upd(container): reduce image size and build time

Cache packages, remove unused packages, and prevent installation of
apt recommended packages.

Author: matthewjmarangoni

.gitignore

@@ -185,3 +185,6 @@ infra/tests/*
 
 # Unikraft
 .unikraft
+
+# mise-en-place
+.mise.toml

images/chromium-headful/Dockerfile

@@ -7,27 +7,35 @@ ENV CGO_ENABLED=0
 
 COPY server/go.mod ./
 COPY server/go.sum ./
-RUN go mod download
+RUN --mount=type=cache,target=/root/.cache/go-build \
+    --mount=type=cache,target=/go/pkg/mod \
+    go mod download
 
 COPY server/ .
-RUN GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH:-amd64} \
+RUN --mount=type=cache,target=/root/.cache/go-build \
+    --mount=type=cache,target=/go/pkg/mod \
+    GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH:-amd64} \
     go build -ldflags="-s -w" -o /out/kernel-images-api ./cmd/api
 
 # webrtc client
 FROM node:22-bullseye-slim AS client
 WORKDIR /src
 COPY images/chromium-headful/client/package*.json ./
-RUN npm install
+RUN --mount=type=cache,target=/root/.npm npm install
 COPY images/chromium-headful/client/ .
-RUN npm run build
+RUN --mount=type=cache,target=/root/.npm npm run build
 
 # xorg dependencies
 FROM docker.io/ubuntu:22.04 AS xorg-deps
 WORKDIR /xorg
 ENV DEBIAN_FRONTEND=noninteractive
-RUN set -eux; \
+RUN --mount=type=cache,target=/var/cache/apt,sharing=locked,id=ubuntu2204-aptcache \
+    --mount=type=cache,target=/var/lib/apt,sharing=locked,id=ubuntu2204-aptlib \
+    rm -f /etc/apt/apt.conf.d/docker-clean; \
+    echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' > /etc/apt/apt.conf.d/keep-cache; \
+    set -eux; \
     apt-get update; \
-    apt-get install -y \
+    apt-get --no-install-recommends -y install \
     git gcc pkgconf autoconf automake libtool make xorg-dev xutils-dev \
     && rm -rf /var/lib/apt/lists/*;
 COPY images/chromium-headful/xorg-deps/ /xorg/
@@ -54,9 +62,14 @@ FROM docker.io/ubuntu:22.04
 ENV DEBIAN_FRONTEND=noninteractive
 ENV DEBIAN_PRIORITY=high
 
-RUN apt-get update && \
+RUN --mount=type=cache,target=/var/cache/apt,sharing=locked,id=ubuntu2204-aptcache \
+    --mount=type=cache,target=/var/lib/apt,sharing=locked,id=ubuntu2204-aptlib \
+    rm -f /etc/apt/apt.conf.d/docker-clean; \
+    echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' > /etc/apt/apt.conf.d/keep-cache; \
+    apt-get update && \
     apt-get -y upgrade && \
-    apt-get -y install \
+    apt-get --no-install-recommends -y install  \
+    gpg-agent \
     # UI Requirements
     xvfb \
     xterm \
@@ -88,39 +101,44 @@ RUN apt-get update && \
     software-properties-common && \
     # Userland apps
     sudo add-apt-repository ppa:mozillateam/ppa && \
-    sudo apt-get install -y --no-install-recommends \
-    chromium-browser \
-    libreoffice \
+    sudo apt-get --no-install-recommends -y install \
     x11-apps \
-    xpdf \
-    gedit \
-    xpaint \
     tint2 \
-    galculator \
-    pcmanfm \
     wget \
     xdg-utils \
     libvulkan1 \
     fonts-liberation \
-    unzip && \
-    apt-get clean
+    unzip;
 
