## Multi-stage build of a trimmed Debian base image.
## Stages, in order: base-upstream -> base-intermediate -> certs -> base.
## `certs` is a throw-away stage; only its CA bundles and the public suffix
## list are copied into the final `base` stage.

# FROM docker.io/debian:bookworm-slim as base-upstream
## NOTE(review): the base image is selected by a mutable tag. Pinning it by
## digest (docker.io/debian:<tag>@sha256:<digest-placeholder>) would make the
## upstream layer reproducible and auditable.
ARG BASETAG=bookworm-slim
FROM docker.io/debian:${BASETAG} AS base-upstream

FROM base-upstream AS base-intermediate
## -e: every RUN below aborts on the first failing command.
SHELL [ "/bin/sh", "-ec" ]

## Keep a copy of this Dockerfile inside the image.
COPY /Dockerfile.base /usr/local/share/

## Build-time helper scripts (apt-*.sh, divert-rm.sh, ...). They are deleted
## again at the end of this stage.
COPY /scripts/* /usr/local/sbin/
COPY /extra-scripts/* /usr/local/sbin/

## PATH: remove /sbin and /bin (/usr is merged)
ENV PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin \
    TMPDIR=/tmp \
    LANG=C.UTF-8 \
    LC_ALL=C.UTF-8 \
    TERM=linux \
    TZ=Etc/UTC \
    MALLOC_ARENA_MAX=2 \
    JRE_CACERTS_PATH=/etc/ssl/certs/java/cacerts

## Replace the image's APT preferences and sources with the ones from the
## build context.
COPY /apt/prefs.backports /etc/apt/preferences.d/backports
COPY /apt/sources.debian /etc/apt/sources.list.d/debian.sources

## prevent services from auto-starting, part 1
## policy-rc.d exiting 101 tells invoke-rc.d that the action is forbidden by
## policy, so maintainer scripts do not start daemons during the build.
RUN s='/usr/sbin/policy-rc.d' ; b='/usr/bin/policy-rc.d' ; \
    rm -f "$s" "$b" ; \
    echo '#!/bin/sh' > "$b" ; \
    echo 'exit 101' >> "$b" ; \
    chmod 0755 "$b" ; \
    ln -s "$b" "$s"

## divert_true: run divert-rm.sh on the path, then make the path a symlink to
## /bin/true so every call succeeds without doing anything.
## divert-rm.sh presumably registers a dpkg diversion so package upgrades do
## not restore the original file; confirm in scripts/divert-rm.sh.
RUN divert_true() { divert-rm.sh "$1" ; ln -sv /bin/true "$1" ; } ; \
    ## prevent services from auto-starting, part 2
    divert_true /sbin/start-stop-daemon ; \
    ## always report that we're in chroot
    divert_true /usr/bin/ischroot ; \
    ## hide systemd helpers
    divert_true /usr/bin/deb-systemd-helper ; \
    divert_true /usr/bin/deb-systemd-invoke

## Apply pending package updates on top of the upstream image.
RUN apt-env.sh apt-get update ; \
    apt-env.sh apt-get upgrade -y ; \
    apt-clean.sh

