
+		--disable-docs \
+		--disable-gtk --disable-vte \
+		--disable-sdl \
+		--enable-attr \
+		--enable-bzip2 \
+		--enable-cap-ng \
+		--enable-curl \
+		--enable-curses \
+		--enable-fdt \
+		--enable-gnutls \
+		--enable-kvm \
+		--enable-libiscsi \
+		--enable-libnfs \
+		--enable-libssh \
+		--enable-libusb \
+		--enable-linux-aio \
+		--enable-linux-user \
+		--enable-modules \
+		--enable-numa \
+		--enable-rbd \
+		--enable-seccomp \
+		--enable-system \
+		--enable-tools \
+		--enable-usb-redir \
+		--enable-vhost-net \
+		--enable-vhost-user \
+		--enable-vhost-vsock \
+		--enable-virtfs \
+		--enable-vnc \
+		--enable-vnc-jpeg \
+		--enable-vnc-png \
+		--enable-xen \
+		--enable-xfsctl \
+# rbd support is enabled, but "librbd1" is not included since it adds ~60MB and is version-sensitive (https://github.com/tianon/docker-qemu/pull/11#issuecomment-689816553)
+#		--enable-vde \
+	; \
+	make -j "$(nproc)"; \
+	make install; \
+	\
+	cd /; \
+	rm -rf /usr/src/qemu; \
+	\
+	apt-mark auto '.*' > /dev/null; \
+	[ -z "$savedAptMark" ] || apt-mark manual $savedAptMark > /dev/null; \
+	find /usr/local \
+		-type f \
+		\( -executable -o -name '*.so' \) \
+# rbd support is enabled, but "librbd1" is not included since it adds ~60MB and is version-sensitive (https://github.com/tianon/docker-qemu/pull/11#issuecomment-689816553)
+		-not -name 'block-rbd.so' \
+		-exec ldd '{}' ';' \
+		| awk '/=>/ { print $(NF-1) }' \
+		| sort -u \
+		| xargs -r dpkg-query --search \
+		| cut -d: -f1 \
+		| sort -u \
+		| xargs -r apt-mark manual \
+	; \
+	apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \
+	\
+# basic smoke test
+	qemu-img --version
+
+STOPSIGNAL SIGHUP
+
+EXPOSE 22
+EXPOSE 5900
+
+COPY start-qemu /usr/local/bin/
+CMD ["start-qemu"]

5.1/Dockerfile

@@ -7,15 +7,24 @@
 FROM debian:buster-slim
 
 RUN set -eux; \
+# add backports for (potentially) newer QEMU firmware packages
 	suite="$(awk '$1 == "deb" { print $3; exit }' /etc/apt/sources.list)"; \
 	echo "deb http://deb.debian.org/debian $suite-backports main" > /etc/apt/sources.list.d/backports.list; \
+# and add APT pinning to ensure we don't accidentally get QEMU from Debian
+	{ \
+		echo 'Package: qemu-efi-* ovmf'; \
+		echo 'Pin: release a=*-backports'; \
+		echo 'Pin-Priority: 600'; \
+		echo; \
+		echo 'Package: qemu*'; \
+		echo 'Pin: version *'; \
+		echo 'Pin-Priority: -10'; \
+	} > /etc/apt/preferences.d/qemu.pref; \
 	apt-get update; \
 	apt-get install -y --no-install-recommends \
-		-t "$suite-backports" \
 		ovmf \
 		qemu-efi-aarch64 \
 		qemu-efi-arm \
-# TODO in bullseye+, add u-boot-qemu ?  https://packages.debian.org/bullseye/u-boot-qemu
 	; \
 	rm -rf /var/lib/apt/lists/*
 

