Merge pull request #1513 from RS-PYTHON/layer-cleanup

Use layer-cleanup and restore-apt

Author: jgaucher-cs

.github/actions/publish-docker/action.yml

@@ -105,10 +105,13 @@ runs:
         if [[ ${{ inputs.debug_mode }} == true ]]; then
           commands=$(cat << "EOF"
         USER root
-        COPY ./git_debug_image.sh ./git_debug_image.sh
-        RUN set -e; chmod u+x ./git_debug_image.sh; apt update; ./git_debug_image.sh ${{ inputs.branch_name }}; \
-            rm -f ./git_debug_image.sh ; \
-            layer-cleanup.sh
+        COPY ./git_debug_image.sh ./restore-apt.sh /usr/local/bin/
+        # Use ';' not '&&' because they are not well handled by awk.
+        RUN set -e; \
+            cd /usr/local/bin/; \
+            chmod u+x ./git_debug_image.sh ./restore-apt.sh; \
+            ./git_debug_image.sh ${{ inputs.branch_name }}; \
+            rm -f ./git_debug_image.sh ./restore-apt.sh
         WORKDIR /home/user/rs-server
         EOF
           )

.github/scripts/git_debug_image.sh

@@ -26,8 +26,7 @@ ROOT_DIR="$(realpath $SCRIPT_DIR/..)"
 BRANCH_NAME="$1" # git branch name
 
 # Install components in the docker images
-. /etc/os-release
-echo "deb http://deb.debian.org/debian $VERSION_CODENAME main" > /etc/apt/sources.list
+restore-apt.sh
 apt update
 apt install -y --no-install-recommends git vim-tiny mg
 
@@ -76,4 +75,4 @@ done
 chown -R user:user /home/user/rs-server
 
 # Clean everything
-rm -rf /tmp/whl /root/.cache/pip /var/cache/apt/archives /var/lib/apt/lists/* /etc/apt/sources.list
+layer-cleanup.sh

.github/scripts/layer-cleanup.sh

@@ -17,12 +17,12 @@ apt-get autoclean --yes
 apt-get autoremove --yes
 
 rm -rf /var/lib/apt/lists/*
-rm -rf /etc/apt/sources.list.d/*
 rm -rf /usr/local/src/*
 
 rm -rf /var/cache/apt/*
 rm -rf /root/.cache/*
 # including /root/.cache/pip
+rm -rf /home/*/.cache/*
 rm -rf /usr/local/share/.cache/*
 # including /usr/local/share/.cache/yarn
 
@@ -31,4 +31,9 @@ rm -rf /opt/conda/pkgs/cache
 
 rm -rf /tmp/whl
 
+# WARNING: this removes the apt repository list. To restore it and be able to run 'apt update',
+# you must run (works only in Debian):
+# . /etc/os-release && echo "deb http://deb.debian.org/debian $VERSION_CODENAME main" > /etc/apt/sources.list
+rm -rf /etc/apt/sources.list.d/*
+
 exit 0

.github/scripts/restore-apt.sh

@@ -0,0 +1,41 @@
+#!/bin/bash
+# Copyright 2024 CS Group
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Restore the apt repository list.
+# WARNING: works only in Debian/Ubuntu !
+
+# Source OS release info
+. /etc/os-release
+
+if [[ "$ID" == "debian" ]]; then
+    cat > /etc/apt/sources.list <<EOF
+deb http://deb.debian.org/debian $VERSION_CODENAME main
+deb http://security.debian.org/debian-security $VERSION_CODENAME-security main
+deb http://deb.debian.org/debian $VERSION_CODENAME-updates main
+deb http://deb.debian.org/debian $VERSION_CODENAME-backports main
+EOF
+elif [[ "$ID" == "ubuntu" ]]; then
+    cat > /etc/apt/sources.list <<EOF
+deb http://archive.ubuntu.com/ubuntu $VERSION_CODENAME main
+deb http://security.ubuntu.com/ubuntu $VERSION_CODENAME-security main
+deb http://archive.ubuntu.com/ubuntu $VERSION_CODENAME-updates main
+deb http://archive.ubuntu.com/ubuntu $VERSION_CODENAME-backports main
+EOF
+else
+    echo "Unsupported distribution: $ID"
+    exit 1
+fi
+
+exit 0

