WIP: Consolidate layers

Author: tgxworld

image/base/install-imagemagick

@@ -5,31 +5,9 @@ set -e
 IMAGE_MAGICK_VERSION="7.1.0-62"
 IMAGE_MAGICK_HASH="d282117bc6d0e91ad1ad685d096623b96ed8e229f911c891d83277b350ef884a"
 
-# We use debian, but GitHub CI is stuck on Ubuntu Bionic, so this must be compatible with both
-LIBJPEGTURBO=$(cat /etc/issue | grep -qi Debian && echo 'libjpeg62-turbo libjpeg62-turbo-dev' || echo 'libjpeg-turbo8 libjpeg-turbo8-dev')
-
-# Ubuntu 22.04/22.10  doesn't have libwebp6
-LIBWEBP=$(cat /etc/issue | grep -qiE 'Debian GNU/Linux 12|Ubuntu 22' && echo 'libwebp7' || echo 'libwebp6')
-
 PREFIX=/usr/local
 WDIR=/tmp/imagemagick
 
-# Install build deps
-apt -y -q remove imagemagick
-apt -y -q install git make gcc pkg-config autoconf curl g++ yasm cmake \
-    libde265-0 libde265-dev ${LIBJPEGTURBO} ${LIBWEBP} x265 libx265-dev libtool \
-    libpng16-16 libpng-dev libwebp-dev libgomp1 \
-    libwebpmux3 libwebpdemux2 ghostscript libxml2-dev libxml2-utils librsvg2-dev \
-    libltdl7-dev libbz2-dev gsfonts libtiff-dev libfreetype6-dev libjpeg-dev libheif1 libheif-dev
-
-# Ubuntu doesn't like backports
-if cat /etc/issue | grep -qiE 'Debian GNU/Linux 12|Ubuntu 22'; then
-  apt -y install libaom-dev
-else
-  # Use backports instead of compiling it
-  apt -y -q install -t bullseye-backports libaom-dev
-fi
-
 mkdir -p $WDIR
 cd $WDIR
 

image/base/install-nginx

@@ -11,9 +11,6 @@ gpg --verify nginx-$VERSION.tar.gz.asc nginx-$VERSION.tar.gz
 tar zxf nginx-$VERSION.tar.gz
 cd nginx-$VERSION
 
-# nginx-common for boilerplate files etc.
-apt install -y nginx-common
-
 cd /tmp
 # this is the reason we are compiling by hand...
 git clone https://github.com/google/ngx_brotli.git

image/base/install-oxipng

@@ -11,9 +11,6 @@ case "${dpkgArch##*-}" in
     *) echo >&2 "unsupported architecture: ${dpkgArch}"; exit 1 ;;
 esac
 
-# Install other deps
-apt -y -q install advancecomp jhead jpegoptim libjpeg-turbo-progs optipng
-
 mkdir /oxipng-install
 cd /oxipng-install
 

image/base/slim.Dockerfile

@@ -8,126 +8,207 @@ ARG DEBIAN_RELEASE
 ENV PG_MAJOR=13 \
     RUBY_ALLOCATOR=/usr/lib/libjemalloc.so \
     LEFTHOOK=0 \
-    DEBIAN_RELEASE=${DEBIAN_RELEASE}
+    DEBIAN_RELEASE=${DEBIAN_RELEASE} \
+    LC_ALL=en_US.UTF-8 \
+    LANG=en_US.UTF-8 \
+    LANGUAGE=en_US.UTF-8
 
 #LABEL maintainer="Sam Saffron \"https://twitter.com/samsaffron\""
 