5.1/Dockerfile.native

@@ -0,0 +1,201 @@
+#
+# NOTE: THIS DOCKERFILE IS GENERATED VIA "apply-templates.sh"
+#
+# PLEASE DO NOT EDIT IT DIRECTLY.
+#
+
+FROM debian:buster-slim
+
+RUN set -eux; \
+# add backports for (potentially) newer QEMU firmware packages
+	suite="$(awk '$1 == "deb" { print $3; exit }' /etc/apt/sources.list)"; \
+	echo "deb http://deb.debian.org/debian $suite-backports main" > /etc/apt/sources.list.d/backports.list; \
+# and add APT pinning to ensure we don't accidentally get QEMU from Debian
+	{ \
+		echo 'Package: qemu-efi-* ovmf'; \
+		echo 'Pin: release a=*-backports'; \
+		echo 'Pin-Priority: 600'; \
+		echo; \
+		echo 'Package: qemu*'; \
+		echo 'Pin: version *'; \
+		echo 'Pin-Priority: -10'; \
+	} > /etc/apt/preferences.d/qemu.pref; \
+	apt-get update; \
+	arch="$(dpkg --print-architecture)"; \
+	case "$arch" in \
+		amd64) apt-get install -y --no-install-recommends ovmf ;; \
+		arm64) apt-get install -y --no-install-recommends qemu-efi-aarch64 ;; \
+		armel | armhf) apt-get install -y --no-install-recommends qemu-efi-arm ;; \
+		*) echo >&2 "warning: architecture '$arch' unknown 😅 (is there a 'QEMU firmware' package that should be installed here? likely candidates: https://packages.debian.org/source/$suite/edk2)" ;; \
+	esac; \
+	rm -rf /var/lib/apt/lists/*
+
+COPY *.patch /qemu-patches/
+
+# https://wiki.qemu.org/SecurityProcess
+ENV QEMU_KEYS \
+# Michael Roth
+		CEACC9E15534EBABB82D3FA03353C9CEF108B584
+# https://wiki.qemu.org/Planning/ReleaseProcess#Sign_the_resulting_tarball_with_GPG: (they get signed by whoever is making the release)
+
+# https://www.qemu.org/download/#source
+# https://download.qemu.org/?C=M;O=D
+ENV QEMU_VERSION 5.1.0
+ENV QEMU_URL https://download.qemu.org/qemu-5.1.0.tar.xz
+
+RUN set -eux; \
+	\
+	savedAptMark="$(apt-mark showmanual)"; \
+	\
+	apt-get update; \
+	apt-get install -y --no-install-recommends \
+		ca-certificates \
+		gnupg dirmngr \
+		wget \
+		xz-utils \
+		\
+		patch \
+		\
+		bzip2 \
+		gcc \
+		gnutls-dev \
+		libaio-dev \
+		libbz2-dev \
+		libc-dev \
+		libcap-dev \
+		libcap-ng-dev \
+		libcurl4-gnutls-dev \
+		libglib2.0-dev \
+		libiscsi-dev \
+		libjpeg-dev \
+		libncursesw5-dev \
+		libnfs-dev \
+		libnuma-dev \
+		libpixman-1-dev \
+		libpng-dev \
+		librbd-dev \
+		libseccomp-dev \
+		libssh-dev \
+		libusb-1.0-0-dev \
+		libusbredirparser-dev \
+		libxen-dev \
+		make \
+		pkg-config \
+		python3 \
+		xfslibs-dev \
+		zlib1g-dev \
+	; \
+	rm -rf /var/lib/apt/lists/*; \
+	\
+	tarball="$(basename "$QEMU_URL")"; \
+	wget -O "$tarball.sig" "$QEMU_URL.sig"; \
+	wget -O "$tarball" "$QEMU_URL" --progress=dot:giga; \
+	\
+	export GNUPGHOME="$(mktemp -d)"; \
+	for key in $QEMU_KEYS; do \
+		gpg --batch --keyserver ha.pool.sks-keyservers.net --recv-keys "$key"; \
+	done; \
+	gpg --batch --verify "$tarball.sig" "$tarball"; \
+	gpgconf --kill all; \
+	rm -rf "$GNUPGHOME"; \
+	\
+	mkdir /usr/src/qemu; \
+	tar -xf "$tarball" -C /usr/src/qemu --strip-components=1; \
+	rm "$tarball" "$tarball.sig"; \
+	\
+	cd /usr/src/qemu; \
+	\
+	for p in /qemu-patches/*.patch; do \
+		patch --strip 1 --input "$p"; \
+	done; \
+	rm -rf /qemu-patches; \
+	\
+	arch="$(dpkg --print-architecture)"; \
+	case "$arch" in \
+		amd64) targetList='x86_64-softmmu' ;; \
+		arm64) targetList='aarch64-softmmu' ;; \
+		armel | armhf) targetList='arm-softmmu' ;; \
+		i386) targetList='i386-softmmu' ;; \
+		mips64el) targetList='mips64el-softmmu' ;; \
+		ppc64el) targetList='ppc64-softmmu' ;; \
+		s390x) targetList='s390x-softmmu' ;; \
+		*) echo >&2 "error: architecture '$arch' unimplemented 😅"; exit 1 ;; \
+	esac; \
+	\
+	./configure --help; \
+	./configure \
+# let's add a link to our source code in the output of "--version" in case our users end up filing bugs against the QEMU project O:)
+		--with-pkgversion='https://github.com/tianon/docker-qemu' \
+		--target-list="$targetList" \
+# let's point "firmware path" to Debian's value so we get access to "OVMF.fd" and friends more easily
+		--firmwarepath=/usr/share/qemu:/usr/share/seabios:/usr/lib/ipxe/qemu \
+# https://salsa.debian.org/qemu-team/qemu/-/blob/058ab4ec8623766b50055c8c56d0d5448d52fb0a/debian/rules#L38
+		--disable-docs \
+		--disable-gtk --disable-vte \
+		--disable-sdl \
+		--enable-attr \
+		--enable-bzip2 \
+		--enable-cap-ng \
+		--enable-curl \
+		--enable-curses \
+		--enable-fdt \
+		--enable-gnutls \
+		--enable-kvm \
+		--enable-libiscsi \
+		--enable-libnfs \
+		--enable-libssh \
+		--enable-libusb \
+		--enable-linux-aio \
+		--enable-linux-user \
+		--enable-modules \
+		--enable-numa \
+		--enable-rbd \
+		--enable-seccomp \
+		--enable-system \
+		--enable-tools \
+		--enable-usb-redir \
+		--enable-vhost-net \
+		--enable-vhost-user \
+		--enable-vhost-vsock \
+		--enable-virtfs \
+		--enable-vnc \
+		--enable-vnc-jpeg \
+		--enable-vnc-png \
+		--enable-xen \
+		--enable-xfsctl \
+# rbd support is enabled, but "librbd1" is not included since it adds ~60MB and is version-sensitive (https://github.com/tianon/docker-qemu/pull/11#issuecomment-689816553)
+#		--enable-vde \
+	; \
+	make -j "$(nproc)"; \
+	make install; \
+	\
+	cd /; \
+	rm -rf /usr/src/qemu; \
+	\
+	apt-mark auto '.*' > /dev/null; \
+	[ -z "$savedAptMark" ] || apt-mark manual $savedAptMark > /dev/null; \
+	find /usr/local \
+		-type f \
+		\( -executable -o -name '*.so' \) \
+# rbd support is enabled, but "librbd1" is not included since it adds ~60MB and is version-sensitive (https://github.com/tianon/docker-qemu/pull/11#issuecomment-689816553)
+		-not -name 'block-rbd.so' \
+		-exec ldd '{}' ';' \
+		| awk '/=>/ { print $(NF-1) }' \
+		| sort -u \
+		| xargs -r dpkg-query --search \
+		| cut -d: -f1 \
+		| sort -u \
+		| xargs -r apt-mark manual \
+	; \
+	apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \
+	\
+# basic smoke test
+	qemu-img --version
+
+STOPSIGNAL SIGHUP
+
+EXPOSE 22
+EXPOSE 5900
+
+COPY start-qemu /usr/local/bin/
+CMD ["start-qemu"]