 # install ffmpeg manually since the version available in apt is from the 4.x branch due to #drama.
 # as of writing these static builds will be the latest 7.0.x release.
-RUN set -eux; \
+RUN --mount=type=cache,target=/tmp/cache/ffmpeg,id=ffmpeg \
+    set -eux; \
     URL="https://johnvansickle.com/ffmpeg/releases/ffmpeg-release-amd64-static.tar.xz"; \
-    echo "Downloading FFmpeg static build from $URL"; \
-    curl -fsSL "$URL" -o /tmp/ffmpeg.tar.xz; \
-    tar -xJf /tmp/ffmpeg.tar.xz -C /tmp; \
+    echo "Downloading FFmpeg MD5 checksum"; \
+    curl -fsSL "${URL}.md5" -o /tmp/cache/ffmpeg/ffmpeg.tar.xz.md5; \
+    sed -i -e 's/ .*$/ \/tmp\/cache\/ffmpeg\/ffmpeg.tar.xz/' /tmp/cache/ffmpeg/ffmpeg.tar.xz.md5; \
+    echo "Checking cache for FFmpeg archive and validating MD5 checksum"; \
+    if md5sum --check /tmp/cache/ffmpeg/ffmpeg.tar.xz.md5; then \
+        echo "Checksum validated, using cached FFmpeg archive"; \
+    else \
+        echo "Downloading FFmpeg static build from $URL"; \
+        curl -fsSL "$URL" -o /tmp/cache/ffmpeg/ffmpeg.tar.xz; \
+        echo "Validating MD5 checksum of FFmpeg static build download"; \
+        md5sum --check /tmp/cache/ffmpeg/ffmpeg.tar.xz.md5; \
+    fi; \
+    tar -xJf /tmp/cache/ffmpeg/ffmpeg.tar.xz -C /tmp; \
     install -m755 /tmp/ffmpeg-*/ffmpeg  /usr/local/bin/ffmpeg; \
     install -m755 /tmp/ffmpeg-*/ffprobe /usr/local/bin/ffprobe; \
     rm -rf /tmp/ffmpeg*
 
 # runtime
 ENV USERNAME=root
-RUN set -eux; \
+RUN --mount=type=cache,target=/var/cache/apt,sharing=locked,id=ubuntu2204-aptcache \
+    --mount=type=cache,target=/var/lib/apt,sharing=locked,id=ubuntu2204-aptlib \
+    set -eux; \
     apt-get update; \
-    apt-get install -y --no-install-recommends \
+    apt-get --no-install-recommends -y install \
     wget ca-certificates python2 supervisor xclip xdotool \
     pulseaudio dbus-x11 xserver-xorg-video-dummy \
     libcairo2 libxcb1 libxrandr2 libxv1 libopus0 libvpx7 \
@@ -131,7 +149,7 @@ RUN set -eux; \
     # install libxcvt0 (not available in debian:bullseye)
     ARCH=$(dpkg --print-architecture); \
     wget http://ftp.de.debian.org/debian/pool/main/libx/libxcvt/libxcvt0_0.1.2-1_${ARCH}.deb; \
-    apt-get install --no-install-recommends ./libxcvt0_0.1.2-1_${ARCH}.deb; \
+    apt-get --no-install-recommends install ./libxcvt0_0.1.2-1_${ARCH}.deb; \
     rm ./libxcvt0_0.1.2-1_${ARCH}.deb; \
     #
     # workaround for an X11 problem: http://blog.tigerteufel.de/?p=476
@@ -146,14 +164,15 @@ RUN set -eux; \
     /home/$USERNAME/.local/share/xorg; \
     chmod 1777 /var/log/neko; \
     chown $USERNAME /var/log/neko/ /tmp/runtime-$USERNAME; \
-    chown -R $USERNAME:$USERNAME /home/$USERNAME; \
-    # clean up
-    apt-get clean -y; \
-    rm -rf /var/lib/apt/lists/* /var/cache/apt/
+    chown -R $USERNAME:$USERNAME /home/$USERNAME;
 
