angie-conv-image/Dockerfile.base

# FROM docker.io/debian:bookworm-slim as base-upstream
ARG PYTHONTAG=3.11.10-slim-bookworm
FROM docker.io/python:${PYTHONTAG} AS base-upstream

FROM base-upstream AS base-intermediate
SHELL [ "/bin/sh", "-ec" ]

COPY /Dockerfile.base /usr/local/share/

COPY /scripts/*        /usr/local/sbin/
COPY /extra-scripts/*  /usr/local/sbin/

## PATH: remove /sbin and /bin (/usr is merged)
ENV PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin \
    TMPDIR=/tmp \
    LANG=C.UTF-8 \
    LC_ALL=C.UTF-8 \
    TERM=linux \
    TZ=Etc/UTC \
    MALLOC_ARENA_MAX=2 \
    PYTHONUNBUFFERED=1 \
    PYTHONDONTWRITEBYTECODE=1

## local development
# ENV PIP_INDEX="http://127.0.0.1:8081/repository/proxy_pypi/pypi/" \
#     PIP_INDEX_URL="http://127.0.0.1:8081/repository/proxy_pypi/simple/" \
#     PIP_TRUSTED_HOST="localhost"

COPY /apt/prefs.backports /etc/apt/preferences.d/backports
COPY /apt/sources.debian /etc/apt/sources.list.d/debian.sources

## prevent services from auto-starting, part 1
RUN s='/usr/sbin/policy-rc.d' ; b='/usr/bin/policy-rc.d' ; \
    rm -f "$s" "$b" ; \
    echo '#!/bin/sh' > "$b" ; \
    echo 'exit 101' >> "$b" ; \
    chmod 0755 "$b" ; \
    ln -s "$b" "$s"

RUN divert_true() { divert-rm.sh "$1" ; ln -sv /bin/true "$1" ; } ; \
    ## prevent services from auto-starting, part 2
    divert_true /sbin/start-stop-daemon ; \
    ## always report that we're in chroot
    divert_true /usr/bin/ischroot ; \
    ## hide systemd helpers
    divert_true /usr/bin/deb-systemd-helper ; \
    divert_true /usr/bin/deb-systemd-invoke

RUN apt-env.sh apt-get update ; \
    apt-env.sh apt-get upgrade -y ; \
    apt-clean.sh

## perl-base: hardlink->symlink
RUN d=/usr/bin ; \
    find "$d/" -wholename "$d/perl5*" -exec ln -fsv perl {} ';' ; \
    ls -li "$d/perl"*

## remove unwanted binaries
RUN set -f ; \
    for i in \
      addgroup \
      addpart \
      adduser \
      apt-ftparchive \
      agetty \
      badblocks \
      blkdiscard \
      blkid \
      blkzone \
      blockdev \
      bsd-write \
      chage \
      chcpu \
      chfn \
      chgpasswd \
      chmem \
      chpasswd \
      chsh \
      cpgr \
      cppw \
      ctrlaltdel \
      debugfs \
      delgroup \
      delpart \
      deluser \
      dmesg \
      dumpe2fs \
      e2freefrag \
      e2fsck \
      e2image \
      e2label \
      e2mmpstatus \
      e2scrub \
     'e2scrub*' \
      e2undo \
      e4crypt \
      e4defrag \
      expiry \
      faillock \
      fdformat \
      fincore \
      findfs \
      fsck \
     'fsck.*' \
      fsfreeze \
      fstrim \
      getty \
      gpasswd \
      groupadd \
      groupdel \
      groupmems \
      groupmod \
      grpck \
      grpconv \
      grpunconv \
      hwclock \
      isosize \
      last \
      lastb \
      ldattach \
      losetup \
      lsblk \
      lsirq \
      lslogins \
      mcookie \
      mesg \
      mke2fs \
      mkfs \
     'mkfs.*' \
      mkhomedir_helper \
      mklost+found \
      mkswap \
      mount \
      newgrp \
      newusers \
      pam-auth-update \
      pam_getenv \
      pam_namespace_helper \
      pam_timestamp_check \
      partx \
      passwd \
      pivot_root \
      pwck \
      pwconv \
      pwhistory_helper \
      pwunconv \
      raw \
      readprofile \
      resize2fs \
      resizepart \
      rtcwake \
      sg \
      shadowconfig \
      su \
      sulogin \
      swaplabel \
      swapoff \
      swapon \
      switch_root \
      tune2fs \
      umount \
      unix_chkpwd \
      unix_update \
      update-passwd \
      useradd \
      userdel \
      usermod \
      utmpdump \
      vigr \
      vipw \
      wall \
      wdctl \
      wipefs \
      write \
     'write.*' \
      zramctl \
    ; do \
        for d in /usr/sbin /usr/bin /sbin /bin ; do \
            find "$d/" ! -type d -wholename "$d/$i" \
            | while read -r p ; do \
                [ -n "$p" ] || continue ; \
                [ -e "$p" ] || continue ; \
                dpkg -S "$p" >/dev/null 2>&1 || continue ; \
                divert-rm.sh "$p" ; \
            done ; \
        done ; \
        for d in /usr/sbin /usr/bin /sbin /bin ; do \
            find "$d/" ! -type d -wholename "$d/$i" \
            | while read -r p ; do \
                [ -n "$p" ] || continue ; \
                [ -e "$p" ] || continue ; \
                rm -fv "$p" ; \
            done ; \
        done ; \
    done

