ci: extract minimum environment needed to run functional tests

kwvg · kwvg · commit 837d10a998f3 · 2025-03-22T10:09:34.000Z
We don't need multiple (cross) compilers to run tests and GitHub Actions
currently hamstrings our ability to thin down the runner using
conventional means, so we thin down the container itself.
diff --git a/.dockerignore b/.dockerignore
@@ -1,4 +1,5 @@
 **
 !contrib/containers/ci/ci.Dockerfile
+!contrib/containers/ci/ci-slim.Dockerfile
 !contrib/containers/deploy/Dockerfile
 !contrib/containers/develop/Dockerfile
diff --git a/contrib/containers/ci/ci-slim.Dockerfile b/contrib/containers/ci/ci-slim.Dockerfile
@@ -0,0 +1,118 @@
+# Builder for cppcheck
+FROM debian:bookworm-slim AS cppcheck-builder
+ARG CPPCHECK_VERSION=2.13.0
+RUN set -ex; \
+    apt-get update && apt-get install -y --no-install-recommends \
+        curl \
+        ca-certificates \
+        cmake \
+        make \
+        g++ \
+    && rm -rf /var/lib/apt/lists/*; \
+    echo "Downloading Cppcheck version: ${CPPCHECK_VERSION}"; \
+    curl -fL "https://github.com/danmar/cppcheck/archive/${CPPCHECK_VERSION}.tar.gz" -o /tmp/cppcheck.tar.gz; \
+    mkdir -p /src/cppcheck && tar -xzf /tmp/cppcheck.tar.gz -C /src/cppcheck --strip-components=1; \
+    rm /tmp/cppcheck.tar.gz; \
+    cd /src/cppcheck; \
+    mkdir build && cd build && cmake .. && cmake --build . -j"$(nproc)"; \
+    strip bin/cppcheck
+
+# Main image
+FROM ubuntu:noble
+
+# Include built assets
+COPY --from=cppcheck-builder /src/cppcheck/build/bin/cppcheck /usr/local/bin/cppcheck
+COPY --from=cppcheck-builder /src/cppcheck/cfg /usr/local/share/Cppcheck/cfg
+ENV PATH="/usr/local/bin:${PATH}"
+
+# Needed to prevent tzdata hanging while expecting user input
+ENV DEBIAN_FRONTEND="noninteractive" TZ="Europe/London"
+
+# Build and base stuff
+ENV APT_ARGS="-y --no-install-recommends --no-upgrade"
+
+# Packages needed to build Python and extract artifacts
+RUN set -ex; \
+    apt-get update && apt-get install ${APT_ARGS} \
+    build-essential \
+    ca-certificates \
+    curl \
+    g++ \
+    git \
+    libbz2-dev \
+    libffi-dev \
+    liblzma-dev \
+    libncurses5-dev \
+    libncursesw5-dev \
+    libreadline-dev \
+    libsqlite3-dev \
+    libssl-dev \
+    make \
+    tk-dev \
+    xz-utils \
+    zlib1g-dev \
+    zstd \
+    && rm -rf /var/lib/apt/lists/*
+
+# Install Python and set it as default
+ENV PYENV_ROOT="/usr/local/pyenv"
+ENV PATH="${PYENV_ROOT}/shims:${PYENV_ROOT}/bin:${PATH}"
+# PYTHON_VERSION should match the value in .python-version
+ARG PYTHON_VERSION=3.9.18
+RUN set -ex; \
+    curl https://pyenv.run | bash \
+    && pyenv update \
+    && pyenv install ${PYTHON_VERSION} \
+    && pyenv global ${PYTHON_VERSION} \
+    && pyenv rehash
+
+# Install Python packages
+RUN set -ex; \
+    pip3 install --no-cache-dir \
+    codespell==1.17.1 \
