refactor

Dockerfile.base

@@ -1,7 +1,7 @@
 ARG PYTHONTAG=3.11.9-slim-bookworm
 FROM docker.io/python:${PYTHONTAG} AS base-upstream
 
-FROM base-upstream AS base
+FROM base-upstream AS base-intermediate
 SHELL [ "/bin/sh", "-ec" ]
 
 COPY /Dockerfile.base  /usr/local/share/
@@ -25,7 +25,8 @@ ENV PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin \
 #     PIP_INDEX_URL="http://127.0.0.1:8081/repository/proxy_pypi/simple/" \
 #     PIP_TRUSTED_HOST="localhost"
 
-COPY /apt/sources.debian  /etc/apt/sources.list.d/debian.sources
+COPY /apt/preferences.backports  /etc/apt/preferences.d/backports
+COPY /apt/sources.debian         /etc/apt/sources.list.d/debian.sources
 
 ## prevent services from auto-starting, part 1
 RUN s='/usr/sbin/policy-rc.d' ; b='/usr/bin/policy-rc.d' ; \
@@ -45,7 +46,39 @@ RUN divert_true() { divert-rm.sh "$1" ; ln -sv /bin/true "$1" ; } ; \
     divert_true /usr/bin/deb-systemd-invoke
 
 RUN apt-env.sh apt-get update ; \
+    apt-remove.sh \
+      ca-certificates \
+      e2fsprogs \
+    ; \
     apt-env.sh apt-get upgrade -y ; \
+    apt-install.sh \
+      brotli \
+      cron \
+      curl \
+      dumb-init \
+      file \
+      gettext-base \
+      gnupg \
+      iproute2 \
+      iputils-ping \
+      jdupes \
+      jq \
+      less \
+      libnss-wrapper \
+      logrotate \
+      lsof \
+      ncurses-base \
+      netbase \
+      netcat-openbsd \
+      openssl \
+      procps \
+      psmisc \
+      tzdata \
+      vim \
+      xxd \
+      xz-utils \
+      zstd \
+    ; \
     apt-clean.sh
 
 ## perl-base: hardlink->symlink
@@ -74,6 +107,7 @@ RUN set -f ; \
       chsh \
       cpgr \
       cppw \
+      crontab \
       ctrlaltdel \
       debugfs \
       delpart \
@@ -206,35 +240,106 @@ RUN set -f ; \
         done ; \
     done
 
-RUN apt-remove.sh \
-      ca-certificates \
-      e2fsprogs \
-    ; \
-    apt-clean.sh
-
 ## "docker.io/python"-specific cleanup
 RUN rm -f /root/.wget-hsts
 
-RUN python-rm-cache.sh /usr/local ; \
-    pip-env.sh pip list --format freeze \
+RUN pip-env.sh pip list --format freeze \
     | grep -F '==' | awk -F= '{print $1}' \
     | xargs -r pip-env.sh pip install -U ; \
     python-rm-cache.sh "${PYTHON_SITE_PACKAGES}"
 
-RUN python-rm-cache.sh /usr/local ; \
-    libpython="${PYTHON_SITE_PACKAGES%/*}" ; \
+RUN libpython="${PYTHON_SITE_PACKAGES%/*}" ; \
     rm -rfv \
       /usr/local/bin/idle* \
+      /usr/local/bin/pydoc* \
       "${libpython}/ensurepip/_bundled" \
       "${libpython}/idlelib" \
+      "${libpython}/pydoc.py" \
+      "${libpython}/pydoc_data" \
       "${libpython}/tkinter" \
       "${libpython}/turtle.py" \
       "${libpython}/turtledemo" \
-    ; :
+    ; \
+    rm -rfv \
+      "${PYTHON_SITE_PACKAGES}/pkg_resources/tests" \
+      "${PYTHON_SITE_PACKAGES}/setuptools/tests" \
+      "${PYTHON_SITE_PACKAGES}/setuptools/_distutils/tests" \
+      "${PYTHON_SITE_PACKAGES}/setuptools/_vendor/importlib_resources/tests" \
+    ; \
+    find "${PYTHON_SITE_PACKAGES}/" -iname '*.exe' -ls -delete ; \
+    python-rm-cache.sh /usr/local
+
+## adjust pip/certifi
+RUN certifi_pem="${PYTHON_SITE_PACKAGES}/pip/_vendor/certifi/cacert.pem" ; \
+    rm -f "${certifi_pem}" ; \
+    ln -s /etc/ssl/certs/ca-certificates.crt "${certifi_pem}"
 
