## Hardened Debian/python base image, built in four stages:
##   base-upstream -> base-intermediate -> { certs, apt-gpg } -> base
## base-intermediate does the package work and binary pruning; certs and
## apt-gpg each derive from it to produce one artifact (CA bundle, apt
## keyrings); base derives from base-intermediate again and only COPYs
## those artifacts in, so no helper script or fetched key material from the
## side stages ends up in the final layers.
## Helper scripts (apt-*.sh, divert-rm.sh, pip-env.sh, gpg-export.sh, ...)
## come from /scripts and /extra-scripts and are not visible in this file;
## comments below describe them by name only.
ARG PYTHONTAG=3.11.10-slim-bookworm
FROM docker.io/python:${PYTHONTAG} AS base-upstream

FROM base-upstream AS base-intermediate
## every RUN runs under `sh -e`: the first failing command aborts the step.
## There is no pipefail in /bin/sh, so failures inside pipelines (see the
## pip upgrade step) are only reported by the last stage of the pipe.
SHELL [ "/bin/sh", "-ec" ]
## this Dockerfile is kept inside the image (presumably for provenance)
COPY /Dockerfile.base /usr/local/share/
COPY /scripts/* /usr/local/sbin/
COPY /extra-scripts/* /usr/local/sbin/
## PATH: remove /sbin and /bin (/usr is merged)
ENV PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin \
    TMPDIR=/tmp \
    LANG=C.UTF-8 \
    LC_ALL=C.UTF-8 \
    TERM=linux \
    TZ=Etc/UTC \
    MALLOC_ARENA_MAX=2 \
    PYTHONUNBUFFERED=1 \
    PYTHONDONTWRITEBYTECODE=1
## local development
## (plain-http index plus PIP_TRUSTED_HOST disables TLS verification for
## that host; only meaningful against a loopback proxy, keep disabled for
## real builds)
# ENV PIP_INDEX="http://127.0.0.1:8081/repository/proxy_pypi/pypi/" \
#     PIP_INDEX_URL="http://127.0.0.1:8081/repository/proxy_pypi/simple/" \
#     PIP_TRUSTED_HOST="localhost"
COPY /apt/preferences.backports /etc/apt/preferences.d/backports
COPY /apt/sources.debian /etc/apt/sources.list.d/debian.sources
## prevent services from auto-starting, part 1
## policy-rc.d exiting 101 makes invoke-rc.d refuse to start any service
## during package install/upgrade
RUN s='/usr/sbin/policy-rc.d' ; b='/usr/bin/policy-rc.d' ; \
    rm -f "$s" "$b" ; \
    echo '#!/bin/sh' > "$b" ; \
    echo 'exit 101' >> "$b" ; \
    chmod 0755 "$b" ; \
    ln -s "$b" "$s"