-# Ensures that the gid and uid of the following users are consistent to avoid permission issues on directories in the
-# mounted volumes.
-RUN groupadd --gid 104 postgres &&\
-    useradd --uid 101 --gid 104 --home /var/lib/postgresql --shell /bin/bash -c "PostgreSQL administrator,,," postgres &&\
-    groupadd --gid 106 redis &&\
-    useradd --uid 103 --gid 106 --home /var/lib/redis --shell /usr/sbin/nologin redis &&\
-    groupadd --gid 1000 discourse &&\
-    useradd --uid 1000 --gid 1000 -m --shell /bin/bash discourse
-
-RUN echo 2.0.`date +%Y%m%d` > /VERSION
-RUN echo "deb http://deb.debian.org/debian ${DEBIAN_RELEASE}-backports main" > "/etc/apt/sources.list.d/${DEBIAN_RELEASE}-backports.list"
-RUN echo "debconf debconf/frontend select Teletype" | debconf-set-selections
-RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get -y install gnupg sudo curl fping
-RUN sh -c "fping proxy && echo 'Acquire { Retries \"0\"; HTTP { Proxy \"http://proxy:3128\";}; };' > /etc/apt/apt.conf.d/40proxy && apt-get update || true"
-RUN apt-mark hold initscripts
-RUN apt-get -y upgrade
-
-RUN DEBIAN_FRONTEND=noninteractive apt-get install -y locales locales-all
-ENV LC_ALL en_US.UTF-8
-ENV LANG en_US.UTF-8
-ENV LANGUAGE en_US.UTF-8
-
-RUN install -d /usr/share/postgresql-common/pgdg &&\
-    curl -o /usr/share/postgresql-common/pgdg/apt.postgresql.org.asc --fail https://www.postgresql.org/media/keys/ACCC4CF8.asc &&\
-    echo "deb [signed-by=/usr/share/postgresql-common/pgdg/apt.postgresql.org.asc] https://apt.postgresql.org/pub/repos/apt ${DEBIAN_RELEASE}-pgdg main" > /etc/apt/sources.list.d/pgdg.list
-
-RUN curl --silent --location https://deb.nodesource.com/setup_18.x | sudo bash -
-RUN curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | apt-key add -
-RUN echo "deb https://dl.yarnpkg.com/debian/ stable main" > /etc/apt/sources.list.d/yarn.list
-RUN apt-get -y update
-# install these without recommends to avoid pulling in e.g.
-# X11 libraries, mailutils
-RUN DEBIAN_FRONTEND=noninteractive apt-get -y install --no-install-recommends git rsyslog logrotate cron ssh-client less
-RUN DEBIAN_FRONTEND=noninteractive apt-get -y install autoconf build-essential ca-certificates rsync \
-    libxslt-dev libcurl4-openssl-dev \
-    libssl-dev libyaml-dev libtool \
-    libpcre3 libpcre3-dev zlib1g zlib1g-dev \
-    libxml2-dev gawk parallel \
-    postgresql-${PG_MAJOR} postgresql-client \
-    postgresql-contrib-${PG_MAJOR} libpq-dev postgresql-${PG_MAJOR}-pgvector \
-    libreadline-dev anacron wget \
-    psmisc whois brotli libunwind-dev \
-    libtcmalloc-minimal4 cmake \
-    pngcrush pngquant ripgrep poppler-utils
-RUN sed -i -e 's/start -q anacron/anacron -s/' /etc/cron.d/anacron
-RUN sed -i.bak 's/$ModLoad imklog/#$ModLoad imklog/' /etc/rsyslog.conf
-RUN sed -i.bak 's/module(load="imklog")/#module(load="imklog")/' /etc/rsyslog.conf
-RUN dpkg-divert --local --rename --add /sbin/initctl
-RUN sh -c "test -f /sbin/initctl || ln -s /bin/true /sbin/initctl"
-RUN cd / &&\
-    DEBIAN_FRONTEND=noninteractive apt-get -y install runit socat &&\
-    mkdir -p /etc/runit/1.d &&\
-    apt-get clean &&\
-    rm -f /etc/apt/apt.conf.d/40proxy &&\
-    locale-gen en_US &&\
-    DEBIAN_FRONTEND=noninteractive apt-get install -y nodejs yarn &&\
-    npm install -g terser uglify-js pnpm
-
 ADD install-imagemagick /tmp/install-imagemagick
-RUN /tmp/install-imagemagick
-
 ADD install-jemalloc /tmp/install-jemalloc
-RUN /tmp/install-jemalloc
-
 # From https://nginx.org/en/pgp_keys.html
 ADD nginx_public_keys.key /tmp/nginx_public_keys.key
 ADD install-nginx /tmp/install-nginx
-
-RUN gpg --import /tmp/nginx_public_keys.key &&\
-    rm /tmp/nginx_public_keys.key &&\
-    /tmp/install-nginx
-
-ADD install-redis /tmp/install-redis
-RUN /tmp/install-redis
-
 ADD install-oxipng /tmp/install-oxipng
-RUN /tmp/install-oxipng
-
-RUN echo 'gem: --no-document' >> /usr/local/etc/gemrc &&\
-    gem update --system
-
-RUN gem install pups --force &&\
-    mkdir -p /pups/bin/ &&\
-    ln -s /usr/local/bin/pups /pups/bin/pups
-
+ADD install-redis /tmp/install-redis
 # This tool allows us to disable huge page support for our current process
 # since the flag is preserved through forks and execs it can be used on any
 # process
 ADD thpoff.c /src/thpoff.c
-RUN gcc -o /usr/local/sbin/thpoff /src/thpoff.c && rm /src/thpoff.c
 
