Add fat base image for faster Docker builds

- Create Dockerfile.base with all shared dependencies (Node, Go, PHP, Playwright)
- Update all child Dockerfiles to use ghcr.io/freegle/freegle-base:latest
- Add GitHub Actions workflow for monthly base image rebuilds
- Fix CircleCI PHP coverage upload (use composer.phar, writable json_path)
- Add test artifacts to .dockerignore to reduce context transfer

This reduces clean build time from ~11min to ~6min by:
- Eliminating redundant package installation across containers
- Reducing Docker context transfer by ~290MB
- Removing duplicate apt-get operations

Author: edwh

.circleci/orb/freegle-tests.yml

@@ -76,6 +76,7 @@ commands:
             ls -la secrets/
 
             # Start services in detached mode (use base file only, not override)
+            # Note: base image is defined in docker-compose.yml and builds automatically
             docker-compose -f docker-compose.yml up -d
 
             echo "Waiting for basic services to start..."
@@ -689,17 +690,21 @@ commands:
               echo "DEBUG: Coverage file head:"
               head -20 /tmp/phpunit-clover.xml || true
 
-              # Install php-coveralls in the container and run from there
+              # Install php-coveralls in the container using composer.phar
               echo "DEBUG: Installing php-coveralls in container..."
-              docker exec freegle-apiv1 bash -c "cd /var/www/iznik && composer require php-coveralls/php-coveralls --dev 2>&1" || echo "DEBUG: composer require failed"
+              docker exec freegle-apiv1 bash -c "cd /var/www/iznik && php composer.phar require php-coveralls/php-coveralls --dev 2>&1" || echo "DEBUG: composer require failed"
 
               # Copy coverage file to container
               echo "DEBUG: Copying coverage file to container..."
               docker cp /tmp/phpunit-clover.xml freegle-apiv1:/var/www/iznik/clover.xml
 
-              # Create coveralls config in container
+              # Create coveralls config in container with writable json_path
               echo "DEBUG: Creating .coveralls.yml in container..."
-              docker exec freegle-apiv1 bash -c "echo 'coverage_clover: clover.xml' > /var/www/iznik/.coveralls.yml && echo 'service_name: circleci' >> /var/www/iznik/.coveralls.yml"
+              docker exec freegle-apiv1 bash -c "cat > /var/www/iznik/.coveralls.yml << 'COVERALLS_EOF'
+coverage_clover: clover.xml
+json_path: /tmp/coveralls-upload.json
+service_name: circleci
+COVERALLS_EOF"
 
               # Run php-coveralls from within the container (which has PHP)
               echo "DEBUG: Running php-coveralls in container..."

.github/workflows/build-base-image.yml

@@ -0,0 +1,42 @@
+name: Build Base Image
+
+on:
+  push:
+    paths:
+      - 'Dockerfile.base'
+      - 'scripts/retry.sh'
+    branches:
+      - master
+  schedule:
+    # Monthly rebuild on 1st of each month at 3am UTC
+    - cron: '0 3 1 * *'
+  workflow_dispatch:
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build and push
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          file: ./Dockerfile.base
+          push: true
+          tags: |
+            ghcr.io/${{ github.repository_owner }}/freegle-base:latest
+            ghcr.io/${{ github.repository_owner }}/freegle-base:${{ github.sha }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max