## remove unwanted binaries
## Two passes per name, over each of the four bin directories:
##   1. files that dpkg reports as package-owned are handed to divert-rm.sh;
##   2. anything still present at a matching path is deleted with rm.
## `set -f` turns off shell pathname expansion; the quoted patterns
## ('fsck.*', 'e2scrub*', ...) are matched by find's -wholename instead.
## NOTE(review): this shell has no pipefail, so a failing `find` on the left
## side of the pipe does not fail the RUN.
RUN set -f ; \
    for i in \
        addpart \
        apt-ftparchive \
        agetty \
        badblocks \
        blkdiscard \
        blkid \
        blkzone \
        blockdev \
        bsd-write \
        chage \
        chcpu \
        chmem \
        ctrlaltdel \
        debugfs \
        delpart \
        dmesg \
        dumpe2fs \
        e2freefrag \
        e2fsck \
        e2image \
        e2label \
        e2mmpstatus \
        e2scrub \
        'e2scrub*' \
        e2undo \
        e4crypt \
        e4defrag \
        faillock \
        fdformat \
        fincore \
        findfs \
        fsck \
        'fsck.*' \
        fsfreeze \
        fstrim \
        getty \
        hwclock \
        isosize \
        last \
        lastb \
        ldattach \
        losetup \
        lsblk \
        lsirq \
        lslogins \
        mcookie \
        mesg \
        mke2fs \
        mkfs \
        'mkfs.*' \
        'mklost+found' \
        mkswap \
        mount \
        pam-auth-update \
        pam_getenv \
        pam_namespace_helper \
        pam_timestamp_check \
        partx \
        pivot_root \
        raw \
        readprofile \
        resize2fs \
        resizepart \
        rtcwake \
        swaplabel \
        swapoff \
        swapon \
        switch_root \
        tune2fs \
        umount \
        utmpdump \
        vigr \
        vipw \
        wall \
        wdctl \
        wipefs \
        write \
        'write.*' \
        zramctl \
    ; do \
        for d in /usr/sbin /usr/bin /sbin /bin ; do \
            find "$d/" ! -type d -wholename "$d/$i" \
            | while read -r p ; do \
                [ -n "$p" ] || continue ; \
                [ -e "$p" ] || continue ; \
                dpkg -S "$p" >/dev/null 2>&1 || continue ; \
                divert-rm.sh "$p" ; \
            done ; \
        done ; \
        for d in /usr/sbin /usr/bin /sbin /bin ; do \
            find "$d/" ! -type d -wholename "$d/$i" \
            | while read -r p ; do \
                [ -n "$p" ] || continue ; \
                [ -e "$p" ] || continue ; \
                rm -fv "$p" ; \
            done ; \
        done ; \
    done

## Drop e2fsprogs, then install the CA tooling and a small set of runtime
## utilities.
RUN apt-remove.sh \
        e2fsprogs \
    ; \
    apt-install.sh \
        ca-certificates \
        ca-certificates-java \
        p11-kit \
        netbase \
        openssl \
        procps \
        psmisc \
    ; \
    apt-clean.sh

## set up locales!
## NOTE(review): the debconf preseed uses ${LANG}, which is still C.UTF-8 from
## the ENV above, while every later step uses ${_lang}; confirm this is
## intended.
## The final `locale -a | grep -Fixq` is a case-insensitive whole-line match
## and fails the build if the locale was not generated. The "UTF8" spelling
## presumably mirrors how `locale -a` prints the name (en_US.utf8); confirm
## before normalising it.
RUN _lang=en_US.UTF8 ; \
    { \
    echo "locales locales/default_environment_locale select ${LANG}" ; \
    echo "locales locales/locales_to_be_generated multiselect ${LANG} UTF-8" ; \
    } | debconf-set-selections ; \
    f=/etc/dpkg/dpkg.cfg.d/docker ; \
    ## drop any dpkg config line that mentions /usr/share/locale
    if [ -f "$f" ] ; then \
        sed -Ei '/\/usr\/share\/locale/d' "$f" ; \
    fi ; \
    echo "LANG=${_lang}" > /etc/default/locale ; \
    apt-install.sh locales ; apt-clean.sh ; \
    grep -Fixq "${_lang} UTF-8" /etc/locale.gen || { \
        echo "${_lang} UTF-8" >> /etc/locale.gen ; \
        locale-gen ; \
    } ; \
    locale -a | grep -Fixq "${_lang}"

## From here on the image default locale is en_US.UTF-8.
ENV LANG='en_US.UTF-8' LANGUAGE='en_US:en' LC_ALL='en_US.UTF-8'

## Empty /run (failures tolerated) and recreate /run/lock as a sticky,
## world-writable directory.
RUN find /run/ -mindepth 1 -ls -delete || : ; \
    install -d -m 01777 /run/lock

## deduplicate (!)
## jdupes replaces duplicate files under /usr with hard links; `du` runs
## before and after to show the size change in the build log.
## NOTE(review): hard-linked files share one inode, so anything that later
## rewrites one of them in place changes every linked path.
RUN apt-install.sh jdupes ; \
    apt-clean.sh ; \
    echo ; \
    du -xd1 /usr/ | sort -Vk2 ; \
    echo ; \
    jdupes -1LSpr /usr/ ; \
    echo ; \
    du -xd1 /usr/ | sort -Vk2 ; \
    echo ; \
    apt-remove.sh jdupes