-# clean up for docker squash
-RUN rm -fr /usr/share/man &&\
-    rm -fr /usr/share/doc &&\
-    rm -fr /usr/share/vim/vim74/doc &&\
-    rm -fr /usr/share/vim/vim74/lang &&\
-    rm -fr /usr/share/vim/vim74/spell/en* &&\
-    rm -fr /usr/share/vim/vim74/tutor &&\
-    rm -fr /usr/local/share/doc &&\
-    rm -fr /usr/local/share/ri &&\
-    rm -fr /var/lib/apt/lists/* &&\
-    rm -fr /root/.gem &&\
-    rm -fr /root/.npm &&\
-    rm -fr /tmp/*
-
-# this can probably be done, but I worry that people changing PG locales will have issues
-# cd /usr/share/locale && rm -fr `ls -d */ | grep -v en`
-
-# this is required for aarch64 which uses buildx
-# see https://github.com/docker/buildx/issues/150
-RUN rm -f /etc/service
-
-COPY etc/  /etc
+RUN set -eux; \
+    # Ensures that the gid and uid of the following users are consistent to avoid permission issues on directories in the
+    # mounted volumes.
+    groupadd --gid 104 postgres; \
+    useradd --uid 101 --gid 104 --home /var/lib/postgresql --shell /bin/bash -c "PostgreSQL administrator,,," postgres; \
+    groupadd --gid 106 redis; \
+    useradd --uid 103 --gid 106 --home /var/lib/redis --shell /usr/sbin/nologin redis; \
+    groupadd --gid 1000 discourse; \
+    useradd --uid 1000 --gid 1000 -m --shell /bin/bash discourse; \
+    \
+    echo 2.0.`date +%Y%m%d` > /VERSION; \
+    echo "deb http://deb.debian.org/debian ${DEBIAN_RELEASE}-backports main" > "/etc/apt/sources.list.d/${DEBIAN_RELEASE}-backports.list"; \
+    echo "debconf debconf/frontend select Teletype" | debconf-set-selections; \
+    apt-get update; \
+    DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends sudo curl; \
+    install -d /usr/share/postgresql-common/pgdg; \
+    curl -o /usr/share/postgresql-common/pgdg/apt.postgresql.org.asc --fail https://www.postgresql.org/media/keys/ACCC4CF8.asc; \
+    echo "deb [signed-by=/usr/share/postgresql-common/pgdg/apt.postgresql.org.asc] https://apt.postgresql.org/pub/repos/apt ${DEBIAN_RELEASE}-pgdg main" > /etc/apt/sources.list.d/pgdg.list; \
+    curl --silent --location https://deb.nodesource.com/setup_18.x | sudo bash -; \
+    curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | apt-key add -; \
+    echo "deb https://dl.yarnpkg.com/debian/ stable main" > /etc/apt/sources.list.d/yarn.list; \
+    apt-mark hold initscripts; \
+    apt-get update; \
+    apt-get -y upgrade; \
+    \
+    # Dependencies required to run Discourse
+    DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
+        locales \
+        locales-all \
+        git \
+        rsyslog \
+        logrotate \
+        cron \
+        ssh-client \
+        less \
+        ca-certificates \
+        rsync \
+        libxslt-dev \
+        libcurl4-openssl-dev \
+        libssl-dev \
+        libyaml-dev \
+        libtool \
+        libpcre3 \
+        libpcre3-dev \
+        zlib1g \
+        zlib1g-dev \
+        libxml2-dev \
+        gawk \
+        parallel \
+        postgresql-${PG_MAJOR} \
+        postgresql-client \
+        postgresql-contrib-${PG_MAJOR} \
+        libpq-dev \
+        postgresql-${PG_MAJOR}-pgvector \
+        libreadline-dev \
+        anacron \
+        psmisc \
+        whois \
+        brotli \
+        libunwind-dev \
+        libtcmalloc-minimal4 \
+        ripgrep \
+        poppler-utils \
+        runit \
+        socat \
+        nodejs \
+        yarn \
+        # START Nginx
+        nginx-common \
+        # END Nginx
+        # START ImageMagick
+        pngcrush \
+        pngquant \
+        libde265-0 \
+        libde265-dev \
+        libjpeg62-turbo \
+        libjpeg62-turbo-dev \
+        libwebp7 \
+        x265 \
+        libx265-dev \
+        libtool \
+        libpng16-16 \
+        libpng-dev \
+        libwebp-dev \
+        libgomp1 \
+        libwebpmux3 \