 # install chromium and sqlite3 for debugging the cookies file
-RUN add-apt-repository -y ppa:xtradeb/apps
-RUN apt update -y && apt install -y chromium sqlite3
+RUN --mount=type=cache,target=/var/cache/apt,sharing=locked,id=ubuntu2204-aptcache \
+    --mount=type=cache,target=/var/lib/apt,sharing=locked,id=ubuntu2204-aptlib \
+    add-apt-repository -y ppa:xtradeb/apps;
+RUN --mount=type=cache,target=/var/cache/apt,sharing=locked,id=ubuntu2204-aptcache \
+    --mount=type=cache,target=/var/lib/apt,sharing=locked,id=ubuntu2204-aptlib \
+    apt update -y && apt --no-install-recommends -y install chromium sqlite3;
 
 # setup desktop env & app
 ENV DISPLAY_NUM=1

images/chromium-headful/client/Dockerfile

@@ -6,12 +6,12 @@ WORKDIR /src
 #
 # install dependencies
 COPY package*.json ./
-RUN npm install
+RUN --mount=type=cache,target=/root/.npm npm install
 
 #
 # build client
 COPY . .
-RUN npm run build
+RUN --mount=type=cache,target=/root/.npm npm run build
 
 #
 # artifacts from this stage

images/chromium-headful/xorg-deps/Dockerfile

@@ -4,11 +4,15 @@ FROM $BASE_IMAGE AS xorg-deps
 WORKDIR /xorg
 
 ENV DEBIAN_FRONTEND=noninteractive
-RUN set -eux; \
+RUN --mount=type=cache,target=/var/cache/apt,sharing=locked,id=ubuntu2204-aptcache \
+    --mount=type=cache,target=/var/lib/apt,sharing=locked,id=ubuntu2204-aptlib \
+    rm -f /etc/apt/apt.conf.d/docker-clean; \
+    echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' > /etc/apt/apt.conf.d/keep-cache; \
+    set -eux; \
     apt-get update; \
-    apt-get install -y \
-        git gcc pkgconf autoconf automake libtool make xorg-dev xutils-dev \
-    && rm -rf /var/lib/apt/lists/*;
+    apt-get install --no-install-recommends -y \
+    git gcc pkgconf autoconf automake libtool make xorg-dev xutils-dev;
+
 
 COPY . /xorg/
 

images/chromium-headful/xorg-deps/xf86-input-neko/Dockerfile

@@ -2,11 +2,14 @@ FROM debian:bullseye-slim
 
 ENV DEBIAN_FRONTEND=noninteractive
 
-RUN set -eux; \
+RUN --mount=type=cache,target=/var/cache/apt,sharing=locked,id=debian-bullseye-aptcache \
+    --mount=type=cache,target=/var/lib/apt,sharing=locked,id=debian-bullseye-aptlib \
+    rm -f /etc/apt/apt.conf.d/docker-clean; \
+    echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' > /etc/apt/apt.conf.d/keep-cache; \
+    set -eux; \
     apt-get update; \
-    apt-get install -y \
-        gcc pkgconf autoconf automake libtool make xorg-dev xutils-dev \
-    && rm -rf /var/lib/apt/lists/*;
+    apt-get install --no-install-recommends -y \
+        gcc pkgconf autoconf automake libtool make xorg-dev xutils-dev;
 
 WORKDIR /app
 

images/chromium-headless/image/Dockerfile

@@ -9,18 +9,25 @@ ENV CGO_ENABLED=0
 # Go module dependencies first for better layer caching
 COPY server/go.mod ./
 COPY server/go.sum ./
-RUN go mod download
+RUN --mount=type=cache,target=/root/.cache/go-build \
+    --mount=type=cache,target=/go/pkg/mod \
+    go mod download
 
 # Copy the rest of the server source and build the binary
 COPY server/ .
-RUN GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH:-amd64} \
+RUN --mount=type=cache,target=/root/.cache/go-build \
+    --mount=type=cache,target=/go/pkg/mod \
+    GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH:-amd64} \
     go build -ldflags="-s -w" -o /out/kernel-images-api ./cmd/api
 