+    flake8==3.8.3 \
+    jinja2 \
+    lief==0.13.2 \
+    multiprocess \
+    mypy==0.910 \
+    pyzmq==22.3.0 \
+    vulture==2.3
+
+# Install packages relied on by tests
+ARG DASH_HASH_VERSION=1.4.0
+RUN set -ex; \
+    cd /tmp; \
+    git clone --depth 1 --no-tags --branch=${DASH_HASH_VERSION} https://github.com/dashpay/dash_hash; \
+    cd dash_hash && pip3 install -r requirements.txt .; \
+    cd .. && rm -rf dash_hash
+
+ARG SHELLCHECK_VERSION=v0.7.1
+RUN set -ex; \
+    curl -fL "https://github.com/koalaman/shellcheck/releases/download/${SHELLCHECK_VERSION}/shellcheck-${SHELLCHECK_VERSION}.linux.x86_64.tar.xz" -o /tmp/shellcheck.tar.xz; \
+    mkdir -p /opt/shellcheck && tar -xf /tmp/shellcheck.tar.xz -C /opt/shellcheck --strip-components=1 && rm /tmp/shellcheck.tar.xz
+ENV PATH="/opt/shellcheck:${PATH}"
+
+# Packages needed to be able to run sanitizer builds
+ARG LLVM_VERSION=18
+RUN set -ex; \
+    . /etc/os-release; \
+    curl -fsSL https://apt.llvm.org/llvm-snapshot.gpg.key > /etc/apt/trusted.gpg.d/apt.llvm.org.asc; \
+    echo "deb [signed-by=/etc/apt/trusted.gpg.d/apt.llvm.org.asc] http://apt.llvm.org/${UBUNTU_CODENAME}/  llvm-toolchain-${UBUNTU_CODENAME}-${LLVM_VERSION} main" > /etc/apt/sources.list.d/llvm.list; \
+    apt-get update && apt-get install ${APT_ARGS} \
+    "llvm-${LLVM_VERSION}-dev"; \
+    rm -rf /var/lib/apt/lists/*;
+
+# Setup unprivileged user and configuration files
+ARG USER_ID=1000 \
+    GROUP_ID=1000
+RUN set -ex; \
+    groupmod -g ${GROUP_ID} -n dash ubuntu; \
+    usermod -u ${USER_ID} -md /home/dash -l dash ubuntu; \
+    chown ${USER_ID}:${GROUP_ID} -R /home/dash; \
+    mkdir -p /src/dash && \
+    chown ${USER_ID}:${GROUP_ID} /src && \
+    chown ${USER_ID}:${GROUP_ID} -R /src
+
+WORKDIR /src/dash
+
+USER dash
diff --git a/contrib/containers/ci/ci.Dockerfile b/contrib/containers/ci/ci.Dockerfile
@@ -1,36 +1,10 @@
-# cppcheck builder
-FROM debian:bookworm-slim AS cppcheck-builder
-ARG CPPCHECK_VERSION=2.13.0
-RUN set -ex; \
-    apt-get update && apt-get install -y --no-install-recommends \
-        curl \
-        ca-certificates \
-        cmake \
-        make \
-        g++ \
-    && rm -rf /var/lib/apt/lists/*; \
-    echo "Downloading Cppcheck version: ${CPPCHECK_VERSION}"; \
-    curl -fL "https://github.com/danmar/cppcheck/archive/${CPPCHECK_VERSION}.tar.gz" -o /tmp/cppcheck.tar.gz; \
-    mkdir -p /src/cppcheck && tar -xzf /tmp/cppcheck.tar.gz -C /src/cppcheck --strip-components=1; \
-    rm /tmp/cppcheck.tar.gz; \
-    cd /src/cppcheck; \
-    mkdir build && cd build && cmake .. && cmake --build . -j"$(nproc)"; \
-    strip bin/cppcheck
-
-# Final Image
-FROM ubuntu:noble
-COPY --from=cppcheck-builder /src/cppcheck/build/bin/cppcheck /usr/local/bin/cppcheck
-COPY --from=cppcheck-builder /src/cppcheck/cfg /usr/local/share/Cppcheck/cfg
+# syntax = devthefuture/dockerfile-x
 