## Remove the build-time helper scripts from this stage and clean /run again.
RUN find /usr/local/sbin/ ! -type d -ls -delete ; \
    find /run/ -mindepth 1 -ls -delete || : ; \
    install -d -m 01777 /run/lock

## ---

## Throw-away stage that builds the CA bundles and fetches the public suffix
## list.
FROM base-intermediate AS certs
SHELL [ "/bin/sh", "-ec" ]

COPY /scripts/* /usr/local/sbin/
COPY /extra-scripts/* /usr/local/sbin/

## "2024.08.30"
ENV CERTIFI_COMMIT=325c2fde4f8eec10d682b09f3b0414dc05e69a81
# 'https://raw.githubusercontent.com/certifi/python-certifi'
ARG CERTIFI_BASE_URI='https://github.com/certifi/python-certifi/raw'
ARG CERTIFI_URI="${CERTIFI_BASE_URI}/${CERTIFI_COMMIT}/certifi/cacert.pem"
## NOTE(review): the URL is pinned to a commit, but the downloaded bytes are
## not verified at build time. Because this file feeds the trust store,
## consider `ADD --checksum=sha256:<digest-placeholder>` where the Dockerfile
## frontend in use supports it.
ADD "${CERTIFI_URI}" /tmp/certifi.crt

## Rebuild the system and Java trust stores, then post-process them.
## default-jre-headless is installed in this stage only.
## NOTE(review): certifi-extras.sh and openssl-cert-auto-pem.sh are not
## visible here. Presumably the first merges certificates from the certifi
## bundle and the second rewrites the PEM bundle and writes a fingerprint
## list (.fp). Both decide which CAs the final image trusts, so review them
## together with this file.
RUN ca_file='/etc/ssl/certs/ca-certificates.crt' ; \
    java_ca_file='/etc/ssl/certs/java/cacerts' ; \
    apt-install.sh default-jre-headless ; \
    apt-clean.sh ; \
    update-ca-certificates --fresh ; \
    echo ; \
    ls -l "${ca_file}" "${java_ca_file}" ; \
    echo ; \
    ## process certifi
    certifi-extras.sh /tmp/certifi.crt ; \
    openssl-cert-auto-pem.sh "${ca_file}" "${ca_file}.new" "${ca_file}.fp" ; \
    mv -f "${ca_file}.new" "${ca_file}" ; \
    chmod 0644 "${ca_file}" "${ca_file}.fp" "${java_ca_file}" ; \
    echo ; \
    ls -l "${ca_file}" "${ca_file}.fp" "${java_ca_file}"

## NOTE(review): this URL is neither version-pinned nor checksummed, so the
## list's content depends on when the image is built.
ARG PSL_URI='https://publicsuffix.org/list/public_suffix_list.dat'
ADD "${PSL_URI}" /tmp/public_suffix_list.dat
RUN chmod 0644 /tmp/public_suffix_list.dat ; \
    mkdir -p /usr/local/share/publicsuffix ; \
    cp -f /tmp/public_suffix_list.dat /usr/local/share/publicsuffix/

## ---

## Final image: base-intermediate plus the artefacts produced in `certs`.
## NOTE(review): no USER instruction appears in this file, so containers
## started from `base` run as root unless a derived image or the runtime sets
## a user.
FROM base-intermediate AS base

## Only /scripts is restored here; /extra-scripts stays out of the final image.
COPY /scripts/* /usr/local/sbin/

COPY --from=certs /etc/ssl/certs/ca-certificates.* /etc/ssl/certs/
COPY --from=certs /etc/ssl/certs/java/cacerts /etc/ssl/certs/java/
COPY --from=certs /usr/local/share/ca-certificates/ /usr/local/share/ca-certificates/
COPY --from=certs /usr/local/share/publicsuffix/ /usr/local/share/publicsuffix/

ENTRYPOINT [ ]
CMD [ "bash" ]