From 75beab08e2250e9f6f99617025a429040e4c9e9b Mon Sep 17 00:00:00 2001 From: Andrew Ferrazzutti Date: Mon, 24 Mar 2025 08:42:25 -0400 Subject: [PATCH 1/8] Use uv pip to install supervisor in workers image Do this to take advantage of the cache mount for uv, and to be consistent with how base requirements are installed with uv pip. --- docker/Dockerfile-workers | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/docker/Dockerfile-workers b/docker/Dockerfile-workers index 2ceb6ab67c..ccfd64ca22 100644 --- a/docker/Dockerfile-workers +++ b/docker/Dockerfile-workers @@ -26,10 +26,15 @@ FROM docker.io/library/redis:7-bookworm AS redis_base # now build the final image, based on the the regular Synapse docker image FROM $FROM - # Install supervisord with pip instead of apt, to avoid installing a second + # Install supervisord with uv pip instead of apt, to avoid installing a second # copy of python. - RUN --mount=type=cache,target=/root/.cache/pip \ - pip install supervisor~=4.2 + # --link-mode=copy silences a warning as uv isn't able to do hardlinks between its cache + # (mounted as --mount=type=cache) and the target directory. + RUN \ + --mount=type=bind,from=ghcr.io/astral-sh/uv:0.6.8,source=/uv,target=/uv \ + --mount=type=cache,target=/root/.cache/uv \ + /uv pip install --link-mode=copy --prefix="/usr/local" supervisor~=4.2 + RUN mkdir -p /etc/supervisor/conf.d # Copy over redis and nginx From 6501ba4f950dc56de8447f91d29a1629cd2f107f Mon Sep 17 00:00:00 2001 From: Andrew Ferrazzutti Date: Mon, 24 Mar 2025 12:30:17 -0400 Subject: [PATCH 2/8] Add changelog --- changelog.d/18275.docker | 1 + 1 file changed, 1 insertion(+) create mode 100644 changelog.d/18275.docker diff --git a/changelog.d/18275.docker b/changelog.d/18275.docker new file mode 100644 index 0000000000..154226e5f6 --- /dev/null +++ b/changelog.d/18275.docker @@ -0,0 +1 @@ +Use uv pip to install supervisor in the worker image. From bbfe1ece8eb0c6e51349cbf0890baa19bf96b0ae Mon Sep 17 00:00:00 2001 From: Andrew Ferrazzutti Date: Fri, 28 Mar 2025 08:16:27 -0400 Subject: [PATCH 3/8] Dockerfile-workers: use uv:python- image Do this to reduce the number of intermediate images required, as the main Dockerfile uses that image already. --- docker/Dockerfile-workers | 27 ++++++++++++--------------- 1 file changed, 12 insertions(+), 15 deletions(-) diff --git a/docker/Dockerfile-workers b/docker/Dockerfile-workers index dd0bf59994..cf5d670dc4 100644 --- a/docker/Dockerfile-workers +++ b/docker/Dockerfile-workers @@ -3,12 +3,13 @@ ARG SYNAPSE_VERSION=latest ARG FROM=matrixdotorg/synapse:$SYNAPSE_VERSION ARG DEBIAN_VERSION=bookworm +ARG PYTHON_VERSION=3.12 -# first of all, we create a base image with an nginx which we can copy into the +# first of all, we create a base image with dependencies which we can copy into the # target image. For repeated rebuilds, this is much faster than apt installing # each time. -FROM docker.io/library/debian:${DEBIAN_VERSION}-slim AS deps_base +FROM ghcr.io/astral-sh/uv:python${PYTHON_VERSION}-${DEBIAN_VERSION} AS deps_base RUN \ --mount=type=cache,target=/var/cache/apt,sharing=locked \ --mount=type=cache,target=/var/lib/apt,sharing=locked \ @@ -16,6 +17,13 @@ FROM docker.io/library/debian:${DEBIAN_VERSION}-slim AS deps_base DEBIAN_FRONTEND=noninteractive apt-get install -yqq --no-install-recommends \ redis-server nginx-light + # --link-mode=copy silences a warning as uv isn't able to do hardlinks between its cache + # (mounted as --mount=type=cache) and the target directory. + RUN --mount=type=cache,target=/root/.cache/uv \ + uv pip install --link-mode=copy --prefix="/uv/usr/local" supervisor~=4.2 + + RUN mkdir -p /uv/etc/supervisor/conf.d + # Similarly, a base to copy the redis server from. # # The redis docker image has fewer dynamic libraries than the debian package, @@ -27,20 +35,9 @@ FROM docker.io/library/redis:7-${DEBIAN_VERSION} AS redis_base # now build the final image, based on the the regular Synapse docker image FROM $FROM - # Install supervisord with uv pip instead of apt, to avoid installing a second - # copy of python. - # --link-mode=copy silences a warning as uv isn't able to do hardlinks between its cache - # (mounted as --mount=type=cache) and the target directory. - RUN \ - --mount=type=bind,from=ghcr.io/astral-sh/uv:0.6.8,source=/uv,target=/uv \ - --mount=type=cache,target=/root/.cache/uv \ - /uv pip install --link-mode=copy --prefix="/usr/local" supervisor~=4.2 - - RUN mkdir -p /etc/supervisor/conf.d - - # Copy over redis and nginx + # Copy over dependencies COPY --from=redis_base /usr/local/bin/redis-server /usr/local/bin - + COPY --from=deps_base /uv / COPY --from=deps_base /usr/sbin/nginx /usr/sbin COPY --from=deps_base /usr/share/nginx /usr/share/nginx COPY --from=deps_base /usr/lib/nginx /usr/lib/nginx From 47e3a1043b5bc36cbdba80a7896faef29212738c Mon Sep 17 00:00:00 2001 From: Andrew Ferrazzutti Date: Fri, 28 Mar 2025 08:25:12 -0400 Subject: [PATCH 4/8] Dockerfile-workers: use cache mount for apt Do it in the same way as is done in the main Dockerfile --- docker/Dockerfile-workers | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/docker/Dockerfile-workers b/docker/Dockerfile-workers index cf5d670dc4..5198318786 100644 --- a/docker/Dockerfile-workers +++ b/docker/Dockerfile-workers @@ -10,6 +10,10 @@ ARG PYTHON_VERSION=3.12 # each time. FROM ghcr.io/astral-sh/uv:python${PYTHON_VERSION}-${DEBIAN_VERSION} AS deps_base + + # Tell apt to keep downloaded package files, as we're using cache mounts. + RUN rm -f /etc/apt/apt.conf.d/docker-clean; echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' > /etc/apt/apt.conf.d/keep-cache + RUN \ --mount=type=cache,target=/var/cache/apt,sharing=locked \ --mount=type=cache,target=/var/lib/apt,sharing=locked \ From ecfabafcaa4f6f1983be8996209aa1a05a2d3ac3 Mon Sep 17 00:00:00 2001 From: Andrew Ferrazzutti Date: Fri, 28 Mar 2025 08:26:11 -0400 Subject: [PATCH 5/8] Dockerfile-workers: don't apt-get redis-server Nothing from the apt-installed redis-server ends up getting copied into the runtime image (only the redis docker image is used instead), so skip installing it. --- docker/Dockerfile-workers | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker/Dockerfile-workers b/docker/Dockerfile-workers index 5198318786..c4e7ec1c64 100644 --- a/docker/Dockerfile-workers +++ b/docker/Dockerfile-workers @@ -19,7 +19,7 @@ FROM ghcr.io/astral-sh/uv:python${PYTHON_VERSION}-${DEBIAN_VERSION} AS deps_base --mount=type=cache,target=/var/lib/apt,sharing=locked \ apt-get update -qq && \ DEBIAN_FRONTEND=noninteractive apt-get install -yqq --no-install-recommends \ - redis-server nginx-light + nginx-light # --link-mode=copy silences a warning as uv isn't able to do hardlinks between its cache # (mounted as --mount=type=cache) and the target directory. From c304bd2ce578182fe7b952be1de6ce1f42ba257d Mon Sep 17 00:00:00 2001 From: Andrew Ferrazzutti Date: Fri, 28 Mar 2025 09:05:42 -0400 Subject: [PATCH 6/8] Dockerfile-workers: do more in build layer Add RUN commands to the deps_base build layer to replace some commands done in the runtime layer, and to be able to COPY some dirs with proper ownership instead of having to tweak them in the runtime image. --- docker/Dockerfile-workers | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) diff --git a/docker/Dockerfile-workers b/docker/Dockerfile-workers index c4e7ec1c64..bf63365d34 100644 --- a/docker/Dockerfile-workers +++ b/docker/Dockerfile-workers @@ -21,6 +21,15 @@ FROM ghcr.io/astral-sh/uv:python${PYTHON_VERSION}-${DEBIAN_VERSION} AS deps_base DEBIAN_FRONTEND=noninteractive apt-get install -yqq --no-install-recommends \ nginx-light + RUN \ + # remove default page + rm /etc/nginx/sites-enabled/default && \ + # have nginx log to stderr/out + ln -sf /dev/stdout /var/log/nginx/access.log && \ + ln -sf /dev/stderr /var/log/nginx/error.log && \ + # allow nginx user to write to http-*-temp-path dirs + chown www-data /var/lib/nginx + # --link-mode=copy silences a warning as uv isn't able to do hardlinks between its cache # (mounted as --mount=type=cache) and the target directory. RUN --mount=type=cache,target=/root/.cache/uv \ @@ -46,13 +55,8 @@ FROM $FROM COPY --from=deps_base /usr/share/nginx /usr/share/nginx COPY --from=deps_base /usr/lib/nginx /usr/lib/nginx COPY --from=deps_base /etc/nginx /etc/nginx - RUN rm /etc/nginx/sites-enabled/default - RUN mkdir /var/log/nginx /var/lib/nginx - RUN chown www-data /var/lib/nginx - - # have nginx log to stderr/out - RUN ln -sf /dev/stdout /var/log/nginx/access.log - RUN ln -sf /dev/stderr /var/log/nginx/error.log + COPY --from=deps_base /var/log/nginx /var/log/nginx + COPY --from=deps_base /var/lib/nginx /var/lib/nginx # Copy Synapse worker, nginx and supervisord configuration template files COPY ./docker/conf-workers/* /conf/ From 888095626c81fd7d3171297038e72b68ff6d2ed2 Mon Sep 17 00:00:00 2001 From: Andrew Ferrazzutti Date: Fri, 28 Mar 2025 12:04:41 -0400 Subject: [PATCH 7/8] Add changelog --- changelog.d/18292.docker | 1 + 1 file changed, 1 insertion(+) create mode 100644 changelog.d/18292.docker diff --git a/changelog.d/18292.docker b/changelog.d/18292.docker new file mode 100644 index 0000000000..cdb95b369b --- /dev/null +++ b/changelog.d/18292.docker @@ -0,0 +1 @@ +Optimize the build of the workers image. From c7b73b487b071989a4c43e251dd7f9e6206dd9b0 Mon Sep 17 00:00:00 2001 From: Andrew Ferrazzutti Date: Fri, 28 Mar 2025 19:32:12 -0400 Subject: [PATCH 8/8] Replace pointless RUN chown with COPY --chown UID/GID ownership of top-level directories isn't preserved by COPY, so set the desired ownership with COPY --chown instead. --- docker/Dockerfile-workers | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/docker/Dockerfile-workers b/docker/Dockerfile-workers index bf63365d34..a7f576184d 100644 --- a/docker/Dockerfile-workers +++ b/docker/Dockerfile-workers @@ -26,9 +26,7 @@ FROM ghcr.io/astral-sh/uv:python${PYTHON_VERSION}-${DEBIAN_VERSION} AS deps_base rm /etc/nginx/sites-enabled/default && \ # have nginx log to stderr/out ln -sf /dev/stdout /var/log/nginx/access.log && \ - ln -sf /dev/stderr /var/log/nginx/error.log && \ - # allow nginx user to write to http-*-temp-path dirs - chown www-data /var/lib/nginx + ln -sf /dev/stderr /var/log/nginx/error.log # --link-mode=copy silences a warning as uv isn't able to do hardlinks between its cache # (mounted as --mount=type=cache) and the target directory. @@ -56,7 +54,8 @@ FROM $FROM COPY --from=deps_base /usr/lib/nginx /usr/lib/nginx COPY --from=deps_base /etc/nginx /etc/nginx COPY --from=deps_base /var/log/nginx /var/log/nginx - COPY --from=deps_base /var/lib/nginx /var/lib/nginx + # chown to allow non-root user to write to http-*-temp-path dirs + COPY --from=deps_base --chown=www-data:root /var/lib/nginx /var/lib/nginx # Copy Synapse worker, nginx and supervisord configuration template files COPY ./docker/conf-workers/* /conf/