-# Set Path
-ENV PATH="/usr/local/bin:${PATH}"
+FROM ./ci-slim.Dockerfile
 
-# Needed to prevent tzdata hanging while expecting user input
-ENV DEBIAN_FRONTEND="noninteractive" TZ="Europe/London"
-
-# Build and base stuff
-# (zlib1g-dev is needed for the Qt host binary builds, but should not be used by target binaries)
-ENV APT_ARGS="-y --no-install-recommends --no-upgrade"
+# The inherited Dockerfile switches to non-privileged context and we've
+# just started configuring this image, give us root access
+USER root
 
 # Install common packages
 RUN set -ex; \
@@ -41,28 +15,18 @@ RUN set -ex; \
     autoconf \
     bear \
     bison \
-    build-essential \
     bsdmainutils \
-    curl \
     ccache \
     cmake \
-    g++ \
     gettext \
-    git \
     libtool \
     unzip \
     m4 \
     pkg-config \
-    zlib1g-dev \
     && rm -rf /var/lib/apt/lists/*
 
-# Install Clang+LLVM and set it as default
-ARG LLVM_VERSION=18
+# Install Clang + LLVM and set it as default
 RUN set -ex; \
-    echo "Installing LLVM and Clang ${LLVM_VERSION}..."; \
-    . /etc/os-release; \
-    curl -fsSL https://apt.llvm.org/llvm-snapshot.gpg.key > /etc/apt/trusted.gpg.d/apt.llvm.org.asc; \
-    echo "deb [signed-by=/etc/apt/trusted.gpg.d/apt.llvm.org.asc] http://apt.llvm.org/${UBUNTU_CODENAME}/  llvm-toolchain-${UBUNTU_CODENAME}-${LLVM_VERSION} main" > /etc/apt/sources.list.d/llvm.list; \
     apt-get update && apt-get install ${APT_ARGS} \
     "clang-${LLVM_VERSION}" \
     "clangd-${LLVM_VERSION}" \
@@ -73,8 +37,7 @@ RUN set -ex; \
     "libclang-${LLVM_VERSION}-dev" \
     "libclang-rt-${LLVM_VERSION}-dev" \
     "lld-${LLVM_VERSION}" \
-    "lldb-${LLVM_VERSION}" \
-    "llvm-${LLVM_VERSION}-dev"; \
+    "lldb-${LLVM_VERSION}"; \
     rm -rf /var/lib/apt/lists/*; \
     echo "Setting defaults..."; \
     lldbUpdAltArgs="update-alternatives --install /usr/bin/llvm-config llvm-config /usr/bin/llvm-config-${LLVM_VERSION} 100"; \
@@ -88,48 +51,6 @@ RUN set -ex; \
 # LD_LIBRARY_PATH is empty by default, this is the first entry
 ENV LD_LIBRARY_PATH="/usr/lib/llvm-${LLVM_VERSION}/lib"
 
