diff --git a/image/base/install-imagemagick b/image/base/install-imagemagick index 44dbea43a..892105bf9 100755 --- a/image/base/install-imagemagick +++ b/image/base/install-imagemagick @@ -5,31 +5,9 @@ set -e IMAGE_MAGICK_VERSION="7.1.0-62" IMAGE_MAGICK_HASH="d282117bc6d0e91ad1ad685d096623b96ed8e229f911c891d83277b350ef884a" -# We use debian, but GitHub CI is stuck on Ubuntu Bionic, so this must be compatible with both -LIBJPEGTURBO=$(cat /etc/issue | grep -qi Debian && echo 'libjpeg62-turbo libjpeg62-turbo-dev' || echo 'libjpeg-turbo8 libjpeg-turbo8-dev') - -# Ubuntu 22.04/22.10 doesn't have libwebp6 -LIBWEBP=$(cat /etc/issue | grep -qiE 'Debian GNU/Linux 12|Ubuntu 22' && echo 'libwebp7' || echo 'libwebp6') - PREFIX=/usr/local WDIR=/tmp/imagemagick -# Install build deps -apt -y -q remove imagemagick -apt -y -q install git make gcc pkg-config autoconf curl g++ yasm cmake \ - libde265-0 libde265-dev ${LIBJPEGTURBO} ${LIBWEBP} x265 libx265-dev libtool \ - libpng16-16 libpng-dev libwebp-dev libgomp1 \ - libwebpmux3 libwebpdemux2 ghostscript libxml2-dev libxml2-utils librsvg2-dev \ - libltdl7-dev libbz2-dev gsfonts libtiff-dev libfreetype6-dev libjpeg-dev libheif1 libheif-dev - -# Ubuntu doesn't like backports -if cat /etc/issue | grep -qiE 'Debian GNU/Linux 12|Ubuntu 22'; then - apt -y install libaom-dev -else - # Use backports instead of compiling it - apt -y -q install -t bullseye-backports libaom-dev -fi - mkdir -p $WDIR cd $WDIR diff --git a/image/base/install-nginx b/image/base/install-nginx index d6d86eba2..24e98eca2 100755 --- a/image/base/install-nginx +++ b/image/base/install-nginx @@ -11,9 +11,6 @@ gpg --verify nginx-$VERSION.tar.gz.asc nginx-$VERSION.tar.gz tar zxf nginx-$VERSION.tar.gz cd nginx-$VERSION -# nginx-common for boilerplate files etc. -apt install -y nginx-common - cd /tmp # this is the reason we are compiling by hand... git clone https://github.com/google/ngx_brotli.git 
diff --git a/image/base/install-oxipng b/image/base/install-oxipng index 63cad97ff..c0195f1a7 100755 --- a/image/base/install-oxipng +++ b/image/base/install-oxipng @@ -11,9 +11,6 @@ case "${dpkgArch##*-}" in *) echo >&2 "unsupported architecture: ${dpkgArch}"; exit 1 ;; esac -# Install other deps -apt -y -q install advancecomp jhead jpegoptim libjpeg-turbo-progs optipng - mkdir /oxipng-install cd /oxipng-install diff --git a/image/base/slim.Dockerfile b/image/base/slim.Dockerfile index b08ee594e..8a911e8ec 100644 --- a/image/base/slim.Dockerfile +++ b/image/base/slim.Dockerfile 
@@ -8,126 +8,207 @@ ARG DEBIAN_RELEASE ENV PG_MAJOR=13 \ RUBY_ALLOCATOR=/usr/lib/libjemalloc.so \ LEFTHOOK=0 \ - DEBIAN_RELEASE=${DEBIAN_RELEASE} + DEBIAN_RELEASE=${DEBIAN_RELEASE} \ + LC_ALL=en_US.UTF-8 \ + LANG=en_US.UTF-8 \ + LANGUAGE=en_US.UTF-8 #LABEL maintainer="Sam Saffron \"https://twitter.com/samsaffron\"" -# Ensures that the gid and uid of the following users are consistent to avoid permission issues on directories in the -# mounted volumes. -RUN groupadd --gid 104 postgres &&\ - useradd --uid 101 --gid 104 --home /var/lib/postgresql --shell /bin/bash -c "PostgreSQL administrator,,," postgres &&\ - groupadd --gid 106 redis &&\ - useradd --uid 103 --gid 106 --home /var/lib/redis --shell /usr/sbin/nologin redis &&\ - groupadd --gid 1000 discourse &&\ - useradd --uid 1000 --gid 1000 -m --shell /bin/bash discourse - -RUN echo 2.0.`date +%Y%m%d` > /VERSION -RUN echo "deb http://deb.debian.org/debian ${DEBIAN_RELEASE}-backports main" > "/etc/apt/sources.list.d/${DEBIAN_RELEASE}-backports.list" -RUN echo "debconf debconf/frontend select Teletype" | debconf-set-selections -RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get -y install gnupg sudo curl fping -RUN sh -c "fping proxy && echo 'Acquire { Retries \"0\"; HTTP { Proxy \"http://proxy:3128\";}; };' > /etc/apt/apt.conf.d/40proxy && apt-get update || true" -RUN apt-mark hold initscripts -RUN apt-get -y upgrade - -RUN DEBIAN_FRONTEND=noninteractive apt-get install -y locales locales-all -ENV LC_ALL en_US.UTF-8 -ENV LANG en_US.UTF-8 -ENV LANGUAGE en_US.UTF-8 - -RUN install -d /usr/share/postgresql-common/pgdg &&\ - curl -o /usr/share/postgresql-common/pgdg/apt.postgresql.org.asc --fail https://www.postgresql.org/media/keys/ACCC4CF8.asc &&\ - echo "deb [signed-by=/usr/share/postgresql-common/pgdg/apt.postgresql.org.asc] https://apt.postgresql.org/pub/repos/apt ${DEBIAN_RELEASE}-pgdg main" > /etc/apt/sources.list.d/pgdg.list - -RUN curl --silent --location https://deb.nodesource.com/setup_18.x | sudo 
bash - -RUN curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | apt-key add - -RUN echo "deb https://dl.yarnpkg.com/debian/ stable main" > /etc/apt/sources.list.d/yarn.list -RUN apt-get -y update -# install these without recommends to avoid pulling in e.g. -# X11 libraries, mailutils -RUN DEBIAN_FRONTEND=noninteractive apt-get -y install --no-install-recommends git rsyslog logrotate cron ssh-client less -RUN DEBIAN_FRONTEND=noninteractive apt-get -y install autoconf build-essential ca-certificates rsync \ - libxslt-dev libcurl4-openssl-dev \ - libssl-dev libyaml-dev libtool \ - libpcre3 libpcre3-dev zlib1g zlib1g-dev \ - libxml2-dev gawk parallel \ - postgresql-${PG_MAJOR} postgresql-client \ - postgresql-contrib-${PG_MAJOR} libpq-dev postgresql-${PG_MAJOR}-pgvector \ - libreadline-dev anacron wget \ - psmisc whois brotli libunwind-dev \ - libtcmalloc-minimal4 cmake \ - pngcrush pngquant ripgrep poppler-utils -RUN sed -i -e 's/start -q anacron/anacron -s/' /etc/cron.d/anacron -RUN sed -i.bak 's/$ModLoad imklog/#$ModLoad imklog/' /etc/rsyslog.conf -RUN sed -i.bak 's/module(load="imklog")/#module(load="imklog")/' /etc/rsyslog.conf -RUN dpkg-divert --local --rename --add /sbin/initctl -RUN sh -c "test -f /sbin/initctl || ln -s /bin/true /sbin/initctl" -RUN cd / &&\ - DEBIAN_FRONTEND=noninteractive apt-get -y install runit socat &&\ - mkdir -p /etc/runit/1.d &&\ - apt-get clean &&\ - rm -f /etc/apt/apt.conf.d/40proxy &&\ - locale-gen en_US &&\ - DEBIAN_FRONTEND=noninteractive apt-get install -y nodejs yarn &&\ - npm install -g terser uglify-js pnpm - ADD install-imagemagick /tmp/install-imagemagick -RUN /tmp/install-imagemagick - ADD install-jemalloc /tmp/install-jemalloc -RUN /tmp/install-jemalloc - # From https://nginx.org/en/pgp_keys.html ADD nginx_public_keys.key /tmp/nginx_public_keys.key ADD install-nginx /tmp/install-nginx - -RUN gpg --import /tmp/nginx_public_keys.key &&\ - rm /tmp/nginx_public_keys.key &&\ - /tmp/install-nginx - -ADD install-redis 
/tmp/install-redis -RUN /tmp/install-redis - ADD install-oxipng /tmp/install-oxipng -RUN /tmp/install-oxipng - -RUN echo 'gem: --no-document' >> /usr/local/etc/gemrc &&\ - gem update --system - -RUN gem install pups --force &&\ - mkdir -p /pups/bin/ &&\ - ln -s /usr/local/bin/pups /pups/bin/pups - +ADD install-redis /tmp/install-redis # This tool allows us to disable huge page support for our current process # since the flag is preserved through forks and execs it can be used on any # process ADD thpoff.c /src/thpoff.c -RUN gcc -o /usr/local/sbin/thpoff /src/thpoff.c && rm /src/thpoff.c -# clean up for docker squash -RUN rm -fr /usr/share/man &&\ - rm -fr /usr/share/doc &&\ - rm -fr /usr/share/vim/vim74/doc &&\ - rm -fr /usr/share/vim/vim74/lang &&\ - rm -fr /usr/share/vim/vim74/spell/en* &&\ - rm -fr /usr/share/vim/vim74/tutor &&\ - rm -fr /usr/local/share/doc &&\ - rm -fr /usr/local/share/ri &&\ - rm -fr /var/lib/apt/lists/* &&\ - rm -fr /root/.gem &&\ - rm -fr /root/.npm &&\ - rm -fr /tmp/* - -# this can probably be done, but I worry that people changing PG locales will have issues -# cd /usr/share/locale && rm -fr `ls -d */ | grep -v en` - -# this is required for aarch64 which uses buildx -# see https://github.com/docker/buildx/issues/150 -RUN rm -f /etc/service - -COPY etc/ /etc +RUN set -eux; \ + # Ensures that the gid and uid of the following users are consistent to avoid permission issues on directories in the + # mounted volumes. 
+ groupadd --gid 104 postgres; \ + useradd --uid 101 --gid 104 --home /var/lib/postgresql --shell /bin/bash -c "PostgreSQL administrator,,," postgres; \ + groupadd --gid 106 redis; \ + useradd --uid 103 --gid 106 --home /var/lib/redis --shell /usr/sbin/nologin redis; \ + groupadd --gid 1000 discourse; \ + useradd --uid 1000 --gid 1000 -m --shell /bin/bash discourse; \ + \ + echo 2.0.`date +%Y%m%d` > /VERSION; \ + echo "deb http://deb.debian.org/debian ${DEBIAN_RELEASE}-backports main" > "/etc/apt/sources.list.d/${DEBIAN_RELEASE}-backports.list"; \ + echo "debconf debconf/frontend select Teletype" | debconf-set-selections; \ + apt-get update; \ + DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends sudo curl; \ + install -d /usr/share/postgresql-common/pgdg; \ + curl -o /usr/share/postgresql-common/pgdg/apt.postgresql.org.asc --fail https://www.postgresql.org/media/keys/ACCC4CF8.asc; \ + echo "deb [signed-by=/usr/share/postgresql-common/pgdg/apt.postgresql.org.asc] https://apt.postgresql.org/pub/repos/apt ${DEBIAN_RELEASE}-pgdg main" > /etc/apt/sources.list.d/pgdg.list; \ + curl --silent --location https://deb.nodesource.com/setup_18.x | sudo bash -; \ + curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | apt-key add -; \ + echo "deb https://dl.yarnpkg.com/debian/ stable main" > /etc/apt/sources.list.d/yarn.list; \ + apt-mark hold initscripts; \ + apt-get update; \ + apt-get -y upgrade; \ + \ + # Dependencies required to run Discourse + DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \ + locales \ + locales-all \ + git \ + rsyslog \ + logrotate \ + cron \ + ssh-client \ + less \ + ca-certificates \ + rsync \ + libxslt-dev \ + libcurl4-openssl-dev \ + libssl-dev \ + libyaml-dev \ + libtool \ + libpcre3 \ + libpcre3-dev \ + zlib1g \ + zlib1g-dev \ + libxml2-dev \ + gawk \ + parallel \ + postgresql-${PG_MAJOR} \ + postgresql-client \ + postgresql-contrib-${PG_MAJOR} \ + libpq-dev \ + postgresql-${PG_MAJOR}-pgvector \ + 
libreadline-dev \ + anacron \ + psmisc \ + whois \ + brotli \ + libunwind-dev \ + libtcmalloc-minimal4 \ + ripgrep \ + poppler-utils \ + runit \ + socat \ + nodejs \ + yarn \ + # START Nginx + nginx-common \ + # END Nginx + # START ImageMagick + pngcrush \ + pngquant \ + libde265-0 \ + libde265-dev \ + libjpeg62-turbo \ + libjpeg62-turbo-dev \ + libwebp7 \ + x265 \ + libx265-dev \ + libtool \ + libpng16-16 \ + libpng-dev \ + libwebp-dev \ + libgomp1 \ + libwebpmux3 \ + libwebpdemux2 \ + ghostscript \ + libxml2-dev \ + libxml2-utils \ + librsvg2-dev \ + libltdl7-dev \ + libbz2-dev \ + gsfonts \ + libtiff-dev \ + libfreetype6-dev \ + libjpeg-dev \ + libheif1 \ + libheif-dev \ + libaom-dev \ + # END ImageMagick + ; \ + savedAptMark="$(apt-mark showmanual)"; \ + # Dependencies required to build packages. These packages are automatically removed + # at the end of the RUN step. + DEBIAN_FRONTEND=noninteractive apt-get -y install --no-install-recommends \ + wget \ + gcc \ + g++ \ + make \ + cmake \ + autoconf \ + automake \ + libtool \ + pkg-config \ + autoconf \ + yasm \ + ; \ + sed -i -e 's/start -q anacron/anacron -s/' /etc/cron.d/anacron; \ + sed -i.bak 's/$ModLoad imklog/#$ModLoad imklog/' /etc/rsyslog.conf; \ + sed -i.bak 's/module(load="imklog")/#module(load="imklog")/' /etc/rsyslog.conf; \ + dpkg-divert --local --rename --add /sbin/initctl; \ + sh -c "test -f /sbin/initctl || ln -s /bin/true /sbin/initctl"; \ + mkdir -p /etc/runit/1.d; \ + rm -f /etc/apt/apt.conf.d/40proxy; \ + locale-gen en_US; \ + npm install -g terser uglify-js pnpm; \ + \ + # Installs ImageMagick + /tmp/install-imagemagick; \ + # Installs JeMalloc + /tmp/install-jemalloc; \ + \ + # Installs Nginx + gpg --import /tmp/nginx_public_keys.key; \ + rm /tmp/nginx_public_keys.key; \ + /tmp/install-nginx; \ + # Installs Redis + /tmp/install-redis; \ + # Installs Oxipng + /tmp/install-oxipng; \ + echo 'gem: --no-document' >> /usr/local/etc/gemrc; \ + gem update --system; \ + gem install pups --force; \ 
+ mkdir -p /pups/bin/; \ + ln -s /usr/local/bin/pups /pups/bin/pups; \ + gcc -o /usr/local/sbin/thpoff /src/thpoff.c && rm /src/thpoff.c; \ + \ + # Discourse specific bits + install -dm 0755 -o discourse -g discourse /var/www/discourse; \ + sudo -u discourse git clone --filter=tree:0 https://github.com/discourse/discourse.git /var/www/discourse; \ + gem install bundler --conservative -v $(awk '/BUNDLED WITH/ { getline; gsub(/ /,""); print $0 }' /var/www/discourse/Gemfile.lock); \ + \ + # Clean up + rm -fr /usr/share/man; \ + rm -fr /usr/share/doc; \ + rm -fr /usr/share/vim/vim74/doc; \ + rm -fr /usr/share/vim/vim74/lang; \ + rm -fr /usr/share/vim/vim74/spell/en*; \ + rm -fr /usr/share/vim/vim74/tutor; \ + rm -fr /usr/local/share/doc; \ + rm -fr /usr/local/share/ri; \ + rm -fr /var/lib/apt/lists/*; \ + rm -fr /root/.gem; \ + rm -fr /root/.npm; \ + rm -fr /tmp/*; \ + apt-mark auto '.*' > /dev/null; \ + apt-mark manual $savedAptMark > /dev/null; \ + find /usr/local -type f -executable -not \( -name '*tkinter*' \) -exec ldd '{}' ';' \ + | awk '/=>/ { so = $(NF-1); if (index(so, "/usr/local/") == 1) { next }; gsub("^/(usr/)?", "", so); printf "*%s\n", so }' \ + | sort -u \ + | xargs -r dpkg-query --search \ + | cut -d: -f1 \ + | sort -u \ + | xargs -r apt-mark manual \ + ; \ + apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \ + apt-get clean; \ + \ + # this is required for aarch64 which uses buildx + # see https://github.com/docker/buildx/issues/150 + rm -f /etc/service + +COPY etc/ /etc COPY sbin/ /sbin - -# Discourse specific bits -RUN install -dm 0755 -o discourse -g discourse /var/www/discourse &&\ - sudo -u discourse git clone --filter=tree:0 https://github.com/discourse/discourse.git /var/www/discourse &&\ - gem install bundler --conservative -v $(awk '/BUNDLED WITH/ { getline; gsub(/ /,""); print $0 }' /var/www/discourse/Gemfile.lock)
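Review bot: In the new single `RUN set -eux` step, `curl --silent --location https://deb.nodesource.com/setup_18.x | sudo bash -` executes a remote script as root with no `--fail` and no integrity check. Because `-e` only sees the status of the last pipeline stage, a failed download hands `bash` empty input and the build carries on; the later `nodejs` install would then presumably resolve from whichever repository is still configured. The yarn key is added to the global apt trust store through the deprecated `apt-key add -`, while the pgdg lines just above already scope their key with `signed-by`; the same pattern here would limit what that key is trusted to sign. Downloading to a file with `--fail` before running or trusting it closes both gaps, and leaves room to compare the setup script against a pinned checksum. Separately, the first install line now drops `gnupg`, although `apt-key add` and the later `gpg --import /tmp/nginx_public_keys.key` still need it; whether the base image already provides it is not visible in this hunk.

```dockerfile
    # … unchanged: pgdg key download and pgdg.list entry …
    curl --fail --silent --show-error --location -o /tmp/nodesource_setup.sh https://deb.nodesource.com/setup_18.x; \
    bash /tmp/nodesource_setup.sh; \
    curl --fail -sS -o /usr/share/keyrings/yarn.asc https://dl.yarnpkg.com/debian/pubkey.gpg; \
    echo "deb [signed-by=/usr/share/keyrings/yarn.asc] https://dl.yarnpkg.com/debian/ stable main" > /etc/apt/sources.list.d/yarn.list; \
    # … unchanged: apt-mark hold, apt-get update, apt-get -y upgrade …
```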