.github/workflows/publish-binaries.yml

@@ -292,8 +292,8 @@ jobs:
           name: ${{ needs.services-adgs-whl.outputs.package_name }}
           path: ./build_context_path
 
-      - name: Copy layer-cleanup.sh script
-        run: cp -t ./build_context_path ./.github/scripts/layer-cleanup.sh
+      - name: Copy Dockerfile requirements
+        run: cp -t ./build_context_path ./.github/scripts/layer-cleanup.sh ./.github/scripts/restore-apt.sh
         shell: bash
 
       - name: Copy debug mode dependencies
@@ -339,8 +339,8 @@ jobs:
           name: ${{ needs.services-prip-whl.outputs.package_name }}
           path: ./build_context_path
 
-      - name: Copy layer-cleanup.sh script
-        run: cp -t ./build_context_path ./.github/scripts/layer-cleanup.sh
+      - name: Copy Dockerfile requirements
+        run: cp -t ./build_context_path ./.github/scripts/layer-cleanup.sh ./.github/scripts/restore-apt.sh
         shell: bash
 
       - name: Copy debug mode dependencies
@@ -386,8 +386,8 @@ jobs:
           name: ${{ needs.services-cadip-whl.outputs.package_name }}
           path: ./build_context_path
 
-      - name: Copy layer-cleanup.sh script
-        run: cp -t ./build_context_path ./.github/scripts/layer-cleanup.sh
+      - name: Copy Dockerfile requirements
+        run: cp -t ./build_context_path ./.github/scripts/layer-cleanup.sh ./.github/scripts/restore-apt.sh
         shell: bash
 
       - name: Copy debug mode dependencies
@@ -432,8 +432,8 @@ jobs:
           name: ${{ needs.services-catalog-whl.outputs.package_name }}
           path: ./build_context_path
 
-      - name: Copy layer-cleanup.sh script
-        run: cp -t ./build_context_path ./.github/scripts/layer-cleanup.sh
+      - name: Copy Dockerfile requirements
+        run: cp -t ./build_context_path ./.github/scripts/layer-cleanup.sh ./.github/scripts/restore-apt.sh
         shell: bash
 
       - name: Copy debug mode dependencies
@@ -478,8 +478,8 @@ jobs:
         run: cp ./services/frontend/.github/entrypoint_frontend.sh ./build_context_path
         shell: bash
 
-      - name: Copy layer-cleanup.sh script
-        run: cp -t ./build_context_path ./.github/scripts/layer-cleanup.sh
+      - name: Copy Dockerfile requirements
+        run: cp -t ./build_context_path ./.github/scripts/layer-cleanup.sh ./.github/scripts/restore-apt.sh
         shell: bash
 
       - name: Copy debug mode dependencies
@@ -525,8 +525,8 @@ jobs:
           name: ${{ needs.services-staging-whl.outputs.package_name }}
           path: ./build_context_path
 
-      - name: Copy layer-cleanup.sh script
-        run: cp -t ./build_context_path ./.github/scripts/layer-cleanup.sh
+      - name: Copy Dockerfile requirements
+        run: cp -t ./build_context_path ./.github/scripts/layer-cleanup.sh ./.github/scripts/restore-apt.sh
         shell: bash
 
       - name: Copy debug mode dependencies
@@ -572,8 +572,8 @@ jobs:
           name: ${{ needs.services-staging-whl.outputs.package_name }}
           path: ./build_context_path
 
-      - name: Copy layer-cleanup.sh script
-        run: cp -t ./build_context_path ./.github/scripts/layer-cleanup.sh
+      - name: Copy Dockerfile requirements
+        run: cp -t ./build_context_path ./.github/scripts/layer-cleanup.sh ./.github/scripts/restore-apt.sh
         shell: bash
 
       - id: publish-docker

services/adgs/.github/Dockerfile

@@ -45,15 +45,18 @@ RUN opentelemetry-bootstrap -a install && layer-cleanup.sh
 RUN apt autoremove -y git && layer-cleanup.sh
 
 # Add a default user
-RUN useradd -m user
-USER user
-WORKDIR /home/user
+ARG USER=user
+RUN useradd -m $USER
+USER $USER
+WORKDIR /home/$USER
 
