docker containers: space savings

ci/builder/Dockerfile

@@ -56,12 +56,14 @@ RUN apt-get update --fix-missing && TZ=UTC DEBIAN_FRONTEND=noninteractive apt-ge
 RUN curl -fsSL https://github.com/trufflesecurity/trufflehog/releases/download/v3.91.0/trufflehog_3.91.0_linux_$ARCH_GO.tar.gz > trufflehog.tar.gz \
     && if [ $ARCH_GO = amd64 ]; then echo '694c5c8791c9a30d8ee295cbe991fc6e7c5f4bd8f5dbe8ada100dfe2ece9a628 trufflehog.tar.gz' | sha256sum --check; fi \
     && if [ $ARCH_GO = arm64 ]; then echo '58f627f07e7b94c5269db2958c57209f190a7f15c01d8126eac9b3b1d7ae23b3 trufflehog.tar.gz' | sha256sum --check; fi \
-    && tar -xzf trufflehog.tar.gz -C /usr/local/bin trufflehog
+    && tar -xzf trufflehog.tar.gz -C /usr/local/bin trufflehog \
+    && rm trufflehog.tar.gz
 
 # Install Python dependencies. These are necessary to run some of our base tooling.
 COPY requirements.txt /workdir/
 RUN curl -LsSf https://astral.sh/uv/0.9.10/install.sh | UV_INSTALL_DIR=/usr/local/bin UV_UNMANAGED_INSTALL=1 sh \
-    && uv pip install --system --break-system-packages -r /workdir/requirements.txt && rm /workdir/requirements*.txt
+    && uv pip install --system --break-system-packages -r /workdir/requirements.txt && rm /workdir/requirements*.txt \
+    && rm -rf /root/.cache/uv
 
 # Install extra tools not available in apt repositories.
 
@@ -173,7 +175,8 @@ RUN gpg --dearmor < nodesource.asc > /etc/apt/keyrings/nodesource.gpg \
     && apt-get update \
     && apt-get install -y --no-install-recommends nodejs \
     && apt-get clean \
-    && rm -rf /var/lib/apt/lists/*
+    && rm -rf /var/lib/apt/lists/* \
+    && rm -rf /usr/share/doc/nodejs
 
 RUN curl -fsSL https://github.com/koalaman/shellcheck/releases/download/v0.11.0/shellcheck-v0.11.0.linux.$ARCH_GCC.tar.xz > shellcheck.tar.xz \
     && tar -xJf shellcheck.tar.xz -C /usr/local/bin --strip-components 1 shellcheck-v0.11.0/shellcheck \
@@ -219,6 +222,10 @@ RUN mkdir rust \
     && mkdir -p /usr/local/lib/rustlib/src/rust \
     && tar -xzf rust-src.tar.gz -C /usr/local/lib/rustlib/src/rust --strip-components=1 \
     && rm -f rust-src.asc rust-src.tar.gz \
+    # Trim Rust source tree: only library/ is needed (for cargo miri setup). \
+    # Delete compiler/, src/, tests/, tools/, etc. to save ~500-700 MB. \
+    && find /usr/local/lib/rustlib/src/rust -mindepth 1 -maxdepth 1 \
+        -type d ! -name library -exec rm -rf {} + \
     && case $RUST_COMPONENTS in *miri*) \
     PATH=$PATH:/root/.cargo/bin cargo miri setup \
     ;; \
@@ -238,7 +245,8 @@ RUN mkdir rust \
     && cargo install --root /usr/local --version "=0.1.60" --locked --features=vendored-openssl cargo-udeps \
     && cargo install --root /usr/local --version "=0.12.0" --locked --no-default-features --features=s3,openssl/vendored sccache \
     && cargo install --root /usr/local --version "=0.4.0" --locked cargo-binutils \
-    && cargo install --root /usr/local --version "=0.13.1" --locked wasm-pack
+    && cargo install --root /usr/local --version "=0.13.1" --locked wasm-pack \
+    && rm -rf /cargo/registry /cargo/git
 
 # Shims for sanitizers
 COPY sanshim/$ARCH_GCC /sanshim
@@ -247,13 +255,15 @@ COPY sanshim/$ARCH_GCC /sanshim
 # so using the same command here should ensure it's installed and cached in the
 # right place
 COPY pyright-version.sh /workdir/
-RUN npx pyright@$(sh /workdir/pyright-version.sh) --help
+RUN npx pyright@$(sh /workdir/pyright-version.sh) --help \
+    && npm cache clean --force 2>/dev/null || true
 
 # Install APT repo generator.
 
 RUN curl -fsSL https://github.com/deb-s3/deb-s3/releases/download/0.11.8/deb-s3-0.11.8.gem > deb-s3.gem \
-    && gem install ./deb-s3.gem \
-    && rm deb-s3.gem
+    && gem install ./deb-s3.gem --no-document \
+    && rm deb-s3.gem \
+    && rm -rf /root/.local/share/gem/cache
 