5.2/Dockerfile

@@ -7,15 +7,24 @@
 FROM debian:buster-slim
 
 RUN set -eux; \
+# add backports for (potentially) newer QEMU firmware packages
 	suite="$(awk '$1 == "deb" { print $3; exit }' /etc/apt/sources.list)"; \
 	echo "deb http://deb.debian.org/debian $suite-backports main" > /etc/apt/sources.list.d/backports.list; \
+# and add APT pinning to ensure we don't accidentally get QEMU from Debian
+	{ \
+		echo 'Package: qemu-efi-* ovmf'; \
+		echo 'Pin: release a=*-backports'; \
+		echo 'Pin-Priority: 600'; \
+		echo; \
+		echo 'Package: qemu*'; \
+		echo 'Pin: version *'; \
+		echo 'Pin-Priority: -10'; \
+	} > /etc/apt/preferences.d/qemu.pref; \
 	apt-get update; \
 	apt-get install -y --no-install-recommends \
-		-t "$suite-backports" \
 		ovmf \
 		qemu-efi-aarch64 \
 		qemu-efi-arm \
-# TODO in bullseye+, add u-boot-qemu ?  https://packages.debian.org/bullseye/u-boot-qemu
 	; \
 	rm -rf /var/lib/apt/lists/*
 

