Modernize Docker build and update PG to 2.20.1

Multi-stage Dockerfile (Ubuntu 24.04, Node 22) cuts image size from
~1.5GB to ~770MB. Builder stage compiles XS modules and JS assets;
runtime stage copies only what's needed to serve requests.

- Add cpanfile for reproducible Perl dependency installs
- Add .dockerignore to exclude docs, tests, git metadata from context
- Update PG submodule to 2.20.1 (PG-2.20 tag + 21 hotfixes)
- Update pg_config.yml for PG 2.20 macro/context paths
- Rewrite README with configuration reference, deployment topologies,
  and JWT documentation

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: drdrew42

.dockerignore

@@ -1,3 +1,44 @@
+# Version control
 .git
 .gitignore
+.gitattributes
+.gitmodules
+.github
+
+# Documentation & metadata
+README.md
+LICENSE.md
+CLAUDE.md
+docs/
+
+# Kubernetes manifests
+k8/
+
+# IDE & OS files
+.idea/
+*.swp
+*.swo
+*~
 **/.DS_Store
+
+# Build artifacts & temp files
+*.o
+*.bs
+*.pid
+*.pm.tdy
+logs/*
+tmp/*
+
+# Local data (mounted at runtime, not baked in)
+webwork-open-problem-library/
+private/
+
+# Node modules (npm install runs in Dockerfile)
+node_modules
+public/node_modules
+lib/PG/htdocs/node_modules
+
+# Generated assets (built in Dockerfile)
+public/**/*.min.js
+public/**/*.min.css
+public/static-assets.json

Dockerfile

@@ -1,4 +1,5 @@
-FROM ubuntu:20.04
+# Stage 1: Builder — install all build tools, compile Perl XS modules, generate JS/CSS assets
+FROM ubuntu:24.04 AS builder
 LABEL org.opencontainers.image.source=https://github.com/openwebwork/renderer
 
 WORKDIR /usr/app
@@ -41,12 +42,13 @@ RUN apt-get update \
     libdata-structure-util-perl \
     liblocale-maketext-lexicon-perl \
     libyaml-libyaml-perl \
-    && curl -fsSL https://deb.nodesource.com/setup_16.x | bash - \
+    && curl -fsSL https://deb.nodesource.com/setup_22.x | bash - \
     && apt-get install -y --no-install-recommends --no-install-suggests nodejs \
     && apt-get clean \
     && rm -fr /var/lib/apt/lists/* /tmp/*
 
-RUN cpanm install Mojo::Base Statistics::R::IO::Rserve Date::Format Future::AsyncAwait Crypt::JWT IO::Socket::SSL CGI::Cookie \
+COPY cpanfile .
+RUN cpanm --installdeps . \
     && rm -fr ./cpanm /root/.cpanm /tmp/*
 
 COPY . .
@@ -55,12 +57,61 @@ RUN cp renderer.conf.dist renderer.conf
 
 RUN cp conf/pg_config.yml lib/PG/conf/pg_config.yml
 
-RUN cd public/ && npm install && cd ..
+# Install all npm deps (including devDependencies for asset generation),
+# then prune to production-only for the runtime image.
+RUN cd public/ && npm install && npm prune --omit=dev && cd ..
 
-RUN cd lib/PG/htdocs && npm install && cd ../../..
+RUN cd lib/PG/htdocs && npm install && npm prune --omit=dev && cd ../../..
+
+# Stage 2: Runtime — only what's needed to serve requests
+FROM ubuntu:24.04
+
+LABEL org.opencontainers.image.source=https://github.com/openwebwork/renderer
+
+WORKDIR /usr/app
+ARG DEBIAN_FRONTEND=noninteractive
+ENV TZ=America/New_York
+
+RUN apt-get update \
+    && apt-get install -y --no-install-recommends --no-install-suggests \
+    apt-utils \
+    curl \
+    dvipng \
+    openssl \
+    libgd-perl \
+    imagemagick \
+    libdbi-perl \
+    libjson-perl \
+    libcgi-pm-perl \
+    libjson-xs-perl \
+    ca-certificates \
+    libstorable-perl \
+    libdatetime-perl \
+    libuuid-tiny-perl \
+    libtie-ixhash-perl \
+    libhttp-async-perl \
+    libnet-ssleay-perl \
+    libarchive-zip-perl \
+    libcrypt-ssleay-perl \
+    libclass-accessor-perl \
+    libstring-shellquote-perl \
+    libproc-processtable-perl \
+    libmath-random-secure-perl \
+    libdata-structure-util-perl \
+    liblocale-maketext-lexicon-perl \
+    libyaml-libyaml-perl \
+    && apt-get clean \
+    && rm -fr /var/lib/apt/lists/* /tmp/*
+
+# Copy cpanm-installed Perl modules (XS .so + pure Perl) and Mojo binaries.
+# Copies all of /usr/local/ to stay architecture-independent (avoids hardcoding aarch64/x86_64 paths).
+COPY --from=builder /usr/local /usr/local
+
+# Copy the full app tree (includes pruned node_modules and generated assets)
+COPY --from=builder /usr/app /usr/app
 