-# Python setup
-# PYTHON_VERSION should match the value in .python-version
-ARG PYTHON_VERSION=3.9.18
-RUN apt-get update && apt-get install $APT_ARGS \
-    ca-certificates \
-    libbz2-dev \
-    libffi-dev \
-    liblzma-dev \
-    libncurses5-dev \
-    libncursesw5-dev \
-    libreadline-dev \
-    libsqlite3-dev \
-    libssl-dev \
-    make \
-    tk-dev \
-    xz-utils \
-    && rm -rf /var/lib/apt/lists/*
-
-ENV PYENV_ROOT="/usr/local/pyenv"
-ENV PATH="${PYENV_ROOT}/shims:${PYENV_ROOT}/bin:${PATH}"
-RUN curl https://pyenv.run | bash \
-    && pyenv update \
-    && pyenv install $PYTHON_VERSION \
-    && pyenv global $PYTHON_VERSION \
-    && pyenv rehash
-RUN pip3 install --no-cache-dir \
-    codespell==1.17.1 \
-    flake8==3.8.3 \
-    jinja2 \
-    lief==0.13.2 \
-    multiprocess \
-    mypy==0.910 \
-    pyzmq==22.3.0 \
-    vulture==2.3
-
-ARG DASH_HASH_VERSION=1.4.0
-RUN set -ex; \
-    cd /tmp; \
-    git clone --depth 1 --no-tags --branch=${DASH_HASH_VERSION} https://github.com/dashpay/dash_hash; \
-    cd dash_hash && pip3 install -r requirements.txt .; \
-    cd .. && rm -rf dash_hash
-
 RUN set -ex; \
     git clone --depth=1 "https://github.com/include-what-you-use/include-what-you-use" -b "clang_${LLVM_VERSION}" /opt/iwyu; \
     cd /opt/iwyu; \
@@ -138,22 +59,6 @@ RUN set -ex; \
     make install -j "$(( $(nproc) - 1 ))"; \
     cd /opt && rm -rf /opt/iwyu;
 
-ARG SHELLCHECK_VERSION=v0.7.1
-RUN set -ex; \
-    curl -fL "https://github.com/koalaman/shellcheck/releases/download/${SHELLCHECK_VERSION}/shellcheck-${SHELLCHECK_VERSION}.linux.x86_64.tar.xz" -o /tmp/shellcheck.tar.xz; \
-    mkdir -p /opt/shellcheck && tar -xf /tmp/shellcheck.tar.xz -C /opt/shellcheck --strip-components=1 && rm /tmp/shellcheck.tar.xz
-ENV PATH="/opt/shellcheck:${PATH}"
-
-# Setup unprivileged user and configuration files
-ARG USER_ID=1000 \
-    GROUP_ID=1000
-RUN set -ex; \
-    groupmod -g ${GROUP_ID} -n dash ubuntu; \
-    usermod -u ${USER_ID} -md /home/dash -l dash ubuntu; \
-    mkdir -p /home/dash/.config/gdb; \
-    echo "add-auto-load-safe-path /usr/lib/llvm-${LLVM_VERSION}/lib" | tee /home/dash/.config/gdb/gdbinit; \
-    chown ${USER_ID}:${GROUP_ID} -R /home/dash
-
 # Packages needed for all target builds
 RUN apt-get update && apt-get install $APT_ARGS \
     bc \
@@ -171,7 +76,6 @@ RUN apt-get update && apt-get install $APT_ARGS \
     wine-stable \
     wine64 \
     zip \
-    zstd \
     && rm -rf /var/lib/apt/lists/*
 
 # Make sure std::thread and friends is available
@@ -181,15 +85,11 @@ RUN \
   exit 0
 
 RUN \
-  mkdir -p /src/dash && \
   mkdir -p /cache/ccache && \
   mkdir /cache/depends && \
   mkdir /cache/sdk-sources && \
-  chown ${USER_ID}:${GROUP_ID} /src && \
-  chown ${USER_ID}:${GROUP_ID} -R /src && \
   chown ${USER_ID}:${GROUP_ID} /cache && \
   chown ${USER_ID}:${GROUP_ID} -R /cache
 
-WORKDIR /src/dash
-
+# We're done, switch back to non-privileged user
 USER dash
diff --git a/contrib/containers/develop/Dockerfile b/contrib/containers/develop/Dockerfile
@@ -41,7 +41,10 @@ RUN set -ex; \
 #
 RUN groupadd docker && \
     usermod -aG sudo dash && \
-    echo '%sudo ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers
+    echo '%sudo ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers; \
+    mkdir -p /home/dash/.config/gdb; \
+    echo "add-auto-load-safe-path /usr/lib/llvm-${LLVM_VERSION}/lib" | tee /home/dash/.config/gdb/gdbinit; \
+    chown ${USER_ID}:${GROUP_ID} -R /home/dash
 
 # Disable noninteractive mode
 ENV DEBIAN_FRONTEND="dialog"