5.2/Dockerfile.native

@@ -0,0 +1,204 @@
+#
+# NOTE: THIS DOCKERFILE IS GENERATED VIA "apply-templates.sh"
+#
+# PLEASE DO NOT EDIT IT DIRECTLY.
+#
+
+FROM debian:buster-slim
+
+RUN set -eux; \
+# add backports for (potentially) newer QEMU firmware packages
+	suite="$(awk '$1 == "deb" { print $3; exit }' /etc/apt/sources.list)"; \
+	echo "deb http://deb.debian.org/debian $suite-backports main" > /etc/apt/sources.list.d/backports.list; \
+# and add APT pinning to ensure we don't accidentally get QEMU from Debian
+	{ \
+		echo 'Package: qemu-efi-* ovmf'; \
+		echo 'Pin: release a=*-backports'; \
+		echo 'Pin-Priority: 600'; \
+		echo; \
+		echo 'Package: qemu*'; \
+		echo 'Pin: version *'; \
+		echo 'Pin-Priority: -10'; \
+	} > /etc/apt/preferences.d/qemu.pref; \
+	apt-get update; \
+	arch="$(dpkg --print-architecture)"; \
+	case "$arch" in \
+		amd64) apt-get install -y --no-install-recommends ovmf ;; \
+		arm64) apt-get install -y --no-install-recommends qemu-efi-aarch64 ;; \
+		armel | armhf) apt-get install -y --no-install-recommends qemu-efi-arm ;; \
+		*) echo >&2 "warning: architecture '$arch' unknown 😅 (is there a 'QEMU firmware' package that should be installed here? likely candidates: https://packages.debian.org/source/$suite/edk2)" ;; \
+	esac; \
+	rm -rf /var/lib/apt/lists/*
+
+COPY *.patch /qemu-patches/
+
+# https://wiki.qemu.org/SecurityProcess
+ENV QEMU_KEYS \
+# Michael Roth
+		CEACC9E15534EBABB82D3FA03353C9CEF108B584
+# https://wiki.qemu.org/Planning/ReleaseProcess#Sign_the_resulting_tarball_with_GPG: (they get signed by whoever is making the release)
+
+# https://www.qemu.org/download/#source
+# https://download.qemu.org/?C=M;O=D
+ENV QEMU_VERSION 5.2.0
+ENV QEMU_URL https://download.qemu.org/qemu-5.2.0.tar.xz
+
+RUN set -eux; \
+	\
+	savedAptMark="$(apt-mark showmanual)"; \
+	\
+	apt-get update; \
+	apt-get install -y --no-install-recommends \
+		ca-certificates \
+		gnupg dirmngr \
+		wget \
+		xz-utils \
+		\
+		patch \
+		\
+		bzip2 \
+		gcc \
+		gnutls-dev \
+		libaio-dev \
+		libbz2-dev \
+		libc-dev \
+		libcap-dev \
+		libcap-ng-dev \
+		libcurl4-gnutls-dev \
+		libglib2.0-dev \
+		libiscsi-dev \
+		libjpeg-dev \
+		libncursesw5-dev \
+		libnfs-dev \
+		libnuma-dev \
+		libpixman-1-dev \
+		libpng-dev \
+		librbd-dev \
+		libseccomp-dev \
+		libssh-dev \
+		libusb-1.0-0-dev \
+		libusbredirparser-dev \
+		libxen-dev \
+		make \
+		pkg-config \
+		python3 \
+		xfslibs-dev \
+		zlib1g-dev \
+# https://wiki.qemu.org/ChangeLog/5.2#Build_Information
+		ninja-build \
+		python3-setuptools \
+	; \
+	rm -rf /var/lib/apt/lists/*; \
+	\
+	tarball="$(basename "$QEMU_URL")"; \
+	wget -O "$tarball.sig" "$QEMU_URL.sig"; \
+	wget -O "$tarball" "$QEMU_URL" --progress=dot:giga; \
+	\
+	export GNUPGHOME="$(mktemp -d)"; \
+	for key in $QEMU_KEYS; do \
+		gpg --batch --keyserver ha.pool.sks-keyservers.net --recv-keys "$key"; \
+	done; \
+	gpg --batch --verify "$tarball.sig" "$tarball"; \
+	gpgconf --kill all; \
+	rm -rf "$GNUPGHOME"; \
+	\
+	mkdir /usr/src/qemu; \