 # Install the AWS CLI.
 
@@ -272,7 +282,12 @@ RUN arch_gcloud=$(echo "$ARCH_GCC" | sed -e "s/aarch64/arm/" -e "s/amd64/x86_64/
     && rm gcloud.tar.gz \
     && CLOUDSDK_CORE_DISABLE_PROMPTS=1 /opt/google-cloud-sdk/install.sh --path-update false \
     && /opt/google-cloud-sdk/bin/gcloud config set disable_usage_reporting false \
-    && /opt/google-cloud-sdk/bin/gcloud components install gke-gcloud-auth-plugin
+    && /opt/google-cloud-sdk/bin/gcloud components install gke-gcloud-auth-plugin \
+    # Clean up gcloud SDK: remove backup copies, bundled Python (system Python exists), caches \
+    && rm -rf /opt/google-cloud-sdk/.install/.backup \
+    && rm -rf /opt/google-cloud-sdk/platform/bundledpythonunix \
+    && find /opt/google-cloud-sdk -name '__pycache__' -type d -exec rm -rf {} + 2>/dev/null || true \
+    && rm -rf /root/.cache/pip
 
 # Install docs site dependencies. These are towards the end for the same reason
 # as the Python dependencies. These are only supported on x86_64 at the moment.
@@ -346,20 +361,24 @@ RUN curl -fsSL https://amazon-inspector-sbomgen.s3.amazonaws.com/1.8.2/linux/$AR
     && if [ $ARCH_GO = arm64 ]; then echo '449a49e222a2bdffe0353435d7b04b0556b35a391c7b9714ce46d1a5382bc3e2 inspector-sbomgen.zip' | sha256sum --check; fi \
     && unzip inspector-sbomgen.zip \
     && mv inspector-sbomgen-1.8.2/linux/$ARCH_GO/inspector-sbomgen /usr/local/bin \
-    && chmod +x /usr/local/bin/inspector-sbomgen
+    && chmod +x /usr/local/bin/inspector-sbomgen \
+    && rm -rf inspector-sbomgen.zip inspector-sbomgen-1.8.2
 
 RUN arch_zizmor=$(echo "$ARCH_GCC" | sed -e "s/amd64/x86_64/") \
     && curl -fsSL https://github.com/zizmorcore/zizmor/releases/download/v1.18.0/zizmor-$arch_zizmor-unknown-linux-gnu.tar.gz > zizmor.tar.gz \
     && if [ $arch_zizmor = x86_64 ]; then echo '8e7901319ab7b71c38d6d388a48e02ff65791e5971b2ee6577c9b5c3ab44c65f zizmor.tar.gz' | sha256sum --check; fi \
     && if [ $arch_zizmor = aarch64 ]; then echo '4cd5d20dc43398ee229d65cd32a68725d396fe2b423030fb6a9971100ce54da5 zizmor.tar.gz' | sha256sum --check; fi \
     && tar xvf zizmor.tar.gz \
-    && mv zizmor /usr/local/bin
+    && mv zizmor /usr/local/bin \
+    && rm zizmor.tar.gz
 
 RUN arch_fdb=$(echo "$ARCH_GCC" | sed -e "s/x86_64/amd64/") \
     && curl -fsSL https://github.com/apple/foundationdb/releases/download/7.3.71/foundationdb-clients_7.3.71-1_$arch_fdb.deb > foundationdb-clients.deb \
     && if [ $ARCH_GCC = x64_64 ]; then echo '695193b8c6f8af9ec083221611b5f2925ef7a5e3c5e3c1d0af65d0dfbe99d13d foundationdb-clients.deb' | sha256sum --check; fi \
     && if [ $ARCH_GCC = aarch64 ]; then echo 'db1bbb72d57685a1c212c6456e6f0dfd1266c5c10c4adbc98d23a5d91bdbaff7 foundationdb-clients.deb' | sha256sum --check; fi \
-    && dpkg -i foundationdb-clients.deb
+    && dpkg -i foundationdb-clients.deb \
+    && rm foundationdb-clients.deb \
+    && rm -rf /usr/share/doc/foundationdb-clients
 
 # Hardcode some known SSH hosts, or else SSH will ask whether the host is
 # trustworthy on the first connection.

misc/images/frontegg-mock/Dockerfile

@@ -15,7 +15,8 @@ RUN groupadd --system --gid=999 materialize \
 RUN apt-get update \
     && TZ=UTC DEBIAN_FRONTEND=noninteractive apt-get -qy install \
         ca-certificates \
-        tini
+        tini \
+    && rm -rf /var/lib/apt/lists/*
 
