docker: optimize layers

docker/datahub-frontend/Dockerfile

@@ -8,46 +8,47 @@ ARG ALPINE_REPO_URL=http://dl-cdn.alpinelinux.org/alpine
 ARG GITHUB_REPO_URL=https://github.com
 ARG MAVEN_CENTRAL_REPO_URL=https://repo1.maven.org/maven2
 
-RUN addgroup -S datahub && adduser -S datahub -G datahub
+# Add user and set up repository mirrors
+RUN addgroup -S datahub && adduser -S datahub -G datahub \
+    && if [ "${ALPINE_REPO_URL}" != "http://dl-cdn.alpinelinux.org/alpine" ]; then \
+    sed -i "s#http.*://dl-cdn.alpinelinux.org/alpine#${ALPINE_REPO_URL}#g" /etc/apk/repositories; \
+    fi
 
-# Optionally set corporate mirror for apk
-RUN if [ "${ALPINE_REPO_URL}" != "http://dl-cdn.alpinelinux.org/alpine" ] ; then sed -i "s#http.*://dl-cdn.alpinelinux.org/alpine#${ALPINE_REPO_URL}#g" /etc/apk/repositories ; fi
+# Upgrade packages and install dependencies
+ENV JMX_VERSION=0.18.0 \
+    LD_LIBRARY_PATH="/lib:/lib64"
 
-# Upgrade Alpine and base packages
-# PFP-260: Upgrade Sqlite to >=3.28.0-r0 to fix https://security.snyk.io/vuln/SNYK-ALPINE39-SQLITE-449762
-ENV JMX_VERSION=0.18.0
 RUN apk --no-cache --update-cache --available upgrade \
     && apk --no-cache add curl sqlite libc6-compat snappy \
-    && apk --no-cache add openjdk17-jre-headless --repository=${ALPINE_REPO_URL}/edge/community \
-    && apk --no-cache add jattach --repository ${ALPINE_REPO_URL}/edge/community/ \
+    && apk --no-cache add openjdk17-jre-headless jattach --repository=${ALPINE_REPO_URL}/edge/community \
     && wget ${GITHUB_REPO_URL}/open-telemetry/opentelemetry-java-instrumentation/releases/download/v1.24.0/opentelemetry-javaagent.jar -O opentelemetry-javaagent.jar \
     && wget ${MAVEN_CENTRAL_REPO_URL}/io/prometheus/jmx/jmx_prometheus_javaagent/${JMX_VERSION}/jmx_prometheus_javaagent-${JMX_VERSION}.jar -O jmx_prometheus_javaagent.jar
 
-ENV LD_LIBRARY_PATH="/lib:/lib64"
-
 FROM base as prod-install
 
 COPY ./datahub-frontend.zip /
 RUN unzip datahub-frontend.zip -d /datahub-frontend \
-   && mv /datahub-frontend/main/* /datahub-frontend \
-   && rmdir /datahub-frontend/main \
-   && rm datahub-frontend.zip
+    && mv /datahub-frontend/main/* /datahub-frontend \
+    && rmdir /datahub-frontend/main \
+    && rm datahub-frontend.zip \
+    && chown -R datahub:datahub /datahub-frontend \
+    && chmod 755 /datahub-frontend
+
 COPY ./docker/monitoring/client-prometheus-config.yaml /datahub-frontend/
-RUN chown -R datahub:datahub /datahub-frontend && chmod 755 /datahub-frontend
 
 FROM base as dev-install
 # Dummy stage for development. Assumes code is built on your machine and mounted to this image.
-# See this excellent thread https://github.com/docker/cli/issues/1134
 VOLUME [ "/datahub-frontend" ]
 
 FROM ${APP_ENV}-install as final
+
 COPY ./docker/datahub-frontend/start.sh /
 RUN chown datahub:datahub /start.sh && chmod 755 /start.sh
 USER datahub
 
 ARG SERVER_PORT=9002
 ENV SERVER_PORT=$SERVER_PORT
-RUN echo $SERVER_PORT
+
 EXPOSE $SERVER_PORT
 
 HEALTHCHECK --start-period=2m --retries=4 CMD curl --fail http://localhost:$SERVER_PORT/admin || exit 1

docker/datahub-gms/Dockerfile

@@ -14,14 +14,12 @@ ARG ALPINE_REPO_URL
 ENV DOCKERIZE_VERSION v0.6.1
 WORKDIR /go/src/github.com/jwilder
 