## divert_true: dpkg-divert the packaged binary away (divert-rm.sh) and put
## a symlink to /bin/true in its place, so later package upgrades do not
## restore the original
RUN divert_true() { divert-rm.sh "$1" ; ln -sv /bin/true "$1" ; } ; \
    ## prevent services from auto-starting, part 2
    divert_true /sbin/start-stop-daemon ; \
    ## always report that we're in chroot
    divert_true /usr/bin/ischroot ; \
    ## hide systemd helpers
    divert_true /usr/bin/deb-systemd-helper ; \
    divert_true /usr/bin/deb-systemd-invoke
## ca-certificates is removed here and re-installed only in the `certs`
## stage; the final image gets the bundle via COPY --from=certs.
## gnupg is installed here (used again by the apt-gpg stage).
RUN apt-env.sh apt-get update ; \
    apt-remove.sh \
        ca-certificates \
        e2fsprogs \
    ; \
    apt-env.sh apt-get upgrade -y ; \
    apt-install.sh \
        brotli \
        cron \
        curl \
        dumb-init \
        file \
        gettext-base \
        gnupg \
        iproute2 \
        iputils-ping \
        jdupes \
        jq \
        less \
        libnss-wrapper \
        logrotate \
        lsof \
        ncurses-base \
        netbase \
        netcat-openbsd \
        openssl \
        procps \
        psmisc \
        tzdata \
        vim \
        xxd \
        xz-utils \
        zstd \
    ; \
    apt-clean.sh
## perl-base: hardlink->symlink
RUN d=/usr/bin ; \
    find "$d/" -wholename "$d/perl5*" -exec ln -fsv perl {} ';' ; \
    ls -li "$d/perl"*
## remove unwanted binaries
## Attack-surface reduction: block-device, filesystem, swap/mount, login,
## account-management and PAM helpers (several of them setuid) are taken
## out of a container that never needs them. `set -f` keeps the quoted
## patterns ('fsck.*', 'mkfs.*', ...) literal for find -wholename.
## Pass 1 diverts every match that belongs to a dpkg package (so upgrades
## do not bring it back); pass 2 deletes whatever is left, package-owned
## or not. Note `crontab` is removed while `cron` stays installed: the
## daemon can still run /etc/cron.d jobs, but users cannot edit crontabs.
RUN set -f ; \
    for i in \
        addpart \
        apt-ftparchive \
        agetty \
        badblocks \
        blkdiscard \
        blkid \
        blkzone \
        blockdev \
        bsd-write \
        chage \
        chcpu \
        chfn \
        chgpasswd \
        chmem \
        chpasswd \
        chsh \
        cpgr \
        cppw \
        crontab \
        ctrlaltdel \
        debugfs \
        delpart \
        dmesg \
        dumpe2fs \
        e2freefrag \
        e2fsck \
        e2image \
        e2label \
        e2mmpstatus \
        e2scrub \
        'e2scrub*' \
        e2undo \
        e4crypt \
        e4defrag \
        expiry \
        faillock \
        fdformat \
        fincore \
        findfs \
        fsck \
        'fsck.*' \
        fsfreeze \
        fstrim \
        getty \
        gpasswd \
        groupmems \
        grpck \
        grpconv \
        grpunconv \
        hwclock \
        isosize \
        last \
        lastb \
        ldattach \
        losetup \
        lsblk \
        lsirq \
        lslogins \
        mcookie \
        mesg \
        mke2fs \
        mkfs \
        'mkfs.*' \
        mkhomedir_helper \
        mklost+found \
        mkswap \
        mount \
        newgrp \
        newusers \
        pam-auth-update \
        pam_getenv \
        pam_namespace_helper \
        pam_timestamp_check \
        partx \
        pivot_root \
        pwck \
        pwconv \
        pwhistory_helper \
        pwunconv \
        raw \
        readprofile \
        resize2fs \
        resizepart \
        rtcwake \
        sg \
        shadowconfig \
        sulogin \
        swaplabel \
        swapoff \
        swapon \
        switch_root \
        tune2fs \
        umount \
        unix_chkpwd \
        unix_update \
        utmpdump \
        vigr \
        vipw \
        wall \
        wdctl \
        wipefs \
        write \
        'write.*' \
        zramctl \
    ; do \
        ## pass 1: divert package-owned matches
        for d in /usr/sbin /usr/bin /sbin /bin ; do \
            find "$d/" ! -type d -wholename "$d/$i" \
            | while read -r p ; do \
                [ -n "$p" ] || continue ; \
                [ -e "$p" ] || continue ; \
                dpkg -S "$p" >/dev/null 2>&1 || continue ; \
                divert-rm.sh "$p" ; \
            done ; \
        done ; \
        ## pass 2: delete anything still present
        for d in /usr/sbin /usr/bin /sbin /bin ; do \
            find "$d/" ! -type d -wholename "$d/$i" \
            | while read -r p ; do \
                [ -n "$p" ] || continue ; \
                [ -e "$p" ] || continue ; \
                rm -fv "$p" ; \
            done ; \
        done ; \
    done ; \
    ## fixup
    rm -f \
        /bin/lastb \
        /bin/sg \
        /sbin/getty \
    ; :