 FROM docker.io/ubuntu:22.04
-
-RUN set -xe; \
+RUN --mount=type=cache,target=/var/cache/apt,sharing=locked,id=ubuntu2204-aptcache \
+    --mount=type=cache,target=/var/lib/apt,sharing=locked,id=ubuntu2204-aptlib \
+    rm -f /etc/apt/apt.conf.d/docker-clean; \
+    echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' > /etc/apt/apt.conf.d/keep-cache; \
+    set -xe; \
     apt-get -yqq update; \
-    apt-get -yqq install \
+    apt-get -yqq --no-install-recommends install \
     libcups2 \
     libnss3 \
     libatk1.0-0 \
@@ -37,12 +44,13 @@ RUN set -xe; \
     libxrandr2 \
     libgbm1 \
     libnss3; \
-    apt-get -yqq install \
+    apt-get -yqq --no-install-recommends install \
     ca-certificates \
     curl \
     build-essential \
     libssl-dev \
     git \
+    gpg-agent \
     dbus \
     dbus-x11 \
     xvfb \
@@ -51,21 +59,38 @@ RUN set -xe; \
     supervisor;
 
 # install chromium and sqlite3 for debugging the cookies file
-RUN add-apt-repository -y ppa:xtradeb/apps
-RUN apt update -y && apt install -y chromium sqlite3
+RUN --mount=type=cache,target=/var/cache/apt,sharing=locked,id=ubuntu2204-aptcache \
+    --mount=type=cache,target=/var/lib/apt,sharing=locked,id=ubuntu2204-aptlib \
+    add-apt-repository -y ppa:xtradeb/apps
+RUN --mount=type=cache,target=/var/cache/apt,sharing=locked,id=ubuntu2204-aptcache \
+    --mount=type=cache,target=/var/lib/apt,sharing=locked,id=ubuntu2204-aptlib \
+    apt-get update -y && apt-get --no-install-recommends install -y chromium sqlite3
 
 # Install FFmpeg (latest static build) for the recording server
-RUN set -eux; \
+RUN --mount=type=cache,target=/tmp/cache/ffmpeg,id=ffmpeg \
+    set -eux; \
     URL="https://johnvansickle.com/ffmpeg/releases/ffmpeg-release-amd64-static.tar.xz"; \
-    echo "Downloading FFmpeg static build from $URL"; \
-    curl -fsSL "$URL" -o /tmp/ffmpeg.tar.xz; \
-    tar -xJf /tmp/ffmpeg.tar.xz -C /tmp; \
+    echo "Downloading FFmpeg MD5 checksum"; \
+    curl -fsSL "${URL}.md5" -o /tmp/cache/ffmpeg/ffmpeg.tar.xz.md5; \
+    sed -i -e 's/ .*$/ \/tmp\/cache\/ffmpeg\/ffmpeg.tar.xz/' /tmp/cache/ffmpeg/ffmpeg.tar.xz.md5; \
+    echo "Checking cache for FFmpeg archive and validating MD5 checksum"; \
+    if md5sum --check /tmp/cache/ffmpeg/ffmpeg.tar.xz.md5; then \
+        echo "Checksum validated, using cached FFmpeg archive"; \
+    else \
+        echo "Downloading FFmpeg static build from $URL"; \
+        curl -fsSL "$URL" -o /tmp/cache/ffmpeg/ffmpeg.tar.xz; \
+        echo "Validating MD5 checksum of FFmpeg static build download"; \
+        md5sum --check /tmp/cache/ffmpeg/ffmpeg.tar.xz.md5; \
+    fi; \
+    tar -xJf /tmp/cache/ffmpeg/ffmpeg.tar.xz -C /tmp; \
     install -m755 /tmp/ffmpeg-*/ffmpeg  /usr/local/bin/ffmpeg; \
     install -m755 /tmp/ffmpeg-*/ffprobe /usr/local/bin/ffprobe; \
     rm -rf /tmp/ffmpeg*
 
 # Remove upower to prevent spurious D-Bus activations and logs
-RUN apt-get -yqq purge upower || true && rm -rf /var/lib/apt/lists/*
+RUN --mount=type=cache,target=/var/cache/apt,sharing=locked,id=ubuntu2204-aptcache \
+    --mount=type=cache,target=/var/lib/apt,sharing=locked,id=ubuntu2204-aptlib \
+    apt-get -yqq purge upower || true
 
 ENV WITHDOCKER=true