Dockerfile.base

@@ -0,0 +1,88 @@
+# Freegle Fat Base Image
+# Contains all dependencies for Node, Go, PHP containers
+# Build: docker build -f Dockerfile.base -t freegle-base .
+# This image is built locally and used as the base for all Freegle containers
+
+FROM ubuntu:22.04
+
+ENV DEBIAN_FRONTEND=noninteractive \
+    TZ='UTC'
+
+# Copy retry script for flaky network operations
+COPY scripts/retry.sh /usr/local/bin/retry
+RUN chmod +x /usr/local/bin/retry
+
+# ============ COMMON TOOLS ============
+RUN apt-get update && apt-get install -y \
+    ca-certificates curl gnupg wget git vim \
+    build-essential python3 \
+    zip unzip jq netcat telnet \
+    iputils-ping net-tools dnsutils \
+    lsb-release openssl \
+    && rm -rf /var/lib/apt/lists/*
+
+# ============ NODE.JS 22 ============
+RUN curl -fsSL https://deb.nodesource.com/setup_22.x | bash - \
+    && apt-get install -y nodejs \
+    && npm config set fetch-retries 5 \
+    && npm config set fetch-retry-mintimeout 20000 \
+    && npm config set fetch-retry-maxtimeout 120000
+
+# ============ GO 1.23 ============
+RUN curl -fsSL https://go.dev/dl/go1.23.0.linux-amd64.tar.gz | tar -C /usr/local -xzf -
+ENV PATH="/usr/local/go/bin:/root/go/bin:${PATH}" \
+    GOPATH="/root/go" \
+    GOPROXY="https://proxy.golang.org,direct"
+
+# ============ PHP 8.1 + WEB SERVER ============
+# nginx: serves PHP API via php-fpm
+# postfix: mail relay for sending emails (configured to use mailhog)
+RUN apt-get update && apt-get install -y \
+    php8.1-fpm php8.1-cli php8.1-mysql php8.1-pgsql php8.1-redis \
+    php8.1-curl php8.1-zip php8.1-gd php8.1-mbstring php8.1-xml \
+    php8.1-intl php8.1-xdebug php-mailparse php8.1-simplexml \
+    php8.1-xmlrpc php8.1-pdo-mysql \
+    libxml2-dev libzip-dev zlib1g-dev libcurl4-openssl-dev \
+    libpng-dev libgmp-dev libjpeg-turbo8-dev libpq-dev \
+    php-pear php-dev libgeoip-dev php-mbstring \
+    nginx postfix cron rsyslog openssh-server \
+    default-mysql-client postgresql-client \
+    tesseract-ocr geoip-bin geoipupdate \
+    && rm -rf /var/lib/apt/lists/*
+
+# ============ PLAYWRIGHT DEPS ============
+RUN apt-get update && apt-get install -y \
+    xvfb dbus libglib2.0-0 libnss3 libnspr4 libatk1.0-0 \
+    libatk-bridge2.0-0 libcups2 libxkbcommon0 libatspi2.0-0 \
+    libxcomposite1 libxdamage1 libgbm1 libpango-1.0-0 \
+    libcairo2 libasound2 \
+    && mkdir -p /var/run/dbus \
+    && rm -rf /var/lib/apt/lists/*
+
+# ============ DOCKER CLI ============
+RUN install -m 0755 -d /etc/apt/keyrings \
+    && curl -fsSL https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg \
+    && chmod a+r /etc/apt/keyrings/docker.gpg \
+    && echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu jammy stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null \
+    && apt-get update && apt-get install -y docker-ce-cli docker-compose-plugin \
+    && rm -rf /var/lib/apt/lists/*
+
+# ============ GOOGLE CLOUD SDK ============
+RUN curl -O https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/google-cloud-cli-linux-x86_64.tar.gz \
+    && tar -xf google-cloud-cli-linux-x86_64.tar.gz \
+    && mv google-cloud-sdk /opt/ \
+    && /opt/google-cloud-sdk/install.sh --quiet --usage-reporting=false --path-update=false \
+    && rm google-cloud-cli-linux-x86_64.tar.gz
+ENV PATH="/opt/google-cloud-sdk/bin:${PATH}"
+
+# ============ GO SWAGGER (for apiv2) ============
+RUN go install github.com/go-swagger/go-swagger/cmd/swagger@v0.31.0
+
+# ============ PLAYWRIGHT BROWSERS ============
+RUN npx playwright install chromium && npx playwright install-deps
+
+# Remove packages that conflict with our setup
+RUN apt-get update && apt-get remove -y apache2* sendmail* mlocate php-ssh2 || true && rm -rf /var/lib/apt/lists/*
+
+# Final cleanup
+RUN apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*