## remove excessive privileges from binaries
## passwd and su are kept but registered with dpkg-statoverride as mode
## 0755 (owner/group unchanged), which drops the setuid bit now (--update)
## and keeps it dropped across package upgrades. Non-root users can no
## longer use either; that is the intent of a single-user container image.
RUN set -f ; \
    for i in \
        passwd \
        su \
    ; do \
        for d in /usr/sbin /usr/bin /sbin /bin ; do \
            find "$d/" ! -type d -wholename "$d/$i" \
            | while read -r p ; do \
                [ -n "$p" ] || continue ; \
                [ -e "$p" ] || continue ; \
                dpkg -S "$p" >/dev/null 2>&1 || continue ; \
                o=$(env stat -c '%U' "$p") ; \
                g=$(env stat -c '%G' "$p") ; \
                ls -l "$p" ; \
                dpkg-statoverride --update --add "$o" "$g" 0755 "$p" ; \
                ls -l "$p" ; \
            done ; \
        done ; \
    done
## "docker.io/python"-specific cleanup
RUN rm -f /root/.wget-hsts
## NOTE(review): PYTHON_SITE_PACKAGES is read by the next three RUN steps
## but is not set anywhere in this file; it must come from the upstream
## image or a part of the file not shown here — confirm, otherwise the
## paths below collapse to "/pkg_resources/...", "/ensurepip/..." etc.
## Upgrading every installed distribution to "latest" at build time is
## unpinned: two builds of the same Dockerfile can differ (supply-chain /
## reproducibility trade-off; pin via a constraints file if that matters).
## Under plain `sh -e` only xargs' status is checked for this pipeline.
RUN pip-env.sh pip list --format freeze \
    | grep -F '==' | awk -F= '{print $1}' \
    | xargs -r pip-env.sh pip install -U ; \
    python-rm-cache.sh "${PYTHON_SITE_PACKAGES}"
## strip IDLE, pydoc, tkinter/turtle, bundled ensurepip wheels and vendored
## test suites; ${PYTHON_SITE_PACKAGES%/*} is the lib/pythonX.Y directory
RUN libpython="${PYTHON_SITE_PACKAGES%/*}" ; \
    rm -rfv \
        /usr/local/bin/idle* \
        /usr/local/bin/pydoc* \
        "${libpython}/ensurepip/_bundled" \
        "${libpython}/idlelib" \
        "${libpython}/pydoc.py" \
        "${libpython}/pydoc_data" \
        "${libpython}/tkinter" \
        "${libpython}/turtle.py" \
        "${libpython}/turtledemo" \
    ; \
    rm -rfv \
        "${PYTHON_SITE_PACKAGES}/pkg_resources/tests" \
        "${PYTHON_SITE_PACKAGES}/setuptools/tests" \
        "${PYTHON_SITE_PACKAGES}/setuptools/_distutils/tests" \
        "${PYTHON_SITE_PACKAGES}/setuptools/_vendor/importlib_resources/tests" \
    ; \
    find "${PYTHON_SITE_PACKAGES}/" -iname '*.exe' -ls -delete ; \
    python-rm-cache.sh /usr/local
## adjust pip/certifi
## pip's vendored certifi bundle is replaced by a symlink to the system CA
## bundle so there is exactly one trust store to maintain. ca-certificates
## was removed above, so this link dangles in base-intermediate and only
## resolves in `base` once the bundle is copied from the certs stage.
RUN certifi_pem="${PYTHON_SITE_PACKAGES}/pip/_vendor/certifi/cacert.pem" ; \
    rm -f "${certifi_pem}" ; \
    ln -s /etc/ssl/certs/ca-certificates.crt "${certifi_pem}"
## drop the build helper scripts (side stages re-COPY them as needed),
## empty /run, recreate the sticky world-writable /run/lock, and let
## jdupes hardlink duplicate files under /usr/ (flags as given)
RUN find /usr/local/sbin/ ! -type d -ls -delete ; \
    find /run/ -mindepth 1 -ls -delete || : ; \
    install -d -m 01777 /run/lock ; \
    jdupes -1LSpr /usr/
## --- certs: build the system CA bundle (Debian ca-certificates plus
## certifi extras); `base` consumes /etc/ssl/certs/ca-certificates.*
FROM base-intermediate AS certs
SHELL [ "/bin/sh", "-ec" ]