+        libwebpdemux2 \
+        ghostscript \
+        libxml2-dev \
+        libxml2-utils \
+        librsvg2-dev \
+        libltdl7-dev \
+        libbz2-dev \
+        gsfonts \
+        libtiff-dev \
+        libfreetype6-dev \
+        libjpeg-dev \
+        libheif1 \
+        libheif-dev \
+        libaom-dev \
+        # END ImageMagick
+    ; \
+    savedAptMark="$(apt-mark showmanual)"; \
+    # Dependencies required to build packages. These packages are automatically removed
+    # at the end of the RUN step.
+    DEBIAN_FRONTEND=noninteractive apt-get -y install --no-install-recommends \
+        wget \
+        gcc \
+        g++ \
+        make \
+        cmake \
+        autoconf \
+        automake \
+        libtool \
+        pkg-config \
+        autoconf \
+        yasm \
+    ; \
+    sed -i -e 's/start -q anacron/anacron -s/' /etc/cron.d/anacron; \
+    sed -i.bak 's/$ModLoad imklog/#$ModLoad imklog/' /etc/rsyslog.conf; \
+    sed -i.bak 's/module(load="imklog")/#module(load="imklog")/' /etc/rsyslog.conf; \
+    dpkg-divert --local --rename --add /sbin/initctl; \
+    sh -c "test -f /sbin/initctl || ln -s /bin/true /sbin/initctl"; \
+    mkdir -p /etc/runit/1.d; \
+    rm -f /etc/apt/apt.conf.d/40proxy; \
+    locale-gen en_US; \
+    npm install -g terser uglify-js pnpm; \
+    \
+    # Installs ImageMagick
+    /tmp/install-imagemagick; \
+    # Installs JeMalloc
+    /tmp/install-jemalloc; \
+    \
+    # Installs Nginx
+    gpg --import /tmp/nginx_public_keys.key; \
+    rm /tmp/nginx_public_keys.key; \
+    /tmp/install-nginx; \
+    # Installs Redis
+    /tmp/install-redis; \
+    # Installs Oxipng
+    /tmp/install-oxipng; \
+    echo 'gem: --no-document' >> /usr/local/etc/gemrc; \
+    gem update --system; \
+    gem install pups --force; \
+    mkdir -p /pups/bin/; \
+    ln -s /usr/local/bin/pups /pups/bin/pups; \
+    gcc -o /usr/local/sbin/thpoff /src/thpoff.c && rm /src/thpoff.c; \
+    \
+    # Discourse specific bits
+    install -dm 0755 -o discourse -g discourse /var/www/discourse; \
+    sudo -u discourse git clone --filter=tree:0 https://github.com/discourse/discourse.git /var/www/discourse; \
+    gem install bundler --conservative -v $(awk '/BUNDLED WITH/ { getline; gsub(/ /,""); print $0 }' /var/www/discourse/Gemfile.lock); \
+    \
+    # Clean up
+    rm -fr /usr/share/man; \
+    rm -fr /usr/share/doc; \
+    rm -fr /usr/share/vim/vim74/doc; \
+    rm -fr /usr/share/vim/vim74/lang; \
+    rm -fr /usr/share/vim/vim74/spell/en*; \
+    rm -fr /usr/share/vim/vim74/tutor; \
+    rm -fr /usr/local/share/doc; \
+    rm -fr /usr/local/share/ri; \
+    rm -fr /var/lib/apt/lists/*; \
+    rm -fr /root/.gem; \
+    rm -fr /root/.npm; \
+    rm -fr /tmp/*; \
+    apt-mark auto '.*' > /dev/null; \
+    apt-mark manual $savedAptMark > /dev/null; \
+    find /usr/local -type f -executable -not \( -name '*tkinter*' \) -exec ldd '{}' ';' \
+      | awk '/=>/ { so = $(NF-1); if (index(so, "/usr/local/") == 1) { next }; gsub("^/(usr/)?", "", so); printf "*%s\n", so }' \
+      | sort -u \
+      | xargs -r dpkg-query --search \
+      | cut -d: -f1 \
+      | sort -u \
+      | xargs -r apt-mark manual \
+      ; \
+    apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \
+    apt-get clean; \
+    \
+    # this is required for aarch64 which uses buildx
+    # see https://github.com/docker/buildx/issues/150
+    rm -f /etc/service
+
+COPY etc/ /etc
 COPY sbin/ /sbin
-
-# Discourse specific bits
-RUN install -dm 0755 -o discourse -g discourse /var/www/discourse &&\
-    sudo -u discourse git clone --filter=tree:0 https://github.com/discourse/discourse.git /var/www/discourse &&\
-    gem install bundler --conservative -v $(awk '/BUNDLED WITH/ { getline; gsub(/ /,""); print $0 }' /var/www/discourse/Gemfile.lock)