docker-compose.yml

@@ -1,4 +1,14 @@
 services:
+  # Base image - must be built first, all other containers depend on it
+  base:
+    image: freegle-base:latest
+    build:
+      context: .
+      dockerfile: Dockerfile.base
+    command: ["true"]  # Exits immediately, just used for building
+    profiles:
+      - build  # Only runs when explicitly requested or as dependency
+
   reverse-proxy:
     container_name: freegle-traefik
     networks:
@@ -220,8 +230,6 @@ services:
     build:
       context: ./status
       network: host
-      additional_contexts:
-        scripts: ./scripts
     container_name: freegle-status
     networks:
       - default
@@ -305,8 +313,6 @@ services:
     build:
       context: ./iznik-server
       network: host
-      additional_contexts:
-        scripts: ./scripts
       args:
         IZNIK_SERVER_BRANCH: ${IZNIK_SERVER_BRANCH:-master}
     depends_on:
@@ -385,8 +391,6 @@ services:
     build:
       context: ./iznik-server-go
       network: host
-      additional_contexts:
-        scripts: ./scripts
       args:
         IZNIK_SERVER_GO_BRANCH: ${IZNIK_SERVER_GO_BRANCH:-master}
     depends_on:
@@ -442,8 +446,6 @@ services:
     build:
       context: ./iznik-nuxt3
       network: host
-      additional_contexts:
-        scripts: ./scripts
       args:
         IZNIK_NUXT3_BRANCH: ${IZNIK_NUXT3_BRANCH:-master}
     tmpfs:
@@ -494,8 +496,6 @@ services:
       context: ./iznik-nuxt3
       dockerfile: Dockerfile.prod
       network: host
-      additional_contexts:
-        scripts: ./scripts
       args:
         IZNIK_NUXT3_BRANCH: ${IZNIK_NUXT3_BRANCH:-master}
     tmpfs:
@@ -544,10 +544,8 @@ services:
       - "apiv2.localhost:host-gateway"
     build:
       context: .
-      dockerfile: ./iznik-nuxt3-modtools/Dockerfile
+      dockerfile: ./iznik-nuxt3-modtools/modtools/Dockerfile
       network: host
-      additional_contexts:
-        scripts: ./scripts
       args:
         IZNIK_NUXT3_MODTOOLS_BRANCH: ${IZNIK_NUXT3_MODTOOLS_BRANCH:-master}
     tmpfs:
@@ -604,8 +602,6 @@ services:
       context: ./iznik-nuxt3-modtools
       dockerfile: modtools/Dockerfile.prod
       network: host
-      additional_contexts:
-        scripts: ./scripts
       args:
         IZNIK_NUXT3_MODTOOLS_BRANCH: ${IZNIK_NUXT3_MODTOOLS_BRANCH:-master}
     tmpfs:
@@ -655,8 +651,6 @@ services:
       context: ./iznik-nuxt3
       dockerfile: Dockerfile.playwright
       network: host
-      additional_contexts:
-        scripts: ./scripts
     working_dir: /app
     extra_hosts:
       - "freegle-dev.localhost:127.0.0.1"

iznik-nuxt3

@@ -1,27 +1,9 @@
-FROM node:18-slim
+FROM ghcr.io/freegle/freegle-base:latest
 
 WORKDIR /app
 
-# Copy retry script for flaky network operations
-COPY --from=scripts retry.sh /usr/local/bin/retry
-RUN chmod +x /usr/local/bin/retry
-
-# Install docker CLI from official Docker repository (with retry for flaky networks including DNS)
-RUN retry bash -c 'apt-get update && apt-get install -y ca-certificates curl gnupg' \
-    && install -m 0755 -d /etc/apt/keyrings \
-    && retry bash -c 'curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg' \
-    && chmod a+r /etc/apt/keyrings/docker.gpg \
-    && echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian bookworm stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null \
-    && retry bash -c 'apt-get update && apt-get install -y docker-ce-cli' \
-    && rm -rf /var/lib/apt/lists/*
-
 COPY package.json ./
-
-# Configure npm retries for flaky networks
-RUN npm config set fetch-retries 5 && \
-    npm config set fetch-retry-mintimeout 20000 && \
-    npm config set fetch-retry-maxtimeout 120000 && \
-    npm install
+RUN npm install
 
 COPY . .