chore(base): add debian source mirrors

Author: duanhongyi

.woodpecker/build-linux.yml

@@ -15,6 +15,8 @@ steps:
   - echo $CONTAINER_PASSWORD | podman login $DRYCC_REGISTRY --username $CONTAINER_USERNAME --password-stdin > /dev/null 2>&1
   - make clean build publish clean
   environment:
+    SOURCES:
+      from_secret: sources
     CODENAME:
       from_secret: codename
     DEV_REGISTRY:

Makefile

@@ -13,7 +13,7 @@ clean:
 	@rm -rf "${WORK_DIR}" "${WORK_DIR}".tar.gz
 
 mkimage:
-	./scripts/mkimage.sh minbase "${CODENAME}"
+	./scripts/mkimage.sh minbase "${CODENAME}" "${SOURCES}"
 
 podman-import:
 	@podman import ${WORK_DIR}.tar.gz ${BASE_LAYER}

debootstrap/bookworm/rootfs/usr/bin/install-stack

@@ -49,7 +49,7 @@ function main() {
     echo "Extract data to a temporary directory: ${TMP_DIR}"
     tar --directory "${TMP_DIR}" --extract --gunzip --file "${TMP_DIR}"/"${stack_filename}" --no-same-owner
 
-    packages=$(grep -vE '^\s*(#|$)' "${TMP_DIR}"/meta/dependencies)
+    packages=$(tr '\t\n' ' ' < "${TMP_DIR}/meta/dependencies" | tr -s ' ')
     if [[ -n "${packages:+x}" ]]; then
         echo "Install system packages: ${packages}"
         install-packages "$packages"

debootstrap/bookworm/rootfs/usr/sbin/install-packages

@@ -9,8 +9,7 @@ function main {
     until [ $n -gt $max ]; do
         set +e
         (
-        apt-get update &&
-        apt-get install -y --no-install-recommends "$@"
+        eval "apt-get update; apt-get install -y --no-install-recommends $*"
         )
         CODE=$?
         set -e

debootstrap/bullseye/rootfs/usr/bin/install-stack

@@ -49,7 +49,7 @@ function main() {
     echo "Extract data to a temporary directory: ${TMP_DIR}"
     tar --directory "${TMP_DIR}" --extract --gunzip --file "${TMP_DIR}"/"${stack_filename}" --no-same-owner
 
-    packages=$(grep -vE '^\s*(#|$)' "${TMP_DIR}"/meta/dependencies)
+    packages=$(tr '\t\n' ' ' < "${TMP_DIR}/meta/dependencies" | tr -s ' ')
     if [[ -n "${packages:+x}" ]]; then
         echo "Install system packages: ${packages}"
         install-packages "$packages"

debootstrap/bullseye/rootfs/usr/sbin/install-packages

@@ -9,8 +9,7 @@ function main {
     until [ $n -gt $max ]; do
         set +e
         (
-        apt-get update &&
-        apt-get install -y --no-install-recommends "$@"
+        eval "apt-get update; apt-get install -y --no-install-recommends $*"
         )
         CODE=$?
         set -e

debootstrap/trixie/rootfs/etc/apt/apt.conf.d/apt-retry

@@ -0,0 +1,2 @@
+# Retry apt failures 3 times. See here for more information: https://linux.die.net/man/5/apt.conf
+Acquire::Retries 3;

debootstrap/trixie/rootfs/etc/apt/apt.conf.d/container-autoremove-suggests

@@ -0,0 +1,16 @@
+# Since Container users are looking for the smallest possible final images, the
+# following emerges as a very common pattern:
+
+#   RUN apt-get update \
+#       && apt-get install -y <packages> \
+#       && <do some compilation work> \
+#       && apt-get purge -y --auto-remove <packages>
+
+# By default, APT will actually _keep_ packages installed via Recommends or
+# Depends if another package Suggests them, even and including if the package
+# that originally caused them to be installed is removed.  Setting this to
+# "false" ensures that APT is appropriately aggressive about removing the
+# packages it added.
+
+# https://aptitude.alioth.debian.org/doc/en/ch02s05s05.html#configApt-AutoRemove-SuggestsImportant
+Apt::AutoRemove::SuggestsImportant "false";

debootstrap/trixie/rootfs/etc/apt/apt.conf.d/container-clean

@@ -0,0 +1,16 @@
+# Since for most Container users, package installs happen in "podman build" steps,
+# they essentially become individual layers due to the way Container handles
+# layering, especially using CoW filesystems.  What this means for us is that
+# the caches that APT keeps end up just wasting space in those layers, making
+# our layers unnecessarily large (especially since we'll normally never use
+# these caches again and will instead just "podman build" again and make a brand
+# new image).
+
+# Ideally, these would just be invoking "apt-get clean", but in our testing,
+# that ended up being cyclic and we got stuck on APT's lock, so we get this fun
+# creation that's essentially just "apt-get clean".
+DPkg::Post-Invoke { "rm -f /var/cache/apt/archives/*.deb /var/cache/apt/archives/partial/*.deb /var/cache/apt/*.bin || true"; };
+APT::Update::Post-Invoke { "rm -f /var/cache/apt/archives/*.deb /var/cache/apt/archives/partial/*.deb /var/cache/apt/*.bin || true"; };
+
+Dir::Cache::pkgcache "";
+Dir::Cache::srcpkgcache "";

debootstrap/trixie/rootfs/etc/apt/apt.conf.d/container-gzip-indexes

@@ -0,0 +1,11 @@
+# Since Container users using "RUN apt-get update && apt-get install -y ..." in
+# their Dockerfiles don't go delete the lists files afterwards, we want them to
+# be as small as possible on-disk, so we explicitly request "gz" versions and
+# tell Apt to keep them gzipped on-disk.
+
+# For comparison, an "apt-get update" layer without this on a pristine
+# "debian:wheezy" base image was "29.88 MB", where with this it was only
+# "8.273 MB".
+
+Acquire::GzipIndexes "true";
+Acquire::CompressionTypes::Order:: "gz";