Optimized the backend Docker build logic.

crazyoyo · crazyoyo · commit 4604d9724692 · 2026-03-06T23:23:18.000+08:00
diff --git a/e2b-setup-env-existing-vpc.yml b/e2b-setup-env-existing-vpc.yml
@@ -749,7 +749,7 @@ Resources:
               snap install go --classic
             - |
               # Install essential development and deployment tools
-              apt install unzip docker.io make jq postgresql-client-common -y
+              apt install unzip docker.io make jq postgresql-client-common git -y
             - |
               # Install PostgreSQL client for database management
               apt install postgresql-client -y
diff --git a/e2b-setup-env.yml b/e2b-setup-env.yml
@@ -873,7 +873,7 @@ Resources:
               snap install go --classic
             - |
               # Install essential development and deployment tools
-              apt install unzip docker.io make jq postgresql-client-common -y
+              apt install unzip docker.io make jq postgresql-client-common git -y
             - |
               # Install PostgreSQL client for database management
               apt install postgresql-client -y
diff --git a/infra-iac/packer/main.pkr.hcl b/infra-iac/packer/main.pkr.hcl
@@ -62,9 +62,11 @@ build {
       "sudo systemctl stop apt-daily.service apt-daily-upgrade.service unattended-upgrades.service || true",
       "sudo systemctl kill apt-daily.service apt-daily-upgrade.service unattended-upgrades.service || true",
       "sudo systemctl disable apt-daily.timer apt-daily-upgrade.timer || true",
+      "sudo systemctl mask apt-daily.service apt-daily-upgrade.service unattended-upgrades.service || true",
+      "sudo killall -9 apt-get apt dpkg unattended-upgr 2>/dev/null || true",
       "echo 'Waiting for apt/dpkg locks to be released...'",
-      "for i in $(seq 1 60); do if sudo fuser /var/lib/dpkg/lock /var/lib/dpkg/lock-frontend /var/lib/apt/lists/lock >/dev/null 2>&1; then echo \"Lock held, waiting... ($i/60)\"; sleep 5; else echo 'Locks released.'; break; fi; done",
-      "sleep 2"
+      "for i in $(seq 1 60); do if sudo fuser /var/lib/dpkg/lock /var/lib/dpkg/lock-frontend /var/lib/apt/lists/lock /var/cache/apt/archives/lock >/dev/null 2>&1; then echo \"Lock held, waiting... ($i/60)\"; sleep 5; else echo 'Locks released.'; break; fi; done",
+      "sleep 5"
     ]
   }
 
@@ -74,6 +76,7 @@ build {
       "DEBCONF_NONINTERACTIVE_SEEN=true"
     ]
     inline = [
+      "for i in $(seq 1 30); do if sudo fuser /var/lib/dpkg/lock /var/lib/dpkg/lock-frontend /var/lib/apt/lists/lock /var/cache/apt/archives/lock >/dev/null 2>&1; then echo \"Apt lock held, waiting... ($i/30)\"; sleep 5; else break; fi; done",
       "sudo -E apt-get clean",
       "sudo -E apt-get update -y",
       "sudo -E apt-get upgrade -y",
diff --git a/infra-iac/terraform/scripts/start-api.sh b/infra-iac/terraform/scripts/start-api.sh
@@ -36,6 +36,9 @@ net.core.netdev_max_backlog = 65535
 
 # Increase maximum number of TCP sockets
 net.ipv4.tcp_max_syn_backlog = 65535
+
+# Reserve static service ports from being used as ephemeral ports
+net.ipv4.ip_local_reserved_ports = 50001
 EOF
 sudo sysctl -p
 
diff --git a/infra-iac/terraform/scripts/start-build-cluster.sh b/infra-iac/terraform/scripts/start-build-cluster.sh
@@ -27,6 +27,9 @@ net.core.netdev_max_backlog = 65535
 
 # Increase maximum number of TCP sockets
 net.ipv4.tcp_max_syn_backlog = 65535
+
+# Reserve static service ports from being used as ephemeral ports
+net.ipv4.ip_local_reserved_ports = 44313,50001
 EOF
 sudo sysctl -p
 
diff --git a/infra-iac/terraform/scripts/start-client.sh b/infra-iac/terraform/scripts/start-client.sh
@@ -195,6 +195,9 @@ net.ipv4.tcp_max_syn_backlog = 65535
 # Increase the maximum number of memory map areas
 vm.max_map_count=1048576
 
+# Reserve static service ports from being used as ephemeral ports
+net.ipv4.ip_local_reserved_ports = 44313,50001
+
 EOF
 sudo sysctl -p
 
diff --git a/packages/shared/pkg/artifacts-registry/registry_aws.go b/packages/shared/pkg/artifacts-registry/registry_aws.go
@@ -121,19 +121,27 @@ func (g *AWSArtifactsRegistry) CopyImage(ctx context.Context, sourceRef string,
 		return fmt.Errorf("failed to parse source image reference '%s': %w", sourceRef, err)
 	}
 
