diff --git a/ci/builder/Dockerfile b/ci/builder/Dockerfile index 4586764b394ff..7836a2a8f34a4 100644 --- a/ci/builder/Dockerfile +++ b/ci/builder/Dockerfile @@ -56,12 +56,14 @@ RUN apt-get update --fix-missing && TZ=UTC DEBIAN_FRONTEND=noninteractive apt-ge RUN curl -fsSL https://github.com/trufflesecurity/trufflehog/releases/download/v3.91.0/trufflehog_3.91.0_linux_$ARCH_GO.tar.gz > trufflehog.tar.gz \ && if [ $ARCH_GO = amd64 ]; then echo '694c5c8791c9a30d8ee295cbe991fc6e7c5f4bd8f5dbe8ada100dfe2ece9a628 trufflehog.tar.gz' | sha256sum --check; fi \ && if [ $ARCH_GO = arm64 ]; then echo '58f627f07e7b94c5269db2958c57209f190a7f15c01d8126eac9b3b1d7ae23b3 trufflehog.tar.gz' | sha256sum --check; fi \ - && tar -xzf trufflehog.tar.gz -C /usr/local/bin trufflehog + && tar -xzf trufflehog.tar.gz -C /usr/local/bin trufflehog \ + && rm trufflehog.tar.gz # Install Python dependencies. These are necessary to run some of our base tooling. COPY requirements.txt /workdir/ RUN curl -LsSf https://astral.sh/uv/0.9.10/install.sh | UV_INSTALL_DIR=/usr/local/bin UV_UNMANAGED_INSTALL=1 sh \ - && uv pip install --system --break-system-packages -r /workdir/requirements.txt && rm /workdir/requirements*.txt + && uv pip install --system --break-system-packages -r /workdir/requirements.txt && rm /workdir/requirements*.txt \ + && rm -rf /root/.cache/uv # Install extra tools not available in apt repositories. @@ -173,7 +175,8 @@ RUN gpg --dearmor < nodesource.asc > /etc/apt/keyrings/nodesource.gpg \ && apt-get update \ && apt-get install -y --no-install-recommends nodejs \ && apt-get clean \ - && rm -rf /var/lib/apt/lists/* + && rm -rf /var/lib/apt/lists/* \ + && rm -rf /usr/share/doc/nodejs RUN curl -fsSL https://github.com/koalaman/shellcheck/releases/download/v0.11.0/shellcheck-v0.11.0.linux.$ARCH_GCC.tar.xz > shellcheck.tar.xz \ && tar -xJf shellcheck.tar.xz -C /usr/local/bin --strip-components 1 shellcheck-v0.11.0/shellcheck \ 
@@ -219,6 +222,10 @@ RUN mkdir rust \ && mkdir -p /usr/local/lib/rustlib/src/rust \ && tar -xzf rust-src.tar.gz -C /usr/local/lib/rustlib/src/rust --strip-components=1 \ && rm -f rust-src.asc rust-src.tar.gz \ + # Trim Rust source tree: only library/ is needed (for cargo miri setup). \ + # Delete compiler/, src/, tests/, tools/, etc. to save ~500-700 MB. \ + && find /usr/local/lib/rustlib/src/rust -mindepth 1 -maxdepth 1 \ + -type d ! -name library -exec rm -rf {} + \ && case $RUST_COMPONENTS in *miri*) \ PATH=$PATH:/root/.cargo/bin cargo miri setup \ ;; \ @@ -238,7 +245,8 @@ RUN mkdir rust \ && cargo install --root /usr/local --version "=0.1.60" --locked --features=vendored-openssl cargo-udeps \ && cargo install --root /usr/local --version "=0.12.0" --locked --no-default-features --features=s3,openssl/vendored sccache \ && cargo install --root /usr/local --version "=0.4.0" --locked cargo-binutils \ - && cargo install --root /usr/local --version "=0.13.1" --locked wasm-pack + && cargo install --root /usr/local --version "=0.13.1" --locked wasm-pack \ + && rm -rf /cargo/registry /cargo/git # Shims for sanitizers COPY sanshim/$ARCH_GCC /sanshim @@ -247,13 +255,15 @@ COPY sanshim/$ARCH_GCC /sanshim # so using the same command here should ensure it's installed and cached in the # right place COPY pyright-version.sh /workdir/ -RUN npx pyright@$(sh /workdir/pyright-version.sh) --help +RUN npx pyright@$(sh /workdir/pyright-version.sh) --help \ + && npm cache clean --force 2>/dev/null || true # Install APT repo generator. RUN curl -fsSL https://github.com/deb-s3/deb-s3/releases/download/0.11.8/deb-s3-0.11.8.gem > deb-s3.gem \ - && gem install ./deb-s3.gem \ - && rm deb-s3.gem + && gem install ./deb-s3.gem --no-document \ + && rm deb-s3.gem \ + && rm -rf /root/.local/share/gem/cache # Install the AWS CLI. 
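Review bot: In the pyright `RUN`, `npx pyright@... --help && npm cache clean --force 2>/dev/null || true` groups as `(npx && npm) || true`, so a failed pyright fetch now leaves the layer without pyright while the build still succeeds. The gcloud hunk has the same pattern: `find ... 2>/dev/null || true` sits in the middle of the `&&` chain and swallows a failure of any earlier step in that `RUN`, including `install.sh`, `gcloud components install` and whatever download or verification precedes them outside the hunk. Scope the tolerance to the cleanup command only, e.g. `&& { npm cache clean --force 2>/dev/null || true; }` and `&& { find /opt/google-cloud-sdk -name '__pycache__' -type d -exec rm -rf {} + 2>/dev/null || true; } \`.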
@@ -272,7 +282,12 @@ RUN arch_gcloud=$(echo "$ARCH_GCC" | sed -e "s/aarch64/arm/" -e "s/amd64/x86_64/ && rm gcloud.tar.gz \ && CLOUDSDK_CORE_DISABLE_PROMPTS=1 /opt/google-cloud-sdk/install.sh --path-update false \ && /opt/google-cloud-sdk/bin/gcloud config set disable_usage_reporting false \ - && /opt/google-cloud-sdk/bin/gcloud components install gke-gcloud-auth-plugin + && /opt/google-cloud-sdk/bin/gcloud components install gke-gcloud-auth-plugin \ + # Clean up gcloud SDK: remove backup copies, bundled Python (system Python exists), caches \ + && rm -rf /opt/google-cloud-sdk/.install/.backup \ + && rm -rf /opt/google-cloud-sdk/platform/bundledpythonunix \ + && find /opt/google-cloud-sdk -name '__pycache__' -type d -exec rm -rf {} + 2>/dev/null || true \ + && rm -rf /root/.cache/pip # Install docs site dependencies. These are towards the end for the same reason # as the Python dependencies. These are only supported on x86_64 at the moment. 
@@ -346,20 +361,24 @@ RUN curl -fsSL https://amazon-inspector-sbomgen.s3.amazonaws.com/1.8.2/linux/$AR && if [ $ARCH_GO = arm64 ]; then echo '449a49e222a2bdffe0353435d7b04b0556b35a391c7b9714ce46d1a5382bc3e2 inspector-sbomgen.zip' | sha256sum --check; fi \ && unzip inspector-sbomgen.zip \ && mv inspector-sbomgen-1.8.2/linux/$ARCH_GO/inspector-sbomgen /usr/local/bin \ - && chmod +x /usr/local/bin/inspector-sbomgen + && chmod +x /usr/local/bin/inspector-sbomgen \ + && rm -rf inspector-sbomgen.zip inspector-sbomgen-1.8.2 RUN arch_zizmor=$(echo "$ARCH_GCC" | sed -e "s/amd64/x86_64/") \ && curl -fsSL https://github.com/zizmorcore/zizmor/releases/download/v1.18.0/zizmor-$arch_zizmor-unknown-linux-gnu.tar.gz > zizmor.tar.gz \ && if [ $arch_zizmor = x86_64 ]; then echo '8e7901319ab7b71c38d6d388a48e02ff65791e5971b2ee6577c9b5c3ab44c65f zizmor.tar.gz' | sha256sum --check; fi \ && if [ $arch_zizmor = aarch64 ]; then echo '4cd5d20dc43398ee229d65cd32a68725d396fe2b423030fb6a9971100ce54da5 zizmor.tar.gz' | sha256sum --check; fi \ && tar xvf zizmor.tar.gz \ - && mv zizmor /usr/local/bin + && mv zizmor /usr/local/bin \ + && rm zizmor.tar.gz RUN arch_fdb=$(echo "$ARCH_GCC" | sed -e "s/x86_64/amd64/") \ && curl -fsSL https://github.com/apple/foundationdb/releases/download/7.3.71/foundationdb-clients_7.3.71-1_$arch_fdb.deb > foundationdb-clients.deb \ && if [ $ARCH_GCC = x64_64 ]; then echo '695193b8c6f8af9ec083221611b5f2925ef7a5e3c5e3c1d0af65d0dfbe99d13d foundationdb-clients.deb' | sha256sum --check; fi \ && if [ $ARCH_GCC = aarch64 ]; then echo 'db1bbb72d57685a1c212c6456e6f0dfd1266c5c10c4adbc98d23a5d91bdbaff7 foundationdb-clients.deb' | sha256sum --check; fi \ - && dpkg -i foundationdb-clients.deb + && dpkg -i foundationdb-clients.deb \ + && rm foundationdb-clients.deb \ + && rm -rf /usr/share/doc/foundationdb-clients # Hardcode some known SSH hosts, or else SSH will ask whether the host is # trustworthy on the first connection. 
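Review bot: The foundationdb checksum guard compares `$ARCH_GCC` with `x64_64`, which looks like a typo for `x86_64`; if so, the x86_64 build never runs `sha256sum --check` and `dpkg -i` installs the downloaded `.deb` unverified. The line predates this commit but sits directly above the lines changed here, and the fix is `if [ "$ARCH_GCC" = x86_64 ]; then`. More generally, every `if [ $ARCH... = ... ]` guard in this hunk skips verification silently when the value matches neither branch, so a `case` with a failing default (`*) exit 1 ;;`) would make an unexpected architecture fail closed. The values `ARCH_GCC` and `ARCH_GO` can take are set outside the hunk.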
diff --git a/misc/images/frontegg-mock/Dockerfile b/misc/images/frontegg-mock/Dockerfile index a43e6f83bf804..08dfbf61bc319 100644 --- a/misc/images/frontegg-mock/Dockerfile +++ b/misc/images/frontegg-mock/Dockerfile @@ -15,7 +15,8 @@ RUN groupadd --system --gid=999 materialize \ RUN apt-get update \ && TZ=UTC DEBIAN_FRONTEND=noninteractive apt-get -qy install \ ca-certificates \ - tini + tini \ + && rm -rf /var/lib/apt/lists/* COPY mz-frontegg-mock /usr/local/bin/ diff --git a/misc/images/materialized-base/Dockerfile b/misc/images/materialized-base/Dockerfile index 34a57cecd3b58..03c99e2f515b4 100644 --- a/misc/images/materialized-base/Dockerfile +++ b/misc/images/materialized-base/Dockerfile @@ -30,7 +30,7 @@ RUN groupadd --system --gid=999 materialize \ gettext-base \ nginx \ postgresql-18 \ - ssh \ + openssh-client \ tini \ && if [ "$CI_SANITIZER" != "none" ]; then \ TZ=UTC DEBIAN_FRONTEND=noninteractive apt-get -qy install --no-install-recommends llvm; \ 
@@ -38,6 +38,27 @@ RUN groupadd --system --gid=999 materialize \ && rm -rf /var/lib/apt/lists/* \ && apt-get clean \ && rm -rf /var/lib/postgresql \ + # Remove unused PostgreSQL binaries (keep only postgres, initdb, pg_isready, pg_ctl, psql) \ + && find /usr/lib/postgresql/18/bin -type f \ + ! -name postgres ! -name initdb ! -name pg_isready ! -name pg_ctl ! -name psql \ + -delete \ + # Remove PostgreSQL client binaries except psql \ + && find /usr/bin -name 'pg_*' -delete \ + # Remove docs, man pages \ + && rm -rf /usr/share/postgresql/18/man \ + && rm -rf /usr/share/doc/postgresql* \ + # Remove LLVM bitcode (PostgreSQL JIT support, not used) \ + && rm -rf /usr/lib/postgresql/18/lib/bitcode \ + # Remove pgxs (extension build infrastructure) \ + && rm -rf /usr/lib/postgresql/18/lib/pgxs \ + # Remove static libraries \ + && find /usr/lib/postgresql -name '*.a' -delete \ + # Remove unused extension SQL files (keep only plpgsql which is needed for initdb) \ + && find /usr/share/postgresql/18/extension -type f \ + ! -name 'plpgsql*' -delete \ + # Remove nginx docs and unnecessary files \ + && rm -rf /usr/share/doc/nginx* \ + && rm -rf /usr/share/nginx/modules-available \ && mkdir -p /mzdata /scratch /var/run/postgresql /var/lib/nginx /var/log/nginx \ && touch /run/nginx.pid \ && chown -R materialize /mzdata /scratch /var/run/postgresql /var/lib/nginx /var/log/nginx /run/nginx.pid diff --git a/misc/images/mz/Dockerfile b/misc/images/mz/Dockerfile index 9273aba0a4967..3a9b3bca1a99b 100644 --- a/misc/images/mz/Dockerfile +++ b/misc/images/mz/Dockerfile @@ -10,7 +10,8 @@ MZFROM prod-base RUN apt-get update \ - && apt-get -qy install ca-certificates postgresql-client tini + && apt-get -qy install --no-install-recommends postgresql-client \ + && rm -rf /var/lib/apt/lists/* COPY mz /usr/local/bin/ diff --git a/misc/images/prod-base/Dockerfile b/misc/images/prod-base/Dockerfile index 65f9557158874..488b1d0503935 100644 --- a/misc/images/prod-base/Dockerfile 
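Review bot: `find /usr/bin -name 'pg_*' -delete` is broader than its comment "client binaries except psql" says. On Debian/Ubuntu the `pg_*` entries in `/usr/bin` normally include the `postgresql-common` cluster tools (`pg_ctlcluster`, `pg_createcluster`, `pg_lsclusters`) and the `pg_isready` wrapper, so the `pg_isready` kept by the previous `find` would be reachable only under `/usr/lib/postgresql/18/bin`. If that is intended, state it in the comment, e.g. `# Remove all /usr/bin/pg_* wrappers; callers must use /usr/lib/postgresql/18/bin/<tool>`; otherwise add `! -name pg_isready`. It is also worth a comment that these files are deleted behind dpkg's back, so package-based scanners and SBOMs will still report the full `postgresql-18` and `nginx` packages. The `RUN` starts above the hunk.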
+++ b/misc/images/prod-base/Dockerfile @@ -22,10 +22,11 @@ RUN apt-get update \ ca-certificates \ curl \ tini \ - ssh \ + openssh-client \ && if [ "$CI_SANITIZER" != "none" ]; then \ TZ=UTC DEBIAN_FRONTEND=noninteractive apt-get -qy install --no-install-recommends llvm; \ fi \ + && rm -rf /var/lib/apt/lists/* \ && mkdir /scratch \ && chown materialize /scratch \ && mkdir /mzdata \ diff --git a/misc/images/ubuntu-base/Dockerfile b/misc/images/ubuntu-base/Dockerfile index e4ec462dcf036..81092cc29089e 100644 --- a/misc/images/ubuntu-base/Dockerfile +++ b/misc/images/ubuntu-base/Dockerfile @@ -24,7 +24,7 @@ RUN sed -i -e 's#http://archive\.ubuntu\.com#http://us-east-1.ec2.archive.ubuntu -e 's#http://security\.ubuntu\.com#http://us-east-1.ec2.archive.ubuntu.com#' \ -e 's#http://ports\.ubuntu\.com#http://us-east-1.ec2.ports.ubuntu.com#' /etc/apt/sources.list.d/ubuntu.sources -RUN apt-get update --fix-missing && TZ=UTC DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends eatmydata +RUN apt-get update --fix-missing && TZ=UTC DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends eatmydata \ + && rm -rf /var/lib/apt/lists/* COPY --from=foundationdb/foundationdb:7.3.71 /usr/lib/libfdb_c.so /usr/lib/ -COPY --from=foundationdb/foundationdb:7.3.71 /usr/bin/fdbcli /usr/bin/ diff --git a/test/chbench/chbench/src/chBenchmark.cc b/test/chbench/chbench/src/chBenchmark.cc index 56bb1fe7484e7..8d73f1eddf687 100644 --- a/test/chbench/chbench/src/chBenchmark.cc +++ b/test/chbench/chbench/src/chBenchmark.cc 
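Review bot: The remaining `COPY --from=foundationdb/foundationdb:7.3.71` in ubuntu-base takes `libfdb_c.so` from an image referenced by tag only, and a tag can be re-pointed. The library baked into every derived image could therefore change without any diff in this repository. ci/builder in this same commit verifies its downloads with SHA-256 sums; pinning the source image the same way, `COPY --from=foundationdb/foundationdb:7.3.71@sha256:<digest> /usr/lib/libfdb_c.so /usr/lib/`, would keep the two consistent (`<digest>` is a placeholder to be filled from the registry).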
@@ -843,18 +843,22 @@ static int gen(int argc, char* argv[]) { return 0; } int main(int argc, char* argv[]) { + int ret = 0; for (int i = 1; i < argc; ++i) { if (argv[i][0] == '-') continue; else if (strcmp(argv[i], "run") == 0) - return run(argc, argv); + ret = run(argc, argv); else if (strcmp(argv[i], "gen") == 0) - return gen(argc, argv); + ret = gen(argc, argv); else if (strcmp(argv[i], "version") == 0) { fprintf(stderr, "chBenchmark 0.1.0\n"); - return 0; } else errx(1, "unknown command: %s\n", argv[i]); + // Use _exit to skip static destructors, working around a double-free + // bug in libpqxx's static type_name variables during library unloading + // on glibc 2.42+ (Ubuntu 26.04). + _exit(ret); } usage(); return 0;
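Review bot: `_exit(ret)` skips stdio flushing and `atexit` handlers as well as the static destructors, so anything `run()` or `gen()` left in a buffered `stdout` or other open `FILE*` is lost when output goes to a pipe or a file. Add `fflush(NULL);` immediately before `_exit(ret);` (plus `std::cout.flush()` if the file uses iostreams, which is not visible here). `_exit` is declared in `<unistd.h>`, and the include block is outside the hunk, so confirm it is included rather than relying on a transitive include. The closing lines of `main` continue past the hunk.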