COPY /scripts/* /usr/local/sbin/
COPY /extra-scripts/* /usr/local/sbin/
## "2024.08.30"
## ENV (not ARG), so the value persists in this stage's environment; it
## does not reach `base`, which derives from base-intermediate.
ENV CERTIFI_COMMIT=325c2fde4f8eec10d682b09f3b0414dc05e69a81
# 'https://raw.githubusercontent.com/certifi/python-certifi'
ARG CERTIFI_BASE_URI='https://github.com/certifi/python-certifi/raw'
ARG CERTIFI_URI="${CERTIFI_BASE_URI}/${CERTIFI_COMMIT}/certifi/cacert.pem"
## fetched by the builder (not from inside the container); pinned to a
## commit but not to a content hash.
## NOTE(review): BuildKit's `ADD --checksum=sha256:<bundle-sha256>` would
## additionally fail the build if the downloaded bundle changes — hash not
## recorded in this file.
ADD "${CERTIFI_URI}" /tmp/certifi.crt
## certifi-extras.sh presumably merges the certifi CAs into the system
## bundle and openssl-cert-auto-pem.sh rewrites it, emitting a fingerprint
## list (.fp) alongside; both end up read-only (0444).
RUN apt-install.sh ca-certificates ; \
    apt-clean.sh ; \
    ca_file='/etc/ssl/certs/ca-certificates.crt' ; \
    ls -l "${ca_file}" ; \
    ## process certifi
    certifi-extras.sh /tmp/certifi.crt ; \
    openssl-cert-auto-pem.sh "${ca_file}" "${ca_file}.new" "${ca_file}.fp" ; \
    mv -f "${ca_file}.new" "${ca_file}" ; \
    chmod 0444 "${ca_file}" "${ca_file}.fp" ; \
    ls -l "${ca_file}" "${ca_file}.fp"
## --- apt-gpg: turn the third-party repository signing keys into
## /etc/apt/keyrings/*.asc; `base` consumes only that directory
FROM base-intermediate AS apt-gpg
SHELL [ "/bin/sh", "-ec" ]
COPY /scripts/* /usr/local/sbin/
COPY /extra-scripts/* /usr/local/sbin/
## CA bundle is needed for the https apt-get update below (the ADDs are
## downloaded by the builder and do not use the container's trust store)
COPY --from=certs /etc/ssl/certs/ca-certificates.* /etc/ssl/certs/
## Repository trust roots: these URLs are not pinned to a commit or hash,
## so what gets trusted is whatever the vendor serves at build time.
## NOTE(review): `ADD --checksum=sha256:<key-sha256>` or checking the key
## fingerprint in gpg-export.sh would pin them — values not recorded here.
ADD https://apt.postgresql.org/pub/repos/apt/ACCC4CF8.asc /tmp/pgdg.gpg.bin
ADD https://packagecloud.io/citusdata/community/gpgkey /tmp/citus.gpg.bin
## process GPG keyrings
## gnupg is already in the base-intermediate install list, so the install
## here is presumably a no-op; the remove only affects this stage.
RUN pkg='gnupg' ; \
    apt-install.sh ${pkg} ; \
    gpg-export.sh /tmp/pgdg.gpg.bin /etc/apt/keyrings/pgdg.gpg.asc ; \
    gpg-export.sh /tmp/citus.gpg.bin /etc/apt/keyrings/citus.gpg.asc ; \
    apt-remove.sh ${pkg}
COPY /apt/sources.pgdg /etc/apt/sources.list.d/pgdg.sources
COPY /apt/sources.citus /etc/apt/sources.list.d/citus.sources
## verify sources!
## apt-get update fails the build if a Release file cannot be verified
## against the keyrings just written, i.e. a key/source mismatch is caught
## at build time rather than at first use.
RUN apt-env.sh apt-get update ; \
    apt-clean.sh
## --- base: final image = base-intermediate + CA bundle + apt keyrings;
## no helper scripts, no /tmp key material from the side stages
FROM base-intermediate AS base
COPY --from=certs /etc/ssl/certs/ca-certificates.* /etc/ssl/certs/
COPY --from=apt-gpg /etc/apt/keyrings/ /etc/apt/keyrings/
## empty ENTRYPOINT: CMD is executed directly (dumb-init is installed but
## not wired in here)
ENTRYPOINT [ ]
CMD [ "bash" ]