-	// 2. Get ECR auth
-	auth, err := g.getAuthToken(ctx)
-	if err != nil {
-		return fmt.Errorf("failed to get ECR auth token: %w", err)
-	}
-
-	// 3. Fetch source image
-	img, err := remote.Image(src, remote.WithAuth(auth))
-	if err != nil {
-		return fmt.Errorf("failed to fetch source image '%s': %w", sourceRef, err)
+	// 2. Fetch source image — use auth only for private ECR, anonymous for public sources
+	var img containerregistry.Image
+	if isPrivateECR(sourceRef) {
+		auth, err := g.getAuthToken(ctx)
+		if err != nil {
+			return fmt.Errorf("failed to get ECR auth token: %w", err)
+		}
+		img, err = remote.Image(src, remote.WithAuth(auth))
+		if err != nil {
+			return fmt.Errorf("failed to fetch source image '%s': %w", sourceRef, err)
+		}
+	} else {
+		// Public images (Docker Hub, public.ecr.aws, etc.) — anonymous pull
+		var fetchErr error
+		img, fetchErr = remote.Image(src)
+		if fetchErr != nil {
+			return fmt.Errorf("failed to fetch source image '%s': %w", sourceRef, fetchErr)
+		}
 	}
 
-	// 4. Ensure target ECR repository exists
+	// 3. Ensure target ECR repository exists
 	targetRepoName := fmt.Sprintf("%s/%s", g.repositoryName, templateId)
 	if err := g.ensureRepository(ctx, targetRepoName); err != nil {
 		return fmt.Errorf("failed to ensure target repository: %w", err)
@@ -150,8 +158,12 @@ func (g *AWSArtifactsRegistry) CopyImage(ctx context.Context, sourceRef string,
 		return fmt.Errorf("failed to parse target reference '%s': %w", targetTag, err)
 	}
 
-	// 6. Write image to target
-	if err := remote.Write(dst, img, remote.WithAuth(auth)); err != nil {
+	// 6. Write image to target (always use ECR auth for the destination)
+	pushAuth, err := g.getAuthToken(ctx)
+	if err != nil {
+		return fmt.Errorf("failed to get ECR auth token for push: %w", err)
+	}
+	if err := remote.Write(dst, img, remote.WithAuth(pushAuth)); err != nil {
 		return fmt.Errorf("failed to write image to '%s': %w", targetTag, err)
 	}
 
@@ -177,30 +189,34 @@ func (g *AWSArtifactsRegistry) ensureRepository(ctx context.Context, repoName st
 	return nil
 }
 
-// resolveSourceRef resolves a short image name (e.g. "e2bdev/desktop") to a full
-// ECR URI by prepending the registry domain. If the reference already contains a
+// resolveSourceRef resolves image references. If the reference already contains a
 // registry domain (detected by a "." in the first path component), it is returned as-is.
+// Short names without a domain are treated as Docker Hub images.
 func (g *AWSArtifactsRegistry) resolveSourceRef(ctx context.Context, sourceRef string) (string, error) {
 	parts := strings.SplitN(sourceRef, "/", 2)
-	if strings.Contains(parts[0], ".") {
-		// Already has a registry domain
+	// Strip tag/digest before checking for domain dots
+	host := strings.SplitN(parts[0], ":", 2)[0]
+	if strings.Contains(host, ".") {
+		// Already has a registry domain (e.g. public.ecr.aws/..., 918xxx.dkr.ecr.../...)
 		return sourceRef, nil
 	}
 
-	// Get ECR registry URL from auth token
-	res, err := g.client.GetAuthorizationToken(ctx, &ecr.GetAuthorizationTokenInput{})
-	if err != nil {
-		return "", fmt.Errorf("failed to get ECR registry URL: %w", err)
-	}
-	if len(res.AuthorizationData) == 0 || res.AuthorizationData[0].ProxyEndpoint == nil {
-		return "", fmt.Errorf("no ECR proxy endpoint found")
+	// No domain → Docker Hub image
+	if len(parts) == 1 {
+		// Official image like "ubuntu:22.04" → "docker.io/library/ubuntu:22.04"
+		nameAndTag := strings.SplitN(sourceRef, ":", 2)
+		if len(nameAndTag) == 2 {
+			return fmt.Sprintf("docker.io/library/%s:%s", nameAndTag[0], nameAndTag[1]), nil
+		}
+		return fmt.Sprintf("docker.io/library/%s:latest", sourceRef), nil
 	}
+	// User image like "myuser/myrepo:tag" → "docker.io/myuser/myrepo:tag"
+	return fmt.Sprintf("docker.io/%s", sourceRef), nil
+}
 
-	// ProxyEndpoint is "https://918380168589.dkr.ecr.us-west-2.amazonaws.com"
-	registryURL := strings.TrimPrefix(*res.AuthorizationData[0].ProxyEndpoint, "https://")
-	registryURL = strings.TrimPrefix(registryURL, "http://")
-
-	return fmt.Sprintf("%s/%s", registryURL, sourceRef), nil
+// isPrivateECR checks if the image reference points to a private ECR registry.
+func isPrivateECR(ref string) bool {
+	return strings.Contains(ref, ".dkr.ecr.") && strings.Contains(ref, ".amazonaws.com")
 }
 
 func (g *AWSArtifactsRegistry) getAuthToken(ctx context.Context) (*authn.Basic, error) {
@@ -232,4 +248,4 @@ func (g *AWSArtifactsRegistry) getAuthToken(ctx context.Context) (*authn.Basic,
 		Username: username,
 		Password: password,
 	}, nil
-}
+}