 # The CI/CD will replace this tag in debug mode or else remove it
 # [DEBUG_MODE_COMMANDS]
 
-# After this, make sure we're still non-root
-USER user
+# Remove apt repository list and custom scripts
+USER root
+RUN rm -f /etc/apt/sources.list /usr/local/bin/layer-cleanup.sh /usr/local/bin/restore-apt.sh
+USER $USER
 
 ENTRYPOINT [ \
     "python", "-m", "uvicorn", "rs_server_adgs.fastapi.adgs_app:app", \

services/cadip/.github/Dockerfile

@@ -45,15 +45,18 @@ RUN opentelemetry-bootstrap -a install && layer-cleanup.sh
 RUN apt autoremove -y git && layer-cleanup.sh
 
 # Add a default user
-RUN useradd -m user
-USER user
-WORKDIR /home/user
+ARG USER=user
+RUN useradd -m $USER
+USER $USER
+WORKDIR /home/$USER
 
 # The CI/CD will replace this tag in debug mode or else remove it
 # [DEBUG_MODE_COMMANDS]
 
-# After this, make sure we're still non-root
-USER user
+# Remove apt repository list and custom scripts
+USER root
+RUN rm -f /etc/apt/sources.list /usr/local/bin/layer-cleanup.sh /usr/local/bin/restore-apt.sh
+USER $USER
 
 ENTRYPOINT [ \
     "python", "-m", "uvicorn", "rs_server_cadip.fastapi.cadip_app:app", \

services/catalog/.github/Dockerfile

@@ -45,17 +45,20 @@ RUN opentelemetry-bootstrap -a install && layer-cleanup.sh
 RUN apt autoremove -y git && layer-cleanup.sh
 
 # Add a default user
-RUN useradd -m user
-USER user
-WORKDIR /home/user
+ARG USER=user
+RUN useradd -m $USER
+USER $USER
+WORKDIR /home/$USER
 
 # The CI/CD will replace this tag in debug mode or else remove it
 # [DEBUG_MODE_COMMANDS]
 
 # [DEBUG_MODE_RELOAD_CATALOG]
 
-# After this, make sure we're still non-root
-USER user
+# Remove apt repository list and custom scripts
+USER root
+RUN rm -f /etc/apt/sources.list /usr/local/bin/layer-cleanup.sh /usr/local/bin/restore-apt.sh
+USER $USER
 
 # See: rs_server_catalog/main.py
 # uvicorn.run(

services/frontend/.github/Dockerfile

@@ -60,15 +60,18 @@ RUN chmod ugo+x /scripts/entrypoint_frontend.sh
 RUN chmod -R ugo+w $(dirname "${RSPY_OPENAPI_FILE}")
 
 # Add a default user
-RUN useradd -m user
-USER user
-WORKDIR /home/user
+ARG USER=user
+RUN useradd -m $USER
+USER $USER
+WORKDIR /home/$USER
 
 # The CI/CD will replace this tag in debug mode or else remove it
 # [DEBUG_MODE_COMMANDS]
 
-# After this, make sure we're still non-root
-USER user
+# Remove apt repository list and custom scripts
+USER root
+RUN rm -f /etc/apt/sources.list /usr/local/bin/layer-cleanup.sh /usr/local/bin/restore-apt.sh
+USER $USER
 
 ENTRYPOINT [ "/bin/bash", "-c", "set -x; /scripts/entrypoint_frontend.sh [DEBUG_MODE_RELOAD_FRONTEND]" ]
 

services/prip/.github/Dockerfile

@@ -45,15 +45,18 @@ RUN opentelemetry-bootstrap -a install && layer-cleanup.sh
 RUN apt autoremove -y git && layer-cleanup.sh
 
 # Add a default user
-RUN useradd -m user
-USER user
-WORKDIR /home/user
+ARG USER=user
+RUN useradd -m $USER
+USER $USER
+WORKDIR /home/$USER
 
 # The CI/CD will replace this tag in debug mode or else remove it
 # [DEBUG_MODE_COMMANDS]
 
-# After this, make sure we're still non-root
-USER user
+# Remove apt repository list and custom scripts
+USER root
+RUN rm -f /etc/apt/sources.list /usr/local/bin/layer-cleanup.sh /usr/local/bin/restore-apt.sh
+USER $USER
 
 ENTRYPOINT [ \
     "python", "-m", "uvicorn", "rs_server_prip.fastapi.prip_app:app", \