 RUN find /usr/local/sbin/ ! -type d -ls -delete ; \
     find /run/ -mindepth 1 -ls -delete || : ; \
-    install -d -m 01777 /run/lock
+    install -d -m 01777 /run/lock ; \
+    jdupes -1LSpr /usr/
+
+## ---
+
+FROM base-intermediate AS certs
+SHELL [ "/bin/sh", "-ec" ]
+
+COPY /scripts/*        /usr/local/sbin/
+COPY /extra-scripts/*  /usr/local/sbin/
+
+## "2024.08.30"
+ENV CERTIFI_COMMIT=325c2fde4f8eec10d682b09f3b0414dc05e69a81
+
+# 'https://raw.githubusercontent.com/certifi/python-certifi'
+ARG CERTIFI_BASE_URI='https://github.com/certifi/python-certifi/raw'
+
+ARG CERTIFI_URI="${CERTIFI_BASE_URI}/${CERTIFI_COMMIT}/certifi/cacert.pem"
+ADD "${CERTIFI_URI}" /tmp/certifi.crt
+
+RUN apt-install.sh ca-certificates ; \
+    apt-clean.sh ; \
+    ca_file='/etc/ssl/certs/ca-certificates.crt' ; \
+    ls -l "${ca_file}" ; \
+    ## process certifi
+    certifi-extras.sh /tmp/certifi.crt ; \
+    openssl-cert-auto-pem.sh "${ca_file}" "${ca_file}.new" "${ca_file}.fp" ; \
+    mv -f "${ca_file}.new" "${ca_file}" ; \
+    chmod 0444 "${ca_file}" "${ca_file}.fp" ; \
+    ls -l "${ca_file}" "${ca_file}.fp"
+
+## ---
+
+FROM base-intermediate AS apt-gpg
+SHELL [ "/bin/sh", "-ec" ]
+
+COPY /scripts/*        /usr/local/sbin/
+COPY /extra-scripts/*  /usr/local/sbin/
+
+COPY --from=certs  /etc/ssl/certs/ca-certificates.*  /etc/ssl/certs/
+
+ADD https://apt.postgresql.org/pub/repos/apt/ACCC4CF8.asc  /tmp/pgdg.gpg.bin
+ADD https://packagecloud.io/citusdata/community/gpgkey     /tmp/citus.gpg.bin
+
+## process GPG keyrings
+RUN pkg='gnupg' ; \
+    apt-install.sh ${pkg} ; \
+    gpg-export.sh /tmp/pgdg.gpg.bin /etc/apt/keyrings/pgdg.gpg.asc ; \
+    gpg-export.sh /tmp/citus.gpg.bin /etc/apt/keyrings/citus.gpg.asc ; \
+    apt-remove.sh ${pkg}
+
+COPY /apt/sources.pgdg   /etc/apt/sources.list.d/pgdg.sources
+COPY /apt/sources.citus  /etc/apt/sources.list.d/citus.sources
+
+## verify sources!
+RUN apt-env.sh apt-get update ; \
+    apt-clean.sh
+
+## ---
+
+FROM base-intermediate AS base
+
+COPY --from=certs    /etc/ssl/certs/ca-certificates.*  /etc/ssl/certs/
+COPY --from=apt-gpg  /etc/apt/keyrings/                /etc/apt/keyrings/
 
 ENTRYPOINT [ ]
 CMD [ "bash" ]