 EXPOSE 3000
 
 HEALTHCHECK CMD curl -I localhost:3000/health
 
-CMD hypnotoad -f ./script/renderer
+CMD ["hypnotoad", "-f", "./script/renderer"]

Dockerfile_with_OPL

@@ -1,4 +1,5 @@
-FROM ubuntu:20.04
+# Stage 1: Builder — install all build tools, compile Perl XS modules, generate JS/CSS assets
+FROM ubuntu:24.04 AS builder
 LABEL org.opencontainers.image.source=https://github.com/openwebwork/renderer
 
 WORKDIR /usr/app
@@ -41,12 +42,13 @@ RUN apt-get update \
     libdata-structure-util-perl \
     liblocale-maketext-lexicon-perl \
     libyaml-libyaml-perl \
-    && curl -fsSL https://deb.nodesource.com/setup_16.x | bash - \
+    && curl -fsSL https://deb.nodesource.com/setup_22.x | bash - \
     && apt-get install -y --no-install-recommends --no-install-suggests nodejs \
     && apt-get clean \
     && rm -fr /var/lib/apt/lists/* /tmp/*
 
-RUN cpanm install Mojo::Base Statistics::R::IO::Rserve Date::Format Future::AsyncAwait Crypt::JWT IO::Socket::SSL CGI::Cookie \
+COPY cpanfile .
+RUN cpanm --installdeps . \
     && rm -fr ./cpanm /root/.cpanm /tmp/*
 
 ENV MOJO_MODE=production
@@ -66,12 +68,62 @@ RUN cp renderer.conf.dist renderer.conf
 
 RUN cp conf/pg_config.yml lib/PG/conf/pg_config.yml
 
-RUN npm install
+# Install all npm deps (including devDependencies for asset generation),
+# then prune to production-only for the runtime image.
+RUN cd public/ && npm install && npm prune --omit=dev && cd ..
 
-RUN cd lib/PG/htdocs && npm install && cd ../../..
+RUN cd lib/PG/htdocs && npm install && npm prune --omit=dev && cd ../../..
+
+# Stage 2: Runtime — only what's needed to serve requests
+FROM ubuntu:24.04
+
+LABEL org.opencontainers.image.source=https://github.com/openwebwork/renderer
+
+WORKDIR /usr/app
+ARG DEBIAN_FRONTEND=noninteractive
+ENV TZ=America/New_York
+ENV MOJO_MODE=production
+
+RUN apt-get update \
+    && apt-get install -y --no-install-recommends --no-install-suggests \
+    apt-utils \
+    curl \
+    dvipng \
+    openssl \
+    libgd-perl \
+    imagemagick \
+    libdbi-perl \
+    libjson-perl \
+    libcgi-pm-perl \
+    libjson-xs-perl \
+    ca-certificates \
+    libstorable-perl \
+    libdatetime-perl \
+    libuuid-tiny-perl \
+    libtie-ixhash-perl \
+    libhttp-async-perl \
+    libnet-ssleay-perl \
+    libarchive-zip-perl \
+    libcrypt-ssleay-perl \
+    libclass-accessor-perl \
+    libstring-shellquote-perl \
+    libproc-processtable-perl \
+    libmath-random-secure-perl \
+    libdata-structure-util-perl \
+    liblocale-maketext-lexicon-perl \
+    libyaml-libyaml-perl \
+    && apt-get clean \
+    && rm -fr /var/lib/apt/lists/* /tmp/*
+
+# Copy cpanm-installed Perl modules (XS .so + pure Perl) and Mojo binaries.
+# Copies all of /usr/local/ to stay architecture-independent (avoids hardcoding aarch64/x86_64 paths).
+COPY --from=builder /usr/local /usr/local
+
+# Copy the full app tree (includes OPL, pruned node_modules, and generated assets)
+COPY --from=builder /usr/app /usr/app
 
 EXPOSE 3000
 
 HEALTHCHECK CMD curl -I localhost:3000/health
 
-CMD hypnotoad -f ./script/renderer
+CMD ["hypnotoad", "-f", "./script/renderer"]