perf(gnocchi): slim runtime image by ~50%

Cuts the Gnocchi container from ~4.8 GB uncompressed (1.6 GiB on GHCR)
to roughly 2.5 GB by removing files and packages the service never
uses at runtime.

Changes
- Strip unused Ceph libs from the dependency stage before they get
  copied into the runtime: librbd, librgw, libcephfs, libcephsqlite.
  Per upstream gnocchi setup.cfg the [ceph] extra has no python deps
  and only requires librados via python3-rados, so RBD, CephFS, and
  the RADOS gateway are dead weight (~1.3 GB).
- Drop server packages that snuck into the runtime image: postgresql
  (server daemon — psycopg2 only needs libpq5, kept), memcached
  (server daemon — tooz uses pymemcache, kept), and the full ceph
  metapackage (replaced by librados from the dependency stage plus
  python3-rados, both kept). The PostgreSQL, memcached, and Ceph
  client paths are fully preserved.
- Fix the no-op `apt-get purge -y --auto-remove` by passing an
  explicit BUILD_DEPS list (apache2-dev, build-essential, *-dev
  headers, pkg-config, python3-dev). These were previously installed
  to compile mod_wsgi and then never removed.
- Drop runtime-irrelevant packages: git, wget, docutils-common,
  gettext, libjs-sphinxdoc, libjs-underscore.
- Add `--no-cache-dir` to pip installs and clean /root/.cache,
  /tmp, and /var/tmp at the end of each stage.

Not changed
- ceph-libs base image (shared by other services, separate fix).
- /usr/local/lib/ceph/ plugin tree is kept so librados can load
  erasure-code and compressor plugins for EC/compressed pools.
- scripts/gnocchi-cve-patching.sh runs identically.
- Trivy scanning workflow is untouched.

Author: LukeRepko

ContainerFiles/gnocchi

@@ -10,7 +10,7 @@ ARG OS_CONSTRAINTS=master
 RUN export DEBIAN_FRONTEND=noninteractive
 RUN curl -fsSL -o /tmp/upper-constraints.txt https://opendev.org/openstack/requirements/raw/branch/${OS_CONSTRAINTS}/upper-constraints.txt \
   && sed -i '/^gnocchi===.*/d' /tmp/upper-constraints.txt \
-  && /var/lib/openstack/bin/pip install --constraint /tmp/upper-constraints.txt \
+  && /var/lib/openstack/bin/pip install -vvv --no-cache-dir --constraint /tmp/upper-constraints.txt \
                                         "gnocchi[postgresql,ceph,keystone,redis] @ git+https://github.com/gnocchixyz/gnocchi.git@${GNOCCHI_VERSION}" \
                                         gnocchiclient \
                                         PyMySQL \
@@ -23,12 +23,21 @@ RUN curl -fsSL -o /tmp/upper-constraints.txt https://opendev.org/openstack/requi
 COPY scripts/gnocchi-cve-patching.sh /opt/
 RUN bash /opt/gnocchi-cve-patching.sh
 
+# Strip Ceph runtime libraries Gnocchi never uses. Per upstream setup.cfg the
+# `[ceph]` extra has no Python deps and relies on python3-rados, which only
+# needs librados. RBD (block device), CephFS, RGW (object gateway), and the
+# Ceph SQLite VFS are unrelated and account for ~1.3 GB on their own.
 RUN find / -name '*.pyc' -delete \
   && find / -name '*.pyo' -delete \
   && find / -name '__pycache__' -delete \
   && find / -name '*.whl' -delete \
   && rm -f /var/lib/openstack/lib/python*/site-packages/slapdtest/certs/client.key \
   && rm -f /var/lib/openstack/lib/python*/site-packages/slapdtest/certs/server.key \
+  && rm -f /usr/local/lib/librbd.so* \
+  && rm -f /usr/local/lib/librgw.so* \
+  && rm -f /usr/local/lib/libcephfs.so* \
+  && rm -f /usr/local/lib/libcephsqlite.so* \
+  && rm -rf /root/.cache /tmp/* /var/tmp/* \
   && for f in /var/lib/openstack/lib/python*/site-packages/PyJWT-*.dist-info/METADATA; do \
        if [ -f "$f" ]; then \
          sed -i '/^Usage/,/^Documentation\n^-.*$/d' "$f"; \
@@ -45,54 +54,31 @@ COPY --from=dependency_build /usr/lib/x86_64-linux-gnu /usr/lib/x86_64-linux-gnu
 COPY --from=dependency_build /usr/lib/python3/dist-packages /usr/lib/python3/dist-packages
 COPY --from=dependency_build /var/lib/openstack /var/lib/openstack
 RUN export DEBIAN_FRONTEND=noninteractive \
+  && BUILD_DEPS="apache2-dev build-essential libffi-dev libldap2-dev libpq-dev libsasl2-dev libsnappy-dev libprotobuf-dev libssl-dev libsystemd-dev libxml2-dev libxslt1-dev librados-dev liberasurecode-dev pkg-config python3-dev" \
   && apt-get update && apt-get upgrade -y \
   && apt-get install --no-install-recommends -y \
                                              apache2 \
-                                             apache2-dev \
+                                             bash \
+                                             brotli \
+                                             curl \
                                              libffi8 \
                                              libpq5 \
                                              libsnappy1v5 \
                                              libxml2 \
+                                             libxslt1.1 \
+                                             locales \
                                              python3 \
-                                             python3-dev \
                                              python3-memcache \
-                                             bash \
-                                             brotli \
-                                             build-essential \
-                                             curl \
-                                             wget \
-                                             locales \
-                                             docutils-common \
-                                             gettext \
-                                             git \
-                                             libffi-dev \
-                                             libjs-sphinxdoc \
-                                             libjs-underscore \
-                                             libldap2-dev \
-                                             libpq-dev \
-                                             postgresql \
-                                             memcached \
-                                             librados-dev \
-                                             liberasurecode-dev \
                                              python3-rados \
-                                             ceph \
-                                             libsasl2-dev \
-                                             libsnappy-dev \
-                                             libprotobuf-dev \
-                                             libssl-dev \
-                                             libsystemd-dev \
-                                             libxml2-dev \
-                                             libxslt1-dev \
-                                             libxslt1.1 \
-                                             pkg-config \
                                              ssl-cert \
                                              xmlsec1 \
-  && /var/lib/openstack/bin/pip install --upgrade mod_wsgi \
+                                             $BUILD_DEPS \
+  && /var/lib/openstack/bin/pip install --no-cache-dir --upgrade mod_wsgi \
   && /var/lib/openstack/bin/mod_wsgi-express module-config > /etc/apache2/mods-available/wsgi.load \
   && a2enmod wsgi \
-  && apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false \
+  && apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false $BUILD_DEPS \
   && apt-get clean -y \
-  && rm -rf /var/lib/apt/lists/* \
+  && rm -rf /var/lib/apt/lists/* /root/.cache /tmp/* /var/tmp/* \
   && find / -name '*.pyc' -delete \
   && find / -name '*.pyo' -delete \
   && find / -name '__pycache__' -delete \