# platforms: linux/x86_64
# strip-tags: gnu
# append-tags: gcc
# Debian 11 (bullseye)
# NOTE(review): `debian:11` is a mutable tag, so the base layers can change
# from one build to the next. For a reproducible, auditable base, also pin the
# digest (`debian:11@sha256:<digest>`, placeholder) and bump it deliberately.
FROM public.ecr.aws/docker/library/debian:11
# A few RUN steps in Dockerfiles depend on outside state that Docker cannot
# see: the command text is identical from `docker build`'s point of view, yet
# running it at a different point in time may produce a different result.
#
# This causes two possible issues:
#
# - one wants to capture a new state, i.e. have the identical
#   non-reproducible command run again and produce a new result. This could be
#   achieved with --no-cache, but that affects every single operation in the
#   Dockerfile
# - one wants to identify a specific state and leverage caching at that
#   specific state.
#
# To that end the build argument REPRO_RUN_KEY captures an arbitrary
# identifier of that state (typically a time). It is referenced in
# non-reproducible commands so that they appear different to Docker whenever
# the value changes.
#
# Of course this only works when cache data is available: two independent
# builds with the same value and no shared cache could still produce
# different results.
#
# Build arguments can be read back from the image's build history, so this
# value must only ever be an opaque state identifier, never a credential.
ARG REPRO_RUN_KEY=0
# Configure apt retries to improve automation reliability
RUN echo 'Acquire::Retries "3";' > /etc/apt/apt.conf.d/80-retries
# `apt-get update` is uncontrolled and fetches whatever is today's index.
# For the sake of reproducibility subsequent steps (including in dependent
# images) should not do `apt-get update`; instead this base image should be
# updated by changing the `REPRO_RUN_KEY`.
# `true "${REPRO_RUN_KEY}"` is a no-op: it only places the key in the command
# so that a new key value makes this step look different to Docker.
# NOTE(review): the package index stays frozen at whatever this step fetched,
# Debian security updates included, until REPRO_RUN_KEY is changed; bumping
# the key on a schedule is what keeps the installed packages patched.
RUN true "${REPRO_RUN_KEY}" && apt-get update
# Install locale and timezone support first
# No `apt-get update` in this step on purpose: it installs from the package
# index fetched by the REPRO_RUN_KEY step above.
RUN apt-get install -y locales tzdata --no-install-recommends
# Ensure sane locale (Uncomment `en_US.UTF-8` from `/etc/locale.gen` before running `locale-gen`)
RUN sed -i '/en_US.UTF-8/s/^# //g' /etc/locale.gen && locale-gen
# Ensure consistent timezone: /etc/localtime becomes a symlink to the UTC zone file
RUN ln -sf /usr/share/zoneinfo/Etc/UTC /etc/localtime
# Skip installing gem documentation
# Writes /usr/local/etc/gemrc from an inline heredoc (heredoc support needs a
# BuildKit-based build). Presumably this is the system-wide gemrc read by the
# Ruby that is installed under /usr/local later in this file; verify.
# Everything between the two GEMRC markers is file content, not Dockerfile
# syntax, so comments must not be placed inside it.
COPY <<GEMRC /usr/local/etc/gemrc
install: --no-document
update: --no-document
GEMRC
# Locale settings plus the Ruby release to build. Being ENV (not ARG), these
# values also persist into the environment of containers run from the image.
# RUBY_DOWNLOAD_SHA256 is the expected SHA-256 of the Ruby source tarball; the
# build step that follows checks the download against it before unpacking.
# NOTE(review): Ruby 1.9.3 is long past upstream end-of-life and no longer
# receives security fixes. Presumably this image exists for
# legacy-compatibility testing only; confirm it is never used to serve
# untrusted input.
ENV LANG="en_US.UTF-8" \
LANGUAGE="en_US:en" \
RUBY_MAJOR="1.9" \
RUBY_VERSION="1.9.3-p551" \
RUBY_DOWNLOAD_SHA256="44228297861f4dfdf23a47372a3e3c4c5116fbf5b0e10883417f2379874b55c6"
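# Build OpenSSL 1.0.2 and Ruby from source, then install RubyGems and Bundler,
# all in one layer:
# - Compile Ruby with `--disable-shared`
# - Update gem version
# Both source tarballs are checked against a pinned SHA-256 before they are
# unpacked; that check, not the transport, is what establishes their integrity.
# NOTE(review): OpenSSL 1.0.2u and Ruby 1.9.3 are both past upstream
# end-of-life, so known flaws in them stay unpatched in this image.
RUN <<SHELL
set -eux
# Installs from the package index fetched by the earlier `apt-get update` layer.
apt-get install -y \
    curl \
    ca-certificates \
    gcc \
    g++ \
    make \
    autoconf \
    bison \
    patch \
    libc6-dev \
    build-essential \
    git \
    xz-utils \
    zlib1g-dev \
    libyaml-dev \
    libgdbm-dev \
    libreadline-dev \
    libncurses5-dev \
    libffi-dev \
    --no-install-recommends
# Ruby 1.9 needs OpenSSL 1.0.x; Debian 11's OpenSSL 1.1.x is incompatible
OPENSSL_VERSION='1.0.2u'
OPENSSL_SHA256='ecd0c6ffb493dd06707d38b14bb4d8c2288bb7033735606569d8f90f89669d16'
# --fail: stop on an HTTP error status instead of saving the server's error
# page, which would otherwise only show up as a confusing checksum mismatch.
curl --fail -L -o openssl.tar.gz "https://www.openssl.org/source/openssl-${OPENSSL_VERSION}.tar.gz"
# Verify before unpacking; with `set -e` a mismatch aborts the build.
echo "$OPENSSL_SHA256 *openssl.tar.gz" | sha256sum --check --strict
mkdir -p /usr/src/openssl
tar -xzf openssl.tar.gz -C /usr/src/openssl --strip-components=1
rm openssl.tar.gz
cd /usr/src/openssl
# Installed under its own prefix so it does not replace Debian's OpenSSL.
./config \
    --prefix=/usr/local/ssl \
    --openssldir=/usr/local/ssl \
    shared \
    zlib
make
make install
# Make the dynamic linker search the private OpenSSL's library directory.
echo "/usr/local/ssl/lib" > /etc/ld.so.conf.d/openssl.conf
ldconfig
# point OpenSSL to the system CA certificates so SSL verification works
rmdir /usr/local/ssl/certs
ln -s /etc/ssl/certs /usr/local/ssl/certs
cd /
rm -r /usr/src/openssl
# --fail for the same reason as the OpenSSL download above.
curl --fail -o ruby.tar.xz "https://cache.ruby-lang.org/pub/ruby/${RUBY_MAJOR%-rc}/ruby-$RUBY_VERSION.tar.xz"
# RUBY_DOWNLOAD_SHA256 comes from the ENV instruction earlier in this file.
echo "$RUBY_DOWNLOAD_SHA256 *ruby.tar.xz" | sha256sum --check --strict
mkdir -p /usr/src/ruby
tar -xJf ruby.tar.xz -C /usr/src/ruby --strip-components=1
rm ruby.tar.xz
cd /usr/src/ruby
# hack in "ENABLE_PATH_CHECK" disabling to suppress:
# warning: Insecure world writable dir
# NOTE(review): this turns off Ruby's own check rather than removing the
# cause. GEM_HOME is made mode 1777 later in this file and its bin/ directory
# is put first on PATH, so the condition is hidden, not fixed.
{
    echo '#define ENABLE_PATH_CHECK 0'
    echo
    cat file.c
} > file.c.new
mv file.c.new file.c
autoconf
gnuArch="$(gcc -dumpmachine)"
# Link Ruby against the private OpenSSL 1.0.2 built above.
./configure \
    --build="$gnuArch" \
    --disable-install-doc \
    --disable-shared \
    --with-openssl-dir=/usr/local/ssl
# parallel make causes race conditions in old Ruby's extension build system so we don't use `-j $(nproc)`
make
make install
cd /
rm -r /usr/src/ruby
# verify ruby is not installed via apt
if dpkg -l ruby 2>/dev/null | grep -q '^ii'; then exit 1; fi
# update gem version
# NOTE(review): the versions are pinned, but unlike the tarballs above no
# content hash is checked; integrity rests on the TLS connection to the
# configured gem source.
gem update --system 2.7.11
gem install bundler --version 1.17.3 --force
# rough smoke test
ruby --version
gem --version
bundle --version
# clean up apt lists
# NOTE(review): the lists were written by an earlier layer, so deleting them
# here does not make the image smaller. It does leave dependent images with no
# package index, so they need their own `apt-get update` before installing,
# which the comment on the update step says they should avoid; confirm which
# behaviour is intended.
rm -rf /var/lib/apt/lists/*
SHELL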
# don't create ".bundle" in all our apps
# GEM_HOME is where gems get installed; BUNDLE_APP_CONFIG points Bundler's
# per-app configuration at the same directory.
ENV GEM_HOME=/usr/local/bundle
ENV BUNDLE_SILENCE_ROOT_WARNING=1 \
BUNDLE_APP_CONFIG="$GEM_HOME"
# Executables of installed gems take precedence over everything else on PATH.
ENV PATH=$GEM_HOME/bin:$PATH
# adjust permissions of a few directories for running "gem install" as an arbitrary user
# NOTE(review): mode 1777 lets every user in the container create files under
# GEM_HOME, and GEM_HOME/bin comes first on PATH. The sticky bit only stops
# users from deleting or renaming entries they do not own. That fits a
# single-purpose build/test container; where several users or less-trusted
# code share the container, create GEM_HOME for one dedicated UID instead.
RUN mkdir -p "$GEM_HOME" && chmod 1777 "$GEM_HOME"
# NOTE(review): no USER instruction is set, so containers start as the base
# image's default user (presumably root) unless the runtime overrides it;
# BUNDLE_SILENCE_ROOT_WARNING=1 above also hides Bundler's warning about that.
CMD [ "irb" ]