-# Optionally set corporate mirror for apk
-RUN if [ "${ALPINE_REPO_URL}" != "http://dl-cdn.alpinelinux.org/alpine" ] ; then sed -i "s#http.*://dl-cdn.alpinelinux.org/alpine#${ALPINE_REPO_URL}#g" /etc/apk/repositories ; fi
-
-RUN apk --no-cache --update add openssl git tar curl
-
-WORKDIR /go/src/github.com/jwilder/dockerize
-
-RUN go install github.com/jwilder/dockerize@$DOCKERIZE_VERSION
+# Optionally set corporate mirror for apk and install dependencies
+RUN if [ "${ALPINE_REPO_URL}" != "http://dl-cdn.alpinelinux.org/alpine" ] ; then \
+    sed -i "s#http.*://dl-cdn.alpinelinux.org/alpine#${ALPINE_REPO_URL}#g" /etc/apk/repositories ; \
+    fi \
+    && apk --no-cache --update add openssl git tar curl \
+    && go install github.com/jwilder/dockerize@$DOCKERIZE_VERSION
 
 FROM alpine:3.20 AS base
 
@@ -35,10 +33,10 @@ ARG MAVEN_CENTRAL_REPO_URL
 
 # Upgrade Alpine and base packages
 # Optionally set corporate mirror for apk
-RUN if [ "${ALPINE_REPO_URL}" != "http://dl-cdn.alpinelinux.org/alpine" ] ; then sed -i "s#http.*://dl-cdn.alpinelinux.org/alpine#${ALPINE_REPO_URL}#g" /etc/apk/repositories ; fi
-
-# PFP-260: Upgrade Sqlite to >=3.28.0-r0 to fix https://security.snyk.io/vuln/SNYK-ALPINE39-SQLITE-449762
-RUN apk --no-cache --update-cache --available upgrade \
+RUN if [ "${ALPINE_REPO_URL}" != "http://dl-cdn.alpinelinux.org/alpine" ] ; then \
+    sed -i "s#http.*://dl-cdn.alpinelinux.org/alpine#${ALPINE_REPO_URL}#g" /etc/apk/repositories ; \
+    fi \
+    && apk --no-cache --update-cache --available upgrade \
     && apk --no-cache add curl bash coreutils gcompat sqlite libc6-compat snappy \
     && apk --no-cache add openjdk17-jre-headless --repository=${ALPINE_REPO_URL}/edge/community \
     && apk --no-cache add jattach --repository ${ALPINE_REPO_URL}/edge/community/ \
@@ -48,18 +46,24 @@ RUN apk --no-cache --update-cache --available upgrade \
     && wget --no-verbose ${GITHUB_REPO_URL}/open-telemetry/opentelemetry-java-instrumentation/releases/download/v1.24.0/opentelemetry-javaagent.jar \
     && wget --no-verbose ${MAVEN_CENTRAL_REPO_URL}/io/prometheus/jmx/jmx_prometheus_javaagent/${JMX_VERSION}/jmx_prometheus_javaagent-${JMX_VERSION}.jar -O jmx_prometheus_javaagent.jar \
     && cp /usr/lib/jvm/java-17-openjdk/jre/lib/security/cacerts /tmp/kafka.client.truststore.jks
+
 COPY --from=binary /go/bin/dockerize /usr/local/bin
 
 ENV LD_LIBRARY_PATH="/lib:/lib64"
 
 FROM base as prod-install
+
 COPY war.war /datahub/datahub-gms/bin/war.war
 COPY metadata-models/src/main/resources/entity-registry.yml /datahub/datahub-gms/resources/entity-registry.yml
 COPY docker/datahub-gms/start.sh /datahub/datahub-gms/scripts/start.sh
 COPY docker/datahub-gms/jetty.xml /datahub/datahub-gms/scripts/jetty.xml
 COPY docker/datahub-gms/jetty-jmx.xml /datahub/datahub-gms/scripts/jetty-jmx.xml
 COPY docker/monitoring/client-prometheus-config.yaml /datahub/datahub-gms/scripts/prometheus-config.yaml
-RUN chmod +x /datahub/datahub-gms/scripts/start.sh
+
+RUN chmod +x /datahub/datahub-gms/scripts/start.sh \
+    && addgroup -S datahub && adduser -S datahub -G datahub \
+    && mkdir -p /etc/datahub \
+    && chown -R datahub:datahub /datahub/datahub-gms /etc/datahub
 
 FROM base as dev-install
 # Dummy stage for development. Assumes code is built on your machine and mounted to this image.
@@ -69,8 +73,6 @@ FROM ${APP_ENV}-install as final
 
 RUN mkdir -p /etc/datahub/plugins/auth/resources
 
-RUN addgroup -S datahub && adduser -S datahub -G datahub
-RUN chown -R datahub:datahub /etc/datahub
 USER datahub
 
 ENV JMX_OPTS=""