RUN apt-remove.sh \
      ca-certificates \
      e2fsprogs \
    ; \
    apt-clean.sh

## "docker.io/python"-specific cleanup
RUN rm -f /root/.wget-hsts

RUN pip-env.sh pip list --format freeze \
    | grep -F '==' | awk -F= '{print $1}' \
    | xargs -r pip-env.sh pip install -U ; \
    python-rm-cache.sh "${PYTHON_SITE_PACKAGES}"

RUN libpython="${PYTHON_SITE_PACKAGES%/*}" ; \
    rm -rfv \
      /usr/local/bin/idle* \
      "${libpython}/ensurepip/_bundled" \
      "${libpython}/idlelib" \
      "${libpython}/tkinter" \
      "${libpython}/turtle.py" \
      "${libpython}/turtledemo" \
    ; \
    python-rm-cache.sh /usr/local

RUN find /usr/local/sbin/ ! -type d -ls -delete ; \
    find /run/ -mindepth 1 -ls -delete || : ; \
    install -d -m 01777 /run/lock

## ---

FROM base-intermediate AS certs
SHELL [ "/bin/sh", "-ec" ]

COPY /scripts/*       /usr/local/sbin/
COPY /extra-scripts/* /usr/local/sbin/

## "2024.08.30"
ENV CERTIFI_COMMIT=325c2fde4f8eec10d682b09f3b0414dc05e69a81

# 'https://raw.githubusercontent.com/certifi/python-certifi'
ARG CERTIFI_BASE_URI='https://github.com/certifi/python-certifi/raw'

ARG CERTIFI_URI="${CERTIFI_BASE_URI}/${CERTIFI_COMMIT}/certifi/cacert.pem"
ADD "${CERTIFI_URI}" /tmp/certifi.crt

RUN apt-install.sh ca-certificates ; \
    apt-clean.sh ; \
    ca_file='/etc/ssl/certs/ca-certificates.crt' ; \
    ls -l "${ca_file}" ; \
    ## process certifi
    certifi-extras.sh /tmp/certifi.crt ; \
    openssl-cert-auto-pem.sh "${ca_file}" "${ca_file}.new" "${ca_file}.fp" ; \
    mv -f "${ca_file}.new" "${ca_file}" ; \
    chmod 0444 "${ca_file}" "${ca_file}.fp" ; \
    ls -l "${ca_file}" "${ca_file}.fp"

## ---

FROM base-intermediate AS base

COPY --from=certs /etc/ssl/certs/ca-certificates.*  /etc/ssl/certs/

ENTRYPOINT [ ]
CMD [ "bash" ]
initial commit 2024-09-17 14:11:00 +03:00			`# FROM docker.io/debian:bookworm-slim as base-upstream`
			`ARG PYTHONTAG=3.11.10-slim-bookworm`
			`FROM docker.io/python:${PYTHONTAG} AS base-upstream`

treewide: rework certificate handling also: - reorder some blocks in dockerfiles - provide sane requirements.txt 2024-09-20 02:39:40 +03:00			`FROM base-upstream AS base-intermediate`
initial commit 2024-09-17 14:11:00 +03:00			`SHELL [ "/bin/sh", "-ec" ]`

