base: - add PSL (share among layers) - remove fontconfig (not so essential dependency) jdk: - keep fontconfig
# FROM docker.io/debian:bookworm-slim as base-upstream

## Upstream base image. Override with `--build-arg BASETAG=...` to follow a
## different suite; for a reproducible build pass a digest-qualified value,
## e.g. BASETAG='bookworm-slim@sha256:<digest>', so the build no longer
## depends on what the mutable tag currently points at.
ARG BASETAG=bookworm-slim

FROM docker.io/debian:${BASETAG} AS base-upstream

FROM base-upstream AS base-intermediate

## Every RUN in this stage executes under `sh -ec`: errexit is on, but dash
## has no pipefail, so in `cmd | while ...` pipelines only the while loop's
## exit status is checked — a failing producer is masked.
SHELL [ "/bin/sh", "-ec" ]

## Keep a copy of this recipe inside the image for provenance.
COPY /Dockerfile.base /usr/local/share/

## Build helpers (apt-*.sh, divert-rm.sh, ...). They are purged again at the
## end of this stage so they never ship unintentionally; later stages
## re-COPY exactly what they need.
COPY /scripts/* /usr/local/sbin/
COPY /extra-scripts/* /usr/local/sbin/

## PATH: remove /sbin and /bin (/usr is merged)
## LANG/LC_ALL=C.UTF-8 are provisional and get replaced once en_US.UTF-8 is
## generated further down. MALLOC_ARENA_MAX=2 caps glibc's per-thread malloc
## arenas, keeping RSS predictable in small containers. JRE_CACERTS_PATH
## points at the Java keystore produced in the `certs` stage (presumably
## consumed by Java wrappers in derived images).
ENV PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin \
    TMPDIR=/tmp \
    LANG=C.UTF-8 \
    LC_ALL=C.UTF-8 \
    TERM=linux \
    TZ=Etc/UTC \
    MALLOC_ARENA_MAX=2 \
    JRE_CACERTS_PATH=/etc/ssl/certs/java/cacerts

## apt configuration: a pin for backports (presumably a low default priority
## so backports are opt-in per package) and a deb822 sources file that
## replaces the upstream image's list.
COPY /apt/prefs.backports /etc/apt/preferences.d/backports
COPY /apt/sources.debian /etc/apt/sources.list.d/debian.sources

## prevent services from auto-starting, part 1
## invoke-rc.d consults policy-rc.d before (re)starting a service; exit
## status 101 means "action forbidden", so package maintainer scripts never
## launch daemons during the image build. The script lives in /usr/bin and
## is symlinked from /usr/sbin so both lookup locations agree.
RUN sbin_hook='/usr/sbin/policy-rc.d' ; bin_hook='/usr/bin/policy-rc.d' ; \
    rm -f "$sbin_hook" "$bin_hook" ; \
    printf '#!/bin/sh\nexit 101\n' > "$bin_hook" ; \
    chmod 0755 "$bin_hook" ; \
    ln -s "$bin_hook" "$sbin_hook"

## Mask a few host-management helpers with /bin/true. divert-rm.sh (project
## helper) presumably registers a dpkg diversion before removing the file, so
## a later package upgrade cannot silently reinstate the original.
RUN mask_with_true() { divert-rm.sh "$1" ; ln -sv /bin/true "$1" ; } ; \
## prevent services from auto-starting, part 2
    mask_with_true /sbin/start-stop-daemon ; \
## always report that we're in chroot: ischroot exiting 0 means "in chroot",
## which steers maintainer scripts onto their non-invasive code paths
    mask_with_true /usr/bin/ischroot ; \
## hide systemd helpers
    mask_with_true /usr/bin/deb-systemd-helper ; \
    mask_with_true /usr/bin/deb-systemd-invoke

## Refresh the index and pull all pending package updates into the base
## layer. hadolint DL3005 discourages `apt-get upgrade` in application
## images; for a base image it is the point — security fixes published after
## the upstream debian tag was built are picked up here. apt-env.sh and
## apt-clean.sh are project helpers (environment wrapper / cache cleanup).
RUN apt-env.sh apt-get update ; apt-env.sh apt-get upgrade -y ; apt-clean.sh

## remove unwanted binaries
## Strip block-device, filesystem, swap, tty/login-record and account/PAM
## administration tools that have no business inside a container. Several of
## these are normally setuid/setgid on Debian (mount, umount, chage, wall,
## write), so dropping them also removes local privilege-escalation surface;
## dmesg/last/lastb/utmpdump remove host-information leaks.
## Two passes per name: files owned by a package go through divert-rm.sh so a
## later upgrade cannot reinstate them; whatever is still present afterwards
## (unowned, or left behind by the diversion step) is plain-removed.
## `set -f` keeps the 'e2scrub*'-style patterns unexpanded by the shell; the
## globbing is done by find's -wholename against the real directory instead.
RUN set -f ; \
    for_each_match() { \
        for dir in /usr/sbin /usr/bin /sbin /bin ; do \
            find "$dir/" ! -type d -wholename "$dir/$1" \
            | while read -r path ; do \
                [ -n "$path" ] || continue ; \
                [ -e "$path" ] || continue ; \
                "$2" "$path" ; \
            done ; \
        done ; \
    } ; \
## pass 1 action: divert only files that belong to a package
    divert_owned() { dpkg -S "$1" >/dev/null 2>&1 || return 0 ; divert-rm.sh "$1" ; } ; \
## pass 2 action: remove anything that survived pass 1
    remove_leftover() { rm -fv "$1" ; } ; \
    for name in \
        addpart \
        apt-ftparchive \
        agetty \
        badblocks \
        blkdiscard \
        blkid \
        blkzone \
        blockdev \
        bsd-write \
        chage \
        chcpu \
        chmem \
        ctrlaltdel \
        debugfs \
        delpart \
        dmesg \
        dumpe2fs \
        e2freefrag \
        e2fsck \
        e2image \
        e2label \
        e2mmpstatus \
        e2scrub \
        'e2scrub*' \
        e2undo \
        e4crypt \
        e4defrag \
        faillock \
        fdformat \
        fincore \
        findfs \
        fsck \
        'fsck.*' \
        fsfreeze \
        fstrim \
        getty \
        hwclock \
        isosize \
        last \
        lastb \
        ldattach \
        losetup \
        lsblk \
        lsirq \
        lslogins \
        mcookie \
        mesg \
        mke2fs \
        mkfs \
        'mkfs.*' \
        'mklost+found' \
        mkswap \
        mount \
        pam-auth-update \
        pam_getenv \
        pam_namespace_helper \
        pam_timestamp_check \
        partx \
        pivot_root \
        raw \
        readprofile \
        resize2fs \
        resizepart \
        rtcwake \
        swaplabel \
        swapoff \
        swapon \
        switch_root \
        tune2fs \
        umount \
        utmpdump \
        vigr \
        vipw \
        wall \
        wdctl \
        wipefs \
        write \
        'write.*' \
        zramctl \
    ; do \
        for_each_match "$name" divert_owned ; \
        for_each_match "$name" remove_leftover ; \
    done

## e2fsprogs is dropped outright now that its tools were removed above; then
## install the runtime essentials shared by every derived image:
##   ca-certificates, ca-certificates-java, p11-kit, openssl — TLS trust
##     stores and tooling (ca-certificates-java is installed without a JRE;
##     the actual keystore is generated in the `certs` stage and copied in)
##   netbase — /etc/protocols, /etc/services
##   procps, psmisc — ps/top/pkill/fuser for in-container diagnostics
RUN apt-remove.sh e2fsprogs ; \
    apt-install.sh \
        ca-certificates \
        ca-certificates-java \
        p11-kit \
        netbase \
        openssl \
        procps \
        psmisc \
    ; \
    apt-clean.sh

## set up locales!
## Generate en_US.UTF-8 and make it the default. debian:*-slim excludes
## /usr/share/locale via /etc/dpkg/dpkg.cfg.d/docker, so that exclusion is
## lifted first or the locales package installs no data. The final
## `locale -a` grep asserts the locale really exists (RUN fails otherwise).
## NOTE(review): the debconf pre-seed uses ${LANG} (still C.UTF-8 at this
## point), not en_US — the explicit locale.gen/locale-gen step below is what
## actually produces the locale; the two could be aligned.
RUN loc=en_US.UTF8 ; \
    dpkg_cfg=/etc/dpkg/dpkg.cfg.d/docker ; \
    ! [ -f "$dpkg_cfg" ] || sed -Ei '/\/usr\/share\/locale/d' "$dpkg_cfg" ; \
    printf '%s\n' \
        "locales locales/default_environment_locale select ${LANG}" \
        "locales locales/locales_to_be_generated multiselect ${LANG} UTF-8" \
    | debconf-set-selections ; \
    echo "LANG=${loc}" > /etc/default/locale ; \
    apt-install.sh locales ; apt-clean.sh ; \
    grep -Fixq "${loc} UTF-8" /etc/locale.gen || { \
        echo "${loc} UTF-8" >> /etc/locale.gen ; \
        locale-gen ; \
    } ; \
    locale -a | grep -Fixq "${loc}"
ENV LANG='en_US.UTF-8' LANGUAGE='en_US:en' LC_ALL='en_US.UTF-8'

## Start from an empty /run so nothing from the build leaks into the runtime
## tmpfs (deletion failure is tolerated via `|| :`); /run/lock is recreated
## sticky + world-writable (01777), the conventional mode for a shared lock dir.
RUN find /run/ -mindepth 1 -ls -delete || : ; install -d -m 01777 /run/lock

## deduplicate (!)
## Hard-link byte-identical files under /usr to shrink the layer; jdupes is
## installed only for this step and removed again. Per jdupes(1): -1 stay on
## one filesystem, -L hard-link duplicates, -S show sizes, -p only match files
## with identical permissions/ownership, -r recurse. The du before/after
## prints the saving into the build log.
## Caveat: hard-linked files share one inode, so an in-place modification of
## one path changes every other path too. dpkg installs by rename, so package
## upgrades are unaffected; tooling that edits files in place is not.
RUN apt-install.sh jdupes ; apt-clean.sh ; \
    echo ; du -xd1 /usr/ | sort -Vk2 ; echo ; \
    jdupes -1LSpr /usr/ ; \
    echo ; du -xd1 /usr/ | sort -Vk2 ; echo ; \
    apt-remove.sh jdupes

## Purge the build-time helper scripts so they do not ship unless a later
## stage re-COPYs them explicitly, and empty /run once more (keeping only the
## sticky lock directory).
RUN find /usr/local/sbin/ ! -type d -ls -delete ; \
    find /run/ -mindepth 1 -ls -delete || : ; \
    install -d -m 01777 /run/lock

## ---

## Throw-away stage that assembles the trust material (CA bundle, Java
## keystore, Public Suffix List); `base` copies only the resulting files.
FROM base-intermediate AS certs
SHELL [ "/bin/sh", "-ec" ]

## the helpers were purged at the end of base-intermediate; this stage needs
## them again
COPY /scripts/* /usr/local/sbin/
COPY /extra-scripts/* /usr/local/sbin/

## "2024.08.30" (presumably the certifi release this commit corresponds to)
## certifi = the Mozilla CA bundle as shipped with Python's certifi package.
## Pinning to a commit makes the content behind the URL immutable, so the
## download is reproducible; bump CERTIFI_COMMIT to update. It is an ENV (not
## ARG) so the default of CERTIFI_URI below can expand it; this stage is
## discarded, so nothing of it leaks into `base`.
## NOTE(review): a bare `ADD <url>` has no integrity check beyond TLS to
## github.com; with BuildKit, `ADD --checksum=sha256:<digest>` would also pin
## the bytes independently of the transport.
ENV CERTIFI_COMMIT=325c2fde4f8eec10d682b09f3b0414dc05e69a81

# 'https://raw.githubusercontent.com/certifi/python-certifi'
ARG CERTIFI_BASE_URI='https://github.com/certifi/python-certifi/raw'

ARG CERTIFI_URI="${CERTIFI_BASE_URI}/${CERTIFI_COMMIT}/certifi/cacert.pem"
ADD "${CERTIFI_URI}" /tmp/certifi.crt

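## Build the trust stores every derived image inherits.
## default-jre-headless is installed here only so ca-certificates-java can
## generate the Java keystore; the stage is discarded afterwards. Merging the
## certifi extras widens the trust set to the union of Debian's and Mozilla's
## bundles — intentional, but worth knowing when auditing what is trusted.
## The `ls -l` calls double as existence checks (the RUN is under `sh -e`).
## NOTE(review): whether the certifi extras also land in the Java keystore
## depends on certifi-extras.sh re-triggering update-ca-certificates after
## the `--fresh` run — verify against that script.
RUN ca_file='/etc/ssl/certs/ca-certificates.crt' ; \
    java_ca_file='/etc/ssl/certs/java/cacerts' ; \
    certifi_src='/tmp/certifi.crt' ; \
## refuse to proceed on a wrong or truncated download (error page, empty body):
## a real PEM bundle must contain at least one certificate block
    grep -q -- '-----BEGIN CERTIFICATE-----' "${certifi_src}" ; \
    apt-install.sh default-jre-headless ; \
    apt-clean.sh ; \
    update-ca-certificates --fresh ; \
    echo ; \
    ls -l "${ca_file}" "${java_ca_file}" ; \
    echo ; \
## process certifi
    certifi-extras.sh "${certifi_src}" ; \
    openssl-cert-auto-pem.sh "${ca_file}" "${ca_file}.new" "${ca_file}.fp" ; \
    mv -f "${ca_file}.new" "${ca_file}" ; \
    chmod 0644 "${ca_file}" "${ca_file}.fp" "${java_ca_file}" ; \
## the rebuilt stores must not be empty — an empty bundle would make every
## TLS connection in derived images fail closed, better caught at build time
    [ -s "${ca_file}" ] ; \
    [ -s "${java_ca_file}" ] ; \
    echo ; \
    ls -l "${ca_file}" "${ca_file}.fp" "${java_ca_file}"
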
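## Public Suffix List, shared by all derived layers (cookie/domain scoping
## for HTTP clients that consult it).
## NOTE(review): unlike certifi above, this URL is not version-pinned: the
## build is not reproducible and a tampered or replaced download would be
## trusted silently. PSL_SHA256 lets a build pin the expected digest; pointing
## PSL_URI at a commit-pinned copy (the list is also published from a git
## repository) would make the pin permanent.
ARG PSL_URI='https://publicsuffix.org/list/public_suffix_list.dat'
## optional sha256 hex digest of the list; empty = no digest check
ARG PSL_SHA256=''
ADD "${PSL_URI}" /tmp/public_suffix_list.dat

RUN psl=/tmp/public_suffix_list.dat ; \
## integrity pin, only when the caller supplied one
    if [ -n "${PSL_SHA256}" ] ; then \
        echo "${PSL_SHA256}  ${psl}" | sha256sum -c - ; \
    fi ; \
## refuse an error page or truncated download: the genuine list carries these
## section markers at the start of the ICANN part and the end of the private part
    grep -Fq -- '// ===BEGIN ICANN DOMAINS===' "${psl}" ; \
    grep -Fq -- '// ===END PRIVATE DOMAINS===' "${psl}" ; \
## ADD leaves the file readable by root only; make it world-readable
    chmod 0644 "${psl}" ; \
    mkdir -p /usr/local/share/publicsuffix ; \
    cp -f "${psl}" /usr/local/share/publicsuffix/

## ---
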
FROM base-intermediate AS base

## Only the regular helper scripts ship in the final image (extra-scripts
## were build-time only and stay behind in the discarded stages).
COPY /scripts/* /usr/local/sbin/

## Trust material produced by the throw-away `certs` stage: the merged PEM
## bundle (.crt) plus its companion .fp file (presumably a fingerprint list),
## the Java keystore, the certifi extras as local CAs, and the Public Suffix
## List.
COPY --from=certs /etc/ssl/certs/ca-certificates.* /etc/ssl/certs/
COPY --from=certs /etc/ssl/certs/java/cacerts /etc/ssl/certs/java/
COPY --from=certs /usr/local/share/ca-certificates/ /usr/local/share/ca-certificates/
COPY --from=certs /usr/local/share/publicsuffix/ /usr/local/share/publicsuffix/

## This is a base image: it deliberately stays root and ends in an
## interactive shell (exec form, so bash is PID 1 and receives signals).
## Images built FROM it are expected to add their own USER and ENTRYPOINT.
ENTRYPOINT [ ]
CMD [ "bash" ]