From de4d64e9cb77f7798a0c4a1a4bfa293a59d62491 Mon Sep 17 00:00:00 2001 From: Ed Morley <501702+edmorley@users.noreply.github.com> Date: Fri, 8 Mar 2024 22:52:30 +0000 Subject: [PATCH 01/24] Switch Heroku-24 to the deb822 APT sources format (#255) Since the upstream Ubuntu 24.04 image's default APT sources list now uses a new file location and APT's deb822 sources format. Fixes the warnings of form: `Target Packages (...) is configured multiple times in /etc/apt/sources.list` See: https://bugs.launchpad.net/ubuntu/+source/livecd-rootfs/+bug/2048129 https://discourse.ubuntu.com/t/spec-apt-deb822-sources-by-default/29333/1 Fixes #254. GUS-W-15213103. --- heroku-24/setup.sh | 38 ++++++++++++++++++++++++++++++-------- 1 file changed, 30 insertions(+), 8 deletions(-) diff --git a/heroku-24/setup.sh b/heroku-24/setup.sh index 118c0e19..79023e92 100755 --- a/heroku-24/setup.sh +++ b/heroku-24/setup.sh 
@@ -8,14 +8,36 @@ set -x export DEBIAN_FRONTEND=noninteractive -# The default sources list minus backports, restricted and multiverse. -cat >/etc/apt/sources.list </etc/apt/sources.list.d/ubuntu.sources < Date: Mon, 11 Mar 2024 10:46:22 +0000 Subject: [PATCH 02/24] Use `RUN --mount` instead of `COPY` or inlining files (#256) This backports the `RUN --mount` change from Heroku-24 to Heroku-20 and Heroku-22, which saves needing to `COPY` in the temporary `setup.sh` script, thereby (a) reducing layer count (by 1 for the runtime images and 2 for the build variants), (b) avoiding the deleted `setup.sh` being shipped in the image (not accessible, since it's in an earlier layer). In addition, this allows us to stop inlining the Postgres APT GPG key and ImageMagick policy in `setup.sh`, making the script easier to read. I've left the inlined APT sources list, since (a) they use concatenation and so can't be replaced by a plain file copy, (b) they are smaller to inline, (c) the APT sources are arguably more important content to see upfront when reading `setup.sh`, without needing to switch to another file. --- heroku-20-build/Dockerfile | 3 +- heroku-20/Dockerfile | 3 +- heroku-20/imagemagick-policy.xml | 13 ++++ heroku-20/postgresql-ACCC4CF8.asc | 77 ++++++++++++++++++++++++ heroku-20/setup.sh | 99 +------------------------------ heroku-22-build/Dockerfile | 3 +- heroku-22/Dockerfile | 3 +- heroku-22/imagemagick-policy.xml | 13 ++++ heroku-22/postgresql-ACCC4CF8.asc | 77 ++++++++++++++++++++++++ heroku-22/setup.sh | 99 +------------------------------ heroku-24/postgresql-ACCC4CF8.asc | 77 ++++++++++++++++++++++++ heroku-24/setup.sh | 82 +------------------------ 12 files changed, 266 insertions(+), 283 deletions(-) create mode 100644 heroku-20/imagemagick-policy.xml create mode 100644 heroku-20/postgresql-ACCC4CF8.asc create mode 100644 heroku-22/imagemagick-policy.xml create mode 100644 heroku-22/postgresql-ACCC4CF8.asc create mode 100644 heroku-24/postgresql-ACCC4CF8.asc 
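Review bot: Only the two redirect targets of this hunk are legible in this rendering (the heredoc bodies were lost), so the point is about what the conversion leaves behind: the Ubuntu sources now go to `/etc/apt/sources.list.d/ubuntu.sources` in deb822 form, but the PostgreSQL repository that this same script appends further down (line 51 of the post-commit file per the next patch's hunk header, `cat >>/etc/apt/sources.list` followed by `apt-key add`) stays in one-line form with its key registered in APT's global trusted keyring, i.e. trusted for every configured repository rather than only PGDG. While the file is being moved to deb822, that entry could become a second stanza with its own `Signed-By:` pointing at the PGDG key file, matching the `Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg` the new Ubuntu stanza already carries. That also removes the last use of the deprecated apt-key from this script.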
diff --git a/heroku-20-build/Dockerfile b/heroku-20-build/Dockerfile
index a2a734a6..e263c67c 100644
--- a/heroku-20-build/Dockerfile
+++ b/heroku-20-build/Dockerfile
@@ -1,4 +1,3 @@
 ARG BASE_IMAGE=heroku/heroku:20
 FROM $BASE_IMAGE
-COPY setup.sh /tmp/setup.sh
-RUN /tmp/setup.sh
+RUN --mount=target=/build /build/setup.sh
diff --git a/heroku-20/Dockerfile b/heroku-20/Dockerfile
index 013a998d..42727225 100644
--- a/heroku-20/Dockerfile
+++ b/heroku-20/Dockerfile
@@ -1,3 +1,2 @@
 FROM ubuntu:20.04
-COPY setup.sh /tmp/setup.sh
-RUN /tmp/setup.sh
+RUN --mount=target=/build /build/setup.sh
diff --git a/heroku-20/imagemagick-policy.xml b/heroku-20/imagemagick-policy.xml
new file mode 100644
index 00000000..18cd3b36
--- /dev/null
+++ b/heroku-20/imagemagick-policy.xml
@@ -0,0 +1,13 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/heroku-20/postgresql-ACCC4CF8.asc b/heroku-20/postgresql-ACCC4CF8.asc
new file mode 100644
index 00000000..8480576e
--- /dev/null
+++ b/heroku-20/postgresql-ACCC4CF8.asc
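Review bot: `RUN --mount=target=/build /build/setup.sh` relies on two unstated defaults of a BuildKit-only feature — `type=bind`, with the whole build context as the source, mounted read-only for this instruction only — and the classic builder rejects `--mount` outright, none of which the Dockerfile says. A comment above the line, e.g. `# BuildKit bind-mounts the build context at /build for this RUN only, so setup.sh and the files it copies never land in an image layer.`, or spelling the mount out as `RUN --mount=type=bind,target=/build /build/setup.sh`, would make that contract explicit. The same line is added in heroku-20/Dockerfile, heroku-22-build/Dockerfile and heroku-22/Dockerfile.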
@@ -0,0 +1,77 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQINBE6XR8IBEACVdDKT2HEH1IyHzXkb4nIWAY7echjRxo7MTcj4vbXAyBKOfjja +UrBEJWHN6fjKJXOYWXHLIYg0hOGeW9qcSiaa1/rYIbOzjfGfhE4x0Y+NJHS1db0V +G6GUj3qXaeyqIJGS2z7m0Thy4Lgr/LpZlZ78Nf1fliSzBlMo1sV7PpP/7zUO+aA4 +bKa8Rio3weMXQOZgclzgeSdqtwKnyKTQdXY5MkH1QXyFIk1nTfWwyqpJjHlgtwMi +c2cxjqG5nnV9rIYlTTjYG6RBglq0SmzF/raBnF4Lwjxq4qRqvRllBXdFu5+2pMfC +IZ10HPRdqDCTN60DUix+BTzBUT30NzaLhZbOMT5RvQtvTVgWpeIn20i2NrPWNCUh +hj490dKDLpK/v+A5/i8zPvN4c6MkDHi1FZfaoz3863dylUBR3Ip26oM0hHXf4/2U +A/oA4pCl2W0hc4aNtozjKHkVjRx5Q8/hVYu+39csFWxo6YSB/KgIEw+0W8DiTII3 +RQj/OlD68ZDmGLyQPiJvaEtY9fDrcSpI0Esm0i4sjkNbuuh0Cvwwwqo5EF1zfkVj +Tqz2REYQGMJGc5LUbIpk5sMHo1HWV038TWxlDRwtOdzw08zQA6BeWe9FOokRPeR2 +AqhyaJJwOZJodKZ76S+LDwFkTLzEKnYPCzkoRwLrEdNt1M7wQBThnC5z6wARAQAB +tBxQb3N0Z3JlU1FMIERlYmlhbiBSZXBvc2l0b3J5iQJOBBMBCAA4AhsDBQsJCAcD +BRUKCQgLBRYCAwEAAh4BAheAFiEEuXsK/KoaR/BE8kSgf8x9RqzMTPgFAlhtCD8A +CgkQf8x9RqzMTPgECxAAk8uL+dwveTv6eH21tIHcltt8U3Ofajdo+D/ayO53LiYO +xi27kdHD0zvFMUWXLGxQtWyeqqDRvDagfWglHucIcaLxoxNwL8+e+9hVFIEskQAY +kVToBCKMXTQDLarz8/J030Pmcv3ihbwB+jhnykMuyyNmht4kq0CNgnlcMCdVz0d3 +z/09puryIHJrD+A8y3TD4RM74snQuwc9u5bsckvRtRJKbP3GX5JaFZAqUyZNRJRJ +Tn2OQRBhCpxhlZ2afkAPFIq2aVnEt/Ie6tmeRCzsW3lOxEH2K7MQSfSu/kRz7ELf +Cz3NJHj7rMzC+76Rhsas60t9CjmvMuGONEpctijDWONLCuch3Pdj6XpC+MVxpgBy +2VUdkunb48YhXNW0jgFGM/BFRj+dMQOUbY8PjJjsmVV0joDruWATQG/M4C7O8iU0 +B7o6yVv4m8LDEN9CiR6r7H17m4xZseT3f+0QpMe7iQjz6XxTUFRQxXqzmNnloA1T +7VjwPqIIzkj/u0V8nICG/ktLzp1OsCFatWXh7LbU+hwYl6gsFH/mFDqVxJ3+DKQi +vyf1NatzEwl62foVjGUSpvh3ymtmtUQ4JUkNDsXiRBWczaiGSuzD9Qi0ONdkAX3b +ewqmN4TfE+XIpCPxxHXwGq9Rv1IFjOdCX0iG436GHyTLC1tTUIKF5xV4Y0+cXIOI +RgQQEQgABgUCTpdI7gAKCRDFr3dKWFELWqaPAKD1TtT5c3sZz92Fj97KYmqbNQZP ++ACfSC6+hfvlj4GxmUjp1aepoVTo3weJAhwEEAEIAAYFAk6XSQsACgkQTFprqxLS +p64F8Q//cCcutwrH50UoRFejg0EIZav6LUKejC6kpLeubbEtuaIH3r2zMblPGc4i ++eMQKo/PqyQrceRXeNNlqO6/exHozYi2meudxa6IudhwJIOn1MQykJbNMSC2sGUp +1W5M1N5EYgt4hy+qhlfnD66LR4G+9t5FscTJSy84SdiOuqgCOpQmPkVRm1HX5X1+ 
+dmnzMOCk5LHHQuiacV0qeGO7JcBCVEIDr+uhU1H2u5GPFNHm5u15n25tOxVivb94 +xg6NDjouECBH7cCVuW79YcExH/0X3/9G45rjdHlKPH1OIUJiiX47OTxdG3dAbB4Q +fnViRJhjehFscFvYWSqXo3pgWqUsEvv9qJac2ZEMSz9x2mj0ekWxuM6/hGWxJdB+ ++985rIelPmc7VRAXOjIxWknrXnPCZAMlPlDLu6+vZ5BhFX0Be3y38f7GNCxFkJzl +hWZ4Cj3WojMj+0DaC1eKTj3rJ7OJlt9S9xnO7OOPEUTGyzgNIDAyCiu8F4huLPaT +ape6RupxOMHZeoCVlqx3ouWctelB2oNXcxxiQ/8y+21aHfD4n/CiIFwDvIQjl7dg +mT3u5Lr6yxuosR3QJx1P6rP5ZrDTP9khT30t+HZCbvs5Pq+v/9m6XDmi+NlU7Zuh +Ehy97tL3uBDgoL4b/5BpFL5U9nruPlQzGq1P9jj40dxAaDAX/WKJAj0EEwEIACcC +GwMFCwkIBwMFFQoJCAsFFgIDAQACHgECF4AFAlB5KywFCQPDFt8ACgkQf8x9RqzM +TPhuCQ//QAjRSAOCQ02qmUAikT+mTB6baOAakkYq6uHbEO7qPZkv4E/M+HPIJ4wd +nBNeSQjfvdNcZBA/x0hr5EMcBneKKPDj4hJ0panOIRQmNSTThQw9OU351gm3YQct +AMPRUu1fTJAL/AuZUQf9ESmhyVtWNlH/56HBfYjE4iVeaRkkNLJyX3vkWdJSMwC/ +LO3Lw/0M3R8itDsm74F8w4xOdSQ52nSRFRh7PunFtREl+QzQ3EA/WB4AIj3VohIG +kWDfPFCzV3cyZQiEnjAe9gG5pHsXHUWQsDFZ12t784JgkGyO5wT26pzTiuApWM3k +/9V+o3HJSgH5hn7wuTi3TelEFwP1fNzI5iUUtZdtxbFOfWMnZAypEhaLmXNkg4zD +kH44r0ss9fR0DAgUav1a25UnbOn4PgIEQy2fgHKHwRpCy20d6oCSlmgyWsR40EPP +YvtGq49A2aK6ibXmdvvFT+Ts8Z+q2SkFpoYFX20mR2nsF0fbt1lfH65P64dukxeR +GteWIeNakDD40bAAOH8+OaoTGVBJ2ACJfLVNM53PEoftavAwUYMrR910qvwYfd/4 +6rh46g1Frr9SFMKYE9uvIJIgDsQB3QBp71houU4H55M5GD8XURYs+bfiQpJG1p7e +B8e5jZx1SagNWc4XwL2FzQ9svrkbg1Y+359buUiP7T6QXX2zY++JAj0EEwEIACcC +GwMFCwkIBwMFFQoJCAsFFgIDAQACHgECF4AFAlEqbZUFCQg2wEEACgkQf8x9RqzM +TPhFMQ//WxAfKMdpSIA9oIC/yPD/dJpY/+DyouOljpE6MucMy/ArBECjFTBwi/j9 +NYM4ynAk34IkhuNexc1i9/05f5RM6+riLCLgAOsADDbHD4miZzoSxiVr6GQ3YXMb +OGld9kV9Sy6mGNjcUov7iFcf5Hy5w3AjPfKuR9zXswyfzIU1YXObiiZT38l55pp/ +BSgvGVQsvbNjsff5CbEKXS7q3xW+WzN0QWF6YsfNVhFjRGj8hKtHvwKcA02wwjLe +LXVTm6915ZUKhZXUFc0vM4Pj4EgNswH8Ojw9AJaKWJIZmLyW+aP+wpu6YwVCicxB +Y59CzBO2pPJDfKFQzUtrErk9irXeuCCLesDyirxJhv8o0JAvmnMAKOLhNFUrSQ2m ++3EnF7zhfz70gHW+EG8X8mL/EN3/dUM09j6TVrjtw43RLxBzwMDeariFF9yC+5bL +tnGgxjsB9Ik6GV5v34/NEEGf1qBiAzFmDVFRZlrNDkq6gmpvGnA5hUWNr+y0i01L +jGyaLSWHYjgw2UEQOqcUtTFK9MNzbZze4mVaHMEz9/aMfX25R6qbiNqCChveIm8m 
+Yr5Ds2zdZx+G5bAKdzX7nx2IUAxFQJEE94VLSp3npAaTWv3sHr7dR8tSyUJ9poDw +gw4W9BIcnAM7zvFYbLF5FNggg/26njHCCN70sHt8zGxKQINMc6SJAj0EEwEIACcC +GwMFCwkIBwMFFQoJCAsFFgIDAQACHgECF4AFAlLpFRkFCQ6EJy0ACgkQf8x9RqzM +TPjOZA//Zp0e25pcvle7cLc0YuFr9pBv2JIkLzPm83nkcwKmxaWayUIG4Sv6pH6h +m8+S/CHQij/yFCX+o3ngMw2J9HBUvafZ4bnbI0RGJ70GsAwraQ0VlkIfg7GUw3Tz +voGYO42rZTru9S0K/6nFP6D1HUu+U+AsJONLeb6oypQgInfXQExPZyliUnHdipei +4WR1YFW6sjSkZT/5C3J1wkAvPl5lvOVthI9Zs6bZlJLZwusKxU0UM4Btgu1Sf3nn +JcHmzisixwS9PMHE+AgPWIGSec/N27a0KmTTvImV6K6nEjXJey0K2+EYJuIBsYUN +orOGBwDFIhfRk9qGlpgt0KRyguV+AP5qvgry95IrYtrOuE7307SidEbSnvO5ezNe +mE7gT9Z1tM7IMPfmoKph4BfpNoH7aXiQh1Wo+ChdP92hZUtQrY2Nm13cmkxYjQ4Z +gMWfYMC+DA/GooSgZM5i6hYqyyfAuUD9kwRN6BqTbuAUAp+hCWYeN4D88sLYpFh3 +paDYNKJ+Gf7Yyi6gThcV956RUFDH3ys5Dk0vDL9NiWwdebWfRFbzoRM3dyGP889a +OyLzS3mh6nHzZrNGhW73kslSQek8tjKrB+56hXOnb4HaElTZGDvD5wmrrhN94kby +Gtz3cydIohvNO9d90+29h0eGEDYti7j7maHkBKUAwlcPvMg5m3Y= +=DA1T +-----END PGP PUBLIC KEY BLOCK----- diff --git a/heroku-20/setup.sh b/heroku-20/setup.sh index 62465a00..2a3573d0 100755 --- a/heroku-20/setup.sh +++ b/heroku-20/setup.sh @@ -26,87 +26,7 @@ apt-get install -y --no-install-recommends gnupg cat >>/etc/apt/sources.list < /etc/ImageMagick-6/policy.xml <<'IMAGEMAGICK_POLICY' - - - - - - - - - - - - - -IMAGEMAGICK_POLICY +cp /build/imagemagick-policy.xml /etc/ImageMagick-6/policy.xml # Temporarily install ca-certificates-java to generate the certificates store used # by Java apps. Generation occurs in a post-install script which requires a JRE. diff --git a/heroku-22-build/Dockerfile b/heroku-22-build/Dockerfile index febaf305..bc831166 100644 --- a/heroku-22-build/Dockerfile +++ b/heroku-22-build/Dockerfile @@ -1,4 +1,3 @@ ARG BASE_IMAGE=heroku/heroku:22 FROM $BASE_IMAGE -COPY setup.sh /tmp/setup.sh -RUN /tmp/setup.sh +RUN --mount=target=/build /build/setup.sh diff --git a/heroku-22/Dockerfile b/heroku-22/Dockerfile index 35da0384..65c35116 100644 --- a/heroku-22/Dockerfile +++ b/heroku-22/Dockerfile 
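Review bot: The `apt-key add /build/postgresql-ACCC4CF8.asc` line this hunk introduces (its heredoc lines are garbled in this rendering, but the line is visible as context in the next patch) still installs the PGDG key into APT's global trusted keyring, where it validates every configured repository and not just PGDG, and apt-key itself is deprecated upstream. Now that the key is a standalone file in the build context, it can instead be placed next to the Ubuntu keyring and scoped to its repository: `cp /build/postgresql-ACCC4CF8.asc /usr/share/keyrings/postgresql-ACCC4CF8.asc` and `deb [signed-by=/usr/share/keyrings/postgresql-ACCC4CF8.asc] http://apt.postgresql.org/pub/repos/apt/ focal-pgdg main` in the sources heredoc. If gnupg is only installed for apt-key, as the `# Required by apt-key` comment visible in the next patch suggests, that install could then go too. The heroku-22/setup.sh and heroku-24/setup.sh hunks in this patch have the same shape.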
@@ -1,3 +1,2 @@
 FROM ubuntu:22.04
-COPY setup.sh /tmp/setup.sh
-RUN /tmp/setup.sh
+RUN --mount=target=/build /build/setup.sh
diff --git a/heroku-22/imagemagick-policy.xml b/heroku-22/imagemagick-policy.xml
new file mode 100644
index 00000000..f0ab0d66
--- /dev/null
+++ b/heroku-22/imagemagick-policy.xml
@@ -0,0 +1,13 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/heroku-22/postgresql-ACCC4CF8.asc b/heroku-22/postgresql-ACCC4CF8.asc
new file mode 100644
index 00000000..8480576e
--- /dev/null
+++ b/heroku-22/postgresql-ACCC4CF8.asc
@@ -0,0 +1,77 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQINBE6XR8IBEACVdDKT2HEH1IyHzXkb4nIWAY7echjRxo7MTcj4vbXAyBKOfjja +UrBEJWHN6fjKJXOYWXHLIYg0hOGeW9qcSiaa1/rYIbOzjfGfhE4x0Y+NJHS1db0V +G6GUj3qXaeyqIJGS2z7m0Thy4Lgr/LpZlZ78Nf1fliSzBlMo1sV7PpP/7zUO+aA4 +bKa8Rio3weMXQOZgclzgeSdqtwKnyKTQdXY5MkH1QXyFIk1nTfWwyqpJjHlgtwMi +c2cxjqG5nnV9rIYlTTjYG6RBglq0SmzF/raBnF4Lwjxq4qRqvRllBXdFu5+2pMfC +IZ10HPRdqDCTN60DUix+BTzBUT30NzaLhZbOMT5RvQtvTVgWpeIn20i2NrPWNCUh +hj490dKDLpK/v+A5/i8zPvN4c6MkDHi1FZfaoz3863dylUBR3Ip26oM0hHXf4/2U +A/oA4pCl2W0hc4aNtozjKHkVjRx5Q8/hVYu+39csFWxo6YSB/KgIEw+0W8DiTII3 +RQj/OlD68ZDmGLyQPiJvaEtY9fDrcSpI0Esm0i4sjkNbuuh0Cvwwwqo5EF1zfkVj +Tqz2REYQGMJGc5LUbIpk5sMHo1HWV038TWxlDRwtOdzw08zQA6BeWe9FOokRPeR2 +AqhyaJJwOZJodKZ76S+LDwFkTLzEKnYPCzkoRwLrEdNt1M7wQBThnC5z6wARAQAB +tBxQb3N0Z3JlU1FMIERlYmlhbiBSZXBvc2l0b3J5iQJOBBMBCAA4AhsDBQsJCAcD +BRUKCQgLBRYCAwEAAh4BAheAFiEEuXsK/KoaR/BE8kSgf8x9RqzMTPgFAlhtCD8A +CgkQf8x9RqzMTPgECxAAk8uL+dwveTv6eH21tIHcltt8U3Ofajdo+D/ayO53LiYO +xi27kdHD0zvFMUWXLGxQtWyeqqDRvDagfWglHucIcaLxoxNwL8+e+9hVFIEskQAY +kVToBCKMXTQDLarz8/J030Pmcv3ihbwB+jhnykMuyyNmht4kq0CNgnlcMCdVz0d3 +z/09puryIHJrD+A8y3TD4RM74snQuwc9u5bsckvRtRJKbP3GX5JaFZAqUyZNRJRJ +Tn2OQRBhCpxhlZ2afkAPFIq2aVnEt/Ie6tmeRCzsW3lOxEH2K7MQSfSu/kRz7ELf +Cz3NJHj7rMzC+76Rhsas60t9CjmvMuGONEpctijDWONLCuch3Pdj6XpC+MVxpgBy +2VUdkunb48YhXNW0jgFGM/BFRj+dMQOUbY8PjJjsmVV0joDruWATQG/M4C7O8iU0 +B7o6yVv4m8LDEN9CiR6r7H17m4xZseT3f+0QpMe7iQjz6XxTUFRQxXqzmNnloA1T +7VjwPqIIzkj/u0V8nICG/ktLzp1OsCFatWXh7LbU+hwYl6gsFH/mFDqVxJ3+DKQi +vyf1NatzEwl62foVjGUSpvh3ymtmtUQ4JUkNDsXiRBWczaiGSuzD9Qi0ONdkAX3b +ewqmN4TfE+XIpCPxxHXwGq9Rv1IFjOdCX0iG436GHyTLC1tTUIKF5xV4Y0+cXIOI +RgQQEQgABgUCTpdI7gAKCRDFr3dKWFELWqaPAKD1TtT5c3sZz92Fj97KYmqbNQZP ++ACfSC6+hfvlj4GxmUjp1aepoVTo3weJAhwEEAEIAAYFAk6XSQsACgkQTFprqxLS +p64F8Q//cCcutwrH50UoRFejg0EIZav6LUKejC6kpLeubbEtuaIH3r2zMblPGc4i ++eMQKo/PqyQrceRXeNNlqO6/exHozYi2meudxa6IudhwJIOn1MQykJbNMSC2sGUp +1W5M1N5EYgt4hy+qhlfnD66LR4G+9t5FscTJSy84SdiOuqgCOpQmPkVRm1HX5X1+ 
+dmnzMOCk5LHHQuiacV0qeGO7JcBCVEIDr+uhU1H2u5GPFNHm5u15n25tOxVivb94 +xg6NDjouECBH7cCVuW79YcExH/0X3/9G45rjdHlKPH1OIUJiiX47OTxdG3dAbB4Q +fnViRJhjehFscFvYWSqXo3pgWqUsEvv9qJac2ZEMSz9x2mj0ekWxuM6/hGWxJdB+ ++985rIelPmc7VRAXOjIxWknrXnPCZAMlPlDLu6+vZ5BhFX0Be3y38f7GNCxFkJzl +hWZ4Cj3WojMj+0DaC1eKTj3rJ7OJlt9S9xnO7OOPEUTGyzgNIDAyCiu8F4huLPaT +ape6RupxOMHZeoCVlqx3ouWctelB2oNXcxxiQ/8y+21aHfD4n/CiIFwDvIQjl7dg +mT3u5Lr6yxuosR3QJx1P6rP5ZrDTP9khT30t+HZCbvs5Pq+v/9m6XDmi+NlU7Zuh +Ehy97tL3uBDgoL4b/5BpFL5U9nruPlQzGq1P9jj40dxAaDAX/WKJAj0EEwEIACcC +GwMFCwkIBwMFFQoJCAsFFgIDAQACHgECF4AFAlB5KywFCQPDFt8ACgkQf8x9RqzM +TPhuCQ//QAjRSAOCQ02qmUAikT+mTB6baOAakkYq6uHbEO7qPZkv4E/M+HPIJ4wd +nBNeSQjfvdNcZBA/x0hr5EMcBneKKPDj4hJ0panOIRQmNSTThQw9OU351gm3YQct +AMPRUu1fTJAL/AuZUQf9ESmhyVtWNlH/56HBfYjE4iVeaRkkNLJyX3vkWdJSMwC/ +LO3Lw/0M3R8itDsm74F8w4xOdSQ52nSRFRh7PunFtREl+QzQ3EA/WB4AIj3VohIG +kWDfPFCzV3cyZQiEnjAe9gG5pHsXHUWQsDFZ12t784JgkGyO5wT26pzTiuApWM3k +/9V+o3HJSgH5hn7wuTi3TelEFwP1fNzI5iUUtZdtxbFOfWMnZAypEhaLmXNkg4zD +kH44r0ss9fR0DAgUav1a25UnbOn4PgIEQy2fgHKHwRpCy20d6oCSlmgyWsR40EPP +YvtGq49A2aK6ibXmdvvFT+Ts8Z+q2SkFpoYFX20mR2nsF0fbt1lfH65P64dukxeR +GteWIeNakDD40bAAOH8+OaoTGVBJ2ACJfLVNM53PEoftavAwUYMrR910qvwYfd/4 +6rh46g1Frr9SFMKYE9uvIJIgDsQB3QBp71houU4H55M5GD8XURYs+bfiQpJG1p7e +B8e5jZx1SagNWc4XwL2FzQ9svrkbg1Y+359buUiP7T6QXX2zY++JAj0EEwEIACcC +GwMFCwkIBwMFFQoJCAsFFgIDAQACHgECF4AFAlEqbZUFCQg2wEEACgkQf8x9RqzM +TPhFMQ//WxAfKMdpSIA9oIC/yPD/dJpY/+DyouOljpE6MucMy/ArBECjFTBwi/j9 +NYM4ynAk34IkhuNexc1i9/05f5RM6+riLCLgAOsADDbHD4miZzoSxiVr6GQ3YXMb +OGld9kV9Sy6mGNjcUov7iFcf5Hy5w3AjPfKuR9zXswyfzIU1YXObiiZT38l55pp/ +BSgvGVQsvbNjsff5CbEKXS7q3xW+WzN0QWF6YsfNVhFjRGj8hKtHvwKcA02wwjLe +LXVTm6915ZUKhZXUFc0vM4Pj4EgNswH8Ojw9AJaKWJIZmLyW+aP+wpu6YwVCicxB +Y59CzBO2pPJDfKFQzUtrErk9irXeuCCLesDyirxJhv8o0JAvmnMAKOLhNFUrSQ2m ++3EnF7zhfz70gHW+EG8X8mL/EN3/dUM09j6TVrjtw43RLxBzwMDeariFF9yC+5bL +tnGgxjsB9Ik6GV5v34/NEEGf1qBiAzFmDVFRZlrNDkq6gmpvGnA5hUWNr+y0i01L +jGyaLSWHYjgw2UEQOqcUtTFK9MNzbZze4mVaHMEz9/aMfX25R6qbiNqCChveIm8m 
+Yr5Ds2zdZx+G5bAKdzX7nx2IUAxFQJEE94VLSp3npAaTWv3sHr7dR8tSyUJ9poDw +gw4W9BIcnAM7zvFYbLF5FNggg/26njHCCN70sHt8zGxKQINMc6SJAj0EEwEIACcC +GwMFCwkIBwMFFQoJCAsFFgIDAQACHgECF4AFAlLpFRkFCQ6EJy0ACgkQf8x9RqzM +TPjOZA//Zp0e25pcvle7cLc0YuFr9pBv2JIkLzPm83nkcwKmxaWayUIG4Sv6pH6h +m8+S/CHQij/yFCX+o3ngMw2J9HBUvafZ4bnbI0RGJ70GsAwraQ0VlkIfg7GUw3Tz +voGYO42rZTru9S0K/6nFP6D1HUu+U+AsJONLeb6oypQgInfXQExPZyliUnHdipei +4WR1YFW6sjSkZT/5C3J1wkAvPl5lvOVthI9Zs6bZlJLZwusKxU0UM4Btgu1Sf3nn +JcHmzisixwS9PMHE+AgPWIGSec/N27a0KmTTvImV6K6nEjXJey0K2+EYJuIBsYUN +orOGBwDFIhfRk9qGlpgt0KRyguV+AP5qvgry95IrYtrOuE7307SidEbSnvO5ezNe +mE7gT9Z1tM7IMPfmoKph4BfpNoH7aXiQh1Wo+ChdP92hZUtQrY2Nm13cmkxYjQ4Z +gMWfYMC+DA/GooSgZM5i6hYqyyfAuUD9kwRN6BqTbuAUAp+hCWYeN4D88sLYpFh3 +paDYNKJ+Gf7Yyi6gThcV956RUFDH3ys5Dk0vDL9NiWwdebWfRFbzoRM3dyGP889a +OyLzS3mh6nHzZrNGhW73kslSQek8tjKrB+56hXOnb4HaElTZGDvD5wmrrhN94kby +Gtz3cydIohvNO9d90+29h0eGEDYti7j7maHkBKUAwlcPvMg5m3Y= +=DA1T +-----END PGP PUBLIC KEY BLOCK----- diff --git a/heroku-22/setup.sh b/heroku-22/setup.sh index 756e558f..f37c3821 100755 --- a/heroku-22/setup.sh +++ b/heroku-22/setup.sh @@ -26,87 +26,7 @@ apt-get install -y --no-install-recommends gnupg cat >>/etc/apt/sources.list < /etc/ImageMagick-6/policy.xml <<'IMAGEMAGICK_POLICY' - - - - - - - - - - - - - -IMAGEMAGICK_POLICY +cp /build/imagemagick-policy.xml /etc/ImageMagick-6/policy.xml # Temporarily install ca-certificates-java to generate the certificates store used # by Java apps. Generation occurs in a post-install script which requires a JRE. diff --git a/heroku-24/postgresql-ACCC4CF8.asc b/heroku-24/postgresql-ACCC4CF8.asc new file mode 100644 index 00000000..8480576e --- /dev/null +++ b/heroku-24/postgresql-ACCC4CF8.asc 
@@ -0,0 +1,77 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQINBE6XR8IBEACVdDKT2HEH1IyHzXkb4nIWAY7echjRxo7MTcj4vbXAyBKOfjja +UrBEJWHN6fjKJXOYWXHLIYg0hOGeW9qcSiaa1/rYIbOzjfGfhE4x0Y+NJHS1db0V +G6GUj3qXaeyqIJGS2z7m0Thy4Lgr/LpZlZ78Nf1fliSzBlMo1sV7PpP/7zUO+aA4 +bKa8Rio3weMXQOZgclzgeSdqtwKnyKTQdXY5MkH1QXyFIk1nTfWwyqpJjHlgtwMi +c2cxjqG5nnV9rIYlTTjYG6RBglq0SmzF/raBnF4Lwjxq4qRqvRllBXdFu5+2pMfC +IZ10HPRdqDCTN60DUix+BTzBUT30NzaLhZbOMT5RvQtvTVgWpeIn20i2NrPWNCUh +hj490dKDLpK/v+A5/i8zPvN4c6MkDHi1FZfaoz3863dylUBR3Ip26oM0hHXf4/2U +A/oA4pCl2W0hc4aNtozjKHkVjRx5Q8/hVYu+39csFWxo6YSB/KgIEw+0W8DiTII3 +RQj/OlD68ZDmGLyQPiJvaEtY9fDrcSpI0Esm0i4sjkNbuuh0Cvwwwqo5EF1zfkVj +Tqz2REYQGMJGc5LUbIpk5sMHo1HWV038TWxlDRwtOdzw08zQA6BeWe9FOokRPeR2 +AqhyaJJwOZJodKZ76S+LDwFkTLzEKnYPCzkoRwLrEdNt1M7wQBThnC5z6wARAQAB +tBxQb3N0Z3JlU1FMIERlYmlhbiBSZXBvc2l0b3J5iQJOBBMBCAA4AhsDBQsJCAcD +BRUKCQgLBRYCAwEAAh4BAheAFiEEuXsK/KoaR/BE8kSgf8x9RqzMTPgFAlhtCD8A +CgkQf8x9RqzMTPgECxAAk8uL+dwveTv6eH21tIHcltt8U3Ofajdo+D/ayO53LiYO +xi27kdHD0zvFMUWXLGxQtWyeqqDRvDagfWglHucIcaLxoxNwL8+e+9hVFIEskQAY +kVToBCKMXTQDLarz8/J030Pmcv3ihbwB+jhnykMuyyNmht4kq0CNgnlcMCdVz0d3 +z/09puryIHJrD+A8y3TD4RM74snQuwc9u5bsckvRtRJKbP3GX5JaFZAqUyZNRJRJ +Tn2OQRBhCpxhlZ2afkAPFIq2aVnEt/Ie6tmeRCzsW3lOxEH2K7MQSfSu/kRz7ELf +Cz3NJHj7rMzC+76Rhsas60t9CjmvMuGONEpctijDWONLCuch3Pdj6XpC+MVxpgBy +2VUdkunb48YhXNW0jgFGM/BFRj+dMQOUbY8PjJjsmVV0joDruWATQG/M4C7O8iU0 +B7o6yVv4m8LDEN9CiR6r7H17m4xZseT3f+0QpMe7iQjz6XxTUFRQxXqzmNnloA1T +7VjwPqIIzkj/u0V8nICG/ktLzp1OsCFatWXh7LbU+hwYl6gsFH/mFDqVxJ3+DKQi +vyf1NatzEwl62foVjGUSpvh3ymtmtUQ4JUkNDsXiRBWczaiGSuzD9Qi0ONdkAX3b +ewqmN4TfE+XIpCPxxHXwGq9Rv1IFjOdCX0iG436GHyTLC1tTUIKF5xV4Y0+cXIOI +RgQQEQgABgUCTpdI7gAKCRDFr3dKWFELWqaPAKD1TtT5c3sZz92Fj97KYmqbNQZP ++ACfSC6+hfvlj4GxmUjp1aepoVTo3weJAhwEEAEIAAYFAk6XSQsACgkQTFprqxLS +p64F8Q//cCcutwrH50UoRFejg0EIZav6LUKejC6kpLeubbEtuaIH3r2zMblPGc4i ++eMQKo/PqyQrceRXeNNlqO6/exHozYi2meudxa6IudhwJIOn1MQykJbNMSC2sGUp +1W5M1N5EYgt4hy+qhlfnD66LR4G+9t5FscTJSy84SdiOuqgCOpQmPkVRm1HX5X1+ 
+dmnzMOCk5LHHQuiacV0qeGO7JcBCVEIDr+uhU1H2u5GPFNHm5u15n25tOxVivb94 +xg6NDjouECBH7cCVuW79YcExH/0X3/9G45rjdHlKPH1OIUJiiX47OTxdG3dAbB4Q +fnViRJhjehFscFvYWSqXo3pgWqUsEvv9qJac2ZEMSz9x2mj0ekWxuM6/hGWxJdB+ ++985rIelPmc7VRAXOjIxWknrXnPCZAMlPlDLu6+vZ5BhFX0Be3y38f7GNCxFkJzl +hWZ4Cj3WojMj+0DaC1eKTj3rJ7OJlt9S9xnO7OOPEUTGyzgNIDAyCiu8F4huLPaT +ape6RupxOMHZeoCVlqx3ouWctelB2oNXcxxiQ/8y+21aHfD4n/CiIFwDvIQjl7dg +mT3u5Lr6yxuosR3QJx1P6rP5ZrDTP9khT30t+HZCbvs5Pq+v/9m6XDmi+NlU7Zuh +Ehy97tL3uBDgoL4b/5BpFL5U9nruPlQzGq1P9jj40dxAaDAX/WKJAj0EEwEIACcC +GwMFCwkIBwMFFQoJCAsFFgIDAQACHgECF4AFAlB5KywFCQPDFt8ACgkQf8x9RqzM +TPhuCQ//QAjRSAOCQ02qmUAikT+mTB6baOAakkYq6uHbEO7qPZkv4E/M+HPIJ4wd +nBNeSQjfvdNcZBA/x0hr5EMcBneKKPDj4hJ0panOIRQmNSTThQw9OU351gm3YQct +AMPRUu1fTJAL/AuZUQf9ESmhyVtWNlH/56HBfYjE4iVeaRkkNLJyX3vkWdJSMwC/ +LO3Lw/0M3R8itDsm74F8w4xOdSQ52nSRFRh7PunFtREl+QzQ3EA/WB4AIj3VohIG +kWDfPFCzV3cyZQiEnjAe9gG5pHsXHUWQsDFZ12t784JgkGyO5wT26pzTiuApWM3k +/9V+o3HJSgH5hn7wuTi3TelEFwP1fNzI5iUUtZdtxbFOfWMnZAypEhaLmXNkg4zD +kH44r0ss9fR0DAgUav1a25UnbOn4PgIEQy2fgHKHwRpCy20d6oCSlmgyWsR40EPP +YvtGq49A2aK6ibXmdvvFT+Ts8Z+q2SkFpoYFX20mR2nsF0fbt1lfH65P64dukxeR +GteWIeNakDD40bAAOH8+OaoTGVBJ2ACJfLVNM53PEoftavAwUYMrR910qvwYfd/4 +6rh46g1Frr9SFMKYE9uvIJIgDsQB3QBp71houU4H55M5GD8XURYs+bfiQpJG1p7e +B8e5jZx1SagNWc4XwL2FzQ9svrkbg1Y+359buUiP7T6QXX2zY++JAj0EEwEIACcC +GwMFCwkIBwMFFQoJCAsFFgIDAQACHgECF4AFAlEqbZUFCQg2wEEACgkQf8x9RqzM +TPhFMQ//WxAfKMdpSIA9oIC/yPD/dJpY/+DyouOljpE6MucMy/ArBECjFTBwi/j9 +NYM4ynAk34IkhuNexc1i9/05f5RM6+riLCLgAOsADDbHD4miZzoSxiVr6GQ3YXMb +OGld9kV9Sy6mGNjcUov7iFcf5Hy5w3AjPfKuR9zXswyfzIU1YXObiiZT38l55pp/ +BSgvGVQsvbNjsff5CbEKXS7q3xW+WzN0QWF6YsfNVhFjRGj8hKtHvwKcA02wwjLe +LXVTm6915ZUKhZXUFc0vM4Pj4EgNswH8Ojw9AJaKWJIZmLyW+aP+wpu6YwVCicxB +Y59CzBO2pPJDfKFQzUtrErk9irXeuCCLesDyirxJhv8o0JAvmnMAKOLhNFUrSQ2m ++3EnF7zhfz70gHW+EG8X8mL/EN3/dUM09j6TVrjtw43RLxBzwMDeariFF9yC+5bL +tnGgxjsB9Ik6GV5v34/NEEGf1qBiAzFmDVFRZlrNDkq6gmpvGnA5hUWNr+y0i01L +jGyaLSWHYjgw2UEQOqcUtTFK9MNzbZze4mVaHMEz9/aMfX25R6qbiNqCChveIm8m 
+Yr5Ds2zdZx+G5bAKdzX7nx2IUAxFQJEE94VLSp3npAaTWv3sHr7dR8tSyUJ9poDw +gw4W9BIcnAM7zvFYbLF5FNggg/26njHCCN70sHt8zGxKQINMc6SJAj0EEwEIACcC +GwMFCwkIBwMFFQoJCAsFFgIDAQACHgECF4AFAlLpFRkFCQ6EJy0ACgkQf8x9RqzM +TPjOZA//Zp0e25pcvle7cLc0YuFr9pBv2JIkLzPm83nkcwKmxaWayUIG4Sv6pH6h +m8+S/CHQij/yFCX+o3ngMw2J9HBUvafZ4bnbI0RGJ70GsAwraQ0VlkIfg7GUw3Tz +voGYO42rZTru9S0K/6nFP6D1HUu+U+AsJONLeb6oypQgInfXQExPZyliUnHdipei +4WR1YFW6sjSkZT/5C3J1wkAvPl5lvOVthI9Zs6bZlJLZwusKxU0UM4Btgu1Sf3nn +JcHmzisixwS9PMHE+AgPWIGSec/N27a0KmTTvImV6K6nEjXJey0K2+EYJuIBsYUN +orOGBwDFIhfRk9qGlpgt0KRyguV+AP5qvgry95IrYtrOuE7307SidEbSnvO5ezNe +mE7gT9Z1tM7IMPfmoKph4BfpNoH7aXiQh1Wo+ChdP92hZUtQrY2Nm13cmkxYjQ4Z +gMWfYMC+DA/GooSgZM5i6hYqyyfAuUD9kwRN6BqTbuAUAp+hCWYeN4D88sLYpFh3 +paDYNKJ+Gf7Yyi6gThcV956RUFDH3ys5Dk0vDL9NiWwdebWfRFbzoRM3dyGP889a +OyLzS3mh6nHzZrNGhW73kslSQek8tjKrB+56hXOnb4HaElTZGDvD5wmrrhN94kby +Gtz3cydIohvNO9d90+29h0eGEDYti7j7maHkBKUAwlcPvMg5m3Y= +=DA1T +-----END PGP PUBLIC KEY BLOCK----- diff --git a/heroku-24/setup.sh b/heroku-24/setup.sh index 79023e92..bed7f5ef 100755 --- a/heroku-24/setup.sh +++ b/heroku-24/setup.sh @@ -51,87 +51,7 @@ apt-get install -y --no-install-recommends gnupg cat >>/etc/apt/sources.list < Date: Mon, 11 Mar 2024 11:21:28 +0000 Subject: [PATCH 03/24] Use `--error-on=any` with `apt-get update` (#257) Since otherwise APT will ignore certain categories of errors that it sees as transient (such as failing to pull from one repo, even for things like TLS validation errors; this was discovered whilst working on #248). See: https://manpages.ubuntu.com/manpages/noble/man8/apt-get.8.html GUS-W-15224473. --- heroku-20-build/setup.sh | 2 +- heroku-20/setup.sh | 4 ++-- heroku-22-build/setup.sh | 2 +- heroku-22/setup.sh | 4 ++-- heroku-24-build/setup.sh | 2 +- heroku-24/setup.sh | 4 ++-- 6 files changed, 9 insertions(+), 9 deletions(-) diff --git a/heroku-20-build/setup.sh b/heroku-20-build/setup.sh index 19c0826c..ba20dbfd 100755 --- a/heroku-20-build/setup.sh +++ b/heroku-20-build/setup.sh 
@@ -8,7 +8,7 @@ set -x export DEBIAN_FRONTEND=noninteractive -apt-get update +apt-get update --error-on=any apt-get install -y --no-install-recommends \ autoconf \ automake \ diff --git a/heroku-20/setup.sh b/heroku-20/setup.sh index 2a3573d0..8130826f 100755 --- a/heroku-20/setup.sh +++ b/heroku-20/setup.sh @@ -15,7 +15,7 @@ deb http://archive.ubuntu.com/ubuntu/ focal-security main universe deb http://archive.ubuntu.com/ubuntu/ focal-updates main universe EOF -apt-get update +apt-get update --error-on=any # Required by apt-key and does not exist in the base image on newer Ubuntu. apt-get install -y --no-install-recommends gnupg @@ -28,7 +28,7 @@ deb http://apt.postgresql.org/pub/repos/apt/ focal-pgdg main EOF apt-key add /build/postgresql-ACCC4CF8.asc -apt-get update +apt-get update --error-on=any apt-get upgrade -y apt-get install -y --no-install-recommends \ apt-transport-https \ diff --git a/heroku-22-build/setup.sh b/heroku-22-build/setup.sh index f4b28b64..5bc26dfc 100755 --- a/heroku-22-build/setup.sh +++ b/heroku-22-build/setup.sh @@ -8,7 +8,7 @@ set -x export DEBIAN_FRONTEND=noninteractive -apt-get update +apt-get update --error-on=any apt-get install -y --no-install-recommends \ autoconf \ automake \ diff --git a/heroku-22/setup.sh b/heroku-22/setup.sh index f37c3821..0e628801 100755 --- a/heroku-22/setup.sh +++ b/heroku-22/setup.sh @@ -15,7 +15,7 @@ deb http://archive.ubuntu.com/ubuntu/ jammy-security main universe deb http://archive.ubuntu.com/ubuntu/ jammy-updates main universe EOF -apt-get update +apt-get update --error-on=any # Required by apt-key and does not exist in the base image on newer Ubuntu. apt-get install -y --no-install-recommends gnupg @@ -28,7 +28,7 @@ deb http://apt.postgresql.org/pub/repos/apt/ jammy-pgdg main EOF apt-key add /build/postgresql-ACCC4CF8.asc -apt-get update +apt-get update --error-on=any apt-get upgrade -y apt-get install -y --no-install-recommends \ apt-transport-https \ 
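Review bot: The reason for `--error-on=any` lives only in the commit message; nothing in the scripts tells a later reader why the flag is there or what APT does without it. A one-line comment above the first `apt-get update` in each script, e.g. `# --error-on=any: fail on repository errors APT would otherwise downgrade to warnings (e.g. one unreachable or TLS-failing index) instead of continuing with stale lists.`, would keep that rationale with the code. This applies to all six setup.sh hunks in this patch, including the heroku-24-build and heroku-24 ones that follow.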
diff --git a/heroku-24-build/setup.sh b/heroku-24-build/setup.sh index 6ed1dad2..42f0b50e 100755 --- a/heroku-24-build/setup.sh +++ b/heroku-24-build/setup.sh @@ -8,7 +8,7 @@ set -x export DEBIAN_FRONTEND=noninteractive -apt-get update +apt-get update --error-on=any apt-get install -y --no-install-recommends \ autoconf \ automake \ diff --git a/heroku-24/setup.sh b/heroku-24/setup.sh index bed7f5ef..b1e8cc71 100755 --- a/heroku-24/setup.sh +++ b/heroku-24/setup.sh @@ -40,7 +40,7 @@ Signed-By: /usr/share/keyrings/ubuntu-archive-keyring.gpg Architectures: arm64 EOF -apt-get update +apt-get update --error-on=any # Required by apt-key and does not exist in the base image on newer Ubuntu. apt-get install -y --no-install-recommends gnupg @@ -53,7 +53,7 @@ deb http://apt.postgresql.org/pub/repos/apt/ noble-pgdg main EOF apt-key add /build/postgresql-ACCC4CF8.asc -apt-get update +apt-get update --error-on=any apt-get upgrade -y --no-install-recommends apt-get install -y --no-install-recommends \ apt-transport-https \ From c1ad0de35b28b71133b40717b40aca14bef780e4 Mon Sep 17 00:00:00 2001 
From: Ed Morley <501702+edmorley@users.noreply.github.com> Date: Mon, 11 Mar 2024 12:23:01 +0000 Subject: [PATCH 04/24] Cleanup setup scripts (#258) * Removes the stderr redirection to stdout, since it's no longer necessary (we're no longer using Travis CI, where stderr was highlighted in bright red) * Combines the `set` calls * Switches to an array for the list of packages to install, which avoids the need for line continuation markers, and will allow us to add code comments later explaining why we install certain packages (comments break lines using continuation markers) GUS-W-15224569. --- heroku-20-build/setup.sh | 165 ++++++++++++------------ heroku-20/setup.sh | 258 +++++++++++++++++++------------------- heroku-22-build/setup.sh | 163 ++++++++++++------------ heroku-22/setup.sh | 262 +++++++++++++++++++-------------------- heroku-24-build/setup.sh | 155 ++++++++++++----------- heroku-24/setup.sh | 250 ++++++++++++++++++------------------- 6 files changed, 625 insertions(+), 628 deletions(-) diff --git a/heroku-20-build/setup.sh b/heroku-20-build/setup.sh index ba20dbfd..d79b87a6 100755 --- a/heroku-20-build/setup.sh +++ b/heroku-20-build/setup.sh 
@@ -1,92 +1,91 @@ #!/usr/bin/env bash -set -euo pipefail - -# Redirect stderr to stdout since tracing/apt-get/dpkg spam it for things that aren't errors. -exec 2>&1 -set -x +set -euxo pipefail export DEBIAN_FRONTEND=noninteractive +packages=( + autoconf + automake + bison + build-essential + bzr + cmake + gettext + git + jq + libacl1-dev + libapt-pkg-dev + libargon2-dev + libattr1-dev + libaudit-dev + libbsd-dev + libbz2-dev + libc-client2007e-dev + libcairo2-dev + libcap-dev + libcurl4-openssl-dev + libdb-dev + libev-dev + libevent-dev + libexif-dev + libffi-dev + libgcrypt20-dev + libgd-dev + libgdbm-dev + libgeoip-dev + libglib2.0-dev + libgnutls28-dev + libgs-dev + libicu-dev + libidn11-dev + libjpeg-dev + libkeyutils-dev + libkmod-dev + libkrb5-dev + libldap2-dev + liblz4-dev + liblzf-dev + libmagic-dev + libmagickwand-dev + libmcrypt-dev + libmemcached-dev + libmysqlclient-dev + libncurses5-dev + libncursesw5-dev + libnetpbm10-dev + libonig-dev + libpam0g-dev + libpopt-dev + libpq-dev + librabbitmq-dev + libreadline-dev + librtmp-dev + libseccomp-dev + libselinux1-dev + libsemanage1-dev + libsodium-dev + libssl-dev + libsystemd-dev + libtool + libudev-dev + libuv1-dev + libwrap0-dev + libxml2-dev + libxslt-dev + libyaml-dev + libzip-dev + libzstd-dev + mercurial + patchelf + postgresql-server-dev-15 + python3-dev + ruby-dev + zlib1g-dev +) + apt-get update --error-on=any -apt-get install -y --no-install-recommends \ - autoconf \ - automake \ - bison \ - build-essential \ - bzr \ - cmake \ - gettext \ - git \ - jq \ - libacl1-dev \ - libapt-pkg-dev \ - libargon2-dev \ - libattr1-dev \ - libaudit-dev \ - libbsd-dev \ - libbz2-dev \ - libc-client2007e-dev \ - libcairo2-dev \ - libcap-dev \ - libcurl4-openssl-dev \ - libdb-dev \ - libev-dev \ - libevent-dev \ - libexif-dev \ - libffi-dev \ - libgcrypt20-dev \ - libgd-dev \ - libgdbm-dev \ - libgeoip-dev \ - libglib2.0-dev \ - libgnutls28-dev \ - libgs-dev \ - libicu-dev \ - libidn11-dev \ - libjpeg-dev \ - 
libkeyutils-dev \ - libkmod-dev \ - libkrb5-dev \ - libldap2-dev \ - liblz4-dev \ - liblzf-dev \ - libmagic-dev \ - libmagickwand-dev \ - libmcrypt-dev \ - libmemcached-dev \ - libmysqlclient-dev \ - libncurses5-dev \ - libncursesw5-dev \ - libnetpbm10-dev \ - libonig-dev \ - libpam0g-dev \ - libpopt-dev \ - libpq-dev \ - librabbitmq-dev \ - libreadline-dev \ - librtmp-dev \ - libseccomp-dev \ - libselinux1-dev \ - libsemanage1-dev \ - libsodium-dev \ - libssl-dev \ - libsystemd-dev \ - libtool \ - libudev-dev \ - libuv1-dev \ - libwrap0-dev \ - libxml2-dev \ - libxslt-dev \ - libyaml-dev \ - libzip-dev \ - libzstd-dev \ - mercurial \ - patchelf \ - postgresql-server-dev-15 \ - python3-dev \ - ruby-dev \ - zlib1g-dev \ +apt-get install -y --no-install-recommends "${packages[@]}" rm -rf /root/* rm -rf /tmp/* diff --git a/heroku-20/setup.sh b/heroku-20/setup.sh index 8130826f..367e8e35 100755 --- a/heroku-20/setup.sh +++ b/heroku-20/setup.sh @@ -1,10 +1,6 @@ #!/usr/bin/env bash -set -euo pipefail - -# Redirect stderr to stdout since tracing/apt-get/dpkg spam it for things that aren't errors. -exec 2>&1 -set -x +set -euxo pipefail export DEBIAN_FRONTEND=noninteractive 
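Review bot: The new `packages` array has no comment saying what it holds or how it is maintained, even though the commit message says per-package explanations are the reason for switching to an array. A header such as `# Build-time packages installed into the build image; keep alphabetically sorted.` above `packages=(` would establish that convention now, before entries with comments are added. The heroku-22-build/setup.sh hunk later in this patch starts the same way and would take the same header.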
@@ -30,130 +26,134 @@ apt-key add /build/postgresql-ACCC4CF8.asc apt-get update --error-on=any apt-get upgrade -y -apt-get install -y --no-install-recommends \ - apt-transport-https \ - apt-utils \ - bind9-host \ - bzip2 \ - coreutils \ - curl \ - dnsutils \ - ed \ - file \ - fontconfig \ - gcc \ - geoip-database \ - gettext-base \ - ghostscript \ - gir1.2-harfbuzz-0.0 \ - git \ - gsfonts \ - imagemagick \ - iproute2 \ - iputils-tracepath \ - language-pack-en \ - less \ - libaom0 \ - libargon2-1 \ - libass9 \ - libc-client2007e \ - libc6-dev \ - libcairo2 \ - libcroco3 \ - libcurl4 \ - libdatrie1 \ - libev4 \ - libevent-2.1-7 \ - libevent-core-2.1-7 \ - libevent-extra-2.1-7 \ - libevent-openssl-2.1-7 \ - libevent-pthreads-2.1-7 \ - libexif12 \ - libfreetype6 \ - libfribidi0 \ - libgd3 \ - libgdk-pixbuf2.0-0 \ - libgdk-pixbuf2.0-common \ - libgnutls-openssl27 \ - libgnutls30 \ - libgnutlsxx28 \ - libgraphite2-3 \ - libgraphite2-3 \ - libgs9 \ - libharfbuzz-gobject0 \ - libharfbuzz-icu0 \ - libharfbuzz0b \ - liblzf1 \ - libmagickcore-6.q16-3-extra \ - libmcrypt4 \ - libmemcached11 \ - libmp3lame0 \ - libmysqlclient21 \ - libnuma1 \ - libogg0 \ - libonig5 \ - libopencore-amrnb0 \ - libopencore-amrwb0 \ - libopus0 \ - libpango-1.0-0 \ - libpangocairo-1.0-0 \ - libpangoft2-1.0-0 \ - libpixman-1-0 \ - librabbitmq4 \ - librsvg2-2 \ - librsvg2-common \ - libsasl2-modules \ - libseccomp2 \ - libsodium23 \ - libspeex1 \ - libthai-data \ - libthai0 \ - libtheora0 \ - libunistring2 \ - libuv1 \ - libvips42 \ - libvorbis0a \ - libvorbisenc2 \ - libvorbisfile3 \ - libvpx6 \ - libwebp6 \ - libwebpdemux2 \ - libwebpmux3 \ - libx264-155 \ - libx265-179 \ - libxcb-render0 \ - libxcb-shm0 \ - libxrender1 \ - libxslt1.1 \ - libzip5 \ - libzstd1 \ - locales \ - lsb-release \ - make \ - netcat-openbsd \ - openssh-client \ - openssh-server \ - patch \ - poppler-utils \ - postgresql-client-15 \ - python-is-python3 \ - python3 \ - rename \ - rsync \ - ruby \ - shared-mime-info \ - socat \ 
- stunnel \ - syslinux \ - tar \ - telnet \ - tzdata \ - unzip \ - wget \ - xz-utils \ - zip \ - zlib1g \ - zstd \ + +packages=( + apt-transport-https + apt-utils + bind9-host + bzip2 + coreutils + curl + dnsutils + ed + file + fontconfig + gcc + geoip-database + gettext-base + ghostscript + gir1.2-harfbuzz-0.0 + git + gsfonts + imagemagick + iproute2 + iputils-tracepath + language-pack-en + less + libaom0 + libargon2-1 + libass9 + libc-client2007e + libc6-dev + libcairo2 + libcroco3 + libcurl4 + libdatrie1 + libev4 + libevent-2.1-7 + libevent-core-2.1-7 + libevent-extra-2.1-7 + libevent-openssl-2.1-7 + libevent-pthreads-2.1-7 + libexif12 + libfreetype6 + libfribidi0 + libgd3 + libgdk-pixbuf2.0-0 + libgdk-pixbuf2.0-common + libgnutls-openssl27 + libgnutls30 + libgnutlsxx28 + libgraphite2-3 + libgraphite2-3 + libgs9 + libharfbuzz-gobject0 + libharfbuzz-icu0 + libharfbuzz0b + liblzf1 + libmagickcore-6.q16-3-extra + libmcrypt4 + libmemcached11 + libmp3lame0 + libmysqlclient21 + libnuma1 + libogg0 + libonig5 + libopencore-amrnb0 + libopencore-amrwb0 + libopus0 + libpango-1.0-0 + libpangocairo-1.0-0 + libpangoft2-1.0-0 + libpixman-1-0 + librabbitmq4 + librsvg2-2 + librsvg2-common + libsasl2-modules + libseccomp2 + libsodium23 + libspeex1 + libthai-data + libthai0 + libtheora0 + libunistring2 + libuv1 + libvips42 + libvorbis0a + libvorbisenc2 + libvorbisfile3 + libvpx6 + libwebp6 + libwebpdemux2 + libwebpmux3 + libx264-155 + libx265-179 + libxcb-render0 + libxcb-shm0 + libxrender1 + libxslt1.1 + libzip5 + libzstd1 + locales + lsb-release + make + netcat-openbsd + openssh-client + openssh-server + patch + poppler-utils + postgresql-client-15 + python-is-python3 + python3 + rename + rsync + ruby + shared-mime-info + socat + stunnel + syslinux + tar + telnet + tzdata + unzip + wget + xz-utils + zip + zlib1g + zstd +) + +apt-get install -y --no-install-recommends "${packages[@]}" cp /build/imagemagick-policy.xml /etc/ImageMagick-6/policy.xml 
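Review bot: The new `packages` array lists `libgraphite2-3` twice, as consecutive entries in the middle of the list; the duplicate was carried over from the old continuation-line list and can be dropped now that the list is being rewritten. apt tolerates the repeat, so this is cleanup rather than a defect, but the array form is exactly what makes it easy to spot. A `# keep alphabetically sorted` note above `packages=(` would help keep such repeats out in future.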
diff --git a/heroku-22-build/setup.sh b/heroku-22-build/setup.sh
index 5bc26dfc..a95dba27 100755
--- a/heroku-22-build/setup.sh
+++ b/heroku-22-build/setup.sh
@@ -1,91 +1,90 @@ #!/usr/bin/env bash -set -euo pipefail - -# Redirect stderr to stdout since tracing/apt-get/dpkg spam it for things that aren't errors. -exec 2>&1 -set -x +set -euxo pipefail export DEBIAN_FRONTEND=noninteractive +packages=( + autoconf + automake + bison + build-essential + bzr + cmake + gettext + git + jq + libacl1-dev + libapt-pkg-dev + libargon2-dev + libattr1-dev + libaudit-dev + libbsd-dev + libbz2-dev + libc-client2007e-dev + libcairo2-dev + libcap-dev + libcurl4-openssl-dev + libdb-dev + libev-dev + libevent-dev + libexif-dev + libffi-dev + libgcrypt20-dev + libgd-dev + libgdbm-dev + libgeoip-dev + libglib2.0-dev + libgnutls28-dev + libgs-dev + libheif-dev + libicu-dev + libidn11-dev + libjpeg-dev + libkeyutils-dev + libkmod-dev + libkrb5-dev + libldap2-dev + liblz4-dev + liblzf-dev + libmagic-dev + libmagickwand-dev + libmcrypt-dev + libmemcached-dev + libmysqlclient-dev + libncurses5-dev + libncursesw5-dev + libnetpbm10-dev + libonig-dev + libpam0g-dev + libpopt-dev + libpq-dev + librabbitmq-dev + libreadline-dev + librtmp-dev + libseccomp-dev + libselinux1-dev + libsemanage-dev + libsodium-dev + libssl-dev + libsystemd-dev + libtool + libudev-dev + libuv1-dev + libwrap0-dev + libxml2-dev + libxslt-dev + libyaml-dev + libzip-dev + libzstd-dev + mercurial + patchelf + python3-dev + zlib1g-dev +) + apt-get update --error-on=any -apt-get install -y --no-install-recommends \ - autoconf \ - automake \ - bison \ - build-essential \ - bzr \ - cmake \ - gettext \ - git \ - jq \ - libacl1-dev \ - libapt-pkg-dev \ - libargon2-dev \ - libattr1-dev \ - libaudit-dev \ - libbsd-dev \ - libbz2-dev \ - libc-client2007e-dev \ - libcairo2-dev \ - libcap-dev \ - libcurl4-openssl-dev \ - libdb-dev \ - libev-dev \ - libevent-dev \ - libexif-dev \ - libffi-dev \ - libgcrypt20-dev \ - libgd-dev \ - libgdbm-dev \ - libgeoip-dev \ - libglib2.0-dev \ - libgnutls28-dev \ - libgs-dev \ - libheif-dev \ - libicu-dev \ - libidn11-dev \ - libjpeg-dev \ - libkeyutils-dev 
\ - libkmod-dev \ - libkrb5-dev \ - libldap2-dev \ - liblz4-dev \ - liblzf-dev \ - libmagic-dev \ - libmagickwand-dev \ - libmcrypt-dev \ - libmemcached-dev \ - libmysqlclient-dev \ - libncurses5-dev \ - libncursesw5-dev \ - libnetpbm10-dev \ - libonig-dev \ - libpam0g-dev \ - libpopt-dev \ - libpq-dev \ - librabbitmq-dev \ - libreadline-dev \ - librtmp-dev \ - libseccomp-dev \ - libselinux1-dev \ - libsemanage-dev \ - libsodium-dev \ - libssl-dev \ - libsystemd-dev \ - libtool \ - libudev-dev \ - libuv1-dev \ - libwrap0-dev \ - libxml2-dev \ - libxslt-dev \ - libyaml-dev \ - libzip-dev \ - libzstd-dev \ - mercurial \ - patchelf \ - python3-dev \ - zlib1g-dev \ +apt-get install -y --no-install-recommends "${packages[@]}" rm -rf /root/* rm -rf /tmp/* diff --git a/heroku-22/setup.sh b/heroku-22/setup.sh index 0e628801..282140f9 100755 --- a/heroku-22/setup.sh +++ b/heroku-22/setup.sh @@ -1,10 +1,6 @@ #!/usr/bin/env bash -set -euo pipefail - -# Redirect stderr to stdout since tracing/apt-get/dpkg spam it for things that aren't errors. -exec 2>&1 -set -x +set -euxo pipefail export DEBIAN_FRONTEND=noninteractive 
@@ -30,132 +26,136 @@ apt-key add /build/postgresql-ACCC4CF8.asc apt-get update --error-on=any apt-get upgrade -y -apt-get install -y --no-install-recommends \ - apt-transport-https \ - apt-utils \ - bind9-host \ - bzip2 \ - coreutils \ - curl \ - dnsutils \ - ed \ - file \ - fontconfig \ - gcc \ - geoip-database \ - gettext-base \ - ghostscript \ - gir1.2-harfbuzz-0.0 \ - git \ - gsfonts \ - imagemagick \ - iproute2 \ - iputils-tracepath \ - language-pack-en \ - less \ - libaom3 \ - libargon2-1 \ - libass9 \ - libc-client2007e \ - libc6-dev \ - libcairo2 \ - libcurl4 \ - libdatrie1 \ - libdav1d5 \ - libev4 \ - libevent-2.1-7 \ - libevent-core-2.1-7 \ - libevent-extra-2.1-7 \ - libevent-openssl-2.1-7 \ - libevent-pthreads-2.1-7 \ - libexif12 \ - libfreetype6 \ - libfribidi0 \ - libgd3 \ - libgdk-pixbuf2.0-0 \ - libgdk-pixbuf2.0-common \ - libgnutls-openssl27 \ - libgnutls30 \ - libgnutlsxx28 \ - libgraphite2-3 \ - libgraphite2-3 \ - libgs9 \ - libharfbuzz-gobject0 \ - libharfbuzz-icu0 \ - libharfbuzz0b \ - libheif1 \ - liblzf1 \ - libmagickcore-6.q16-3-extra \ - libmcrypt4 \ - libmemcached11 \ - libmp3lame0 \ - libmysqlclient21 \ - libnuma1 \ - libogg0 \ - libonig5 \ - libopencore-amrnb0 \ - libopencore-amrwb0 \ - libopus0 \ - libpango-1.0-0 \ - libpangocairo-1.0-0 \ - libpangoft2-1.0-0 \ - libpixman-1-0 \ - librabbitmq4 \ - librsvg2-2 \ - librsvg2-common \ - libsasl2-modules \ - libseccomp2 \ - libsodium23 \ - libspeex1 \ - libsvtav1enc0 \ - libthai-data \ - libthai0 \ - libtheora0 \ - libunistring2 \ - libuv1 \ - libvips42 \ - libvorbis0a \ - libvorbisenc2 \ - libvorbisfile3 \ - libvpx7 \ - libwebp7 \ - libwebpdemux2 \ - libwebpmux3 \ - libx264-163 \ - libx265-199 \ - libxcb-render0 \ - libxcb-shm0 \ - libxrender1 \ - libxslt1.1 \ - libyaml-0-2 \ - libzip4 \ - libzstd1 \ - locales \ - lsb-release \ - make \ - netcat-openbsd \ - openssh-client \ - openssh-server \ - patch \ - poppler-utils \ - postgresql-client-15 \ - python-is-python3 \ - python3 \ - rename \ - 
rsync \ - shared-mime-info \ - socat \ - stunnel \ - syslinux \ - tar \ - telnet \ - tzdata \ - unzip \ - wget \ - xz-utils \ - zip \ - zlib1g \ - zstd \ + +packages=( + apt-transport-https + apt-utils + bind9-host + bzip2 + coreutils + curl + dnsutils + ed + file + fontconfig + gcc + geoip-database + gettext-base + ghostscript + gir1.2-harfbuzz-0.0 + git + gsfonts + imagemagick + iproute2 + iputils-tracepath + language-pack-en + less + libaom3 + libargon2-1 + libass9 + libc-client2007e + libc6-dev + libcairo2 + libcurl4 + libdatrie1 + libdav1d5 + libev4 + libevent-2.1-7 + libevent-core-2.1-7 + libevent-extra-2.1-7 + libevent-openssl-2.1-7 + libevent-pthreads-2.1-7 + libexif12 + libfreetype6 + libfribidi0 + libgd3 + libgdk-pixbuf2.0-0 + libgdk-pixbuf2.0-common + libgnutls-openssl27 + libgnutls30 + libgnutlsxx28 + libgraphite2-3 + libgraphite2-3 + libgs9 + libharfbuzz-gobject0 + libharfbuzz-icu0 + libharfbuzz0b + libheif1 + liblzf1 + libmagickcore-6.q16-3-extra + libmcrypt4 + libmemcached11 + libmp3lame0 + libmysqlclient21 + libnuma1 + libogg0 + libonig5 + libopencore-amrnb0 + libopencore-amrwb0 + libopus0 + libpango-1.0-0 + libpangocairo-1.0-0 + libpangoft2-1.0-0 + libpixman-1-0 + librabbitmq4 + librsvg2-2 + librsvg2-common + libsasl2-modules + libseccomp2 + libsodium23 + libspeex1 + libsvtav1enc0 + libthai-data + libthai0 + libtheora0 + libunistring2 + libuv1 + libvips42 + libvorbis0a + libvorbisenc2 + libvorbisfile3 + libvpx7 + libwebp7 + libwebpdemux2 + libwebpmux3 + libx264-163 + libx265-199 + libxcb-render0 + libxcb-shm0 + libxrender1 + libxslt1.1 + libyaml-0-2 + libzip4 + libzstd1 + locales + lsb-release + make + netcat-openbsd + openssh-client + openssh-server + patch + poppler-utils + postgresql-client-15 + python-is-python3 + python3 + rename + rsync + shared-mime-info + socat + stunnel + syslinux + tar + telnet + tzdata + unzip + wget + xz-utils + zip + zlib1g + zstd +) + +apt-get install -y --no-install-recommends "${packages[@]}" cp 
/build/imagemagick-policy.xml /etc/ImageMagick-6/policy.xml diff --git a/heroku-24-build/setup.sh b/heroku-24-build/setup.sh index 42f0b50e..f51b4477 100755 --- a/heroku-24-build/setup.sh +++ b/heroku-24-build/setup.sh 
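Review bot: The new `packages` array in heroku-22/setup.sh lists `libgraphite2-3` twice (the two adjacent `+ libgraphite2-3` entries), and the heroku-24/setup.sh array further down in this chunk carries the same duplicate, as does the heroku-20 list at the top of the chunk. `apt-get` accepts repeated names, so nothing breaks, but it shows the lists were converted verbatim rather than deduplicated and will mislead anyone diffing the stacks against each other. Drop the second entry in each array; if the lists are meant to stay sorted and unique, a `sort -u` comparison over the array in CI would keep them that way.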
@@ -1,87 +1,86 @@ #!/usr/bin/env bash -set -euo pipefail - -# Redirect stderr to stdout since tracing/apt-get/dpkg spam it for things that aren't errors. -exec 2>&1 -set -x +set -euxo pipefail export DEBIAN_FRONTEND=noninteractive +packages=( + autoconf + automake + bison + build-essential + cmake + gettext + git + jq + libacl1-dev + libapt-pkg-dev + libargon2-dev + libattr1-dev + libaudit-dev + libbsd-dev + libbz2-dev + libc-client2007e-dev + libcairo2-dev + libcap-dev + libcurl4-openssl-dev + libdb-dev + libev-dev + libevent-dev + libexif-dev + libffi-dev + libgcrypt20-dev + libgd-dev + libgdbm-dev + libgeoip-dev + libglib2.0-dev + libgnutls28-dev + libheif-dev + libicu-dev + libidn11-dev + libjpeg-dev + libkeyutils-dev + libkmod-dev + libkrb5-dev + libldap2-dev + liblz4-dev + liblzf-dev + libmagic-dev + libmagickwand-dev + libmcrypt-dev + libmemcached-dev + libmysqlclient-dev + libncurses5-dev + libncursesw5-dev + libnetpbm10-dev + libonig-dev + libpam0g-dev + libpopt-dev + libpq-dev + librabbitmq-dev + libreadline-dev + librtmp-dev + libseccomp-dev + libselinux1-dev + libsemanage-dev + libsodium-dev + libssl-dev + libsystemd-dev + libtool + libudev-dev + libuv1-dev + libwrap0-dev + libxml2-dev + libxslt-dev + libyaml-dev + libzip-dev + libzstd-dev + patchelf + zlib1g-dev +) + apt-get update --error-on=any -apt-get install -y --no-install-recommends \ - autoconf \ - automake \ - bison \ - build-essential \ - cmake \ - gettext \ - git \ - jq \ - libacl1-dev \ - libapt-pkg-dev \ - libargon2-dev \ - libattr1-dev \ - libaudit-dev \ - libbsd-dev \ - libbz2-dev \ - libc-client2007e-dev \ - libcairo2-dev \ - libcap-dev \ - libcurl4-openssl-dev \ - libdb-dev \ - libev-dev \ - libevent-dev \ - libexif-dev \ - libffi-dev \ - libgcrypt20-dev \ - libgd-dev \ - libgdbm-dev \ - libgeoip-dev \ - libglib2.0-dev \ - libgnutls28-dev \ - libheif-dev \ - libicu-dev \ - libidn11-dev \ - libjpeg-dev \ - libkeyutils-dev \ - libkmod-dev \ - libkrb5-dev \ - libldap2-dev \ - liblz4-dev \ 
- liblzf-dev \ - libmagic-dev \ - libmagickwand-dev \ - libmcrypt-dev \ - libmemcached-dev \ - libmysqlclient-dev \ - libncurses5-dev \ - libncursesw5-dev \ - libnetpbm10-dev \ - libonig-dev \ - libpam0g-dev \ - libpopt-dev \ - libpq-dev \ - librabbitmq-dev \ - libreadline-dev \ - librtmp-dev \ - libseccomp-dev \ - libselinux1-dev \ - libsemanage-dev \ - libsodium-dev \ - libssl-dev \ - libsystemd-dev \ - libtool \ - libudev-dev \ - libuv1-dev \ - libwrap0-dev \ - libxml2-dev \ - libxslt-dev \ - libyaml-dev \ - libzip-dev \ - libzstd-dev \ - patchelf \ - zlib1g-dev \ +apt-get install -y --no-install-recommends "${packages[@]}" rm -rf /root/* rm -rf /tmp/* diff --git a/heroku-24/setup.sh b/heroku-24/setup.sh index b1e8cc71..968db775 100755 --- a/heroku-24/setup.sh +++ b/heroku-24/setup.sh @@ -1,10 +1,6 @@ #!/usr/bin/env bash -set -euo pipefail - -# Redirect stderr to stdout since tracing/apt-get/dpkg spam it for things that aren't errors. -exec 2>&1 -set -x +set -euxo pipefail export DEBIAN_FRONTEND=noninteractive 
@@ -55,126 +51,130 @@ apt-key add /build/postgresql-ACCC4CF8.asc apt-get update --error-on=any apt-get upgrade -y --no-install-recommends -apt-get install -y --no-install-recommends \ - apt-transport-https \ - apt-utils \ - bind9-host \ - bzip2 \ - coreutils \ - curl \ - dnsutils \ - ed \ - file \ - fontconfig \ - gcc \ - geoip-database \ - gettext-base \ - gir1.2-harfbuzz-0.0 \ - git \ - imagemagick \ - iproute2 \ - iputils-tracepath \ - less \ - libaom3 \ - libargon2-1 \ - libass9 \ - libc-client2007e \ - libc6-dev \ - libcairo2 \ - libcurl4 \ - libdatrie1 \ - libdav1d7 \ - libev4 \ - libevent-2.1-7 \ - libevent-core-2.1-7 \ - libevent-extra-2.1-7 \ - libevent-openssl-2.1-7 \ - libevent-pthreads-2.1-7 \ - libexif12 \ - libfreetype6 \ - libfribidi0 \ - libgd3 \ - libgdk-pixbuf2.0-0 \ - libgdk-pixbuf2.0-common \ - libgnutls-openssl27 \ - libgnutls30 \ - libgraphite2-3 \ - libgraphite2-3 \ - libharfbuzz-gobject0 \ - libharfbuzz-icu0 \ - libharfbuzz0b \ - libheif1 \ - liblzf1 \ - libmagickcore-6.q16-7-extra \ - libmcrypt4 \ - libmemcached11 \ - libmp3lame0 \ - libmysqlclient21 \ - libnuma1 \ - libogg0 \ - libonig5 \ - libopencore-amrnb0 \ - libopencore-amrwb0 \ - libopus0 \ - libpango-1.0-0 \ - libpangocairo-1.0-0 \ - libpangoft2-1.0-0 \ - libpixman-1-0 \ - librabbitmq4 \ - librsvg2-2 \ - librsvg2-common \ - libsasl2-modules \ - libseccomp2 \ - libsodium23 \ - libspeex1 \ - libsvtav1enc1d1 \ - libthai-data \ - libthai0 \ - libtheora0 \ - libunistring5 \ - libuv1 \ - libvips42 \ - libvorbis0a \ - libvorbisenc2 \ - libvorbisfile3 \ - libvpx8 \ - libwebp7 \ - libwebpdemux2 \ - libwebpmux3 \ - libx264-164 \ - libx265-199 \ - libxcb-render0 \ - libxcb-shm0 \ - libxrender1 \ - libxslt1.1 \ - libyaml-0-2 \ - libzip4 \ - libzstd1 \ - locales \ - lsb-release \ - make \ - netcat-openbsd \ - openssh-client \ - openssh-server \ - patch \ - poppler-utils \ - postgresql-client-16 \ - python-is-python3 \ - python3 \ - rename \ - rsync \ - shared-mime-info \ - socat \ - stunnel \ - 
tar \ - telnet \ - tzdata \ - unzip \ - wget \ - xz-utils \ - zip \ - zlib1g \ - zstd \ + +packages=( + apt-transport-https + apt-utils + bind9-host + bzip2 + coreutils + curl + dnsutils + ed + file + fontconfig + gcc + geoip-database + gettext-base + gir1.2-harfbuzz-0.0 + git + imagemagick + iproute2 + iputils-tracepath + less + libaom3 + libargon2-1 + libass9 + libc-client2007e + libc6-dev + libcairo2 + libcurl4 + libdatrie1 + libdav1d7 + libev4 + libevent-2.1-7 + libevent-core-2.1-7 + libevent-extra-2.1-7 + libevent-openssl-2.1-7 + libevent-pthreads-2.1-7 + libexif12 + libfreetype6 + libfribidi0 + libgd3 + libgdk-pixbuf2.0-0 + libgdk-pixbuf2.0-common + libgnutls-openssl27 + libgnutls30 + libgraphite2-3 + libgraphite2-3 + libharfbuzz-gobject0 + libharfbuzz-icu0 + libharfbuzz0b + libheif1 + liblzf1 + libmagickcore-6.q16-7-extra + libmcrypt4 + libmemcached11 + libmp3lame0 + libmysqlclient21 + libnuma1 + libogg0 + libonig5 + libopencore-amrnb0 + libopencore-amrwb0 + libopus0 + libpango-1.0-0 + libpangocairo-1.0-0 + libpangoft2-1.0-0 + libpixman-1-0 + librabbitmq4 + librsvg2-2 + librsvg2-common + libsasl2-modules + libseccomp2 + libsodium23 + libspeex1 + libsvtav1enc1d1 + libthai-data + libthai0 + libtheora0 + libunistring5 + libuv1 + libvips42 + libvorbis0a + libvorbisenc2 + libvorbisfile3 + libvpx8 + libwebp7 + libwebpdemux2 + libwebpmux3 + libx264-164 + libx265-199 + libxcb-render0 + libxcb-shm0 + libxrender1 + libxslt1.1 + libyaml-0-2 + libzip4 + libzstd1 + locales + lsb-release + make + netcat-openbsd + openssh-client + openssh-server + patch + poppler-utils + postgresql-client-16 + python-is-python3 + python3 + rename + rsync + shared-mime-info + socat + stunnel + tar + telnet + tzdata + unzip + wget + xz-utils + zip + zlib1g + zstd +) + +apt-get install -y --no-install-recommends "${packages[@]}" # Generate locale data for "en_US", which is not available by default. Ubuntu # ships only with "C" and "POSIX" locales. 
From 150553dd1ffa515c142e4f585568e09aa3275c84 Mon Sep 17 00:00:00 2001 From: Ed Morley <501702+edmorley@users.noreply.github.com> Date: Mon, 11 Mar 2024 15:09:15 +0000 Subject: [PATCH 05/24] Remove `CNB_TARGET_*` env vars workaround (#260) These were added recently in #251 to work around this upstream `lifecycle` bug: https://github.com/buildpacks/lifecycle/issues/1308 The fix for that has since been released in lifecycle 0.19.0: https://github.com/buildpacks/lifecycle/releases/tag/v0.19.0 Which our builder images are now using: https://github.com/heroku/cnb-builder-images/pull/475 As such, we no longer need the workaround here (and in fact, setting these env vars now cannot have an effect, since `lifecycle` now ignores them). GUS-W-15225541. --- heroku-20-cnb-build/Dockerfile | 2 -- heroku-22-cnb-build/Dockerfile | 2 -- heroku-24-build/Dockerfile | 2 -- 3 files changed, 6 deletions(-) diff --git a/heroku-20-cnb-build/Dockerfile b/heroku-20-cnb-build/Dockerfile index a003925b..fda7a796 100644 --- a/heroku-20-cnb-build/Dockerfile +++ b/heroku-20-cnb-build/Dockerfile @@ -10,8 +10,6 @@ RUN mkdir /app && \ ENV CNB_USER_ID=1000 ENV CNB_GROUP_ID=1000 ENV CNB_STACK_ID "heroku-20" -ENV CNB_TARGET_OS="linux" -ENV CNB_TARGET_ARCH="amd64" LABEL io.buildpacks.stack.id="heroku-20" diff --git a/heroku-22-cnb-build/Dockerfile b/heroku-22-cnb-build/Dockerfile index ba6c1c16..1567eabb 100644 --- a/heroku-22-cnb-build/Dockerfile +++ b/heroku-22-cnb-build/Dockerfile @@ -10,8 +10,6 @@ RUN mkdir /app && \ ENV CNB_USER_ID=1000 ENV CNB_GROUP_ID=1000 ENV CNB_STACK_ID "heroku-22" -ENV CNB_TARGET_OS="linux" -ENV CNB_TARGET_ARCH="amd64" LABEL io.buildpacks.stack.id="heroku-22" diff --git a/heroku-24-build/Dockerfile b/heroku-24-build/Dockerfile index 09546961..c281348f 100644 --- a/heroku-24-build/Dockerfile +++ b/heroku-24-build/Dockerfile 
@@ -8,5 +8,3 @@ USER 1002 ENV CNB_USER_ID=1002 ENV CNB_GROUP_ID=1000 ENV CNB_STACK_ID "heroku-24" -ENV CNB_TARGET_OS=$TARGETOS -ENV CNB_TARGET_ARCH=$TARGETARCH From 2af43b30d64c89aa6a0b725e81e99665996491c9 Mon Sep 17 00:00:00 2001 From: Ed Morley <501702+edmorley@users.noreply.github.com> Date: Mon, 11 Mar 2024 15:26:58 +0000 Subject: [PATCH 06/24] Heroku-24: Stop using deprecated `apt-key add` (#259) Switches to the new method for importing/specifying keys: https://wiki.postgresql.org/wiki/Apt#Manual_Repository_Configuration This improves security, since now instead of the Postgres key being allowed to sign any package (including those from Ubuntu's APT repo), it's only trusted for packages from `apt.postgresql.org`. This resolves: ``` W: http://apt.postgresql.org/pub/repos/apt/dists/noble-pgdg/InRelease: Key is stored in legacy trusted.gpg keyring (/etc/apt/trusted.gpg), see the DEPRECATION section in apt-key(8) for details. ``` We're also using the new deb822 format, instead of the one-line format, see: https://manpages.ubuntu.com/manpages/noble/man5/sources.list.5.html Now that we're not using `apt-key add` the `gnupg` package no longer needs to be installed earlier than the other packages, so has been moved to the main package install step. We do need `ca-certificates` installed early however, so that `apt-get update` can pull the HTTPS Postgres source (whilst `apt.postgresql.org` supports HTTP too and signing makes HTTPS less important, HTTPS is what's now used in the upstream setup docs, so we've switched to using HTTPS). Fixes #248. GUS-W-15213125. --- heroku-24/setup.sh | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/heroku-24/setup.sh b/heroku-24/setup.sh index 968db775..180e0ca7 100755 --- a/heroku-24/setup.sh +++ b/heroku-24/setup.sh 
@@ -38,16 +38,21 @@ EOF
 apt-get update --error-on=any
-# Required by apt-key and does not exist in the base image on newer Ubuntu.
-apt-get install -y --no-install-recommends gnupg
+# We have to install certificates first, so that APT can use HTTPS for apt.postgresql.org.
+apt-get install -y --no-install-recommends ca-certificates
 # In order to support all features offered by Heroku Postgres, we need newer postgresql-client
 # than is available in the Ubuntu repository, so use the upstream APT repository instead:
 # https://wiki.postgresql.org/wiki/Apt
-cat >>/etc/apt/sources.list </etc/apt/sources.list.d/pgdg.sources <<'EOF'
+Types: deb
+URIs: https://apt.postgresql.org/pub/repos/apt
+Suites: noble-pgdg
+Components: main
+Signed-By: /usr/share/postgresql-common/pgdg/apt.postgresql.org.asc
 EOF
-apt-key add /build/postgresql-ACCC4CF8.asc
+mkdir -p /usr/share/postgresql-common/pgdg/
+cp /build/postgresql-ACCC4CF8.asc /usr/share/postgresql-common/pgdg/apt.postgresql.org.asc
 apt-get update --error-on=any
 apt-get upgrade -y --no-install-recommends
@@ -68,6 +73,7 @@ packages=(
 gettext-base
 gir1.2-harfbuzz-0.0
 git
+gnupg
 imagemagick
 iproute2
 iputils-tracepath
From 05959643282a9397fde242a8fdb1bcb224010f28 Mon Sep 17 00:00:00 2001
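Review bot: `cp /build/postgresql-ACCC4CF8.asc /usr/share/postgresql-common/pgdg/apt.postgresql.org.asc` carries over whatever mode the file had under `/build`, and as far as I know a `Signed-By` keyring must be readable by APT's unprivileged `_apt` user for signature checking, so a checkout with restrictive permissions would surface only as a signature failure at the following `apt-get update`. Replacing the `mkdir -p` and `cp` pair with `install -D -m 0644 /build/postgresql-ACCC4CF8.asc /usr/share/postgresql-common/pgdg/apt.postgresql.org.asc` fixes the mode explicitly and creates the directory in the same step. A one-line comment above the `Signed-By:` entry, `# Key is trusted for this source only; do not move it into /etc/apt/trusted.gpg.d/`, would record the reason for the new layout in the script itself rather than only in the commit message.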
From: Ed Morley <501702+edmorley@users.noreply.github.com> Date: Wed, 13 Mar 2024 17:18:59 +0000 Subject: [PATCH 07/24] Test `.img` file generation in CI on PRs and `main` too (#261) The base images are built as Docker images and on release, uploaded to Docker Hub. However, the Heroku platform currently doesn't use those images directly, instead using a custom `.img` file from S3. Previously this `.img` file generation was only performed on release, meaning that the CI for PRs and on `main` wouldn't test that code-path, so we might not find out about breakage until time of release. Now, the generation (but not S3 upload) is performed for PRs/`main` too. This will allow us to more easily iterate on optimising the image generation in later PRs. GUS-W-15244492. --- .github/workflows/ci.yml | 3 +-- tools/bin/capture-docker-stack | 14 ++++---------- tools/bin/update-manifest | 1 + 3 files changed, 6 insertions(+), 12 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 82946046..2a80806b 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -57,6 +57,5 @@ jobs: - name: Unpublish temp tags from this run run: bin/unpublish-tags.sh if: always() - - name: Convert docker image and release to Heroku staging + - name: Convert docker image and for Git tags release to Heroku staging run: bin/convert-and-publish-to-heroku.sh - if: success() && github.ref_type == 'tag' diff --git a/tools/bin/capture-docker-stack b/tools/bin/capture-docker-stack index 04f23fb7..16b0a5c0 100755 --- a/tools/bin/capture-docker-stack +++ b/tools/bin/capture-docker-stack 
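Review bot: The renamed step `Convert docker image and for Git tags release to Heroku staging` reads like a typo; `Convert docker image and, for Git tags, release to Heroku staging` says the same thing clearly. With the `if: success() && github.ref_type == 'tag'` condition removed, the decision to publish now lives in the scripts (the `GITHUB_REF_TYPE` check in update-manifest in this commit), so a short comment on the step pointing at that check would stop the next reader from assuming the release runs on every push.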
@@ -12,12 +12,6 @@ STACK_VERSION=$(echo "${STACK}" | cut -d '-' -f 2-)
 DOCKER_IMAGE=heroku/$STACK_NAME:$STACK_VERSION
 DOCKER_IMAGE_VERSION=$(docker inspect "${DOCKER_IMAGE}" | jq .[].Id | cut -d ':' -f 2 | cut -b 1-12)
-if [[ ${GITHUB_REF_TYPE} == 'tag' ]]; then
- GIT_REF=${GITHUB_REF_NAME:?'Error: GITHUB_REF_NAME must be set!'}
-else
- abort "Error: Cannot publish without a Git tag!"
-fi
-
 IMG_BASE=${STACK_NAME}64-$STACK_VERSION-$DOCKER_IMAGE_VERSION
 IMG=/tmp/$IMG_BASE.img
 IMG_MNT=/tmp/$IMG_BASE
@@ -47,12 +41,12 @@ display "SHA256ing and gzipping image"
 make-image-archive "${IMG}" "${IMG_SHA256}" |& indent
 cat "${IMG_SHA256}"
+display "Capture Package Versions"
+capture-package-versions "${DOCKER_IMAGE}" "${IMG_PKG_VERSIONS}"
+
 if update-manifest; then
- display "Starting push at $(date)"
- display "Capture Package Versions"
- capture-package-versions "${DOCKER_IMAGE}" "${IMG_PKG_VERSIONS}"
 display "Uploading files"
- upload-image "${IMG_GZ}" "${IMG_SHA256}" "${IMG_MANIFEST}" "${STACK}" "${DOCKER_IMAGE_VERSION}" "${IMG_PKG_VERSIONS}" "${GIT_REF}" |& indent
+ upload-image "${IMG_GZ}" "${IMG_SHA256}" "${IMG_MANIFEST}" "${STACK}" "${DOCKER_IMAGE_VERSION}" "${IMG_PKG_VERSIONS}" "${GITHUB_REF_NAME}" |& indent
 else
 display "Skipping image upload"
 fi
diff --git a/tools/bin/update-manifest b/tools/bin/update-manifest
index d55cfc36..9c4babfd 100755
--- a/tools/bin/update-manifest
+++ b/tools/bin/update-manifest
@@ -2,5 +2,6 @@
 set -euo pipefail
+[[ "${GITHUB_REF_TYPE:-}" == 'tag' ]] || { echo "Skipping upload since GITHUB_REF_TYPE != 'tag'" && exit 1; }
 [[ -v MANIFEST_APP_URL ]] || { echo "Missing manifest app url" && exit 1; }
 [[ -v MANIFEST_APP_TOKEN ]] || { echo "Missing manifest app token" && exit 1; }
From 6338dbbbb7b2426d4e609e4f8c3e50f09d2059b8 Mon Sep 17 00:00:00 2001
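Review bot: `upload-image` now receives `"${GITHUB_REF_NAME}"` with no guard of its own, so the only thing keeping a non-tag ref name out of the upload is the exit status of `update-manifest`, a separate script. Keeping the assertion at the call site costs nothing and documents the contract where it is consumed: `"${GITHUB_REF_NAME:?GITHUB_REF_NAME must be set}"` in place of `"${GITHUB_REF_NAME}"`. The enclosing script continues outside the hunk, so whether `set -u` would otherwise catch an unset value is not visible here.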
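Review bot: The new `GITHUB_REF_TYPE` check in update-manifest exits 1 with a "Skipping" message, exactly as the two missing-credential checks below it do, so the caller's `if update-manifest; then … else display "Skipping image upload"` can no longer distinguish a deliberate skip on a PR build from missing `MANIFEST_APP_URL`/`MANIFEST_APP_TOKEN` on a tag build, which would silently drop a release. Give the configuration errors a distinct status, e.g. `exit 2`, and have capture-docker-stack treat anything other than 0 or 1 as fatal. The `echo … && exit 1` form also only exits if `echo` succeeds; `{ echo …; exit 1; }` is the usual shape.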
From: Ed Morley <501702+edmorley@users.noreply.github.com> Date: Wed, 13 Mar 2024 17:39:41 +0000 Subject: [PATCH 08/24] Improve image tools local development workflow (#262) The scripts under `tools/` are used for the conversion of Docker images to the Heroku-specific `.img` file format. As of #261 we now test those in CI, however, there were still a few rough edges when using them locally, which have been improved here. GUS-W-15245136. --- BUILD.md | 21 ++++++++------------- tools/Dockerfile | 11 +++++------ tools/bin/capture-package-versions | 2 +- tools/bin/convert-to-heroku-stack-image | 10 +++++++--- tools/bin/docker-entrypoint | 5 ----- tools/bin/export-docker-image | 2 +- 6 files changed, 22 insertions(+), 29 deletions(-) delete mode 100755 tools/bin/docker-entrypoint diff --git a/BUILD.md b/BUILD.md index eeb5592a..86cc02e0 100644 --- a/BUILD.md +++ b/BUILD.md 
@@ -46,19 +46,14 @@ of 4 images: We use GitHub Actions to build and release Heroku Base Images: * Any push to `main` will build the images and push the nightly Docker tag variants (such as `heroku/heroku:22-build.nightly`). -* Any new Git tag will build the image and push the latest Docker tag (such as `heroku/heroku:22-build`), as well as a versioned tag (such as `heroku/heroku:22-build.v89`). +* Any new Git tag will build the image and push the latest Docker tag (such as `heroku/heroku:22-build`), + as well as a versioned tag (such as `heroku/heroku:22-build.v123`). The Docker image will then also be + converted to a Heroku-specific `.img` format and uploaded to S3 for consumption by the runtime hosts. -# Releasing Heroku Base Images Locally (Prime) +# Generating `.img` format Base Images locally -When building Heroku Base Images for release locally, you'll need a number of additional steps. +To test the generation of the Heroku-specific `.img` file: -NOTE: These steps do *not* apply to `*cnb*` images. - - export DOCKER_DEFAULT_PLATFORM=linux/amd64 - # Build the base image(s) as you would above - # … - docker build ./tools -t heroku/image-tools - # SET MANIFEST_APP_URL and MANIFEST_APP_TOKEN values, this is the app that controls the bucket for images and metadata about the images (Cheverny) - docker run -it --rm --privileged -v /var/run/docker.sock:/var/run/docker.sock -e "MANIFEST_APP_URL=$MANIFEST_APP_URL" -e "MANIFEST_APP_TOKEN=$MANIFEST_APP_TOKEN" heroku/image-tools STACK - # this will use your local docker image and convert it to a heroku base image - # it will then upload this image and the staging manifest via the MANIFEST_APP +1. Build the Docker images for your chosen stack as normal above. +2. `docker build --platform=linux/amd64 ./tools -t heroku-image-tools` +3. `docker run -it --rm --platform=linux/amd64 --privileged -v /var/run/docker.sock:/var/run/docker.sock heroku-image-tools STACK` (where `STACK` is the full stack name like `heroku-22`) 
diff --git a/tools/Dockerfile b/tools/Dockerfile
index 6bd5aedc..88d6a19b 100644
--- a/tools/Dockerfile
+++ b/tools/Dockerfile
@@ -1,12 +1,11 @@
 # This Docker image is used only for local testing and not by the CI-based releases.
-FROM ubuntu:20.04
+# See BUILD.md for usage instructions.
+FROM ubuntu:22.04
-RUN apt-get update
-RUN apt-get install docker.io -y
-RUN apt-get install jq -y
-RUN apt-get install curl -y
+RUN apt-get update --error-on=any \
+ && apt-get install -y --no-install-recommends docker.io jq curl
 COPY bin /usr/local/bin
 VOLUME ["/var/run/docker.sock"]
-ENTRYPOINT ["/usr/local/bin/docker-entrypoint"]
+ENTRYPOINT ["/usr/local/bin/convert-to-heroku-stack-image"]
diff --git a/tools/bin/capture-package-versions b/tools/bin/capture-package-versions
index 250a75a9..1a31a6de 100755
--- a/tools/bin/capture-package-versions
+++ b/tools/bin/capture-package-versions
@@ -5,4 +5,4 @@ set -euo pipefail
 DOCKER_IMAGE=$1
 OUTPUT_FILE=$2
-docker run --rm "${DOCKER_IMAGE}" dpkg-query -W -f "\${package},\${version}\n" | jq -s -R -f /usr/local/bin/csv-to-array.jq > "${OUTPUT_FILE}"
+docker run --platform=linux/amd64 --rm "${DOCKER_IMAGE}" dpkg-query -W -f "\${package},\${version}\n" | jq -s -R -f /usr/local/bin/csv-to-array.jq > "${OUTPUT_FILE}"
diff --git a/tools/bin/convert-to-heroku-stack-image b/tools/bin/convert-to-heroku-stack-image
index 938ade4e..e9c72f1b 100755
--- a/tools/bin/convert-to-heroku-stack-image
+++ b/tools/bin/convert-to-heroku-stack-image
@@ -2,11 +2,15 @@
 set -euo pipefail
+STACK="${1:-}"
+
+[[ "${STACK}" =~ ^heroku-[0-9]+$ ]] || abort "fatal: invalid STACK"
+
 VERSION_PREFIX=$(date '+%Y%m%d-%H%M%S')
 while [ $# -gt 0 ]; do
- capture-docker-stack "$1" "$VERSION_PREFIX"
- capture-docker-stack "$1-build" "$VERSION_PREFIX"
+ capture-docker-stack "${STACK}" "$VERSION_PREFIX"
+ capture-docker-stack "${STACK}-build" "$VERSION_PREFIX"
 shift
 done
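Review bot: In convert-to-heroku-stack-image the `while [ $# -gt 0 ]` loop is now driven by `${STACK}`, which is fixed to `$1` before the loop, so a second positional argument no longer selects another stack but re-runs the capture of the first one. Since the script now accepts exactly one stack, replace the loop with the two plain calls and reject extra arguments: `(( $# == 1 )) || abort "usage: ${0##*/} STACK"`, then `capture-docker-stack "${STACK}" "$VERSION_PREFIX"` and `capture-docker-stack "${STACK}-build" "$VERSION_PREFIX"`. `abort` is used but not defined or sourced in this hunk; presumably it comes from the shared tooling, worth confirming it is available inside the tools image now that the entrypoint calls this script directly.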
@@ -15,4 +19,4 @@ if update-manifest; then
 publish-manifests
 else
 display "Skipping manifest update"
-fi
\ No newline at end of file
+fi
diff --git a/tools/bin/docker-entrypoint b/tools/bin/docker-entrypoint deleted file mode 100755
index 49b2e7b7..00000000
--- a/tools/bin/docker-entrypoint
+++ /dev/null
@@ -1,5 +0,0 @@
-#!/usr/bin/env bash
-
-set -euo pipefail
-
-convert-to-heroku-stack-image "$@"
diff --git a/tools/bin/export-docker-image b/tools/bin/export-docker-image
index cf0b8ea0..02c9edc0 100755
--- a/tools/bin/export-docker-image
+++ b/tools/bin/export-docker-image
@@ -5,7 +5,7 @@ set -euo pipefail
 DOCKER_IMAGE="$1"
 MNT="$2"
-CONTAINER="$(docker create "$DOCKER_IMAGE")"
+CONTAINER="$(docker create --platform linux/amd64 "$DOCKER_IMAGE")"
 trap 'docker rm "$CONTAINER" > /dev/null' EXIT
 docker export "$CONTAINER" | tar -x -C "$MNT" --exclude=lib/modules bin etc lib lib64 sbin usr var/lib
From bb17881e30f49a9fa12403f52f7ae258a978c6da Mon Sep 17 00:00:00 2001
From: Ed Morley <501702+edmorley@users.noreply.github.com> Date: Fri, 15 Mar 2024 12:49:06 +0000 Subject: [PATCH 09/24] Significantly reduce size of ext3 `.img` assets (#263) Our base images are built as Docker images and on release, published to Docker Hub. However, the Heroku platform currently doesn't use those images directly. Instead, during release `ext3` formatted `.img` files are generated from each Docker image, which are gzipped and uploaded to S3. At runtime these are then mounted as a loopback device. For more background on this, see: https://github.com/heroku/base-images/pull/42#issuecomment-250837783 Previously each `.img` file was created at a fixed size of 2400 MiB, thanks to the `bs=100M count=24` arguments to `dd` (24 x 100 MiB blocks): https://manpages.ubuntu.com/manpages/jammy/en/man1/dd.1.html However, this is significantly oversized - for example with Heroku-22's run image utilisation is at 29%: ``` $ df --human-readable /tmp/heroku-20 Filesystem Size Used Avail Use% Mounted on /dev/loop3 2.3G 654M 1.6G 29% /tmp/heroku-20 ``` This 1.6 GiB of free space is not required, since the image will be mounted as read-only at runtime (the app's own storage lives in separate mounts). At first glance this over-sizing might not seem like an issue, since `dd` was invoked with `if=/dev/zero` so the empty space is zeroed out, and therefore compresses very well (the Heroku-22 run image gzips down to 216 MiB) - meaning bytes over the wire and S3 storage costs are not impacted. However, on the runtime hosts these images have to be stored/used uncompressed - and in large quantity due to the number of permutations of stack versions/variants we've accumulated over time (`cedar{,-14}`, `heroku-{16,18,20,22,24}{,-build}`). In addition, during a base image release, the Common Runtime hosts have to store both the old and new releases on disk side by side until old dynos cycle - meaning the high water mark for disk usage is doubled for each non-EOL stack. 
With the addition of Heroku-24 to staging recently (which increased the storage requirements high water mark by 9.4 GiB due to the above), this resulted in disk space exhaustion on one partition of some of the single-dyno dedicated instance types: https://salesforce-internal.slack.com/archives/C01R6FJ738U/p1710236577625989 I did some research to check whether there was a specific reason for over-sizing, and found that the current `bs=100M count=24` arguments date back to 2011: https://github.com/heroku/capturestack/commit/8821890894a7521791e81e8bf8f6ab2b31c93c8e The 2400 MiB figure seems to have been picked fairly arbitrarily - to roughly fit the larger images at that time with some additional headroom. In addition, I doubt disk usage was a concern since back then there weren't the single-dyno instance types (which have less allocated storage than the multi-tenant instances) or the 12x stack versions /variants we've accumulated since. As such, rather than increase the allocated EBS storage fleet-wide to support the Heroku-24 rollout, we can offset the increase for Heroku-24 (and in fact reduce overall storage requirements significantly), by instead dynamically sizing the `.img` files - basing their size on that of the base image contents they hold. To do this I've chosen to create the `.img` file at an appropriate size up-front rather than try to shrink it afterwards, since the process of shrinking would be fairly involved (eg: https://superuser.com/a/1771500), require a lot more research/testing, and only gain us a couple of MiB additional savings. The `.img` file format will also eventually be sunset with the move to CNBs / OCI images instead of slugs. 
I've also added the printing of disk utilisation during the `.img` generation process, which allows us to see the changes in image size: ### Before ``` Filesystem Size Used Avail Use% Mounted on /dev/loop3 2.3G 654M 1.6G 29% /tmp/heroku-20 /dev/loop3 2.3G 1.5G 770M 67% /tmp/heroku-20-build /dev/loop3 2.3G 661M 1.6G 30% /tmp/heroku-22 /dev/loop3 2.3G 1.1G 1.2G 46% /tmp/heroku-22-build /dev/loop3 2.3G 669M 1.6G 30% /tmp/heroku-24 /dev/loop3 2.3G 1.2G 1.1G 51% /tmp/heroku-24-build Total: 14400 MiB ``` ### After ``` Filesystem Size Used Avail Use% Mounted on /dev/loop3 670M 654M 8.7M 99% /tmp/heroku-20 /dev/loop3 1.6G 1.5G 23M 99% /tmp/heroku-20-build /dev/loop3 678M 660M 11M 99% /tmp/heroku-22 /dev/loop3 1.1G 1.1G 6.8M 100% /tmp/heroku-22-build /dev/loop3 686M 669M 10M 99% /tmp/heroku-24 /dev/loop3 1.2G 1.2G 11M 100% /tmp/heroku-24-build Total: 6027 MiB ``` Across those 6 actively updated (non-EOL) stack variants we save 8.2 GiB, which translates to a 16.4 GiB reduction in the high-water mark storage requirements for every Common Runtime instance in the fleet, and an 8.2 GiB reduction for every Private Spaces runtime node (which receive updates via the AMI so don't have double the images during new releases). There is also potentially another ~6.5 GiB savings to be had from repacking the `.img` files for the last release of each of the 6 EOL stacks versions/variants, however, since those stacks are no longer built/released that would need a more involved repacking approach. (Plus since these stacks aren't updated, they don't cause double the usage requirements for Common Runtime during releases, so the realised overall storage requirements reduction would be less.) Docs for the various related tools: https://manpages.ubuntu.com/manpages/jammy/en/man1/du.1.html https://manpages.ubuntu.com/manpages/jammy/en/man1/df.1.html https://manpages.ubuntu.com/manpages/jammy/en/man1/dd.1.html https://manpages.ubuntu.com/manpages/jammy/en/man1/fallocate.1.html GUS-W-15245261. 
--- tools/bin/capture-docker-stack | 8 +++++++- tools/bin/make-filesystem-image | 17 ++++++++++++++++- 2 files changed, 23 insertions(+), 2 deletions(-)
diff --git a/tools/bin/capture-docker-stack b/tools/bin/capture-docker-stack
index 16b0a5c0..8df9d7df 100755
--- a/tools/bin/capture-docker-stack
+++ b/tools/bin/capture-docker-stack
@@ -11,6 +11,11 @@ STACK_VERSION=$(echo "${STACK}" | cut -d '-' -f 2-)
 DOCKER_IMAGE=heroku/$STACK_NAME:$STACK_VERSION
 DOCKER_IMAGE_VERSION=$(docker inspect "${DOCKER_IMAGE}" | jq .[].Id | cut -d ':' -f 2 | cut -b 1-12)
+# Using `du` rather than the `Size` attribute from Docker inspect, since the latter appears to:
+# - Under-report usage slightly when using the overlay2 storage driver
+# - Be the compressed image size (instead of uncompressed) when using the containerd snapshotter
+# The `--user root` is required since the images for newer stacks default to a non-root user.
+DOCKER_IMAGE_SIZE_IN_MB=$(docker run --rm --platform linux/amd64 --user root "${DOCKER_IMAGE}" du -sx --block-size=M | cut -d 'M' -f 1)
 IMG_BASE=${STACK_NAME}64-$STACK_VERSION-$DOCKER_IMAGE_VERSION
 IMG=/tmp/$IMG_BASE.img
@@ -23,7 +28,7 @@ IMG_PKG_VERSIONS=/tmp/$IMG_BASE.pkg.versions
 display "Starting capture for ${STACK} ${DOCKER_IMAGE_VERSION} at $(date)"
 display "Creating image file ${IMG}"
-make-filesystem-image "${IMG}" |& indent
+make-filesystem-image "${IMG}" "${DOCKER_IMAGE_SIZE_IN_MB}" |& indent
 display "Mounting image ${IMG_MNT}"
 mount-filesystem-image "${IMG}" "${IMG_MNT}" |& indent
@@ -35,6 +40,7 @@ display "Modifying image directories and files"
 install-heroku-files "${IMG_MNT}" |& indent
 display "Unmounting image"
+df --human-readable "${IMG_MNT}" |& indent
 umount "${IMG_MNT}" |& indent
 display "SHA256ing and gzipping image"
diff --git a/tools/bin/make-filesystem-image b/tools/bin/make-filesystem-image
index d3ad7802..932d77b0 100755
--- a/tools/bin/make-filesystem-image
+++ b/tools/bin/make-filesystem-image
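Review bot: `du -sx --block-size=M` in the new `DOCKER_IMAGE_SIZE_IN_MB` line is run without a path, so it sizes the container's working directory, not the root filesystem; that only equals the image size when the image's WORKDIR is `/`, which this hunk cannot confirm. Passing the path explicitly, `du -sx --block-size=M /`, removes the dependency on how each stack's Dockerfile sets WORKDIR (the later `df` already passes its path). `--block-size=M` rounds up, so the value is a ceiling rather than an exact figure; a short addition to the comment above, `# du rounds up to the next MiB, so this slightly over-estimates`, would save the next reader from checking.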
@@ -3,8 +3,23 @@ set -euo pipefail IMG="$1" +DOCKER_IMAGE_SIZE_IN_MB="$2" + +# We have to pick a fixed size in advance for the .img file we create, so base it on the size +# of the original Docker image to avoid either wasting space or having the later tar extraction +# step fail with out of disk space errors. The image will be mounted read-only at runtime, so +# does not need free space for app files (separate mounts are used for those). The multiplier +# here is to account for the 5-6% loss of usable space due to ext3 filesystem overhead, as well +# as to ensure a few MB additional free space headroom. +IMG_SIZE_IN_MB=$((DOCKER_IMAGE_SIZE_IN_MB * 107 / 100)) mkdir -p "$(dirname "$IMG")" -dd if=/dev/zero of="$IMG" bs=100M count=24 + +# Create an empty file of the specified size. +# Using `fallocate` instead of `dd` since it's faster, simpler for this use-case, and doesn't +# suffer from `dd`'s non-determinism when attempting to copy an exact number of bytes: +# https://unix.stackexchange.com/a/121888 +fallocate --length "${IMG_SIZE_IN_MB}MiB" "${IMG}" + mkfs -t ext3 -m 1 "$IMG" tune2fs -c 0 -i 0 "$IMG" From 6af6d3a1b20b684402691b59f9bb360766935f97 Mon Sep 17 00:00:00 2001 From: Ed Morley <501702+edmorley@users.noreply.github.com> Date: Mon, 18 Mar 2024 09:05:58 +0000 Subject: [PATCH 10/24] Misc image tool script improvements (#264) * Removes the redundant `64` suffix from the image filenames/mount directories on disk. This doesn't affect the filename on S3. * Adds comments to the `mkfs` / `tune2fs` usages, since their purpose and arguments are IMO not immediately obvious. Docs for the related tools: https://manpages.ubuntu.com/manpages/jammy/en/man8/mkfs.8.html https://manpages.ubuntu.com/manpages/jammy/en/man8/tune2fs.8.html Split out of #263. GUS-W-15245261. --- tools/bin/capture-docker-stack | 2 +- tools/bin/make-filesystem-image | 8 ++++++++ 2 files changed, 9 insertions(+), 1 deletion(-) 
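Review bot: The added `fallocate --length` call does not truncate an existing `$IMG`, so a leftover file from an earlier run that was larger keeps its old size and its old ext3 signature, and `mke2fs` may then stop at its "contains a file system, Proceed anyway?" prompt in a non-interactive job; remove any previous file first with `rm -f -- "${IMG}"` immediately before the `fallocate` line (or pass `-F` to `mkfs`). Separately, `$2` flows straight into `$((DOCKER_IMAGE_SIZE_IN_MB * 107 / 100))`, and bash arithmetic evaluates variable names and array subscripts found in the string rather than rejecting them, so a guard such as `[[ "${DOCKER_IMAGE_SIZE_IN_MB}" =~ ^[0-9]+$ ]] || { echo "usage: $0 IMG SIZE_IN_MB" >&2; exit 2; }` after the assignment turns a malformed caller value into a clean failure. The 7% multiplier is only a few MB of headroom on the smaller images per the `df` output in the description, so a comment stating that `install-heroku-files` must not add more than that is worth adding next to it.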
diff --git a/tools/bin/capture-docker-stack b/tools/bin/capture-docker-stack index 8df9d7df..540fca3c 100755 --- a/tools/bin/capture-docker-stack +++ b/tools/bin/capture-docker-stack @@ -17,7 +17,7 @@ DOCKER_IMAGE_VERSION=$(docker inspect "${DOCKER_IMAGE}" | jq .[].Id | cut -d ':' # The `--user root` is required since the images for newer stacks default to a non-root user. DOCKER_IMAGE_SIZE_IN_MB=$(docker run --rm --platform linux/amd64 --user root "${DOCKER_IMAGE}" du -sx --block-size=M | cut -d 'M' -f 1) -IMG_BASE=${STACK_NAME}64-$STACK_VERSION-$DOCKER_IMAGE_VERSION +IMG_BASE=${STACK_NAME}-$STACK_VERSION-$DOCKER_IMAGE_VERSION IMG=/tmp/$IMG_BASE.img IMG_MNT=/tmp/$IMG_BASE IMG_GZ=/tmp/$IMG_BASE.img.gz diff --git a/tools/bin/make-filesystem-image b/tools/bin/make-filesystem-image index 932d77b0..e093daa3 100755 --- a/tools/bin/make-filesystem-image +++ b/tools/bin/make-filesystem-image @@ -21,5 +21,13 @@ mkdir -p "$(dirname "$IMG")" # https://unix.stackexchange.com/a/121888 fallocate --length "${IMG_SIZE_IN_MB}MiB" "${IMG}" +# Format that file as an ext3 filesystem. +# The `-m` argument reduces reserved-blocks-percentage from its default of 5% to 1%. +# TODO: Switch to calling `mkfs.ext3` or `mke2fs -t ext3` since the `mkfs` alias is deprecated: +# https://manpages.ubuntu.com/manpages/jammy/en/man8/mkfs.8.html mkfs -t ext3 -m 1 "$IMG" + +# Adjust the filesystem parameters for improved performance on runtime instances. +# The `-c` and `-i` arguments disable automatic filesystem checks, which are otherwise run based +# on number of times the image is mounted, or how much time has passed since the last check. tune2fs -c 0 -i 0 "$IMG" From ef636fe910688379662b28bb522abec91eee4075 Mon Sep 17 00:00:00 2001 
From: Ed Morley <501702+edmorley@users.noreply.github.com> Date: Tue, 19 Mar 2024 00:10:59 +0000 Subject: [PATCH 11/24] Add missing OCI image labels from CNB spec (#265) Adds the following labels: - `io.buildpacks.base.distro.name` - `io.buildpacks.base.distro.version` - `io.buildpacks.base.homepage` - `io.buildpacks.base.maintainer` Of note, adding the `io.buildpacks.base.distro.*` labels unblocks CNBs being able to determine the distro name/version from within detect/build, allowing our CNBs to migrate from stacks to targets, and thus to start using Buildpack API 0.10. See: https://github.com/buildpacks/spec/blob/platform/0.13/platform.md#build-image https://github.com/buildpacks/spec/blob/platform/0.13/platform.md#run-image https://github.com/buildpacks/spec/blob/platform/0.13/platform.md#target-data Fixes #249. GUS-W-15213143. --- heroku-20-cnb-build/Dockerfile | 11 ++++++++++- heroku-20-cnb/Dockerfile | 11 ++++++++++- heroku-22-cnb-build/Dockerfile | 11 ++++++++++- heroku-22-cnb/Dockerfile | 11 ++++++++++- heroku-24-build/Dockerfile | 6 +++++- heroku-24/Dockerfile | 9 ++++++++- 6 files changed, 53 insertions(+), 6 deletions(-) diff --git a/heroku-20-cnb-build/Dockerfile b/heroku-20-cnb-build/Dockerfile index fda7a796..ca237dbe 100644 --- a/heroku-20-cnb-build/Dockerfile +++ b/heroku-20-cnb-build/Dockerfile 
@@ -7,10 +7,19 @@ RUN groupadd heroku --gid 1000 && \ RUN mkdir /app && \ chown heroku:heroku /app +# https://github.com/buildpacks/spec/blob/platform/0.13/platform.md#build-image ENV CNB_USER_ID=1000 ENV CNB_GROUP_ID=1000 -ENV CNB_STACK_ID "heroku-20" +# Note: This image doesn't inherit from the CNB run image variant so we have +# to redeclare the labels present in the CNB run image again here. +LABEL io.buildpacks.base.distro.name="ubuntu" +LABEL io.buildpacks.base.distro.version="20.04" +LABEL io.buildpacks.base.homepage="https://github.com/heroku/base-images" +LABEL io.buildpacks.base.maintainer="Heroku" +# Stack IDs are deprecated, but we still set these for backwards compatibility: +# https://github.com/buildpacks/spec/blob/platform/0.13/platform.md#iobuildpacksstack-labels +ENV CNB_STACK_ID "heroku-20" LABEL io.buildpacks.stack.id="heroku-20" USER heroku diff --git a/heroku-20-cnb/Dockerfile b/heroku-20-cnb/Dockerfile index 0cc60257..0d1c134f 100644 --- a/heroku-20-cnb/Dockerfile +++ b/heroku-20-cnb/Dockerfile @@ -6,6 +6,15 @@ RUN ln -s /workspace /app RUN groupadd heroku --gid 1000 && \ useradd heroku -u 1000 -g 1000 -s /bin/bash -m -LABEL io.buildpacks.stack.id="heroku-20" +# https://github.com/buildpacks/spec/blob/platform/0.13/platform.md#run-image USER heroku +LABEL io.buildpacks.base.distro.name="ubuntu" +LABEL io.buildpacks.base.distro.version="20.04" +LABEL io.buildpacks.base.homepage="https://github.com/heroku/base-images" +LABEL io.buildpacks.base.maintainer="Heroku" + +# Stack IDs are deprecated, but we still set this for backwards compatibility: +# https://github.com/buildpacks/spec/blob/platform/0.13/platform.md#iobuildpacksstack-labels +LABEL io.buildpacks.stack.id="heroku-20" + ENV HOME /app diff --git a/heroku-22-cnb-build/Dockerfile b/heroku-22-cnb-build/Dockerfile index 1567eabb..9b00281b 100644 --- a/heroku-22-cnb-build/Dockerfile +++ b/heroku-22-cnb-build/Dockerfile 
@@ -7,10 +7,19 @@ RUN groupadd heroku --gid 1000 && \ RUN mkdir /app && \ chown heroku:heroku /app +# https://github.com/buildpacks/spec/blob/platform/0.13/platform.md#build-image ENV CNB_USER_ID=1000 ENV CNB_GROUP_ID=1000 -ENV CNB_STACK_ID "heroku-22" +# Note: This image doesn't inherit from the CNB run image variant so we have +# to redeclare the labels present in the CNB run image again here. +LABEL io.buildpacks.base.distro.name="ubuntu" +LABEL io.buildpacks.base.distro.version="22.04" +LABEL io.buildpacks.base.homepage="https://github.com/heroku/base-images" +LABEL io.buildpacks.base.maintainer="Heroku" +# Stack IDs are deprecated, but we still set these for backwards compatibility: +# https://github.com/buildpacks/spec/blob/platform/0.13/platform.md#iobuildpacksstack-labels +ENV CNB_STACK_ID "heroku-22" LABEL io.buildpacks.stack.id="heroku-22" USER heroku diff --git a/heroku-22-cnb/Dockerfile b/heroku-22-cnb/Dockerfile index 91edd682..c2b7e207 100644 --- a/heroku-22-cnb/Dockerfile +++ b/heroku-22-cnb/Dockerfile @@ -6,6 +6,15 @@ RUN ln -s /workspace /app RUN groupadd heroku --gid 1000 && \ useradd heroku -u 1000 -g 1000 -s /bin/bash -m -LABEL io.buildpacks.stack.id="heroku-22" +# https://github.com/buildpacks/spec/blob/platform/0.13/platform.md#run-image USER heroku +LABEL io.buildpacks.base.distro.name="ubuntu" +LABEL io.buildpacks.base.distro.version="22.04" +LABEL io.buildpacks.base.homepage="https://github.com/heroku/base-images" +LABEL io.buildpacks.base.maintainer="Heroku" + +# Stack IDs are deprecated, but we still set this for backwards compatibility: +# https://github.com/buildpacks/spec/blob/platform/0.13/platform.md#iobuildpacksstack-labels +LABEL io.buildpacks.stack.id="heroku-22" + ENV HOME /app diff --git a/heroku-24-build/Dockerfile b/heroku-24-build/Dockerfile index c281348f..7573f246 100644 --- a/heroku-24-build/Dockerfile +++ b/heroku-24-build/Dockerfile 
@@ -3,8 +3,12 @@ FROM $BASE_IMAGE USER root RUN --mount=target=/build /build/setup.sh -# https://github.com/buildpacks/spec/blob/main/platform.md#build-image +# https://github.com/buildpacks/spec/blob/platform/0.13/platform.md#build-image +# The `io.buildpacks.base.*` labels are inherited from the run image, so don't need to be repeated here. USER 1002 ENV CNB_USER_ID=1002 ENV CNB_GROUP_ID=1000 + +# Stack IDs are deprecated, but we still set this for backwards compatibility: +# https://github.com/buildpacks/spec/blob/platform/0.13/platform.md#iobuildpacksstack-labels ENV CNB_STACK_ID "heroku-24" diff --git a/heroku-24/Dockerfile b/heroku-24/Dockerfile index 403601c8..7fe699ca 100644 --- a/heroku-24/Dockerfile +++ b/heroku-24/Dockerfile @@ -1,6 +1,13 @@ FROM ubuntu:24.04 RUN --mount=target=/build /build/setup.sh -# https://github.com/buildpacks/spec/blob/main/platform.md#run-image +# https://github.com/buildpacks/spec/blob/platform/0.13/platform.md#run-image USER 1001 +LABEL io.buildpacks.base.distro.name="ubuntu" +LABEL io.buildpacks.base.distro.version="24.04" +LABEL io.buildpacks.base.homepage="https://github.com/heroku/base-images" +LABEL io.buildpacks.base.maintainer="Heroku" + +# Stack IDs are deprecated, but we still set this for backwards compatibility: +# https://github.com/buildpacks/spec/blob/platform/0.13/platform.md#iobuildpacksstack-labels LABEL io.buildpacks.stack.id="heroku-24" From b3c12a9dd311f54b5c3794555f2bd8357d7a2a21 Mon Sep 17 00:00:00 2001 
From: Ed Morley <501702+edmorley@users.noreply.github.com> Date: Tue, 19 Mar 2024 19:31:48 +0000 Subject: [PATCH 12/24] Misc Dockerfile improvements (#267) * Combines a few `RUN` statements to reduce number of image layers. * Switches remaining `ENV` usages to the form that uses `=` for consistency and per recommendation here: https://docs.docker.com/reference/dockerfile/#env * Uses long form CLI arguments for `useradd` to make their purpose clearer. GUS-W-15213143. --- heroku-20-cnb-build/Dockerfile | 11 +++++------ heroku-20-cnb/Dockerfile | 9 ++++----- heroku-22-cnb-build/Dockerfile | 11 +++++------ heroku-22-cnb/Dockerfile | 9 ++++----- heroku-24-build/Dockerfile | 4 +++- heroku-24/Dockerfile | 1 + heroku-24/setup.sh | 4 ++-- 7 files changed, 24 insertions(+), 25 deletions(-) diff --git a/heroku-20-cnb-build/Dockerfile b/heroku-20-cnb-build/Dockerfile index ca237dbe..33928801 100644 --- a/heroku-20-cnb-build/Dockerfile +++ b/heroku-20-cnb-build/Dockerfile @@ -1,11 +1,10 @@ ARG BASE_IMAGE=heroku/heroku:20-build FROM $BASE_IMAGE -RUN groupadd heroku --gid 1000 && \ - useradd heroku -u 1000 -g 1000 -s /bin/bash -m - -RUN mkdir /app && \ - chown heroku:heroku /app +RUN groupadd heroku --gid 1000 \ + && useradd heroku --uid 1000 --gid 1000 --shell /bin/bash --create-home \ + && mkdir /app \ + && chown heroku:heroku /app # https://github.com/buildpacks/spec/blob/platform/0.13/platform.md#build-image ENV CNB_USER_ID=1000 @@ -19,7 +18,7 @@ LABEL io.buildpacks.base.maintainer="Heroku" # Stack IDs are deprecated, but we still set these for backwards compatibility: # https://github.com/buildpacks/spec/blob/platform/0.13/platform.md#iobuildpacksstack-labels -ENV CNB_STACK_ID "heroku-20" +ENV CNB_STACK_ID="heroku-20" LABEL io.buildpacks.stack.id="heroku-20" USER heroku diff --git a/heroku-20-cnb/Dockerfile b/heroku-20-cnb/Dockerfile index 0d1c134f..1e829420 100644 --- a/heroku-20-cnb/Dockerfile +++ b/heroku-20-cnb/Dockerfile 
@@ -1,10 +1,9 @@ ARG BASE_IMAGE=heroku/heroku:20 FROM $BASE_IMAGE -RUN ln -s /workspace /app - -RUN groupadd heroku --gid 1000 && \ - useradd heroku -u 1000 -g 1000 -s /bin/bash -m +RUN groupadd heroku --gid 1000 \ + && useradd heroku --uid 1000 --gid 1000 --shell /bin/bash --create-home \ + && ln -s /workspace /app # https://github.com/buildpacks/spec/blob/platform/0.13/platform.md#run-image USER heroku @@ -17,4 +16,4 @@ LABEL io.buildpacks.base.maintainer="Heroku" # https://github.com/buildpacks/spec/blob/platform/0.13/platform.md#iobuildpacksstack-labels LABEL io.buildpacks.stack.id="heroku-20" -ENV HOME /app +ENV HOME=/app diff --git a/heroku-22-cnb-build/Dockerfile b/heroku-22-cnb-build/Dockerfile index 9b00281b..f1e6b502 100644 --- a/heroku-22-cnb-build/Dockerfile +++ b/heroku-22-cnb-build/Dockerfile @@ -1,11 +1,10 @@ ARG BASE_IMAGE=heroku/heroku:22-build FROM $BASE_IMAGE -RUN groupadd heroku --gid 1000 && \ - useradd heroku -u 1000 -g 1000 -s /bin/bash -m - -RUN mkdir /app && \ - chown heroku:heroku /app +RUN groupadd heroku --gid 1000 \ + && useradd heroku --uid 1000 --gid 1000 --shell /bin/bash --create-home \ + && mkdir /app \ + && chown heroku:heroku /app # https://github.com/buildpacks/spec/blob/platform/0.13/platform.md#build-image ENV CNB_USER_ID=1000 @@ -19,7 +18,7 @@ LABEL io.buildpacks.base.maintainer="Heroku" # Stack IDs are deprecated, but we still set these for backwards compatibility: # https://github.com/buildpacks/spec/blob/platform/0.13/platform.md#iobuildpacksstack-labels -ENV CNB_STACK_ID "heroku-22" +ENV CNB_STACK_ID="heroku-22" LABEL io.buildpacks.stack.id="heroku-22" USER heroku diff --git a/heroku-22-cnb/Dockerfile b/heroku-22-cnb/Dockerfile index c2b7e207..0eda9154 100644 --- a/heroku-22-cnb/Dockerfile +++ b/heroku-22-cnb/Dockerfile 
@@ -1,10 +1,9 @@ ARG BASE_IMAGE=heroku/heroku:22 FROM $BASE_IMAGE -RUN ln -s /workspace /app - -RUN groupadd heroku --gid 1000 && \ - useradd heroku -u 1000 -g 1000 -s /bin/bash -m +RUN groupadd heroku --gid 1000 \ + && useradd heroku --uid 1000 --gid 1000 --shell /bin/bash --create-home \ + && ln -s /workspace /app # https://github.com/buildpacks/spec/blob/platform/0.13/platform.md#run-image USER heroku @@ -17,4 +16,4 @@ LABEL io.buildpacks.base.maintainer="Heroku" # https://github.com/buildpacks/spec/blob/platform/0.13/platform.md#iobuildpacksstack-labels LABEL io.buildpacks.stack.id="heroku-22" -ENV HOME /app +ENV HOME=/app diff --git a/heroku-24-build/Dockerfile b/heroku-24-build/Dockerfile index 7573f246..3f19763c 100644 --- a/heroku-24-build/Dockerfile +++ b/heroku-24-build/Dockerfile @@ -1,5 +1,7 @@ ARG BASE_IMAGE=heroku/heroku:24 FROM $BASE_IMAGE + +# We have to temporarily switch back to root, since the run image sets a non-root default USER. USER root RUN --mount=target=/build /build/setup.sh @@ -11,4 +13,4 @@ ENV CNB_GROUP_ID=1000 # Stack IDs are deprecated, but we still set this for backwards compatibility: # https://github.com/buildpacks/spec/blob/platform/0.13/platform.md#iobuildpacksstack-labels -ENV CNB_STACK_ID "heroku-24" +ENV CNB_STACK_ID="heroku-24" diff --git a/heroku-24/Dockerfile b/heroku-24/Dockerfile index 7fe699ca..fd896b6f 100644 --- a/heroku-24/Dockerfile +++ b/heroku-24/Dockerfile @@ -1,4 +1,5 @@ FROM ubuntu:24.04 + RUN --mount=target=/build /build/setup.sh # https://github.com/buildpacks/spec/blob/platform/0.13/platform.md#run-image diff --git a/heroku-24/setup.sh b/heroku-24/setup.sh index 180e0ca7..f9100bac 100755 --- a/heroku-24/setup.sh +++ b/heroku-24/setup.sh 
@@ -197,8 +197,8 @@ apt-get purge -y openjdk-8-jre-headless apt-get autoremove -y --purge test "$(file -b /etc/ssl/certs/java/cacerts)" = "Java KeyStore" -useradd heroku -u 1001 -g 1000 -s /bin/bash -m -useradd heroku-build -u 1002 -g 1000 -s /bin/bash -m +useradd heroku --uid 1001 --gid 1000 --shell /bin/bash --create-home +useradd heroku-build --uid 1002 --gid 1000 --shell /bin/bash --create-home groupmod --new-name heroku ubuntu deluser --remove-home ubuntu From d135cbeed2910a67c9d981456a5dee41328566af Mon Sep 17 00:00:00 2001 From: Ed Morley <501702+edmorley@users.noreply.github.com> Date: Wed, 20 Mar 2024 09:36:21 +0000 Subject: [PATCH 13/24] Skip running the "unpublish temp tags" step in CI for PRs (#270) Currently the "unpublish temp tags" GitHub Actions step is always run, even if no tags were generated that run (such as for PRs, where we don't publish anything). Whilst this doesn't cause any harm normally, when contributors open a PR from a fork, the "unpublish temp tags" will fail since it doesn't have access to the secrets required to perform the (redundant) unpublish. As such, the step now uses the same `if` ref-related conditionals that the publish step itself uses (so we only try to unpublish if this was a job type that publishes something). This fixes the failures seen in #269: https://github.com/heroku/base-images/actions/runs/8351455845/job/22859813877?pr=269 GUS-W-15292389. --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 2a80806b..1e467cd3 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -56,6 +56,6 @@ jobs: if: success() && (github.ref_name == 'main' || github.ref_type == 'tag') - name: Unpublish temp tags from this run run: bin/unpublish-tags.sh - if: always() + if: always() && (github.ref_name == 'main' || github.ref_type == 'tag') - name: Convert docker image and for Git tags release to Heroku staging run: bin/convert-and-publish-to-heroku.sh From bda9bd76128fd637b16cb4934ebd038049632610 Mon Sep 17 00:00:00 2001 From: Brittany Jones Date: Wed, 20 Mar 2024 02:57:06 -0700 Subject: [PATCH 14/24] Upgrade Heroku-20 and Heroku-22 to PostgreSQL 16 (#269) updating to major postgres version 16 pg16 Release notes: https://www.postgresql.org/docs/release/16.0/ GUS-W-15288386. --- heroku-20-build/installed-packages.txt | 4 ++-- heroku-20-build/setup.sh | 2 +- heroku-20/installed-packages.txt | 2 +- heroku-20/setup.sh | 2 +- heroku-22-build/installed-packages.txt | 2 +- heroku-22/installed-packages.txt | 2 +- heroku-22/setup.sh | 2 +- 7 files changed, 8 insertions(+), 8 deletions(-) diff --git a/heroku-20-build/installed-packages.txt b/heroku-20-build/installed-packages.txt index a4c004d8..78e3fa1a 100644 --- a/heroku-20-build/installed-packages.txt +++ b/heroku-20-build/installed-packages.txt @@ -561,10 +561,10 @@ pinentry-curses pkg-config poppler-data poppler-utils -postgresql-client-15 +postgresql-client-16 postgresql-client-common postgresql-common -postgresql-server-dev-15 +postgresql-server-dev-16 procps python-is-python3 python2 diff --git a/heroku-20-build/setup.sh b/heroku-20-build/setup.sh index d79b87a6..6d865919 100755 --- a/heroku-20-build/setup.sh +++ b/heroku-20-build/setup.sh @@ -78,7 +78,7 @@ packages=( libzstd-dev mercurial patchelf - postgresql-server-dev-15 + postgresql-server-dev-16 python3-dev ruby-dev zlib1g-dev diff --git a/heroku-20/installed-packages.txt b/heroku-20/installed-packages.txt index 5657c1ce..591b54c8 100644 --- a/heroku-20/installed-packages.txt +++ b/heroku-20/installed-packages.txt 
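Review bot: The ref condition is now duplicated verbatim on the publish step and on this unpublish step, so the two can silently drift the next time one of them is edited. Consider expressing it once at job level, e.g. `env: PUBLISH: ${{ github.ref_name == 'main' || github.ref_type == 'tag' }}`, and using `if: always() && env.PUBLISH == 'true'` here and `if: success() && env.PUBLISH == 'true'` on the publish step. Keeping `always()` is correct for a cleanup step since it should also run after a cancelled or failed publish; a one-line comment above the step, `# Must match the publish step's condition so cleanup only runs when tags were pushed.`, would record that intent. The enclosing job definition is outside the hunk.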
@@ -355,7 +355,7 @@ perl-modules-5.30 pinentry-curses poppler-data poppler-utils -postgresql-client-15 +postgresql-client-16 postgresql-client-common procps python-is-python3 diff --git a/heroku-20/setup.sh b/heroku-20/setup.sh index 367e8e35..e11f90d2 100755 --- a/heroku-20/setup.sh +++ b/heroku-20/setup.sh @@ -132,7 +132,7 @@ packages=( openssh-server patch poppler-utils - postgresql-client-15 + postgresql-client-16 python-is-python3 python3 rename diff --git a/heroku-22-build/installed-packages.txt b/heroku-22-build/installed-packages.txt index 6ba39f0a..f0c310bc 100644 --- a/heroku-22-build/installed-packages.txt +++ b/heroku-22-build/installed-packages.txt @@ -560,7 +560,7 @@ pinentry-curses pkg-config poppler-data poppler-utils -postgresql-client-15 +postgresql-client-16 postgresql-client-common procps python-is-python3 diff --git a/heroku-22/installed-packages.txt b/heroku-22/installed-packages.txt index bf487f4f..8127a061 100644 --- a/heroku-22/installed-packages.txt +++ b/heroku-22/installed-packages.txt @@ -360,7 +360,7 @@ perl-modules-5.34 pinentry-curses poppler-data poppler-utils -postgresql-client-15 +postgresql-client-16 postgresql-client-common procps python-is-python3 diff --git a/heroku-22/setup.sh b/heroku-22/setup.sh index 282140f9..cda1bb7e 100755 --- a/heroku-22/setup.sh +++ b/heroku-22/setup.sh @@ -135,7 +135,7 @@ packages=( openssh-server patch poppler-utils - postgresql-client-15 + postgresql-client-16 python-is-python3 python3 rename From 947dcb738fd9118fc51e27d37d175fa125c0554f Mon Sep 17 00:00:00 2001 
From: Ed Morley <501702+edmorley@users.noreply.github.com> Date: Wed, 20 Mar 2024 11:03:59 +0000 Subject: [PATCH 15/24] Always use the `default` usage type with `mkfs` (#271) When creating an `ext3` filesystem with `mkfs` (which underneath calls `mke2fs` via the `mkfs.ext3` alias) various default filesystem settings (such as the inode ratio and block size) are chosen based on the "usage type" of the filesystem. If not explicitly specified, this "usage type" is determined based on the size of the filesystem. For example, the `default` profile is used for filesystems between 512 MB and 4 TB, and the `small` profile is used for filesystems between 3 MB and 512 MB. See: https://manpages.ubuntu.com/manpages/jammy/en/man8/mkfs.ext3.8.html For #266 I have several local changes for making the Heroku-24 images smaller, however, image generation was failing since the slimmer images now fall under the 512 MB threshold, causing `mke2fs` to use the `small` profile instead. This `small` profile uses a drastically different `inode_ratio`, which is very inefficient for our use-case - resulting in a filesystem overhead of over 11%, which throws off the `.img` size calculation. Whilst we could work around this by adjusting the `.img` size calculations, it makes more sense to force the usage of the `default` profile, so all of our base images use the same filesystem settings, rather than relying on `mke2fs`'s size heuristics. I've also enabled verbose output (which shows the profile being used) and added additional file size logging. GUS-W-15292800. --- tools/bin/make-filesystem-image | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/tools/bin/make-filesystem-image b/tools/bin/make-filesystem-image index e093daa3..19a0c838 100755 --- a/tools/bin/make-filesystem-image +++ b/tools/bin/make-filesystem-image 
@@ -13,6 +13,8 @@ DOCKER_IMAGE_SIZE_IN_MB="$2" # as to ensure a few MB additional free space headroom. IMG_SIZE_IN_MB=$((DOCKER_IMAGE_SIZE_IN_MB * 107 / 100)) +echo "Using file size of ${IMG_SIZE_IN_MB} MB based on Docker image size of ${DOCKER_IMAGE_SIZE_IN_MB} MB" + mkdir -p "$(dirname "$IMG")" # Create an empty file of the specified size. @@ -22,10 +24,12 @@ mkdir -p "$(dirname "$IMG")" fallocate --length "${IMG_SIZE_IN_MB}MiB" "${IMG}" # Format that file as an ext3 filesystem. +# The `-T` argument forces the 'default' config profile to be used, since otherwise if the filesystem size +# is less than 512 MB (as is the case for Heroku-24's run image) the 'small' profile would be used instead. # The `-m` argument reduces reserved-blocks-percentage from its default of 5% to 1%. # TODO: Switch to calling `mkfs.ext3` or `mke2fs -t ext3` since the `mkfs` alias is deprecated: # https://manpages.ubuntu.com/manpages/jammy/en/man8/mkfs.8.html -mkfs -t ext3 -m 1 "$IMG" +mkfs -t ext3 -T default -m 1 -v "$IMG" # Adjust the filesystem parameters for improved performance on runtime instances. # The `-c` and `-i` arguments disable automatic filesystem checks, which are otherwise run based From 908d26680aa7769488039bf8831045c23f41f2ca Mon Sep 17 00:00:00 2001 From: Ed Morley <501702+edmorley@users.noreply.github.com> Date: Wed, 20 Mar 2024 11:35:26 +0000 Subject: [PATCH 16/24] Adjust image descriptions in README (#272) Removes the "Base" term from the image descriptions/types listed in the README, to improve readability. --- README.md | 28 ++++++++++++++-------------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/README.md b/README.md index d8418b96..cdab9223 100644 --- a/README.md +++ b/README.md 
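Review bot: `-T default` on the `mkfs` line selects a profile from the build host's `/etc/mke2fs.conf`, so the inode ratio and block size actually used (and the 512 MB threshold the new comment cites) are whatever that host's e2fsprogs ships, not something this script controls; the `.img` layout can therefore change when the CI runner image is updated. If reproducible filesystem parameters matter, pin them explicitly, e.g. `mkfs -t ext3 -T default -b 4096 -i 16384 -m 1 -v "$IMG"` (values to be confirmed against the current `-v` output), and add to the comment `# The 'default' profile is read from the build host's /etc/mke2fs.conf.` so the dependency is visible. The `echo` added in the first hunk prints the requested size but not the size `fallocate` actually produced; logging `stat -c %s "${IMG}"` after the allocation would make a short allocation visible in the job output.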
@@ -5,20 +5,20 @@ This repository holds recipes for building the base images for [Heroku stacks](https://devcenter.heroku.com/articles/stack). The recipes are also rendered into Docker images that are available on Docker Hub: -| Image | Base | Type | Status | -|-------------------------------------------|---------------------------------------|-------------------------|-------------| -| [heroku/heroku:18][heroku-tags] | [ubuntu:18.04][ubuntu-tags] | Heroku Base Run Image | End-of-life | -| [heroku/heroku:18-build][heroku-tags] | [heroku/heroku:18][heroku-tags] | Heroku Base Build Image | End-of-life | -| [heroku/heroku:18-cnb][heroku-tags] | [heroku/heroku:18][heroku-tags] | CNB Base Run Image | End-of-life | -| [heroku/heroku:18-cnb-build][heroku-tags] | [heroku/heroku:18-build][heroku-tags] | CNB Base Build Image | End-of-life | -| [heroku/heroku:20][heroku-tags] | [ubuntu:20.04][ubuntu-tags] | Heroku Base Run Image | Available | -| [heroku/heroku:20-build][heroku-tags] | [heroku/heroku:20][heroku-tags] | Heroku Base Build Image | Available | -| [heroku/heroku:20-cnb][heroku-tags] | [heroku/heroku:20][heroku-tags] | CNB Base Run Image | Available | -| [heroku/heroku:20-cnb-build][heroku-tags] | [heroku/heroku:20-build][heroku-tags] | CNB Base Build Image | Available | -| [heroku/heroku:22][heroku-tags] | [ubuntu:22.04][ubuntu-tags] | Heroku Base Run Image | Recommended | -| [heroku/heroku:22-build][heroku-tags] | [heroku/heroku:22][heroku-tags] | Heroku Base Build Image | Recommended | -| [heroku/heroku:22-cnb][heroku-tags] | [heroku/heroku:22][heroku-tags] | CNB Base Run Image | Recommended | -| [heroku/heroku:22-cnb-build][heroku-tags] | [heroku/heroku:22-build][heroku-tags] | CNB Base Build Image | Recommended | +| Image | Base | Type | Status | +|-------------------------------------------|---------------------------------------|--------------------|-------------| +| [heroku/heroku:18][heroku-tags] | [ubuntu:18.04][ubuntu-tags] | Heroku Run Image | 
End-of-life | +| [heroku/heroku:18-build][heroku-tags] | [heroku/heroku:18][heroku-tags] | Heroku Build Image | End-of-life | +| [heroku/heroku:18-cnb][heroku-tags] | [heroku/heroku:18][heroku-tags] | CNB Run Image | End-of-life | +| [heroku/heroku:18-cnb-build][heroku-tags] | [heroku/heroku:18-build][heroku-tags] | CNB Build Image | End-of-life | +| [heroku/heroku:20][heroku-tags] | [ubuntu:20.04][ubuntu-tags] | Heroku Run Image | Available | +| [heroku/heroku:20-build][heroku-tags] | [heroku/heroku:20][heroku-tags] | Heroku Build Image | Available | +| [heroku/heroku:20-cnb][heroku-tags] | [heroku/heroku:20][heroku-tags] | CNB Run Image | Available | +| [heroku/heroku:20-cnb-build][heroku-tags] | [heroku/heroku:20-build][heroku-tags] | CNB Build Image | Available | +| [heroku/heroku:22][heroku-tags] | [ubuntu:22.04][ubuntu-tags] | Heroku Run Image | Recommended | +| [heroku/heroku:22-build][heroku-tags] | [heroku/heroku:22][heroku-tags] | Heroku Build Image | Recommended | +| [heroku/heroku:22-cnb][heroku-tags] | [heroku/heroku:22][heroku-tags] | CNB Run Image | Recommended | +| [heroku/heroku:22-cnb-build][heroku-tags] | [heroku/heroku:22-build][heroku-tags] | CNB Build Image | Recommended | ### Learn more From 270aad4b263919f21617d8ce54558a5f50392bb8 Mon Sep 17 00:00:00 2001 
From: Ed Morley <501702+edmorley@users.noreply.github.com> Date: Thu, 21 Mar 2024 15:03:38 +0000 Subject: [PATCH 17/24] Heroku-24: Remove gcc, make and libc6-dev from run image (#273) GCC was added to our run images back in #127 in order to support Ruby 2.6's then new MJIT feature: https://www.ruby-lang.org/en/news/2018/12/25/ruby-2-6-0-released/ However, since then: - The Ruby MJIT feature hasn't really resulted in significant performance benefits for real world use-cases like a Rails app. - Ruby's MJIT has since been superseded by YJIT, which is faster and doesn't need GCC at runtime: https://shopify.engineering/yjit-just-in-time-compiler-cruby https://shopify.engineering/ruby-yjit-is-production-ready - The image size impact of including build tools in our run images has increased considerably (#127 quoted it as 84 MB, but measuring now it's 203 MB). - In a CNB world, image size is much more of a concern than in the S3 `.img` + slug model, so we need to be more selective over what packages we include. As such, this removes `gcc`, `make` and `libc6-dev` from the run image for a 203 MB saving (they are still present in the build image, hence zero changes to `installed-packages-*.txt` for that image). Richard (Ruby owner) has confirmed he's fine with this change. Note: I'm intentionally not adding `binutils` back (which was a transitive dependency), since its 15 MB cost is not worth it for the ~once a year platform operator debugging use-case. Before: ``` -----> Size breakdown... heroku/heroku:24 661MB heroku/heroku:24-build 1.13GB ``` After: ``` -----> Size breakdown... heroku/heroku:24 458MB heroku/heroku:24-build 1.13GB ``` Towards #266. GUS-W-15159536. --- heroku-24-build/setup.sh | 1 + heroku-24/installed-packages-amd64.txt | 38 -------------------------- heroku-24/installed-packages-arm64.txt | 37 ------------------------- heroku-24/setup.sh | 3 -- 4 files changed, 1 insertion(+), 78 deletions(-) 
diff --git a/heroku-24-build/setup.sh b/heroku-24-build/setup.sh index f51b4477..3fc34f01 100755 --- a/heroku-24-build/setup.sh +++ b/heroku-24-build/setup.sh @@ -8,6 +8,7 @@ packages=( autoconf automake bison + # Includes gcc, g++, make, patch, libc6-dev etc. build-essential cmake gettext diff --git a/heroku-24/installed-packages-amd64.txt b/heroku-24/installed-packages-amd64.txt index 2a689550..878f2fa4 100644 --- a/heroku-24/installed-packages-amd64.txt +++ b/heroku-24/installed-packages-amd64.txt @@ -9,18 +9,11 @@ bash bind9-dnsutils bind9-host bind9-libs -binutils -binutils-common -binutils-x86-64-linux-gnu bsdutils bzip2 ca-certificates ca-certificates-java coreutils -cpp -cpp-13 -cpp-13-x86-64-linux-gnu -cpp-x86-64-linux-gnu curl dash debconf @@ -37,12 +30,8 @@ fontconfig fontconfig-config fonts-dejavu-core fonts-dejavu-mono -gcc -gcc-13 gcc-13-base -gcc-13-x86-64-linux-gnu gcc-14-base -gcc-x86-64-linux-gnu geoip-database gettext-base gir1.2-freedesktop @@ -77,14 +66,11 @@ libapparmor1 libapt-pkg6.0 libarchive13 libargon2-1 -libasan8 libass9 libassuan0 -libatomic1 libattr1 libaudit-common libaudit1 -libbinutils libblkid1 libbpf1 libbrotli1 @@ -92,24 +78,18 @@ libbsd0 libbz2-1.0 libc-bin libc-client2007e -libc-dev-bin libc6 -libc6-dev libcairo-gobject2 libcairo2 libcap-ng0 libcap2 libcap2-bin libcbor0.10 -libcc1-0 libcfitsio10 libcgif0 libcom-err2 -libcrypt-dev libcrypt1 libcryptsetup12 -libctf-nobfd0 -libctf0 libcurl3-gnutls libcurl4 libdatrie1 @@ -140,7 +120,6 @@ libfido2-1 libfontconfig1 libfreetype6 libfribidi0 -libgcc-13-dev libgcc-s1 libgcrypt20 libgd3 @@ -156,7 +135,6 @@ libgnutls-openssl27 libgnutls30 libgomp1 libgpg-error0 -libgprofng0 libgraphite2-3 libgssapi-krb5-2 libharfbuzz-gobject0 @@ -168,15 +146,11 @@ libheif-plugin-dav1d libheif-plugin-libde265 libheif1 libhogweed6 -libhwasan0 libhwy1 libicu74 libidn2-0 libimagequant0 libimath-3-1-29 -libisl23 -libitm1 -libjansson4 libjbig0 libjpeg-turbo8 libjpeg8 
@@ -193,7 +167,6 @@ libldap2 liblerc4 liblmdb0 liblqr-1-0 -liblsan0 libltdl7 liblz4-1 liblzf1 @@ -211,14 +184,11 @@ libmemcached11 libmnl0 libmount1 libmp3lame0 -libmpc3 -libmpfr6 libmysqlclient21 libncursesw6 libnettle8 libnghttp2-14 libnpth0 -libnsl-dev libnsl2 libnspr4 libnss3 @@ -252,7 +222,6 @@ libpsl5 libpython3-stdlib libpython3.12-minimal libpython3.12-stdlib -libquadmath0 librabbitmq4 libraw23 libreadline8 @@ -267,7 +236,6 @@ libselinux1 libsemanage-common libsemanage2 libsepol2 -libsframe1 libsharpyuv0 libsmartcols1 libsodium23 @@ -289,10 +257,7 @@ libtheora0 libtiff6 libtinfo6 libtirpc-common -libtirpc-dev libtirpc3 -libtsan2 -libubsan1 libudev1 libunibreak5 libunistring5 @@ -327,12 +292,10 @@ libxxhash0 libyaml-0-2 libzip4 libzstd1 -linux-libc-dev locales login logsave lsb-release -make mawk media-types mlock @@ -363,7 +326,6 @@ python3.12 python3.12-minimal readline-common rename -rpcsvc-proto rsync sed sensible-utils diff --git a/heroku-24/installed-packages-arm64.txt b/heroku-24/installed-packages-arm64.txt index cfb3f745..878f2fa4 100644 --- a/heroku-24/installed-packages-arm64.txt +++ b/heroku-24/installed-packages-arm64.txt @@ -9,18 +9,11 @@ bash bind9-dnsutils bind9-host bind9-libs -binutils -binutils-aarch64-linux-gnu -binutils-common bsdutils bzip2 ca-certificates ca-certificates-java coreutils -cpp -cpp-13 -cpp-13-aarch64-linux-gnu -cpp-aarch64-linux-gnu curl dash debconf @@ -37,12 +30,8 @@ fontconfig fontconfig-config fonts-dejavu-core fonts-dejavu-mono -gcc -gcc-13 -gcc-13-aarch64-linux-gnu gcc-13-base gcc-14-base -gcc-aarch64-linux-gnu geoip-database gettext-base gir1.2-freedesktop @@ -77,14 +66,11 @@ libapparmor1 libapt-pkg6.0 libarchive13 libargon2-1 -libasan8 libass9 libassuan0 -libatomic1 libattr1 libaudit-common libaudit1 -libbinutils libblkid1 libbpf1 libbrotli1 
@@ -92,24 +78,18 @@ libbsd0 libbz2-1.0 libc-bin libc-client2007e -libc-dev-bin libc6 -libc6-dev libcairo-gobject2 libcairo2 libcap-ng0 libcap2 libcap2-bin libcbor0.10 -libcc1-0 libcfitsio10 libcgif0 libcom-err2 -libcrypt-dev libcrypt1 libcryptsetup12 -libctf-nobfd0 -libctf0 libcurl3-gnutls libcurl4 libdatrie1 @@ -140,7 +120,6 @@ libfido2-1 libfontconfig1 libfreetype6 libfribidi0 -libgcc-13-dev libgcc-s1 libgcrypt20 libgd3 @@ -156,7 +135,6 @@ libgnutls-openssl27 libgnutls30 libgomp1 libgpg-error0 -libgprofng0 libgraphite2-3 libgssapi-krb5-2 libharfbuzz-gobject0 @@ -168,15 +146,11 @@ libheif-plugin-dav1d libheif-plugin-libde265 libheif1 libhogweed6 -libhwasan0 libhwy1 libicu74 libidn2-0 libimagequant0 libimath-3-1-29 -libisl23 -libitm1 -libjansson4 libjbig0 libjpeg-turbo8 libjpeg8 @@ -193,7 +167,6 @@ libldap2 liblerc4 liblmdb0 liblqr-1-0 -liblsan0 libltdl7 liblz4-1 liblzf1 @@ -211,14 +184,11 @@ libmemcached11 libmnl0 libmount1 libmp3lame0 -libmpc3 -libmpfr6 libmysqlclient21 libncursesw6 libnettle8 libnghttp2-14 libnpth0 -libnsl-dev libnsl2 libnspr4 libnss3 @@ -266,7 +236,6 @@ libselinux1 libsemanage-common libsemanage2 libsepol2 -libsframe1 libsharpyuv0 libsmartcols1 libsodium23 @@ -288,10 +257,7 @@ libtheora0 libtiff6 libtinfo6 libtirpc-common -libtirpc-dev libtirpc3 -libtsan2 -libubsan1 libudev1 libunibreak5 libunistring5 @@ -326,12 +292,10 @@ libxxhash0 libyaml-0-2 libzip4 libzstd1 -linux-libc-dev locales login logsave lsb-release -make mawk media-types mlock @@ -362,7 +326,6 @@ python3.12 python3.12-minimal readline-common rename -rpcsvc-proto rsync sed sensible-utils diff --git a/heroku-24/setup.sh b/heroku-24/setup.sh index f9100bac..ba47b845 100755 --- a/heroku-24/setup.sh +++ b/heroku-24/setup.sh @@ -68,7 +68,6 @@ packages=( ed file fontconfig - gcc geoip-database gettext-base gir1.2-harfbuzz-0.0 @@ -82,7 +81,6 @@ packages=( libargon2-1 libass9 libc-client2007e - libc6-dev libcairo2 libcurl4 libdatrie1 
@@ -155,7 +153,6 @@ packages=( libzstd1 locales lsb-release - make netcat-openbsd openssh-client openssh-server From f177eea379982816e1b5aeff9b04df769de326ba Mon Sep 17 00:00:00 2001 From: Ed Morley <501702+edmorley@users.noreply.github.com> Date: Thu, 21 Mar 2024 16:25:40 +0000 Subject: [PATCH 18/24] Heroku-24: Remove git from the run image (#274) Since: - Most Git use-cases are for cloning dependencies during the build. - On Heroku at runtime there is no `.git/` metadata to query the local project's repo anyway (since the directory isn't preserved during the build). - It saves 17 MB, and in a CNB world image size is a much bigger concern, so we need to be more selective about what packages we include. - Once Heroku-24 GAs we can't remove packages (since it will break backwards compatibility given stack rebasing), however, we can add packages - so we should err on the side of removing packages now. Before: ``` -----> Size breakdown... heroku/heroku:24 458MB heroku/heroku:24-build 1.13GB ``` After: ``` -----> Size breakdown... heroku/heroku:24 441MB heroku/heroku:24-build 1.13GB ``` Towards #266. GUS-W-15159536. --- heroku-24/installed-packages-amd64.txt | 3 --- heroku-24/installed-packages-arm64.txt | 3 --- heroku-24/setup.sh | 1 - 3 files changed, 7 deletions(-) diff --git a/heroku-24/installed-packages-amd64.txt b/heroku-24/installed-packages-amd64.txt index 878f2fa4..a2b88c8a 100644 --- a/heroku-24/installed-packages-amd64.txt +++ b/heroku-24/installed-packages-amd64.txt @@ -37,8 +37,6 @@ gettext-base gir1.2-freedesktop gir1.2-glib-2.0 gir1.2-harfbuzz-0.0 -git -git-man gnupg gnupg-utils gpg @@ -103,7 +101,6 @@ libdjvulibre-text libdjvulibre21 libedit2 libelf1 -liberror-perl libev4 libevent-2.1-7 libevent-core-2.1-7 diff --git a/heroku-24/installed-packages-arm64.txt b/heroku-24/installed-packages-arm64.txt index 878f2fa4..a2b88c8a 100644 --- a/heroku-24/installed-packages-arm64.txt +++ b/heroku-24/installed-packages-arm64.txt 
@@ -37,8 +37,6 @@ gettext-base gir1.2-freedesktop gir1.2-glib-2.0 gir1.2-harfbuzz-0.0 -git -git-man gnupg gnupg-utils gpg @@ -103,7 +101,6 @@ libdjvulibre-text libdjvulibre21 libedit2 libelf1 -liberror-perl libev4 libevent-2.1-7 libevent-core-2.1-7 diff --git a/heroku-24/setup.sh b/heroku-24/setup.sh index ba47b845..9b80e366 100755 --- a/heroku-24/setup.sh +++ b/heroku-24/setup.sh @@ -71,7 +71,6 @@ packages=( geoip-database gettext-base gir1.2-harfbuzz-0.0 - git gnupg imagemagick iproute2 From b1e183896fef016828e2b76cc30da0160e9080fd Mon Sep 17 00:00:00 2001 
From: Ed Morley <501702+edmorley@users.noreply.github.com> Date: Thu, 21 Mar 2024 16:52:12 +0000 Subject: [PATCH 19/24] Heroku-24: Remove stunnel (#275) Since: - `heroku-buildpack-pgbouncer` hasn't used stunnel since 2018: https://github.com/heroku/heroku-buildpack-pgbouncer/pull/104 - Redis 6 and newer support native TLS, making `heroku-buildpack-redis` redundant: https://github.com/heroku/heroku-buildpack-redis/pull/40 (The buildpack can be sunset now that old Redis instances have been shut down) - If any other less common use-case needs stunnel, they can install it using APT. - It reduces the run and build image sizes by 17 MB, and in a CNB world image size is a much bigger concern, so we need to be more selective about what packages we include. - Once Heroku-24 GAs we can't remove packages (since it will break backwards compatibility given stack rebasing), however, we can add packages - so we should err on the side of trying out removing packages now. Before: ``` -----> Size breakdown... heroku/heroku:24 441MB heroku/heroku:24-build 1.13GB ``` After: ``` -----> Size breakdown... heroku/heroku:24 424MB heroku/heroku:24-build 1.11GB ``` Towards #266. GUS-W-15159536. --- heroku-24-build/installed-packages-amd64.txt | 8 -------- heroku-24-build/installed-packages-arm64.txt | 8 -------- heroku-24/installed-packages-amd64.txt | 9 --------- heroku-24/installed-packages-arm64.txt | 9 --------- heroku-24/setup.sh | 1 - 5 files changed, 35 deletions(-) diff --git a/heroku-24-build/installed-packages-amd64.txt b/heroku-24-build/installed-packages-amd64.txt index 4d997ea1..fb905086 100644 --- a/heroku-24-build/installed-packages-amd64.txt +++ b/heroku-24-build/installed-packages-amd64.txt @@ -95,7 +95,6 @@ libacl1-dev libaec0 libaom-dev libaom3 -libapparmor1 libapt-pkg-dev libapt-pkg6.0 libarchive13 @@ -144,7 +143,6 @@ libcgif0 libcom-err2 libcrypt-dev libcrypt1 -libcryptsetup12 libctf-nobfd0 libctf0 libcurl3-gnutls 
@@ -161,7 +159,6 @@ libde265-dev libdebconfclient0 libdeflate-dev libdeflate0 -libdevmapper1.02.1 libdjvulibre-dev libdjvulibre-text libdjvulibre21 @@ -182,7 +179,6 @@ libexif12 libexpat1 libexpat1-dev libext2fs2 -libfdisk1 libffi-dev libffi8 libfftw3-double3 @@ -434,7 +430,6 @@ libstdc++-13-dev libstdc++6 libsvtav1enc1d1 libsystemd-dev -libsystemd-shared libsystemd0 libsz2 libtasn1-6 @@ -566,9 +561,6 @@ sed sensible-utils shared-mime-info socat -stunnel4 -systemd -systemd-dev sysvinit-utils tar telnet diff --git a/heroku-24-build/installed-packages-arm64.txt b/heroku-24-build/installed-packages-arm64.txt index 9d596f1f..6518b137 100644 --- a/heroku-24-build/installed-packages-arm64.txt +++ b/heroku-24-build/installed-packages-arm64.txt @@ -95,7 +95,6 @@ libacl1-dev libaec0 libaom-dev libaom3 -libapparmor1 libapt-pkg-dev libapt-pkg6.0 libarchive13 @@ -144,7 +143,6 @@ libcgif0 libcom-err2 libcrypt-dev libcrypt1 -libcryptsetup12 libctf-nobfd0 libctf0 libcurl3-gnutls @@ -161,7 +159,6 @@ libde265-dev libdebconfclient0 libdeflate-dev libdeflate0 -libdevmapper1.02.1 libdjvulibre-dev libdjvulibre-text libdjvulibre21 @@ -182,7 +179,6 @@ libexif12 libexpat1 libexpat1-dev libext2fs2 -libfdisk1 libffi-dev libffi8 libfftw3-double3 @@ -433,7 +429,6 @@ libstdc++-13-dev libstdc++6 libsvtav1enc1d1 libsystemd-dev -libsystemd-shared libsystemd0 libsz2 libtasn1-6 @@ -565,9 +560,6 @@ sed sensible-utils shared-mime-info socat -stunnel4 -systemd -systemd-dev sysvinit-utils tar telnet diff --git a/heroku-24/installed-packages-amd64.txt b/heroku-24/installed-packages-amd64.txt index a2b88c8a..608a1a55 100644 --- a/heroku-24/installed-packages-amd64.txt +++ b/heroku-24/installed-packages-amd64.txt @@ -60,7 +60,6 @@ less libacl1 libaec0 libaom3 -libapparmor1 libapt-pkg6.0 libarchive13 libargon2-1 @@ -87,7 +86,6 @@ libcfitsio10 libcgif0 libcom-err2 libcrypt1 -libcryptsetup12 libcurl3-gnutls libcurl4 libdatrie1 
@@ -96,7 +94,6 @@ libdb5.3 libde265-0 libdebconfclient0 libdeflate0 -libdevmapper1.02.1 libdjvulibre-text libdjvulibre21 libedit2 @@ -110,7 +107,6 @@ libevent-pthreads-2.1-7 libexif12 libexpat1 libext2fs2 -libfdisk1 libffi8 libfftw3-double3 libfido2-1 @@ -155,7 +151,6 @@ libjson-c5 libjxl0.7 libk5crypto3 libkeyutils1 -libkmod2 libkrb5-3 libkrb5support0 libksba8 @@ -244,7 +239,6 @@ libssh-4 libssl3 libstdc++6 libsvtav1enc1d1 -libsystemd-shared libsystemd0 libsz2 libtasn1-6 @@ -328,9 +322,6 @@ sed sensible-utils shared-mime-info socat -stunnel4 -systemd -systemd-dev sysvinit-utils tar telnet diff --git a/heroku-24/installed-packages-arm64.txt b/heroku-24/installed-packages-arm64.txt index a2b88c8a..608a1a55 100644 --- a/heroku-24/installed-packages-arm64.txt +++ b/heroku-24/installed-packages-arm64.txt @@ -60,7 +60,6 @@ less libacl1 libaec0 libaom3 -libapparmor1 libapt-pkg6.0 libarchive13 libargon2-1 @@ -87,7 +86,6 @@ libcfitsio10 libcgif0 libcom-err2 libcrypt1 -libcryptsetup12 libcurl3-gnutls libcurl4 libdatrie1 @@ -96,7 +94,6 @@ libdb5.3 libde265-0 libdebconfclient0 libdeflate0 -libdevmapper1.02.1 libdjvulibre-text libdjvulibre21 libedit2 @@ -110,7 +107,6 @@ libevent-pthreads-2.1-7 libexif12 libexpat1 libext2fs2 -libfdisk1 libffi8 libfftw3-double3 libfido2-1 @@ -155,7 +151,6 @@ libjson-c5 libjxl0.7 libk5crypto3 libkeyutils1 -libkmod2 libkrb5-3 libkrb5support0 libksba8 @@ -244,7 +239,6 @@ libssh-4 libssl3 libstdc++6 libsvtav1enc1d1 -libsystemd-shared libsystemd0 libsz2 libtasn1-6 @@ -328,9 +322,6 @@ sed sensible-utils shared-mime-info socat -stunnel4 -systemd -systemd-dev sysvinit-utils tar telnet diff --git a/heroku-24/setup.sh b/heroku-24/setup.sh index 9b80e366..ea248432 100755 --- a/heroku-24/setup.sh +++ b/heroku-24/setup.sh @@ -164,7 +164,6 @@ packages=( rsync shared-mime-info socat - stunnel tar telnet tzdata From f6a1b295608518a6f2d42bd71a3ad7062102dd58 Mon Sep 17 00:00:00 2001 
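Review bot: Dropping `stunnel` from the packages array also removes `systemd`, `systemd-dev`, `libsystemd-shared`, `libcryptsetup12`, `libdevmapper1.02.1`, `libkmod2`, `libfdisk1` and `libapparmor1` from both images (visible in the regenerated package lists), which the commit description doesn't mention. That is presumably stunnel4's dependency chain being autoremoved and is a welcome cut in attack surface, but it deserves an explicit sentence in the description plus a quick check that nothing at runtime relied on a systemd binary such as `systemd-tmpfiles`. A one-line marker in the array next to `socat`, e.g. `# stunnel was dropped in Heroku-24 (no in-house consumers); install via APT if needed.`, would stop it being re-added by habit. The `packages=(` array starts outside this hunk.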
From: Ed Morley <501702+edmorley@users.noreply.github.com> Date: Thu, 21 Mar 2024 16:57:27 +0000 Subject: [PATCH 20/24] Heroku-24: Remove Python from the run image (#276) Since: - Python apps will be (or should be) using the Python provided by the Python buildpack instead. - Non-Python buildpacks/apps typically don't need Python at runtime. - Having Python in the run image has caused confusion in support tickets where the Python buildpack wasn't present (such as it being accidentally replaced when adding second buildpack), since at runtime apps then fail with a less obvious `ModuleNotFound` error instead of `python: command not found`. - None of our other officially supported languages (that have their own buildpacks) are also installed as system packages in the base image. - Removing Python reduces the run image size by 34 MB, and in a CNB world image size is a much bigger concern, so we need to be more selective about what packages we include. - Once Heroku-24 GAs we can't remove packages (since it will break backwards compatibility given stack rebasing), however, we can add packages - so we should err on the side of trying out removing packages now. Python is still in the build image since various non-Python use-cases need it (for example Node.js packages that use node-gyp require Python at install time), plus several other system packages in the build image depend on it anyway. I've intentionally removed the `python-is-python3` package entirely (rather than still including it in the build image), since the vast majority of tooling will (or should be) checking for the presence of `python3` directly (given that's the default name on Ubuntu unless the backward compat package is installed). And for most end-user/app use-cases we would prefer they use the Python buildpack (rather than system Python), so a `python: command not found` will nudge them in that direction. We can always add `python-is-python3` back later if this turns out to be a bigger issue than expected. 
Note: The classic PHP buildpack does use Python in its `heroku-php-apache2` and `heroku-php-nginx` scripts, however, it's only used when `realpath` doesn't exist (eg macOS), so is unused on Heroku. The buildpack will need to adjust for the `python-is-python3` removal, but arguably should have done that previously (given during the Python 2 -> 3 transition the major version of `python` changed). (If it needs to support environments where only the command `python` exists, and not `python3`, then it can use something like: `PYTHON=$(which python3 || which python)`) Before (once the other PRs are merged): ``` -----> Size breakdown... heroku/heroku:24 424MB heroku/heroku:24-build 1.11GB ``` After: ``` -----> Size breakdown... heroku/heroku:24 390MB (34 MB reduction) heroku/heroku:24-build 1.11GB (unchanged) ``` Towards #266. GUS-W-15159536. --- heroku-24-build/installed-packages-amd64.txt | 1 - heroku-24-build/installed-packages-arm64.txt | 1 - heroku-24-build/setup.sh | 3 +++ heroku-24/installed-packages-amd64.txt | 9 --------- heroku-24/installed-packages-arm64.txt | 9 --------- heroku-24/setup.sh | 2 -- 6 files changed, 3 insertions(+), 22 deletions(-) diff --git a/heroku-24-build/installed-packages-amd64.txt b/heroku-24-build/installed-packages-amd64.txt index fb905086..65237693 100644 --- a/heroku-24-build/installed-packages-amd64.txt +++ b/heroku-24-build/installed-packages-amd64.txt @@ -542,7 +542,6 @@ poppler-utils postgresql-client-16 postgresql-client-common procps -python-is-python3 python3 python3-imath python3-minimal diff --git a/heroku-24-build/installed-packages-arm64.txt b/heroku-24-build/installed-packages-arm64.txt index 6518b137..63227103 100644 --- a/heroku-24-build/installed-packages-arm64.txt +++ b/heroku-24-build/installed-packages-arm64.txt @@ -541,7 +541,6 @@ poppler-utils postgresql-client-16 postgresql-client-common procps -python-is-python3 python3 python3-imath python3-minimal 
diff --git a/heroku-24-build/setup.sh b/heroku-24-build/setup.sh index 3fc34f01..4f6fb8f7 100755 --- a/heroku-24-build/setup.sh +++ b/heroku-24-build/setup.sh @@ -77,6 +77,9 @@ packages=( libzip-dev libzstd-dev patchelf + # Python is often needed during the build for non-Python apps, which aren't using the + # Python buildpack. e.g. Node.js packages that use node-gyp require Python during install. + python3 zlib1g-dev ) diff --git a/heroku-24/installed-packages-amd64.txt b/heroku-24/installed-packages-amd64.txt index 608a1a55..211c1bb7 100644 --- a/heroku-24/installed-packages-amd64.txt +++ b/heroku-24/installed-packages-amd64.txt @@ -211,9 +211,6 @@ libpopt0 libpq5 libproc2-0 libpsl5 -libpython3-stdlib -libpython3.12-minimal -libpython3.12-stdlib librabbitmq4 libraw23 libreadline8 @@ -288,7 +285,6 @@ login logsave lsb-release mawk -media-types mlock mount mysql-common @@ -310,11 +306,6 @@ poppler-utils postgresql-client-16 postgresql-client-common procps -python-is-python3 -python3 -python3-minimal -python3.12 -python3.12-minimal readline-common rename rsync diff --git a/heroku-24/installed-packages-arm64.txt b/heroku-24/installed-packages-arm64.txt index 608a1a55..211c1bb7 100644 --- a/heroku-24/installed-packages-arm64.txt +++ b/heroku-24/installed-packages-arm64.txt @@ -211,9 +211,6 @@ libpopt0 libpq5 libproc2-0 libpsl5 -libpython3-stdlib -libpython3.12-minimal -libpython3.12-stdlib librabbitmq4 libraw23 libreadline8 @@ -288,7 +285,6 @@ login logsave lsb-release mawk -media-types mlock mount mysql-common @@ -310,11 +306,6 @@ poppler-utils postgresql-client-16 postgresql-client-common procps -python-is-python3 -python3 -python3-minimal -python3.12 -python3.12-minimal readline-common rename rsync diff --git a/heroku-24/setup.sh b/heroku-24/setup.sh index ea248432..585286e6 100755 --- a/heroku-24/setup.sh +++ b/heroku-24/setup.sh @@ -158,8 +158,6 @@ packages=( patch poppler-utils postgresql-client-16 - python-is-python3 - python3 rename rsync shared-mime-info 
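Review bot: Removing `python3` from the run image also drops `media-types` (see the regenerated `installed-packages-*.txt`), which on Ubuntu presumably ships `/etc/mime.types`; anything at runtime that resolves MIME types from that file (web servers serving static assets, mail libraries) would change behaviour silently rather than with a missing-command error. If that file is meant to stay available, add `media-types` explicitly to the packages array in this hunk so it is a declared dependency rather than a leftover of Python's dependency chain, with a comment such as `# Provides /etc/mime.types; previously pulled in by python3.`. The `packages=(` array starts outside this hunk.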
From 4c78f3736334763b08d44a6ea4dec26157a27f3f Mon Sep 17 00:00:00 2001 From: Ed Morley <501702+edmorley@users.noreply.github.com> Date: Thu, 21 Mar 2024 17:21:17 +0000 Subject: [PATCH 21/24] Fix publish-manifest script (#278) At the very end of the image publishing process, Cheverny is notified that the images have been uploaded and the staging manifest should be updated, via the `publish-manifests` script. For the v123 release, this script silently didn't publish the manifests: https://github.com/heroku/base-images/actions/runs/8366257519/job/22906072260#step:7:123 Compare to the previous release: https://github.com/heroku/base-images/actions/runs/8229492350/job/22500811676#step:7:101 It turns out this is due to: - The script relying on the glob `/tmp/*64-*.manifest` to determine which stacks were built. - That glob no longer matching after #264 (where the `64` bit reference was removed). To make things worse, the script not only doesn't fail if no manifests are found, but it also piped any errors to `/dev/null` in: `ls /tmp/*64-*.manifest >& /dev/null` As such, I've: - updated the glob to match the new manifest filename format - removed the conditional (since there is no scenario in which the manifests being missing is expected) - for completeness, added `--exit-status` to the `jq` usage, to make it exit non-zero in more cases (jq would have exited non-zero for this no-files-matched case anyway, so this is just for completeness) See: https://jqlang.github.io/jq/manual/#invoking-jq GUS-W-15304768. --- tools/bin/publish-manifests | 30 ++++++++++++++---------------- 1 file changed, 14 insertions(+), 16 deletions(-) diff --git a/tools/bin/publish-manifests b/tools/bin/publish-manifests index f16c219a..2cb14eda 100755 --- a/tools/bin/publish-manifests +++ b/tools/bin/publish-manifests 
@@ -2,19 +2,17 @@ set -euo pipefail -if ls /tmp/*64-*.manifest >& /dev/null; then - jq --null-input \ - '[inputs] - | map({ - name: .name, - image_id: .id - }) | {stacks: .}' \ - /tmp/*64-*.manifest | - curl \ - --fail --user-agent 'Base Image Tools' \ - --header "Authorization: Bearer $MANIFEST_APP_TOKEN" \ - --header "Content-Type: application/json" \ - --request PATCH \ - --data @- \ - "$MANIFEST_APP_URL/manifest/staging" -fi +jq --null-input --exit-status \ + '[inputs] + | map({ + name: .name, + image_id: .id + }) | {stacks: .}' \ + /tmp/*.manifest \ + | curl \ + --fail --user-agent 'Base Image Tools' \ + --header "Authorization: Bearer $MANIFEST_APP_TOKEN" \ + --header "Content-Type: application/json" \ + --request PATCH \ + --data @- \ + "$MANIFEST_APP_URL/manifest/staging" From 2898429ebe8fe76691a6f3abf322099fe90a2631 Mon Sep 17 00:00:00 2001 
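Review bot: The widened glob `/tmp/*.manifest` will now feed any `*.manifest` file sitting in the runner's shared `/tmp` into the staging-manifest PATCH, not only the ones this job produced; if the build step can write them to a dedicated directory (e.g. one created with `mktemp -d` and handed over via an environment variable), point the glob there, or at least keep a distinctive prefix. Separately, `--header "Authorization: Bearer $MANIFEST_APP_TOKEN"` puts the token on curl's argv where it is visible in process listings and in any future `set -x` trace; curl (7.55+) can read the header from a file descriptor instead, e.g. `--header @<(printf 'Authorization: Bearer %s\n' "$MANIFEST_APP_TOKEN")`. The no-match case is still handled without the removed `if`, since bash passes the literal pattern and jq fails to open it, which `set -e` and `pipefail` propagate.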
From: Ed Morley <501702+edmorley@users.noreply.github.com> Date: Fri, 22 Mar 2024 16:09:45 +0000 Subject: [PATCH 22/24] Heroku-24: Migrate away from transitional packages (#279) Several of the packages being installed were actually transitional packages, that is, the package itself is either a complete no-op (since the functionality of the package is no needed), or else the package only exists to depend on another package of a new name (to support people who are still installing the package by its old name). For the former, we can drop the dependency entirely, and for the latter we should use the new package name directly. Specifically: - `apt-transport-https`: APT supports HTTPS natively (and has since Ubuntu 18.04), so this package doesn't do anything: https://packages.ubuntu.com/focal/apt-transport-https https://packages.ubuntu.com/focal/all/apt-transport-https/filelist - `dnsutils` -> `bind9-dnsutils`: https://packages.ubuntu.com/noble/dnsutils https://packages.ubuntu.com/noble/all/dnsutils/filelist - `bind9-host`: Is part of `bind9-dnsutils`, so we don't need to depoend on it directly: https://packages.ubuntu.com/noble/bind9-dnsutils - `telnet` -> `inetutils-telnet`: https://packages.ubuntu.com/noble/telnet https://packages.ubuntu.com/noble/all/telnet/filelist Note: The `libgeoip1` -> `libgeoip1t64` rename is to make CI pass since the package has been renamed upstream as part of the 64-bit time_t transition: https://lists.debian.org/debian-devel-announce/2024/02/msg00005.html --- heroku-24-build/installed-packages-amd64.txt | 5 +---- heroku-24-build/installed-packages-arm64.txt | 5 +---- heroku-24/installed-packages-amd64.txt | 3 --- heroku-24/installed-packages-arm64.txt | 3 --- heroku-24/setup.sh | 7 +++---- 5 files changed, 5 insertions(+), 18 deletions(-) diff --git a/heroku-24-build/installed-packages-amd64.txt b/heroku-24-build/installed-packages-amd64.txt index 65237693..e014d42e 100644 --- a/heroku-24-build/installed-packages-amd64.txt 
+++ b/heroku-24-build/installed-packages-amd64.txt @@ -1,7 +1,6 @@ # List of packages present in the final image. Regenerate using bin/build.sh adduser apt -apt-transport-https apt-utils autoconf automake @@ -35,7 +34,6 @@ debconf debianutils diffutils dirmngr -dnsutils dpkg dpkg-dev e2fsprogs @@ -204,7 +202,7 @@ libgdk-pixbuf2.0-0 libgdk-pixbuf2.0-bin libgdk-pixbuf2.0-common libgeoip-dev -libgeoip1 +libgeoip1t64 libgfortran5 libgirepository-2.0-0 libglib2.0-0 @@ -562,7 +560,6 @@ shared-mime-info socat sysvinit-utils tar -telnet tzdata ubuntu-keyring ucf diff --git a/heroku-24-build/installed-packages-arm64.txt b/heroku-24-build/installed-packages-arm64.txt index 63227103..9d6b8636 100644 --- a/heroku-24-build/installed-packages-arm64.txt +++ b/heroku-24-build/installed-packages-arm64.txt @@ -1,7 +1,6 @@ # List of packages present in the final image. Regenerate using bin/build.sh adduser apt -apt-transport-https apt-utils autoconf automake @@ -35,7 +34,6 @@ debconf debianutils diffutils dirmngr -dnsutils dpkg dpkg-dev e2fsprogs @@ -204,7 +202,7 @@ libgdk-pixbuf2.0-0 libgdk-pixbuf2.0-bin libgdk-pixbuf2.0-common libgeoip-dev -libgeoip1 +libgeoip1t64 libgfortran5 libgirepository-2.0-0 libglib2.0-0 @@ -561,7 +559,6 @@ shared-mime-info socat sysvinit-utils tar -telnet tzdata ubuntu-keyring ucf diff --git a/heroku-24/installed-packages-amd64.txt b/heroku-24/installed-packages-amd64.txt index 211c1bb7..5a23497f 100644 --- a/heroku-24/installed-packages-amd64.txt +++ b/heroku-24/installed-packages-amd64.txt @@ -1,7 +1,6 @@ # List of packages present in the final image. Regenerate using bin/build.sh adduser apt -apt-transport-https apt-utils base-files base-passwd @@ -20,7 +19,6 @@ debconf debianutils diffutils dirmngr -dnsutils dpkg e2fsprogs ed @@ -315,7 +313,6 @@ shared-mime-info socat sysvinit-utils tar -telnet tzdata ubuntu-keyring ucf diff --git a/heroku-24/installed-packages-arm64.txt b/heroku-24/installed-packages-arm64.txt index 211c1bb7..5a23497f 100644 
--- a/heroku-24/installed-packages-arm64.txt +++ b/heroku-24/installed-packages-arm64.txt @@ -1,7 +1,6 @@ # List of packages present in the final image. Regenerate using bin/build.sh adduser apt -apt-transport-https apt-utils base-files base-passwd @@ -20,7 +19,6 @@ debconf debianutils diffutils dirmngr -dnsutils dpkg e2fsprogs ed @@ -315,7 +313,6 @@ shared-mime-info socat sysvinit-utils tar -telnet tzdata ubuntu-keyring ucf diff --git a/heroku-24/setup.sh b/heroku-24/setup.sh index 585286e6..b80d3538 100755 --- a/heroku-24/setup.sh +++ b/heroku-24/setup.sh @@ -58,13 +58,12 @@ apt-get update --error-on=any apt-get upgrade -y --no-install-recommends packages=( - apt-transport-https apt-utils - bind9-host + # For dig, host and nslookup. + bind9-dnsutils bzip2 coreutils curl - dnsutils ed file fontconfig @@ -73,6 +72,7 @@ packages=( gir1.2-harfbuzz-0.0 gnupg imagemagick + inetutils-telnet iproute2 iputils-tracepath less @@ -163,7 +163,6 @@ packages=( shared-mime-info socat tar - telnet tzdata unzip wget From 46b68ce4c39566aaadc29d8581440bd7ca65c72f Mon Sep 17 00:00:00 2001 From: Ed Morley <501702+edmorley@users.noreply.github.com> Date: Tue, 26 Mar 2024 13:48:51 +0000 Subject: [PATCH 23/24] Heroku-24: Update packages list for upstream changes (#280) Upstream changes have meant the list of installed packages has changed (`libc6-dev` used to depend upon `libnsl-dev`, but no longer does). We don't need this package, so won't install it explicitly: https://packages.ubuntu.com/noble/libnsl-dev This updates the list of packages installed in the image to match reality, and to make CI pass. GUS-W-15159536. --- heroku-24-build/installed-packages-amd64.txt | 2 -- heroku-24-build/installed-packages-arm64.txt | 2 -- 2 files changed, 4 deletions(-) diff --git a/heroku-24-build/installed-packages-amd64.txt b/heroku-24-build/installed-packages-amd64.txt index e014d42e..7eba01d9 100644 --- a/heroku-24-build/installed-packages-amd64.txt 
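Review bot: `inetutils-telnet` is added without the kind of why-comment that `bind9-dnsutils` gets two lines above, so a future maintainer may well re-add the transitional `telnet` name alongside it. A comment such as `# Replaces the transitional 'telnet' package; only for ad-hoc connectivity debugging.` records the intent, and since `netcat-openbsd` is already in this array (outside this hunk) it is worth asking whether a cleartext telnet client is needed in the run image at all, given the commit series is otherwise trimming debugging tools. The `packages=(` array starts outside this hunk.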
+++ b/heroku-24-build/installed-packages-amd64.txt @@ -332,7 +332,6 @@ libnetpbm11 libnettle8 libnghttp2-14 libnpth0 -libnsl-dev libnsl2 libnspr4 libnss3 @@ -440,7 +439,6 @@ libtiff6 libtiffxx6 libtinfo6 libtirpc-common -libtirpc-dev libtirpc3 libtool libtsan2 diff --git a/heroku-24-build/installed-packages-arm64.txt b/heroku-24-build/installed-packages-arm64.txt index 9d6b8636..026cded2 100644 --- a/heroku-24-build/installed-packages-arm64.txt +++ b/heroku-24-build/installed-packages-arm64.txt @@ -332,7 +332,6 @@ libnetpbm11 libnettle8 libnghttp2-14 libnpth0 -libnsl-dev libnsl2 libnspr4 libnss3 @@ -439,7 +438,6 @@ libtiff6 libtiffxx6 libtinfo6 libtirpc-common -libtirpc-dev libtirpc3 libtool libtsan2 From 76c7ea948d7c0e0dde018972e2d32ccceda3bcbf Mon Sep 17 00:00:00 2001 
From: Ed Morley <501702+edmorley@users.noreply.github.com> Date: Wed, 27 Mar 2024 14:34:59 +0000 Subject: [PATCH 24/24] Heroku-24: Use the same user for the run and build images (#281) The upstream CNB spec recently changed to say that build and run images `SHOULD` use a separate Linux user for each image: https://github.com/buildpacks/rfcs/blob/main/text/0085-run-uid.md https://github.com/buildpacks/spec/blob/platform/0.13/platform.md#run-image However, this causes a number of compatibility issues with existing apps and parts of the ecosystem (see #268). Whilst we can (and will) adjust our own buildpacks to do the right thing (not write to `/layers/` or the app source directory at runtime), it's going to be some time before existing apps/frameworks/... make similar changes. In addition, the failure modes are not easy for users to debug or solve (they will have to know that seeing access denied errors means needing to use `chmod` to make directories group writeable in an inline buildpack step or similar). As such, we're deferring making this switch for now, and will revisit in the future (either for Heroku-26, or as an opt-in feature for Heroku-24), when the various third party language ecosystems are more ready for this. We will still be in compliance with the spec, since it says `SHOULD` not `MUST`. We will also add integration testing to our own CNBs to ensure that they operate correctly in environments that do run split build/run users. As part of this change, I've also switched the `heroku` user's ID back to 1000, for consistency with the Heroku-20/22 CNB base images. I've also switched back to the `USER <name>` syntax instead of `USER <uid>`, since both are permitted by the OCI and CNB specs, and the former is (a) IMO more intuitive (eg for users needing to switch to `root` and back in their own `Dockerfile`), (b) matches what Heroku-20/22 do. 
See also: https://manpages.ubuntu.com/manpages/noble/en/man8/userdel.8.html https://manpages.ubuntu.com/manpages/noble/en/man8/groupadd.8.html Closes #268. GUS-W-15342842. --- heroku-20-cnb-build/Dockerfile | 3 +-- heroku-22-cnb-build/Dockerfile | 3 +-- heroku-24-build/Dockerfile | 6 +++--- heroku-24/Dockerfile | 2 +- heroku-24/setup.sh | 10 ++++++---- 5 files changed, 12 insertions(+), 12 deletions(-) diff --git a/heroku-20-cnb-build/Dockerfile b/heroku-20-cnb-build/Dockerfile index 33928801..c5a62f7c 100644 --- a/heroku-20-cnb-build/Dockerfile +++ b/heroku-20-cnb-build/Dockerfile @@ -7,6 +7,7 @@ RUN groupadd heroku --gid 1000 \ && chown heroku:heroku /app # https://github.com/buildpacks/spec/blob/platform/0.13/platform.md#build-image +USER heroku ENV CNB_USER_ID=1000 ENV CNB_GROUP_ID=1000 # Note: This image doesn't inherit from the CNB run image variant so we have @@ -20,5 +21,3 @@ LABEL io.buildpacks.base.maintainer="Heroku" # https://github.com/buildpacks/spec/blob/platform/0.13/platform.md#iobuildpacksstack-labels ENV CNB_STACK_ID="heroku-20" LABEL io.buildpacks.stack.id="heroku-20" - -USER heroku diff --git a/heroku-22-cnb-build/Dockerfile b/heroku-22-cnb-build/Dockerfile index f1e6b502..b1c018ac 100644 --- a/heroku-22-cnb-build/Dockerfile +++ b/heroku-22-cnb-build/Dockerfile @@ -7,6 +7,7 @@ RUN groupadd heroku --gid 1000 \ && chown heroku:heroku /app # https://github.com/buildpacks/spec/blob/platform/0.13/platform.md#build-image +USER heroku ENV CNB_USER_ID=1000 ENV CNB_GROUP_ID=1000 # Note: This image doesn't inherit from the CNB run image variant so we have @@ -20,5 +21,3 @@ LABEL io.buildpacks.base.maintainer="Heroku" # https://github.com/buildpacks/spec/blob/platform/0.13/platform.md#iobuildpacksstack-labels ENV CNB_STACK_ID="heroku-22" LABEL io.buildpacks.stack.id="heroku-22" - -USER heroku diff --git a/heroku-24-build/Dockerfile b/heroku-24-build/Dockerfile index 3f19763c..a965f590 100644 --- a/heroku-24-build/Dockerfile 
+++ b/heroku-24-build/Dockerfile @@ -1,14 +1,14 @@ ARG BASE_IMAGE=heroku/heroku:24 FROM $BASE_IMAGE -# We have to temporarily switch back to root, since the run image sets a non-root default USER. +# We have to temporarily switch back to root, since the run image sets a non-root default `USER`. USER root RUN --mount=target=/build /build/setup.sh # https://github.com/buildpacks/spec/blob/platform/0.13/platform.md#build-image # The `io.buildpacks.base.*` labels are inherited from the run image, so don't need to be repeated here. -USER 1002 -ENV CNB_USER_ID=1002 +USER heroku +ENV CNB_USER_ID=1000 ENV CNB_GROUP_ID=1000 # Stack IDs are deprecated, but we still set this for backwards compatibility: diff --git a/heroku-24/Dockerfile b/heroku-24/Dockerfile index fd896b6f..476e6549 100644 --- a/heroku-24/Dockerfile +++ b/heroku-24/Dockerfile @@ -3,7 +3,7 @@ FROM ubuntu:24.04 RUN --mount=target=/build /build/setup.sh # https://github.com/buildpacks/spec/blob/platform/0.13/platform.md#run-image -USER 1001 +USER heroku LABEL io.buildpacks.base.distro.name="ubuntu" LABEL io.buildpacks.base.distro.version="24.04" LABEL io.buildpacks.base.homepage="https://github.com/heroku/base-images" diff --git a/heroku-24/setup.sh b/heroku-24/setup.sh index b80d3538..fc460ca2 100755 --- a/heroku-24/setup.sh +++ b/heroku-24/setup.sh 
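Review bot: Switching from the numeric `USER 1001`/`USER 1002` to `USER heroku` has a runtime consequence the description doesn't weigh: orchestrators that enforce non-root execution (e.g. Kubernetes `runAsNonRoot: true`) can only verify a numeric UID from the image config and refuse to start a container whose image user is a name unless `runAsUser` is also set. Both forms are allowed by the OCI and CNB specs, but for a widely reused base image `USER 1000` keeps that check working and still lets people switch to `root` and back by name in their own Dockerfile. If the name form is kept, add a comment beside it, e.g. `# The 'heroku' user/group (UID/GID 1000) is created in setup.sh.`, so the mapping is discoverable without reading the script.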
@@ -189,10 +189,12 @@ apt-get purge -y openjdk-8-jre-headless apt-get autoremove -y --purge test "$(file -b /etc/ssl/certs/java/cacerts)" = "Java KeyStore" -useradd heroku --uid 1001 --gid 1000 --shell /bin/bash --create-home -useradd heroku-build --uid 1002 --gid 1000 --shell /bin/bash --create-home -groupmod --new-name heroku ubuntu -deluser --remove-home ubuntu +# Ubuntu 24.04 ships with a default user and group named 'ubuntu' (with user+group ID of 1000) +# that we have to remove before creating our own (`userdel` will remove the group too). +userdel ubuntu --remove + +groupadd heroku --gid 1000 +useradd heroku --uid 1000 --gid 1000 --shell /bin/bash --create-home rm -rf /root/* rm -rf /tmp/*
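Review bot: The comment's claim that `userdel` removes the group too only holds when `USERGROUPS_ENAB yes` is set in `/etc/login.defs` (Ubuntu's default) and no other account uses group 1000; if that ever changes, the following `groupadd heroku --gid 1000` fails with a GID-exists error, which should abort the build if the script runs under `set -e` (its `set` line is outside this hunk). Spell that out in the comment, e.g. `# (with the default USERGROUPS_ENAB=yes, userdel also removes the 'ubuntu' group; groupadd below fails loudly if it did not)`. A second comment noting that `useradd` is called without `--password`, so the `heroku` account stays locked for password login, documents the intended state of the runtime user. As a style point, `userdel --remove ubuntu` matches the man page's `userdel [options] LOGIN` synopsis rather than relying on GNU option permutation.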