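## Hardened "python" base image.
##
## What this stage does, in order:
##   * neutralises Debian's service auto-start hooks so package installs in
##     downstream images never try to start daemons;
##   * strips host-administration / setuid tooling that has no business
##     inside a container (filesystem, swap, mount, account management);
##   * drops the setuid bit from the two account binaries it keeps;
##   * trims the upstream python install and removes the build helpers.
##
## Supply-chain note: PYTHONTAG pins a tag, not a digest. A tag can be
## re-pushed; for reproducible builds pin `docker.io/python@sha256:...`
## (or resolve the tag in CI and pass the digest as a build-arg).
ARG PYTHONTAG=3.11.9-slim-bookworm

FROM docker.io/python:${PYTHONTAG} AS base-upstream

FROM base-upstream AS base

## -e: abort the layer on the first failing command.
## dash has no pipefail, so inside a pipeline only the last stage's status
## is seen; pipelines below are written with that in mind.
SHELL [ "/bin/sh", "-ec" ]

## keep a copy of this file in the image for provenance
COPY /Dockerfile.base /usr/local/share/
## build-time helpers (apt-env.sh, apt-clean.sh, apt-remove.sh, divert-rm.sh,
## pip-env.sh, python-rm-cache.sh, ...); deleted again in the last RUN of
## this stage so they do not ship in the final layer.
COPY /scripts/* /usr/local/sbin/
COPY /extra-scripts/* /usr/local/sbin/

## PATH: remove /sbin and /bin (/usr is merged)
ENV PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin \
    TMPDIR=/tmp \
    LANG=C.UTF-8 \
    LC_ALL=C.UTF-8 \
    TERM=linux \
    TZ=Etc/UTC \
    MALLOC_ARENA_MAX=2 \
    PYTHONUNBUFFERED=1 \
    PYTHONDONTWRITEBYTECODE=1

## local development
## NOTE: a plain-http index plus PIP_TRUSTED_HOST turns off TLS verification
## for pip; this must stay commented out in anything built for release.
# ENV PIP_INDEX="http://127.0.0.1:8081/repository/proxy_pypi/pypi/" \
#     PIP_INDEX_URL="http://127.0.0.1:8081/repository/proxy_pypi/simple/" \
#     PIP_TRUSTED_HOST="localhost"

COPY /apt/sources.debian /etc/apt/sources.list.d/debian.sources

## prevent services from auto-starting, part 1
## A policy-rc.d that exits 101 makes invoke-rc.d refuse every start/restart
## request from package maintainer scripts. The script lives in /usr/bin
## with a symlink from /usr/sbin so both lookup paths hit it.
RUN s='/usr/sbin/policy-rc.d' ; b='/usr/bin/policy-rc.d' ; \
    rm -f "$s" "$b" ; \
    echo '#!/bin/sh' > "$b" ; \
    echo 'exit 101' >> "$b" ; \
    chmod 0755 "$b" ; \
    ln -s "$b" "$s"

## divert_true: take a binary out of dpkg's hands (divert-rm.sh, presumably
## a dpkg-divert wrapper -- confirm in /scripts) and replace it with
## /bin/true so callers succeed without doing anything.
RUN divert_true() { divert-rm.sh "$1" ; ln -sv /bin/true "$1" ; } ; \
## prevent services from auto-starting, part 2
    divert_true /sbin/start-stop-daemon ; \
## always report that we're in chroot
    divert_true /usr/bin/ischroot ; \
## hide systemd helpers
    divert_true /usr/bin/deb-systemd-helper ; \
    divert_true /usr/bin/deb-systemd-invoke

## pull in the security updates published since the upstream tag was built
RUN apt-env.sh apt-get update ; \
    apt-env.sh apt-get upgrade -y ; \
    apt-clean.sh

## perl-base: hardlink->symlink
RUN d=/usr/bin ; \
    find "$d/" -wholename "$d/perl5*" -exec ln -fsv perl {} ';' ; \
    ls -li "$d/perl"*

## remove unwanted binaries
## Two passes per name: first divert every copy dpkg knows about (so a later
## package upgrade does not restore it), then rm whatever is left.
## /sbin and /bin are searched as well as /usr/sbin and /usr/bin because
## bookworm packages still register many paths under /bin and /sbin in the
## dpkg database even though the directories are merged.
## set -f: no pathname expansion in this shell, so the quoted wildcard
## entries ('fsck.*', 'mkfs.*', ...) reach find -wholename verbatim.
RUN set -f ; \
    for i in \
        addpart \
        apt-ftparchive \
        agetty \
        badblocks \
        blkdiscard \
        blkid \
        blkzone \
        blockdev \
        bsd-write \
        chage \
        chcpu \
        chfn \
        chgpasswd \
        chmem \
        chpasswd \
        chsh \
        cpgr \
        cppw \
        ctrlaltdel \
        debugfs \
        delpart \
        dmesg \
        dumpe2fs \
        e2freefrag \
        e2fsck \
        e2image \
        e2label \
        e2mmpstatus \
        e2scrub \
        'e2scrub*' \
        e2undo \
        e4crypt \
        e4defrag \
        expiry \
        faillock \
        fdformat \
        fincore \
        findfs \
        fsck \
        'fsck.*' \
        fsfreeze \
        fstrim \
        getty \
        gpasswd \
        groupmems \
        grpck \
        grpconv \
        grpunconv \
        hwclock \
        isosize \
        last \
        lastb \
        ldattach \
        losetup \
        lsblk \
        lsirq \
        lslogins \
        mcookie \
        mesg \
        mke2fs \
        mkfs \
        'mkfs.*' \
        mkhomedir_helper \
        mklost+found \
        mkswap \
        mount \
        newgrp \
        newusers \
        pam-auth-update \
        pam_getenv \
        pam_namespace_helper \
        pam_timestamp_check \
        partx \
        pivot_root \
        pwck \
        pwconv \
        pwhistory_helper \
        pwunconv \
        raw \
        readprofile \
        resize2fs \
        resizepart \
        rtcwake \
        sg \
        shadowconfig \
        sulogin \
        swaplabel \
        swapoff \
        swapon \
        switch_root \
        tune2fs \
        umount \
        unix_chkpwd \
        unix_update \
        utmpdump \
        vigr \
        vipw \
        wall \
        wdctl \
        wipefs \
        write \
        'write.*' \
        zramctl \
    ; do \
        for d in /usr/sbin /usr/bin /sbin /bin ; do \
            find "$d/" ! -type d -wholename "$d/$i" \
            | while read -r p ; do \
                [ -n "$p" ] || continue ; \
                [ -e "$p" ] || continue ; \
                dpkg -S "$p" >/dev/null 2>&1 || continue ; \
                divert-rm.sh "$p" ; \
            done ; \
        done ; \
        for d in /usr/sbin /usr/bin /sbin /bin ; do \
            find "$d/" ! -type d -wholename "$d/$i" \
            | while read -r p ; do \
                [ -n "$p" ] || continue ; \
                [ -e "$p" ] || continue ; \
                rm -fv "$p" ; \
            done ; \
        done ; \
    done ; \
## fixup
    rm -f \
        /bin/lastb \
        /bin/sg \
        /sbin/getty \
    ; :

## remove excessive privileges from binaries
## passwd and su stay installed but lose their setuid bit. The mode is
## recorded with dpkg-statoverride so dpkg re-applies 0755 when the owning
## package is upgraded; owner/group are read back so only the mode changes.
RUN set -f ; \
    for i in \
        passwd \
        su \
    ; do \
        for d in /usr/sbin /usr/bin /sbin /bin ; do \
            find "$d/" ! -type d -wholename "$d/$i" \
            | while read -r p ; do \
                [ -n "$p" ] || continue ; \
                [ -e "$p" ] || continue ; \
                dpkg -S "$p" >/dev/null 2>&1 || continue ; \
                o=$(env stat -c '%U' "$p") ; \
                g=$(env stat -c '%G' "$p") ; \
                ls -l "$p" ; \
                dpkg-statoverride --update --add "$o" "$g" 0755 "$p" ; \
                ls -l "$p" ; \
            done ; \
        done ; \
    done

## ca-certificates is removed: this image ships NO system trust store.
## pip is unaffected (it carries its own certifi bundle), but anything that
## relies on OpenSSL's default CA paths -- python's ssl/urllib, curl, etc. --
## cannot verify TLS peers until a downstream image reinstalls
## ca-certificates or mounts a CA bundle. Do not "fix" that downstream by
## disabling verification.
RUN apt-remove.sh \
        ca-certificates \
        e2fsprogs \
    ; \
    apt-clean.sh

## "docker.io/python"-specific cleanup
RUN rm -f /root/.wget-hsts

## Upgrade every package already present in site-packages (pip, setuptools,
## wheel in the upstream image) to the latest release on the index.
## Supply-chain caveat: this is unpinned and non-reproducible -- whatever is
## newest at build time lands in the image. Pin versions (or use
## --require-hashes) if the build must be repeatable.
## Note: the build shell has no pipefail, so a failing `pip list` yields an
## empty package list and the upgrade is silently skipped.
## PYTHON_SITE_PACKAGES is read from the build shell's environment (RUN gets
## no Dockerfile variable substitution). Nothing in this file sets it and
## the upstream python image does not appear to either, in which case the
## bare expansion was empty and the cache cleanup below was a no-op; fall
## back to asking the interpreter for the purelib path.
RUN python-rm-cache.sh /usr/local ; \
    pip-env.sh pip list --format freeze \
    | grep -F '==' | awk -F= '{print $1}' \
    | xargs -r pip-env.sh pip install -U ; \
    sp="${PYTHON_SITE_PACKAGES:-}" ; \
    [ -n "$sp" ] || sp=$(python3 -c 'import sysconfig; print(sysconfig.get_paths()["purelib"])') ; \
    python-rm-cache.sh "${sp}"

## Remove IDLE, tkinter, turtle and the wheels bundled for ensurepip; none
## of them belong in a server image. libpython is the parent of
## site-packages (e.g. /usr/local/lib/python3.11). Same PYTHON_SITE_PACKAGES
## fallback as above; the non-empty check keeps rm -rf from ever being
## handed root-relative paths.
RUN python-rm-cache.sh /usr/local ; \
    sp="${PYTHON_SITE_PACKAGES:-}" ; \
    [ -n "$sp" ] || sp=$(python3 -c 'import sysconfig; print(sysconfig.get_paths()["purelib"])') ; \
    libpython="${sp%/*}" ; \
    [ -n "$libpython" ] ; \
    rm -rfv \
        /usr/local/bin/idle* \
        "${libpython}/ensurepip/_bundled" \
        "${libpython}/idlelib" \
        "${libpython}/tkinter" \
        "${libpython}/turtle.py" \
        "${libpython}/turtledemo" \
    ; :

## Drop the build helpers so they do not ship, scrub /run, and recreate
## /run/lock as sticky world-writable (01777) like a fresh boot would.
RUN find /usr/local/sbin/ ! -type d -ls -delete ; \
    find /run/ -mindepth 1 -ls -delete || : ; \
    install -d -m 01777 /run/lock

## No USER directive: this is a base image and stays root. Images built on
## top of it should create an unprivileged account and switch to it.
ENTRYPOINT [ ]
CMD [ "bash" ]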