From 94555166601fc21f23fb9c62e385febf4e7d14c5 Mon Sep 17 00:00:00 2001 From: Jeff Wong Date: Wed, 13 Aug 2025 20:54:07 -0700 Subject: [PATCH 1/7] DEV: add separate builders for thpoff, jemalloc, and oxipng Separate out builders for thpoff, jemalloc and oxipng/jhead Copy over the results of all libraries to reduce dependencies for base image needing build tools. --- image/base/Dockerfile | 37 ++++++++++++++++++++++++------------- 1 file changed, 24 insertions(+), 13 deletions(-) diff --git a/image/base/Dockerfile b/image/base/Dockerfile index 1a1b51084..c5576f6fb 100644 --- a/image/base/Dockerfile +++ b/image/base/Dockerfile @@ -27,8 +27,23 @@ FROM builder AS nginx_builder ADD nginx_public_keys.key /tmp/nginx_public_keys.key ADD install-nginx /tmp/install-nginx RUN gpg --import /tmp/nginx_public_keys.key &&\ - rm /tmp/nginx_public_keys.key &&\ - /tmp/install-nginx + rm /tmp/nginx_public_keys.key &&\ + /tmp/install-nginx + +FROM builder AS thpoff_builder +# This tool allows us to disable huge page support for our current process +# since the flag is preserved through forks and execs it can be used on any +# process +ADD thpoff.c /src/thpoff.c +RUN gcc -o /usr/local/sbin/thpoff /src/thpoff.c && rm /src/thpoff.c + +FROM builder AS jemalloc_builder +ADD install-jemalloc /tmp/install-jemalloc +RUN /tmp/install-jemalloc + +FROM builder AS oxipng_builder +ADD install-oxipng /tmp/install-oxipng +RUN /tmp/install-oxipng FROM discourse/ruby:${RUBY_VERSION}-${DEBIAN_RELEASE}-slim AS discourse_dependencies @@ -70,6 +85,8 @@ RUN --mount=type=tmpfs,target=/var/log \ ghostscript libjbig0 libtiff6 libpng16-16 libfontconfig1 \ libwebpdemux2 libwebpmux3 libxext6 librsvg2-2 libgomp1 \ fonts-urw-base35 libheif1/${DEBIAN_RELEASE}-backports \ +# oxipng dependencies \ + advancecomp jpegoptim libjpeg-turbo-progs \ # nginx runtime dependencies \ nginx-common && \ # install these without recommends to avoid pulling in e.g. 
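Review bot: `ADD thpoff.c /src/thpoff.c` and the two new `ADD install-*` lines copy plain local files, where `COPY` is the conventional instruction (hadolint DL3020) and avoids ADD's URL and archive-extraction semantics; the nginx context lines above already use `ADD`, so this follows the file's existing habit, but fresh stages are the place to stop spreading it. The `RUN gcc -o /usr/local/sbin/thpoff /src/thpoff.c` line compiles a binary that is shipped into the runtime image with no optimisation or hardening flags; `RUN gcc -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -Wl,-z,relro,-z,now -o /usr/local/sbin/thpoff /src/thpoff.c && rm /src/thpoff.c` costs nothing here. Unlike nginx_builder, which imports signing keys before running its install script, the jemalloc and oxipng stages show no verification step in the Dockerfile; if `install-jemalloc` or `install-oxipng` fetch sources from the network (neither script is visible here), the checksum or signature check must live inside those scripts.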
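Review bot: The new comment `# oxipng dependencies \` mislabels the packages under it: `advancecomp`, `jpegoptim` and `libjpeg-turbo-progs` are standalone optimisers (advpng, jpegoptim, jpegtran), not libraries oxipng needs, and oxipng itself now arrives as a binary from oxipng_builder. Presumably these were installed by `install-oxipng` before and are being moved into the apt list, so the comment should say what they are, e.g. `# image optimisation tools formerly installed by install-oxipng \`. The trailing backslash on a comment line is harmless, since the Dockerfile parser drops comment lines before joining continuations, and it matches the neighbouring `# nginx runtime dependencies \` line. The `RUN` starts and ends outside this hunk.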
@@ -125,24 +142,18 @@ RUN ln -s /usr/local/bin/magick /usr/local/bin/animate &&\ ln -s /usr/local/bin/magick /usr/local/bin/stream &&\ test $(magick -version | grep -o -e png -e tiff -e jpeg -e freetype -e heic -e webp | wc -l) -eq 6 -ADD install-jemalloc /tmp/install-jemalloc -RUN /tmp/install-jemalloc +COPY --from=thpoff_builder /usr/local/sbin/thpoff /usr/local/sbin +COPY --from=jemalloc_builder /usr/lib/libjemalloc.so.2 /usr/lib +RUN ln -s /usr/lib/libjemalloc.so.2 /usr/lib/libjemalloc.so +COPY --from=oxipng_builder /usr/local/bin/jhead /usr/local/bin +COPY --from=oxipng_builder /usr/local/bin/oxipng /usr/local/bin ADD install-redis /tmp/install-redis -ADD install-oxipng /tmp/install-oxipng -RUN /tmp/install-oxipng - RUN gem install pups --force &&\ mkdir -p /pups/bin/ &&\ ln -s /usr/local/bin/pups /pups/bin/pups -# This tool allows us to disable huge page support for our current process -# since the flag is preserved through forks and execs it can be used on any -# process -ADD thpoff.c /src/thpoff.c -RUN gcc -o /usr/local/sbin/thpoff /src/thpoff.c && rm /src/thpoff.c - # this is required for aarch64 which uses buildx # see https://github.com/docker/buildx/issues/150 RUN rm -f /etc/service From 347784473cf4acc8a372f4efb1d47d609c7aafa9 Mon Sep 17 00:00:00 2001 From: Jeff Wong Date: Thu, 14 Aug 2025 17:06:03 -0700 Subject: [PATCH 2/7] Drop parallel Remove the dependency on parallel for two commands --- image/base/Dockerfile | 2 +- image/base/sbin/boot | 7 +++++-- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/image/base/Dockerfile b/image/base/Dockerfile index c5576f6fb..ab365b3e7 100644 --- a/image/base/Dockerfile +++ b/image/base/Dockerfile 
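Review bot: The binaries copied from the builder stages (`thpoff`, `jhead`, `oxipng`, `libjemalloc.so.2`) are dynamically linked against whatever the `builder` stage provides, yet nothing after the `COPY --from=` lines checks that they load in the `discourse/ruby:...-slim` runtime image, while imagemagick two lines up gets an explicit `test` of its features. If `builder` is ever based on a different Debian release than `${DEBIAN_RELEASE}` (its `FROM` is outside this hunk), a glibc or libjpeg mismatch would only surface at container start. A smoke check next to the copies catches that at build time: `RUN oxipng --version && jhead -V && ! ldd /usr/lib/libjemalloc.so.2 | grep -q 'not found'`. The stage continues outside the hunk in both directions.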
@@ -76,7 +76,7 @@ RUN --mount=type=tmpfs,target=/var/log \ libxslt-dev libcurl4-openssl-dev \ libssl-dev libyaml-dev libtool \ libpcre3 libpcre3-dev zlib1g zlib1g-dev \ - libxml2-dev gawk parallel \ + libxml2-dev gawk \ libreadline-dev anacron wget \ psmisc whois brotli libunwind-dev \ libtcmalloc-minimal4 cmake \ diff --git a/image/base/sbin/boot b/image/base/sbin/boot index 67fa5aa12..1c340048b 100755 --- a/image/base/sbin/boot +++ b/image/base/sbin/boot @@ -5,7 +5,7 @@ shutdown() { echo Shutting Down /etc/runit/3 - ls /etc/service | SHELL=/bin/sh parallel sv force-stop {} + ls /etc/service | xargs sv force-stop kill -HUP $RUNSVDIR wait $RUNSVDIR @@ -13,7 +13,10 @@ shutdown() { sleep 0.1 ORPHANS=`ps -eo pid | grep -v PID | tr -d ' ' | grep -v '^1$'` - SHELL=/bin/bash parallel 'timeout 5 /bin/bash -c "kill {} && wait {}" || kill -9 {}' ::: $ORPHANS 2> /dev/null + for pid in $ORPHANS; do + (timeout 5 /bin/bash -c "kill $pid && wait $pid" 2>/dev/null || kill -9 $pid 2>/dev/null) & + done + wait exit } From 25968541802268c31858c411f006698f73ff39ec Mon Sep 17 00:00:00 2001 From: Jeff Wong Date: Fri, 15 Aug 2025 08:57:49 -0700 Subject: [PATCH 3/7] mount tmpfs for apt caches --- image/base/Dockerfile | 2 ++ 1 file changed, 2 insertions(+) diff --git a/image/base/Dockerfile b/image/base/Dockerfile index ab365b3e7..4288940bf 100644 --- a/image/base/Dockerfile +++ b/image/base/Dockerfile @@ -69,6 +69,8 @@ RUN echo 2.0.`date +%Y%m%d` > /VERSION RUN echo "deb http://deb.debian.org/debian ${DEBIAN_RELEASE}-backports main" > "/etc/apt/sources.list.d/${DEBIAN_RELEASE}-backports.list" RUN --mount=type=tmpfs,target=/var/log \ + --mount=type=tmpfs,target=/var/cache/apt \ + --mount=type=tmpfs,target=/var/lib/apt \ echo "debconf debconf/frontend select Teletype" | debconf-set-selections; \ apt-get -y update && DEBIAN_FRONTEND=noninteractive apt-get -y install gnupg sudo curl fping locales \ ca-certificates rsync \ 
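Review bot: `ls /etc/service | xargs sv force-stop` still runs `sv force-stop` with no arguments when /etc/service is empty, because GNU xargs executes the command once even on empty input, producing a usage error; `xargs -r` (`--no-run-if-empty`) avoids that. The replaced `parallel` form ran one `sv` per service concurrently, whereas the new form hands every service name to a single `sv` invocation; if sv waits out its per-service stop timeout (7 s by default) one service at a time, shutdown now scales with the number of services, and `ls /etc/service | xargs -r -n1 -P0 sv force-stop` keeps the old concurrency. The rest of `shutdown()` lies outside this hunk.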
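Review bot: `wait $pid` inside the fresh `/bin/bash -c` can only wait on children of that new bash, and an orphan reparented to PID 1 is not one, so the builtin fails immediately ("not a child of this shell") and the `||` branch sends `kill -9` straight away; the intended 5-second grace period never happens. The `parallel` line this replaces carried the same `wait`, so the defect is pre-existing, but the loop is being rewritten anyway. Polling for exit instead of calling `wait` fixes it; a process that has become a zombie is treated as gone (the trailing `wait` in the boot shell reaps it), and that same `wait` still collects the background subshells as before. `shutdown()` continues outside the hunk.
```shell
for pid in $ORPHANS; do
  (
    kill "$pid" 2>/dev/null &&
      timeout 5 /bin/bash -c "while [ -d /proc/$pid ] && ! grep -q '^State:.Z' /proc/$pid/status 2>/dev/null; do sleep 0.1; done" ||
      kill -9 "$pid" 2>/dev/null
  ) &
done
wait
```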
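Review bot: `--mount=type=tmpfs,target=/var/lib/apt` discards more than the package lists: apt also writes `/var/lib/apt/extended_states`, its record of which packages were installed automatically as dependencies, into the tmpfs, so after this `RUN` the image keeps only whatever the base image had and a later `apt-get autoremove` cannot tell the dependencies pulled in here from the packages explicitly requested. Narrowing the mount to `--mount=type=tmpfs,target=/var/lib/apt/lists \` still drops the lists while keeping that state; the `/var/cache/apt` mount is fine as is. Whether anything later runs autoremove is not visible here, so treat this as a precaution. The `RUN` continues outside the hunk.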
From 655a376c082e74c8367517dce795a77d2fd2f52e Mon Sep 17 00:00:00 2001 From: Jeff Wong Date: Tue, 19 Aug 2025 12:54:07 -0700 Subject: [PATCH 4/7] DEV: only install nginx runtime packages drop -dev packages for nginx compilation now that this is separate --- image/base/Dockerfile | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/image/base/Dockerfile b/image/base/Dockerfile index 4288940bf..b4ead6a3d 100644 --- a/image/base/Dockerfile +++ b/image/base/Dockerfile @@ -77,12 +77,13 @@ RUN --mount=type=tmpfs,target=/var/log \ cmake g++ pkg-config patch \ libxslt-dev libcurl4-openssl-dev \ libssl-dev libyaml-dev libtool \ - libpcre3 libpcre3-dev zlib1g zlib1g-dev \ libxml2-dev gawk \ libreadline-dev anacron wget \ psmisc whois brotli libunwind-dev \ libtcmalloc-minimal4 cmake \ pngcrush pngquant ripgrep poppler-utils \ +# nginx runtime dependencies + libpcre3 zlib1g \ # imagemagick runtime dependencies ghostscript libjbig0 libtiff6 libpng16-16 libfontconfig1 \ libwebpdemux2 libwebpmux3 libxext6 librsvg2-2 libgomp1 \ From c28395bc0ac0479998c63b0ac9e2caa37b1a4555 Mon Sep 17 00:00:00 2001 From: Jeff Wong Date: Tue, 19 Aug 2025 13:09:16 -0700 Subject: [PATCH 5/7] Remove libtcmalloc - this is unreferenced ..and remove extra cmake reference, this is already in a line above --- image/base/Dockerfile | 1 - 1 file changed, 1 deletion(-) diff --git a/image/base/Dockerfile b/image/base/Dockerfile index b4ead6a3d..42bcc4c4f 100644 --- a/image/base/Dockerfile +++ b/image/base/Dockerfile @@ -80,7 +80,6 @@ RUN --mount=type=tmpfs,target=/var/log \ libxml2-dev gawk \ libreadline-dev anacron wget \ psmisc whois brotli libunwind-dev \ - libtcmalloc-minimal4 cmake \ pngcrush pngquant ripgrep poppler-utils \ # nginx runtime dependencies libpcre3 zlib1g \ From 7d9e6fe55a9e33666e8769feb45590f28802460d Mon Sep 17 00:00:00 2001 
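Review bot: The new `# nginx runtime dependencies` group lists `libpcre3 zlib1g` but no libssl runtime package, although a TLS-enabled nginx built in nginx_builder needs it at run time; today it arrives only transitively through `libssl-dev` under the build dependencies a few lines up, so as soon as those `-dev` packages move to a builder stage (the direction this series is taking) nginx would silently lose its library. Naming it explicitly, e.g. `libpcre3 zlib1g libssl3 \` on bookworm (the package name varies with `${DEBIAN_RELEASE}`), makes the runtime contract self-contained. Which libraries nginx was actually configured with is not visible in this diff, so confirm against `install-nginx`. The `RUN` starts and ends outside the hunk.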
From: Jeff Wong Date: Tue, 19 Aug 2025 13:16:10 -0700 Subject: [PATCH 6/7] DEV: organize apt installs --- image/base/Dockerfile | 21 ++++++++++++++------- 1 file changed, 14 insertions(+), 7 deletions(-) diff --git a/image/base/Dockerfile b/image/base/Dockerfile index 42bcc4c4f..b5afce9ff 100644 --- a/image/base/Dockerfile +++ b/image/base/Dockerfile @@ -72,15 +72,22 @@ RUN --mount=type=tmpfs,target=/var/log \ --mount=type=tmpfs,target=/var/cache/apt \ --mount=type=tmpfs,target=/var/lib/apt \ echo "debconf debconf/frontend select Teletype" | debconf-set-selections; \ - apt-get -y update && DEBIAN_FRONTEND=noninteractive apt-get -y install gnupg sudo curl fping locales \ + apt-get -y update && DEBIAN_FRONTEND=noninteractive apt-get -y install \ + gnupg sudo curl fping locales \ ca-certificates rsync \ - cmake g++ pkg-config patch \ - libxslt-dev libcurl4-openssl-dev \ - libssl-dev libyaml-dev libtool \ - libxml2-dev gawk \ - libreadline-dev anacron wget \ - psmisc whois brotli libunwind-dev \ + gawk anacron wget \ + psmisc whois brotli \ pngcrush pngquant ripgrep poppler-utils \ +# gem build dependencies + cmake g++ pkg-config patch \ + libtool \ + libxslt-dev \ + libcurl4-openssl-dev \ + libssl-dev \ + libyaml-dev \ + libxml2-dev \ + libreadline-dev \ + libunwind-dev \ # nginx runtime dependencies libpcre3 zlib1g \ # imagemagick runtime dependencies From 6f3099209f329a997c3223a6420214113ca639ed Mon Sep 17 00:00:00 2001 From: Jeff Wong Date: Tue, 19 Aug 2025 13:23:59 -0700 Subject: [PATCH 7/7] correct copy libjemalloc.so Build in arm vs amd64 acts a bit differently - arm builds to libjemalloc.so.2 and symlinks whereas amd64 does not. build and copy over library directly to /usr/lib/libjemalloc.so in both cases. --- image/base/Dockerfile | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/image/base/Dockerfile b/image/base/Dockerfile index b5afce9ff..19ef39582 100644 --- a/image/base/Dockerfile +++ b/image/base/Dockerfile 
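Review bot: The regrouping labels the `# gem build dependencies`, nginx and imagemagick sets, but the first block (`gnupg sudo curl fping locales` through `pngcrush pngquant ripgrep poppler-utils`) gets no header, and the gem-group comment does not say why compilers and `-dev` headers stay in the runtime image at all, which is exactly the question the series' stated aim of keeping build tools out of the base image raises. If native gems are compiled at container bootstrap rather than at image build time (inferred, not visible here), say so on the comment line: `# gem build dependencies (kept: native gems are compiled at bootstrap, not at image build)`, and give the first block a header such as `# runtime tools`. The `RUN` starts and ends outside the hunk.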
@@ -152,8 +152,7 @@ RUN ln -s /usr/local/bin/magick /usr/local/bin/animate &&\ test $(magick -version | grep -o -e png -e tiff -e jpeg -e freetype -e heic -e webp | wc -l) -eq 6 COPY --from=thpoff_builder /usr/local/sbin/thpoff /usr/local/sbin -COPY --from=jemalloc_builder /usr/lib/libjemalloc.so.2 /usr/lib -RUN ln -s /usr/lib/libjemalloc.so.2 /usr/lib/libjemalloc.so +COPY --from=jemalloc_builder /usr/lib/libjemalloc.so /usr/lib COPY --from=oxipng_builder /usr/local/bin/jhead /usr/local/bin COPY --from=oxipng_builder /usr/local/bin/oxipng /usr/local/bin
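Review bot: With only `COPY --from=jemalloc_builder /usr/lib/libjemalloc.so /usr/lib`, the runtime image no longer carries `libjemalloc.so.2`, the SONAME the library advertises (the `.so.2` file this hunk removes), so anything linked against jemalloc at build time, such as a native gem built with `-ljemalloc`, would fail to load, while `LD_PRELOAD=/usr/lib/libjemalloc.so` style use keeps working; if preloading is the only consumer, a comment on the line should say so. On arm the copied path is, per the commit message, a symlink in the builder, so the result relies on BuildKit's COPY resolving a symlink given as source, and a dangling link or a library that does not load against the runtime glibc would only be noticed at container start; `RUN test -f /usr/lib/libjemalloc.so && ! ldd /usr/lib/libjemalloc.so | grep -q 'not found'` catches both at build time. The hunk may end on a blank context line hidden by the collapsed formatting.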