+	tar -xf "$tarball" -C /usr/src/qemu --strip-components=1; \
+	rm "$tarball" "$tarball.sig"; \
+	\
+	cd /usr/src/qemu; \
+	\
+	for p in /qemu-patches/*.patch; do \
+		patch --strip 1 --input "$p"; \
+	done; \
+	rm -rf /qemu-patches; \
+	\
+	arch="$(dpkg --print-architecture)"; \
+	case "$arch" in \
+		amd64) targetList='x86_64-softmmu' ;; \
+		arm64) targetList='aarch64-softmmu' ;; \
+		armel | armhf) targetList='arm-softmmu' ;; \
+		i386) targetList='i386-softmmu' ;; \
+		mips64el) targetList='mips64el-softmmu' ;; \
+		ppc64el) targetList='ppc64-softmmu' ;; \
+		s390x) targetList='s390x-softmmu' ;; \
+		*) echo >&2 "error: architecture '$arch' unimplemented 😅"; exit 1 ;; \
+	esac; \
+	\
+	./configure --help; \
+	./configure \
+# let's add a link to our source code in the output of "--version" in case our users end up filing bugs against the QEMU project O:)
+		--with-pkgversion='https://github.com/tianon/docker-qemu' \
+		--target-list="$targetList" \
+# let's point "firmware path" to Debian's value so we get access to "OVMF.fd" and friends more easily
+		--firmwarepath=/usr/share/qemu:/usr/share/seabios:/usr/lib/ipxe/qemu \
+# https://salsa.debian.org/qemu-team/qemu/-/blob/058ab4ec8623766b50055c8c56d0d5448d52fb0a/debian/rules#L38
+		--disable-docs \
+		--disable-gtk --disable-vte \
+		--disable-sdl \
+		--enable-attr \
+		--enable-bzip2 \
+		--enable-cap-ng \
+		--enable-curl \
+		--enable-curses \
+		--enable-fdt \
+		--enable-gnutls \
+		--enable-kvm \
+		--enable-libiscsi \
+		--enable-libnfs \
+		--enable-libssh \
+		--enable-libusb \
+		--enable-linux-aio \
+		--enable-linux-user \
+		--enable-modules \
+		--enable-numa \
+		--enable-rbd \
+		--enable-seccomp \
+		--enable-system \
+		--enable-tools \
+		--enable-usb-redir \
+		--enable-vhost-net \
+		--enable-vhost-user \
+		--enable-vhost-vsock \
+		--enable-virtfs \
+		--enable-vnc \
+		--enable-vnc-jpeg \
+		--enable-vnc-png \
+		--enable-xen \
+		--enable-xfsctl \
+# rbd support is enabled, but "librbd1" is not included since it adds ~60MB and is version-sensitive (https://github.com/tianon/docker-qemu/pull/11#issuecomment-689816553)
+#		--enable-vde \
+	; \
+	make -j "$(nproc)"; \
+	make install; \
+	\
+	cd /; \
+	rm -rf /usr/src/qemu; \
+	\
+	apt-mark auto '.*' > /dev/null; \
+	[ -z "$savedAptMark" ] || apt-mark manual $savedAptMark > /dev/null; \
+	find /usr/local \
+		-type f \
+		\( -executable -o -name '*.so' \) \
+# rbd support is enabled, but "librbd1" is not included since it adds ~60MB and is version-sensitive (https://github.com/tianon/docker-qemu/pull/11#issuecomment-689816553)
+		-not -name 'block-rbd.so' \
+		-exec ldd '{}' ';' \
+		| awk '/=>/ { print $(NF-1) }' \
+		| sort -u \
+		| xargs -r dpkg-query --search \
+		| cut -d: -f1 \
+		| sort -u \
+		| xargs -r apt-mark manual \
+	; \
+	apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \
+	\
+# basic smoke test
+	qemu-img --version
+
+STOPSIGNAL SIGHUP
+
+EXPOSE 22
+EXPOSE 5900
+
+COPY start-qemu /usr/local/bin/
+CMD ["start-qemu"]