			`COPY /Dockerfile.base /usr/local/share/`

			`COPY /scripts/* /usr/local/sbin/`
			`COPY /extra-scripts/* /usr/local/sbin/`

			`## PATH: remove /sbin and /bin (/usr is merged)`
			`ENV PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin \`
			`TMPDIR=/tmp \`
			`LANG=C.UTF-8 \`
			`LC_ALL=C.UTF-8 \`
			`TERM=linux \`
			`TZ=Etc/UTC \`
			`MALLOC_ARENA_MAX=2 \`
			`PYTHONUNBUFFERED=1 \`
			`PYTHONDONTWRITEBYTECODE=1`

			`## local development`
			`# ENV PIP_INDEX="http://127.0.0.1:8081/repository/proxy_pypi/pypi/" \`
			`# PIP_INDEX_URL="http://127.0.0.1:8081/repository/proxy_pypi/simple/" \`
			`# PIP_TRUSTED_HOST="localhost"`

			`COPY /apt/prefs.backports /etc/apt/preferences.d/backports`
			`COPY /apt/sources.debian /etc/apt/sources.list.d/debian.sources`

			`## prevent services from auto-starting, part 1`
			`RUN s='/usr/sbin/policy-rc.d' ; b='/usr/bin/policy-rc.d' ; \`
			`rm -f "$s" "$b" ; \`
			`echo '#!/bin/sh' > "$b" ; \`
			`echo 'exit 101' >> "$b" ; \`
			`chmod 0755 "$b" ; \`
			`ln -s "$b" "$s"`

			`RUN divert_true() { divert-rm.sh "$1" ; ln -sv /bin/true "$1" ; } ; \`
			`## prevent services from auto-starting, part 2`
			`divert_true /sbin/start-stop-daemon ; \`
			`## always report that we're in chroot`
			`divert_true /usr/bin/ischroot ; \`
			`## hide systemd helpers`
			`divert_true /usr/bin/deb-systemd-helper ; \`
			`divert_true /usr/bin/deb-systemd-invoke`

			`RUN apt-env.sh apt-get update ; \`
			`apt-env.sh apt-get upgrade -y ; \`
			`apt-clean.sh`

			`## perl-base: hardlink->symlink`
			`RUN d=/usr/bin ; \`
			`find "$d/" -wholename "$d/perl5*" -exec ln -fsv perl {} ';' ; \`
			`ls -li "$d/perl"*`

			`## remove unwanted binaries`
			`RUN set -f ; \`
			`for i in \`
			`addgroup \`
			`addpart \`
			`adduser \`
			`apt-ftparchive \`
			`agetty \`
			`badblocks \`
			`blkdiscard \`
			`blkid \`
			`blkzone \`
			`blockdev \`
			`bsd-write \`
			`chage \`
			`chcpu \`
			`chfn \`
			`chgpasswd \`
			`chmem \`
			`chpasswd \`
			`chsh \`
			`cpgr \`
			`cppw \`
			`ctrlaltdel \`
			`debugfs \`
			`delgroup \`
			`delpart \`
			`deluser \`
			`dmesg \`
			`dumpe2fs \`
			`e2freefrag \`
			`e2fsck \`
			`e2image \`
			`e2label \`
			`e2mmpstatus \`
			`e2scrub \`
			`'e2scrub*' \`
			`e2undo \`
			`e4crypt \`
			`e4defrag \`
			`expiry \`
			`faillock \`
			`fdformat \`
			`fincore \`
			`findfs \`
			`fsck \`
			`'fsck.*' \`
			`fsfreeze \`
			`fstrim \`
			`getty \`
			`gpasswd \`
			`groupadd \`
			`groupdel \`
			`groupmems \`
			`groupmod \`
			`grpck \`
			`grpconv \`
			`grpunconv \`
			`hwclock \`
			`isosize \`
			`last \`
			`lastb \`
			`ldattach \`
			`losetup \`
			`lsblk \`
			`lsirq \`
			`lslogins \`
			`mcookie \`
			`mesg \`
			`mke2fs \`
			`mkfs \`
			`'mkfs.*' \`
			`mkhomedir_helper \`
			`mklost+found \`
			`mkswap \`
			`mount \`
			`newgrp \`
			`newusers \`
			`pam-auth-update \`
			`pam_getenv \`
			`pam_namespace_helper \`
			`pam_timestamp_check \`
			`partx \`
			`passwd \`
			`pivot_root \`
			`pwck \`
			`pwconv \`
			`pwhistory_helper \`
			`pwunconv \`
			`raw \`
			`readprofile \`
			`resize2fs \`
			`resizepart \`
			`rtcwake \`
			`sg \`
			`shadowconfig \`
			`su \`
			`sulogin \`
			`swaplabel \`
			`swapoff \`
			`swapon \`
			`switch_root \`
			`tune2fs \`
			`umount \`
			`unix_chkpwd \`
			`unix_update \`
			`update-passwd \`
			`useradd \`
			`userdel \`
			`usermod \`
			`utmpdump \`
			`vigr \`
			`vipw \`
			`wall \`
			`wdctl \`
			`wipefs \`
			`write \`
			`'write.*' \`
			`zramctl \`
			`; do \`
			`for d in /usr/sbin /usr/bin /sbin /bin ; do \`
			`find "$d/" ! -type d -wholename "$d/$i" \`
			`\| while read -r p ; do \`
			`[ -n "$p" ] \|\| continue ; \`
			`[ -e "$p" ] \|\| continue ; \`
			`dpkg -S "$p" >/dev/null 2>&1 \|\| continue ; \`
			`divert-rm.sh "$p" ; \`
			`done ; \`
			`done ; \`
			`for d in /usr/sbin /usr/bin /sbin /bin ; do \`
			`find "$d/" ! -type d -wholename "$d/$i" \`
			`\| while read -r p ; do \`
			`[ -n "$p" ] \|\| continue ; \`
			`[ -e "$p" ] \|\| continue ; \`
			`rm -fv "$p" ; \`
			`done ; \`
			`done ; \`
			`done`