 COPY mz-frontegg-mock /usr/local/bin/
 

misc/images/materialized-base/Dockerfile

@@ -30,14 +30,35 @@ RUN groupadd --system --gid=999 materialize \
         gettext-base \
         nginx \
         postgresql-18 \
-        ssh \
+        openssh-client \
         tini \
     && if [ "$CI_SANITIZER" != "none" ]; then \
         TZ=UTC DEBIAN_FRONTEND=noninteractive apt-get -qy install --no-install-recommends llvm; \
        fi \
     && rm -rf /var/lib/apt/lists/* \
     && apt-get clean \
     && rm -rf /var/lib/postgresql \
+    # Remove unused PostgreSQL binaries (keep only postgres, initdb, pg_isready, pg_ctl, psql) \
+    && find /usr/lib/postgresql/18/bin -type f \
+        ! -name postgres ! -name initdb ! -name pg_isready ! -name pg_ctl ! -name psql \
+        -delete \
+    # Remove PostgreSQL client binaries except psql \
+    && find /usr/bin -name 'pg_*' -delete \
+    # Remove docs, man pages \
+    && rm -rf /usr/share/postgresql/18/man \
+    && rm -rf /usr/share/doc/postgresql* \
+    # Remove LLVM bitcode (PostgreSQL JIT support, not used) \
+    && rm -rf /usr/lib/postgresql/18/lib/bitcode \
+    # Remove pgxs (extension build infrastructure) \
+    && rm -rf /usr/lib/postgresql/18/lib/pgxs \
+    # Remove static libraries \
+    && find /usr/lib/postgresql -name '*.a' -delete \
+    # Remove unused extension SQL files (keep only plpgsql which is needed for initdb) \
+    && find /usr/share/postgresql/18/extension -type f \
+        ! -name 'plpgsql*' -delete \
+    # Remove nginx docs and unnecessary files \
+    && rm -rf /usr/share/doc/nginx* \
+    && rm -rf /usr/share/nginx/modules-available \
     && mkdir -p /mzdata /scratch /var/run/postgresql /var/lib/nginx /var/log/nginx \
     && touch /run/nginx.pid \
     && chown -R materialize /mzdata /scratch /var/run/postgresql /var/lib/nginx /var/log/nginx /run/nginx.pid

misc/images/mz/Dockerfile

@@ -10,7 +10,8 @@
 MZFROM prod-base
 
 RUN apt-get update \
-    && apt-get -qy install ca-certificates postgresql-client tini
+    && apt-get -qy install --no-install-recommends postgresql-client \
+    && rm -rf /var/lib/apt/lists/*
 
 COPY mz /usr/local/bin/
 

misc/images/prod-base/Dockerfile

@@ -22,10 +22,11 @@ RUN apt-get update \
         ca-certificates \
         curl \
         tini \
-        ssh \
+        openssh-client \
     && if [ "$CI_SANITIZER" != "none" ]; then \
         TZ=UTC DEBIAN_FRONTEND=noninteractive apt-get -qy install --no-install-recommends llvm; \
        fi \
+    && rm -rf /var/lib/apt/lists/* \
     && mkdir /scratch \
     && chown materialize /scratch \
     && mkdir /mzdata \

misc/images/ubuntu-base/Dockerfile

@@ -24,7 +24,7 @@ RUN sed -i -e 's#http://archive\.ubuntu\.com#http://us-east-1.ec2.archive.ubuntu
            -e 's#http://security\.ubuntu\.com#http://us-east-1.ec2.archive.ubuntu.com#' \
            -e 's#http://ports\.ubuntu\.com#http://us-east-1.ec2.ports.ubuntu.com#' /etc/apt/sources.list.d/ubuntu.sources
 
-RUN apt-get update --fix-missing && TZ=UTC DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends eatmydata
+RUN apt-get update --fix-missing && TZ=UTC DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends eatmydata \
+    && rm -rf /var/lib/apt/lists/*
 
 COPY --from=foundationdb/foundationdb:7.3.71 /usr/lib/libfdb_c.so /usr/lib/
-COPY --from=foundationdb/foundationdb:7.3.71 /usr/bin/fdbcli /usr/bin/

test/chbench/chbench/src/chBenchmark.cc

@@ -843,18 +843,22 @@ static int gen(int argc, char* argv[]) {
     return 0;
 }
 int main(int argc, char* argv[]) {
+    int ret = 0;
     for (int i = 1; i < argc; ++i) {
         if (argv[i][0] == '-')
             continue;
         else if (strcmp(argv[i], "run") == 0)
-            return run(argc, argv);
+            ret = run(argc, argv);
         else if (strcmp(argv[i], "gen") == 0)
-            return gen(argc, argv);
+            ret = gen(argc, argv);
         else if (strcmp(argv[i], "version") == 0) {
             fprintf(stderr, "chBenchmark 0.1.0\n");
-            return 0;
         } else
             errx(1, "unknown command: %s\n", argv[i]);
+        // Use _exit to skip static destructors, working around a double-free
+        // bug in libpqxx's static type_name variables during library unloading
+        // on glibc 2.42+ (Ubuntu 26.04).
+        _exit(ret);
     }
     usage();
     return 0;