Dockerfile.template

@@ -1,16 +1,58 @@
 FROM debian:buster-slim
 
 RUN set -eux; \
+# add backports for (potentially) newer QEMU firmware packages
 	suite="$(awk '$1 == "deb" { print $3; exit }' /etc/apt/sources.list)"; \
 	echo "deb http://deb.debian.org/debian $suite-backports main" > /etc/apt/sources.list.d/backports.list; \
+# and add APT pinning to ensure we don't accidentally get QEMU from Debian
+	{ \
+		echo 'Package: qemu-efi-* ovmf'; \
+		echo 'Pin: release a=*-backports'; \
+		echo 'Pin-Priority: 600'; \
+		echo; \
+		echo 'Package: qemu*'; \
+		echo 'Pin: version *'; \
+		echo 'Pin-Priority: -10'; \
+	} > /etc/apt/preferences.d/qemu.pref; \
 	apt-get update; \
+{{ def firmware_packages: {
+	amd64: "ovmf",
+	arm64: "qemu-efi-aarch64",
+	"armel | armhf": "qemu-efi-arm",
+# TODO add "i386": "ovmf-ia32" in bullseye+
+# TODO in bullseye+, add u-boot-qemu ?  https://packages.debian.org/bullseye/u-boot-qemu (not sure which arches to add this to since it contains all of them...  maybe every relevant one?)
+} -}}
+{{ if env.variant == "native" then ( -}}
+	arch="$(dpkg --print-architecture)"; \
+	case "$arch" in \
+{{
+	[
+		firmware_packages
+		| to_entries[]
+		| (
+-}}
+		{{ .key }}) apt-get install -y --no-install-recommends {{ .value }} ;; \
+{{
+		)
+	] | add
+-}}
+		*) echo >&2 "warning: architecture '$arch' unknown 😅 (is there a 'QEMU firmware' package that should be installed here? likely candidates: https://packages.debian.org/source/$suite/edk2)" ;; \
+	esac; \
+{{ ) else ( -}}
 	apt-get install -y --no-install-recommends \
-		-t "$suite-backports" \
-		ovmf \
-		qemu-efi-aarch64 \
-		qemu-efi-arm \
-# TODO in bullseye+, add u-boot-qemu ?  https://packages.debian.org/bullseye/u-boot-qemu
+{{
+	[
+		[ firmware_packages[] ]
+		| sort[]
+		| (
+-}}
+		{{ . }} \
+{{
+		)
+	] | add
+-}}
 	; \
+{{ ) end -}}
 	rm -rf /var/lib/apt/lists/*
 
 COPY *.patch /qemu-patches/
@@ -97,11 +139,28 @@ RUN set -eux; \
 		patch --strip 1 --input "$p"; \
 	done; \
 	rm -rf /qemu-patches; \
+{{ if env.variant == "native" then ( -}}
+	\
+	arch="$(dpkg --print-architecture)"; \
+	case "$arch" in \
+		amd64) targetList='x86_64-softmmu' ;; \
+		arm64) targetList='aarch64-softmmu' ;; \
+		armel | armhf) targetList='arm-softmmu' ;; \
+		i386) targetList='i386-softmmu' ;; \
+		mips64el) targetList='mips64el-softmmu' ;; \
+		ppc64el) targetList='ppc64-softmmu' ;; \
+		s390x) targetList='s390x-softmmu' ;; \
+		*) echo >&2 "error: architecture '$arch' unimplemented 😅"; exit 1 ;; \
+	esac; \
+{{ ) else "" end -}}
 	\
 	./configure --help; \
 	./configure \
 # let's add a link to our source code in the output of "--version" in case our users end up filing bugs against the QEMU project O:)
 		--with-pkgversion='https://github.com/tianon/docker-qemu' \
+{{ if env.variant == "native" then ( -}}
+		--target-list="$targetList" \
+{{ ) else ( -}}
 		--target-list=' \
 # system targets
 # (https://sources.debian.org/src/qemu/buster/debian/rules/#L59-L63, slimmed)
@@ -115,6 +174,7 @@ RUN set -eux; \
 			ppc64-linux-user ppc64le-linux-user riscv64-linux-user sparc64-linux-user \
 			s390x-linux-user \
 		' \
+{{ ) end -}}
 # let's point "firmware path" to Debian's value so we get access to "OVMF.fd" and friends more easily
 		--firmwarepath=/usr/share/qemu:/usr/share/seabios:/usr/lib/ipxe/qemu \
 # https://salsa.debian.org/qemu-team/qemu/-/blob/058ab4ec8623766b50055c8c56d0d5448d52fb0a/debian/rules#L38