			`RUN apt-remove.sh \`
			`ca-certificates \`
			`e2fsprogs \`
			`; \`
			`apt-clean.sh`

			`## "docker.io/python"-specific cleanup`
			`RUN rm -f /root/.wget-hsts`

			`RUN pip-env.sh pip list --format freeze \`
			`\| grep -F '==' \| awk -F= '{print $1}' \`
			`\| xargs -r pip-env.sh pip install -U ; \`
			`python-rm-cache.sh "${PYTHON_SITE_PACKAGES}"`

			`RUN libpython="${PYTHON_SITE_PACKAGES%/*}" ; \`
			`rm -rfv \`
			`/usr/local/bin/idle* \`
			`"${libpython}/ensurepip/_bundled" \`
			`"${libpython}/idlelib" \`
			`"${libpython}/tkinter" \`
			`"${libpython}/turtle.py" \`
			`"${libpython}/turtledemo" \`
			`; \`
			`python-rm-cache.sh /usr/local`

			`RUN find /usr/local/sbin/ ! -type d -ls -delete ; \`
			`find /run/ -mindepth 1 -ls -delete \|\| : ; \`
			`install -d -m 01777 /run/lock`

treewide: rework certificate handling also: - reorder some blocks in dockerfiles - provide sane requirements.txt 2024-09-20 02:39:40 +03:00			`## ---`

			`FROM base-intermediate AS certs`
			`SHELL [ "/bin/sh", "-ec" ]`

			`COPY /scripts/* /usr/local/sbin/`
			`COPY /extra-scripts/* /usr/local/sbin/`

			`## "2024.08.30"`
			`ENV CERTIFI_COMMIT=325c2fde4f8eec10d682b09f3b0414dc05e69a81`

			`# 'https://raw.githubusercontent.com/certifi/python-certifi'`
			`ARG CERTIFI_BASE_URI='https://github.com/certifi/python-certifi/raw'`

			`ARG CERTIFI_URI="${CERTIFI_BASE_URI}/${CERTIFI_COMMIT}/certifi/cacert.pem"`
			`ADD "${CERTIFI_URI}" /tmp/certifi.crt`

			`RUN apt-install.sh ca-certificates ; \`
			`apt-clean.sh ; \`
			`ca_file='/etc/ssl/certs/ca-certificates.crt' ; \`
			`ls -l "${ca_file}" ; \`
			`## process certifi`
			`certifi-extras.sh /tmp/certifi.crt ; \`
			`openssl-cert-auto-pem.sh "${ca_file}" "${ca_file}.new" "${ca_file}.fp" ; \`
			`mv -f "${ca_file}.new" "${ca_file}" ; \`
			`chmod 0444 "${ca_file}" "${ca_file}.fp" ; \`
			`ls -l "${ca_file}" "${ca_file}.fp"`

			`## ---`

			`FROM base-intermediate AS base`

			`COPY --from=certs /etc/ssl/certs/ca-certificates.* /etc/ssl/certs/`

initial commit 2024-09-17 14:11:00 +03:00			`ENTRYPOINT [ ]`
			`CMD [ "bash" ]`