WIP: Consolidate layers
tgxworld committed Sep 2, 2024
1 parent fe48fa2 commit 9d7dcc3
Showing 4 changed files with 189 additions and 136 deletions.
22 changes: 0 additions & 22 deletions image/base/install-imagemagick
Expand Up @@ -5,31 +5,9 @@ set -e
IMAGE_MAGICK_VERSION="7.1.0-62"
IMAGE_MAGICK_HASH="d282117bc6d0e91ad1ad685d096623b96ed8e229f911c891d83277b350ef884a"

# We use debian, but GitHub CI is stuck on Ubuntu Bionic, so this must be compatible with both
LIBJPEGTURBO=$(cat /etc/issue | grep -qi Debian && echo 'libjpeg62-turbo libjpeg62-turbo-dev' || echo 'libjpeg-turbo8 libjpeg-turbo8-dev')

# Ubuntu 22.04/22.10 doesn't have libwebp6
LIBWEBP=$(cat /etc/issue | grep -qiE 'Debian GNU/Linux 12|Ubuntu 22' && echo 'libwebp7' || echo 'libwebp6')

PREFIX=/usr/local
WDIR=/tmp/imagemagick

# Install build deps
apt -y -q remove imagemagick
apt -y -q install git make gcc pkg-config autoconf curl g++ yasm cmake \
libde265-0 libde265-dev ${LIBJPEGTURBO} ${LIBWEBP} x265 libx265-dev libtool \
libpng16-16 libpng-dev libwebp-dev libgomp1 \
libwebpmux3 libwebpdemux2 ghostscript libxml2-dev libxml2-utils librsvg2-dev \
libltdl7-dev libbz2-dev gsfonts libtiff-dev libfreetype6-dev libjpeg-dev libheif1 libheif-dev

# Ubuntu doesn't like backports
if cat /etc/issue | grep -qiE 'Debian GNU/Linux 12|Ubuntu 22'; then
apt -y install libaom-dev
else
# Use backports instead of compiling it
apt -y -q install -t bullseye-backports libaom-dev
fi

mkdir -p $WDIR
cd $WDIR

3 changes: 0 additions & 3 deletions image/base/install-nginx
Expand Up @@ -11,9 +11,6 @@ gpg --verify nginx-$VERSION.tar.gz.asc nginx-$VERSION.tar.gz
tar zxf nginx-$VERSION.tar.gz
cd nginx-$VERSION

# nginx-common for boilerplate files etc.
apt install -y nginx-common

cd /tmp
# this is the reason we are compiling by hand...
git clone https://github.com/google/ngx_brotli.git
3 changes: 0 additions & 3 deletions image/base/install-oxipng
Expand Up @@ -11,9 +11,6 @@ case "${dpkgArch##*-}" in
*) echo >&2 "unsupported architecture: ${dpkgArch}"; exit 1 ;;
esac

# Install other deps
apt -y -q install advancecomp jhead jpegoptim libjpeg-turbo-progs optipng

mkdir /oxipng-install
cd /oxipng-install

297 changes: 189 additions & 108 deletions image/base/slim.Dockerfile
Expand Up @@ -8,126 +8,207 @@ ARG DEBIAN_RELEASE
ENV PG_MAJOR=13 \
RUBY_ALLOCATOR=/usr/lib/libjemalloc.so \
LEFTHOOK=0 \
DEBIAN_RELEASE=${DEBIAN_RELEASE}
DEBIAN_RELEASE=${DEBIAN_RELEASE} \
LC_ALL=en_US.UTF-8 \
LANG=en_US.UTF-8 \
LANGUAGE=en_US.UTF-8

#LABEL maintainer="Sam Saffron \"https://twitter.com/samsaffron\""

# Ensures that the gid and uid of the following users are consistent to avoid permission issues on directories in the
# mounted volumes.
RUN groupadd --gid 104 postgres &&\
useradd --uid 101 --gid 104 --home /var/lib/postgresql --shell /bin/bash -c "PostgreSQL administrator,,," postgres &&\
groupadd --gid 106 redis &&\
useradd --uid 103 --gid 106 --home /var/lib/redis --shell /usr/sbin/nologin redis &&\
groupadd --gid 1000 discourse &&\
useradd --uid 1000 --gid 1000 -m --shell /bin/bash discourse

RUN echo 2.0.`date +%Y%m%d` > /VERSION
RUN echo "deb http://deb.debian.org/debian ${DEBIAN_RELEASE}-backports main" > "/etc/apt/sources.list.d/${DEBIAN_RELEASE}-backports.list"
RUN echo "debconf debconf/frontend select Teletype" | debconf-set-selections
RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get -y install gnupg sudo curl fping
RUN sh -c "fping proxy && echo 'Acquire { Retries \"0\"; HTTP { Proxy \"http://proxy:3128\";}; };' > /etc/apt/apt.conf.d/40proxy && apt-get update || true"
RUN apt-mark hold initscripts
RUN apt-get -y upgrade

RUN DEBIAN_FRONTEND=noninteractive apt-get install -y locales locales-all
ENV LC_ALL en_US.UTF-8
ENV LANG en_US.UTF-8
ENV LANGUAGE en_US.UTF-8

RUN install -d /usr/share/postgresql-common/pgdg &&\
curl -o /usr/share/postgresql-common/pgdg/apt.postgresql.org.asc --fail https://www.postgresql.org/media/keys/ACCC4CF8.asc &&\
echo "deb [signed-by=/usr/share/postgresql-common/pgdg/apt.postgresql.org.asc] https://apt.postgresql.org/pub/repos/apt ${DEBIAN_RELEASE}-pgdg main" > /etc/apt/sources.list.d/pgdg.list

RUN curl --silent --location https://deb.nodesource.com/setup_18.x | sudo bash -
RUN curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | apt-key add -
RUN echo "deb https://dl.yarnpkg.com/debian/ stable main" > /etc/apt/sources.list.d/yarn.list
RUN apt-get -y update
# install these without recommends to avoid pulling in e.g.
# X11 libraries, mailutils
RUN DEBIAN_FRONTEND=noninteractive apt-get -y install --no-install-recommends git rsyslog logrotate cron ssh-client less
RUN DEBIAN_FRONTEND=noninteractive apt-get -y install autoconf build-essential ca-certificates rsync \
libxslt-dev libcurl4-openssl-dev \
libssl-dev libyaml-dev libtool \
libpcre3 libpcre3-dev zlib1g zlib1g-dev \
libxml2-dev gawk parallel \
postgresql-${PG_MAJOR} postgresql-client \
postgresql-contrib-${PG_MAJOR} libpq-dev postgresql-${PG_MAJOR}-pgvector \
libreadline-dev anacron wget \
psmisc whois brotli libunwind-dev \
libtcmalloc-minimal4 cmake \
pngcrush pngquant ripgrep poppler-utils
RUN sed -i -e 's/start -q anacron/anacron -s/' /etc/cron.d/anacron
RUN sed -i.bak 's/$ModLoad imklog/#$ModLoad imklog/' /etc/rsyslog.conf
RUN sed -i.bak 's/module(load="imklog")/#module(load="imklog")/' /etc/rsyslog.conf
RUN dpkg-divert --local --rename --add /sbin/initctl
RUN sh -c "test -f /sbin/initctl || ln -s /bin/true /sbin/initctl"
RUN cd / &&\
DEBIAN_FRONTEND=noninteractive apt-get -y install runit socat &&\
mkdir -p /etc/runit/1.d &&\
apt-get clean &&\
rm -f /etc/apt/apt.conf.d/40proxy &&\
locale-gen en_US &&\
DEBIAN_FRONTEND=noninteractive apt-get install -y nodejs yarn &&\
npm install -g terser uglify-js pnpm

ADD install-imagemagick /tmp/install-imagemagick
RUN /tmp/install-imagemagick

ADD install-jemalloc /tmp/install-jemalloc
RUN /tmp/install-jemalloc

# From https://nginx.org/en/pgp_keys.html
ADD nginx_public_keys.key /tmp/nginx_public_keys.key
ADD install-nginx /tmp/install-nginx

RUN gpg --import /tmp/nginx_public_keys.key &&\
rm /tmp/nginx_public_keys.key &&\
/tmp/install-nginx

ADD install-redis /tmp/install-redis
RUN /tmp/install-redis

ADD install-oxipng /tmp/install-oxipng
RUN /tmp/install-oxipng

RUN echo 'gem: --no-document' >> /usr/local/etc/gemrc &&\
gem update --system

RUN gem install pups --force &&\
mkdir -p /pups/bin/ &&\
ln -s /usr/local/bin/pups /pups/bin/pups

ADD install-redis /tmp/install-redis
# This tool allows us to disable huge page support for our current process
# since the flag is preserved through forks and execs it can be used on any
# process
ADD thpoff.c /src/thpoff.c
RUN gcc -o /usr/local/sbin/thpoff /src/thpoff.c && rm /src/thpoff.c

# clean up for docker squash
RUN rm -fr /usr/share/man &&\
rm -fr /usr/share/doc &&\
rm -fr /usr/share/vim/vim74/doc &&\
rm -fr /usr/share/vim/vim74/lang &&\
rm -fr /usr/share/vim/vim74/spell/en* &&\
rm -fr /usr/share/vim/vim74/tutor &&\
rm -fr /usr/local/share/doc &&\
rm -fr /usr/local/share/ri &&\
rm -fr /var/lib/apt/lists/* &&\
rm -fr /root/.gem &&\
rm -fr /root/.npm &&\
rm -fr /tmp/*

# this can probably be done, but I worry that people changing PG locales will have issues
# cd /usr/share/locale && rm -fr `ls -d */ | grep -v en`

# this is required for aarch64 which uses buildx
# see https://github.com/docker/buildx/issues/150
RUN rm -f /etc/service

COPY etc/ /etc
RUN set -eux; \
# Ensures that the gid and uid of the following users are consistent to avoid permission issues on directories in the
# mounted volumes.
groupadd --gid 104 postgres; \
useradd --uid 101 --gid 104 --home /var/lib/postgresql --shell /bin/bash -c "PostgreSQL administrator,,," postgres; \
groupadd --gid 106 redis; \
useradd --uid 103 --gid 106 --home /var/lib/redis --shell /usr/sbin/nologin redis; \
groupadd --gid 1000 discourse; \
useradd --uid 1000 --gid 1000 -m --shell /bin/bash discourse; \
\
echo 2.0.`date +%Y%m%d` > /VERSION; \
echo "deb http://deb.debian.org/debian ${DEBIAN_RELEASE}-backports main" > "/etc/apt/sources.list.d/${DEBIAN_RELEASE}-backports.list"; \
echo "debconf debconf/frontend select Teletype" | debconf-set-selections; \
apt-get update; \
DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends sudo curl; \
install -d /usr/share/postgresql-common/pgdg; \
curl -o /usr/share/postgresql-common/pgdg/apt.postgresql.org.asc --fail https://www.postgresql.org/media/keys/ACCC4CF8.asc; \
echo "deb [signed-by=/usr/share/postgresql-common/pgdg/apt.postgresql.org.asc] https://apt.postgresql.org/pub/repos/apt ${DEBIAN_RELEASE}-pgdg main" > /etc/apt/sources.list.d/pgdg.list; \
curl --silent --location https://deb.nodesource.com/setup_18.x | sudo bash -; \
curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | apt-key add -; \
echo "deb https://dl.yarnpkg.com/debian/ stable main" > /etc/apt/sources.list.d/yarn.list; \
apt-mark hold initscripts; \
apt-get update; \
apt-get -y upgrade; \
\
# Dependencies required to run Discourse
DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
locales \
locales-all \
git \
rsyslog \
logrotate \
cron \
ssh-client \
less \
ca-certificates \
rsync \
libxslt-dev \
libcurl4-openssl-dev \
libssl-dev \
libyaml-dev \
libtool \
libpcre3 \
libpcre3-dev \
zlib1g \
zlib1g-dev \
libxml2-dev \
gawk \
parallel \
postgresql-${PG_MAJOR} \
postgresql-client \
postgresql-contrib-${PG_MAJOR} \
libpq-dev \
postgresql-${PG_MAJOR}-pgvector \
libreadline-dev \
anacron \
psmisc \
whois \
brotli \
libunwind-dev \
libtcmalloc-minimal4 \
ripgrep \
poppler-utils \
runit \
socat \
nodejs \
yarn \
# START Nginx
nginx-common \
# END Nginx
# START ImageMagick
pngcrush \
pngquant \
libde265-0 \
libde265-dev \
libjpeg62-turbo \
libjpeg62-turbo-dev \
libwebp7 \
x265 \
libx265-dev \
libtool \
libpng16-16 \
libpng-dev \
libwebp-dev \
libgomp1 \
libwebpmux3 \
libwebpdemux2 \
ghostscript \
libxml2-dev \
libxml2-utils \
librsvg2-dev \
libltdl7-dev \
libbz2-dev \
gsfonts \
libtiff-dev \
libfreetype6-dev \
libjpeg-dev \
libheif1 \
libheif-dev \
libaom-dev \
# END ImageMagick
; \
savedAptMark="$(apt-mark showmanual)"; \
# Dependencies required to build packages. These packages are automatically removed
# at the end of the RUN step.
DEBIAN_FRONTEND=noninteractive apt-get -y install --no-install-recommends \
wget \
gcc \
g++ \
make \
cmake \
autoconf \
automake \
libtool \
pkg-config \
autoconf \
yasm \
; \
sed -i -e 's/start -q anacron/anacron -s/' /etc/cron.d/anacron; \
sed -i.bak 's/$ModLoad imklog/#$ModLoad imklog/' /etc/rsyslog.conf; \
sed -i.bak 's/module(load="imklog")/#module(load="imklog")/' /etc/rsyslog.conf; \
dpkg-divert --local --rename --add /sbin/initctl; \
sh -c "test -f /sbin/initctl || ln -s /bin/true /sbin/initctl"; \
mkdir -p /etc/runit/1.d; \
rm -f /etc/apt/apt.conf.d/40proxy; \
locale-gen en_US; \
npm install -g terser uglify-js pnpm; \
\
# Installs ImageMagick
/tmp/install-imagemagick; \
# Installs JeMalloc
/tmp/install-jemalloc; \
\
# Installs Nginx
gpg --import /tmp/nginx_public_keys.key; \
rm /tmp/nginx_public_keys.key; \
/tmp/install-nginx; \
# Installs Redis
/tmp/install-redis; \
# Installs Oxipng
/tmp/install-oxipng; \
echo 'gem: --no-document' >> /usr/local/etc/gemrc; \
gem update --system; \
gem install pups --force; \
mkdir -p /pups/bin/; \
ln -s /usr/local/bin/pups /pups/bin/pups; \
gcc -o /usr/local/sbin/thpoff /src/thpoff.c && rm /src/thpoff.c; \
\
# Discourse specific bits
install -dm 0755 -o discourse -g discourse /var/www/discourse; \
sudo -u discourse git clone --filter=tree:0 https://github.com/discourse/discourse.git /var/www/discourse; \
gem install bundler --conservative -v $(awk '/BUNDLED WITH/ { getline; gsub(/ /,""); print $0 }' /var/www/discourse/Gemfile.lock); \
\
# Clean up
rm -fr /usr/share/man; \
rm -fr /usr/share/doc; \
rm -fr /usr/share/vim/vim74/doc; \
rm -fr /usr/share/vim/vim74/lang; \
rm -fr /usr/share/vim/vim74/spell/en*; \
rm -fr /usr/share/vim/vim74/tutor; \
rm -fr /usr/local/share/doc; \
rm -fr /usr/local/share/ri; \
rm -fr /var/lib/apt/lists/*; \
rm -fr /root/.gem; \
rm -fr /root/.npm; \
rm -fr /tmp/*; \
apt-mark auto '.*' > /dev/null; \
apt-mark manual $savedAptMark > /dev/null; \
find /usr/local -type f -executable -not \( -name '*tkinter*' \) -exec ldd '{}' ';' \
| awk '/=>/ { so = $(NF-1); if (index(so, "/usr/local/") == 1) { next }; gsub("^/(usr/)?", "", so); printf "*%s\n", so }' \
| sort -u \
| xargs -r dpkg-query --search \
| cut -d: -f1 \
| sort -u \
| xargs -r apt-mark manual \
; \
apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \
apt-get clean; \
\
# this is required for aarch64 which uses buildx
# see https://github.com/docker/buildx/issues/150
rm -f /etc/service

COPY etc/ /etc
COPY sbin/ /sbin

# Discourse specific bits
RUN install -dm 0755 -o discourse -g discourse /var/www/discourse &&\
sudo -u discourse git clone --filter=tree:0 https://github.com/discourse/discourse.git /var/www/discourse &&\
gem install bundler --conservative -v $(awk '/BUNDLED WITH/ { getline; gsub(/ /,""); print $0 }' /var/www/discourse/Gemfile.lock)
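Review bot: In the consolidated `RUN set -eux; \` step of image/base/slim.Dockerfile, the NodeSource and Yarn lines (`curl --silent --location … setup_18.x | sudo bash -` and `curl -sS … pubkey.gpg | apt-key add -`) run without `pipefail` and without `--fail`, so a failed or truncated download is not caught, and whatever did arrive is executed as root or added to apt's global trust store. The first `apt-get install` in this step lists only `sudo curl` and `gnupg` does not appear in either package list, yet `apt-key add` and the later `gpg --import /tmp/nginx_public_keys.key` both need it unless the base image already provides it (the `FROM` line is outside this hunk). I would scope the Yarn key the way the PGDG repository is scoped a few lines above: `curl --fail -sS -o /usr/share/keyrings/yarn.asc https://dl.yarnpkg.com/debian/pubkey.gpg; \` followed by `echo "deb [signed-by=/usr/share/keyrings/yarn.asc] https://dl.yarnpkg.com/debian/ stable main" > /etc/apt/sources.list.d/yarn.list; \`. A `SHELL ["/bin/bash", "-o", "pipefail", "-c"]` ahead of the `RUN` would make the remaining NodeSource pipe fail closed, and pinning and checksumming that setup script would be better still. The page prints old and new lines interleaved without `+`/`-` markers, so this reading is based on the lines written in the `; \` style, which appear to be the new side.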