README.md

@@ -14,7 +14,7 @@ $ docker run -it --rm \
 	-e QEMU_CDROM=/tmp/debian.iso \
 	-e QEMU_BOOT='order=d' \
 	-e QEMU_PORTS='2375 2376' \
-	tianon/qemu
+	tianon/qemu:native
 ```
 
 Note: port 22 will always be mapped (regardless of the contents of `QEMU_PORTS`).
@@ -24,3 +24,5 @@ For supplying additional arguments, use a command of `start-qemu <args>`. For ex
 For UEFI support, [the `ovmf` package](https://packages.debian.org/sid/ovmf) is installed, which can be utilized most easily by supplying `--bios /usr/share/ovmf/OVMF.fd`.
 
 By default, this image will use [QEMU's user-mode networking stack](https://wiki.qemu.org/Documentation/Networking#User_Networking_.28SLIRP.29), which means if you want ping/ICMP working, you'll likely need to also include something like `--sysctl net.ipv4.ping_group_range='0 2147483647'` in your container runtime settings.
+
+The `native` variants for `amd64` only contain `qemu-system-x86_64` -- the non-`native` variants contain QEMU compiled for a variety of target CPUs.

apply-templates.sh

@@ -27,14 +27,15 @@ generated_warning() {
 }
 
 for version; do
-	export version
-
-	echo "processing $version ..."
-
-	{
-		generated_warning
-		gawk -f "$jqt" Dockerfile.template
-	} > "$version/Dockerfile"
-
 	cp -a start-qemu "$version/"
+	for variant in '' native; do
+		export version variant
+
+		echo "processing $version${variant:+ ($variant)} ..."
+
+		{
+			generated_warning
+			gawk -f "$jqt" Dockerfile.template
+		} > "$version/Dockerfile${variant:+.$variant}"
+	done
 done

generate-stackbrew-library.sh

@@ -29,8 +29,8 @@ dirCommit() {
 	(
 		cd "$dir"
 		fileCommit \
-			Dockerfile \
-			$(git show HEAD:./Dockerfile | awk '
+			Dockerfile* \
+			$(git show HEAD:./Dockerfile* | awk '
 				toupper($1) == "COPY" {
 					for (i = 2; i < NF; i++) {
 						print $i
@@ -40,6 +40,21 @@ dirCommit() {
 	)
 }
 
+getArches() {
+	local officialImagesUrl='https://github.com/docker-library/official-images/raw/master/library/'
+
+	eval "declare -g -A parentRepoToArches=( $(
+		find -name 'Dockerfile*' -exec awk '
+				toupper($1) == "FROM" && $2 !~ /^(scratch|.*\/.*)(:|$)/ {
+					print "'"$officialImagesUrl"'" $2
+				}
+			' '{}' + \
+			| sort -u \
+			| xargs bashbrew cat --format '[{{ .RepoName }}:{{ .TagName }}]="{{ join " " .TagEntry.Architectures }}"'
+	) )"
+}
+getArches
+
 cat <<-EOH
 # this file is generated via https://github.com/tianon/docker-qemu/blob/$(fileCommit "$self")/$self
 
@@ -71,10 +86,25 @@ for version; do
 
 	commit="$(dirCommit "$version")"
 
-	echo
-	cat <<-EOE
-		Tags: $(join ', ' "${versionAliases[@]}")
-		GitCommit: $commit
-		Directory: $version
-	EOE
+	for variant in '' native; do
+		variantAliases=( "${versionAliases[@]}" )
+		if [ -n "$variant" ]; then
+			variantAliases=( "${variantAliases[@]/%/-$variant}" )
+			variantAliases=( "${variantAliases[@]//latest-/}" )
+		fi
+
+		variantParent="$(awk 'toupper($1) == "FROM" { print $2 }' "$version/Dockerfile${variant:+.$variant}")"
+		variantArches="${parentRepoToArches[$variantParent]}"
+
+		echo
+		cat <<-EOE
+			Tags: $(join ', ' "${variantAliases[@]}")
+			Architectures: $(join ', ' $variantArches)
+			GitCommit: $commit
+			Directory: $version
+		EOE
+		if [ -n "$variant" ]; then
+			echo "File: Dockerfile.$variant"
+		fi
+	done
 done