Switch from "&&" to ";" and use "apt-mark showmanual"+"ldd" method for non-slim Debian too

Author: tianon

2.4/alpine3.10/Dockerfile

@@ -4,8 +4,9 @@ RUN apk add --no-cache \
 		gmp-dev
 
 # skip installing gem documentation
-RUN mkdir -p /usr/local/etc \
-	&& { \
+RUN set -eux; \
+	mkdir -p /usr/local/etc; \
+	{ \
 		echo 'install: --no-document'; \
 		echo 'update: --no-document'; \
 	} >> /usr/local/etc/gemrc
@@ -18,9 +19,9 @@ ENV RUBYGEMS_VERSION 3.0.3
 # some of ruby's build scripts are written in ruby
 #   we purge system ruby later to make sure our final image uses what we just built
 # readline-dev vs libedit-dev: https://bugs.ruby-lang.org/issues/11869 and https://github.com/docker-library/ruby/issues/75
-RUN set -ex \
+RUN set -eux; \
 	\
-	&& apk add --no-cache --virtual .ruby-builddeps \
+	apk add --no-cache --virtual .ruby-builddeps \
 		autoconf \
 		bison \
 		bzip2 \
@@ -47,65 +48,72 @@ RUN set -ex \
 		xz \
 		yaml-dev \
 		zlib-dev \
+	; \
 	\
-	&& wget -O ruby.tar.xz "https://cache.ruby-lang.org/pub/ruby/${RUBY_MAJOR%-rc}/ruby-$RUBY_VERSION.tar.xz" \
-	&& echo "$RUBY_DOWNLOAD_SHA256 *ruby.tar.xz" | sha256sum -c - \
+	wget -O ruby.tar.xz "https://cache.ruby-lang.org/pub/ruby/${RUBY_MAJOR%-rc}/ruby-$RUBY_VERSION.tar.xz"; \
+	echo "$RUBY_DOWNLOAD_SHA256 *ruby.tar.xz" | sha256sum --check --strict; \
 	\
-	&& mkdir -p /usr/src/ruby \
-	&& tar -xJf ruby.tar.xz -C /usr/src/ruby --strip-components=1 \
-	&& rm ruby.tar.xz \
+	mkdir -p /usr/src/ruby; \
+	tar -xJf ruby.tar.xz -C /usr/src/ruby --strip-components=1; \
+	rm ruby.tar.xz; \
 	\
-	&& cd /usr/src/ruby \
+	cd /usr/src/ruby; \
 	\
 # https://github.com/docker-library/ruby/issues/196
 # https://bugs.ruby-lang.org/issues/14387#note-13 (patch source)
 # https://bugs.ruby-lang.org/issues/14387#note-16 ("Therefore ncopa's patch looks good for me in general." -- only breaks glibc which doesn't matter here)
-	&& wget -O 'thread-stack-fix.patch' 'https://bugs.ruby-lang.org/attachments/download/7081/0001-thread_pthread.c-make-get_main_stack-portable-on-lin.patch' \
-	&& echo '3ab628a51d92fdf0d2b5835e93564857aea73e0c1de00313864a94a6255cb645 *thread-stack-fix.patch' | sha256sum -c - \
-	&& patch -p1 -i thread-stack-fix.patch \
-	&& rm thread-stack-fix.patch \
+	wget -O 'thread-stack-fix.patch' 'https://bugs.ruby-lang.org/attachments/download/7081/0001-thread_pthread.c-make-get_main_stack-portable-on-lin.patch'; \
+	echo '3ab628a51d92fdf0d2b5835e93564857aea73e0c1de00313864a94a6255cb645 *thread-stack-fix.patch' | sha256sum --check --strict; \
+	patch -p1 -i thread-stack-fix.patch; \
+	rm thread-stack-fix.patch; \
 	\
 # hack in "ENABLE_PATH_CHECK" disabling to suppress:
 #   warning: Insecure world writable dir
-	&& { \
+	{ \
 		echo '#define ENABLE_PATH_CHECK 0'; \
 		echo; \
 		cat file.c; \
-	} > file.c.new \
-	&& mv file.c.new file.c \
+	} > file.c.new; \
+	mv file.c.new file.c; \
 	\
-	&& autoconf \
-	&& gnuArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)" \
+	autoconf; \
+	gnuArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"; \
 # the configure script does not detect isnan/isinf as macros
-	&& export ac_cv_func_isnan=yes ac_cv_func_isinf=yes \
-	&& ./configure \
+	export ac_cv_func_isnan=yes ac_cv_func_isinf=yes; \
+	./configure \
 		--build="$gnuArch" \
 		--disable-install-doc \
 		--enable-shared \
-	&& make -j "$(nproc)" \
-	&& make install \
+	; \
+	make -j "$(nproc)"; \
+	make install; \
 	\
-	&& runDeps="$( \
+	runDeps="$( \
 		scanelf --needed --nobanner --format '%n#p' --recursive /usr/local \
 			| tr ',' '\n' \
 			| sort -u \
 			| awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \
-	)" \
-	&& apk add --no-network --virtual .ruby-rundeps $runDeps \
+	)"; \
+	apk add --no-network --virtual .ruby-rundeps \
+		$runDeps \
 		bzip2 \
 		ca-certificates \
 		libffi-dev \
 		procps \
 		yaml-dev \
 		zlib-dev \
-	&& apk del --no-network .ruby-builddeps \
-	&& cd / \
-	&& rm -r /usr/src/ruby \
+	; \
+	apk del --no-network .ruby-builddeps; \
+	\
+	cd /; \
+	rm -r /usr/src/ruby; \
 # make sure bundled "rubygems" is older than RUBYGEMS_VERSION (https://github.com/docker-library/ruby/issues/246)
-	&& ruby -e 'exit(Gem::Version.create(ENV["RUBYGEMS_VERSION"]) > Gem::Version.create(Gem::VERSION))' \
-	&& gem update --system "$RUBYGEMS_VERSION" && rm -r /root/.gem/ \
+	ruby -e 'exit(Gem::Version.create(ENV["RUBYGEMS_VERSION"]) > Gem::Version.create(Gem::VERSION))'; \
+	gem update --system "$RUBYGEMS_VERSION" && rm -r /root/.gem/; \
 # rough smoke test
-	&& ruby --version && gem --version && bundle --version
+	ruby --version; \
+	gem --version; \
+	bundle --version
 
 # install things globally, for great justice
 # and don't create ".bundle" in all our apps

2.4/alpine3.9/Dockerfile

@@ -4,8 +4,9 @@ RUN apk add --no-cache \
 		gmp-dev
 
 # skip installing gem documentation
-RUN mkdir -p /usr/local/etc \
-	&& { \
+RUN set -eux; \
+	mkdir -p /usr/local/etc; \
+	{ \
 		echo 'install: --no-document'; \
 		echo 'update: --no-document'; \
 	} >> /usr/local/etc/gemrc
@@ -18,9 +19,9 @@ ENV RUBYGEMS_VERSION 3.0.3
 # some of ruby's build scripts are written in ruby
 #   we purge system ruby later to make sure our final image uses what we just built
 # readline-dev vs libedit-dev: https://bugs.ruby-lang.org/issues/11869 and https://github.com/docker-library/ruby/issues/75
-RUN set -ex \
+RUN set -eux; \
 	\
-	&& apk add --no-cache --virtual .ruby-builddeps \
+	apk add --no-cache --virtual .ruby-builddeps \
 		autoconf \
 		bison \
 		bzip2 \
@@ -47,65 +48,72 @@ RUN set -ex \
 		xz \
 		yaml-dev \
 		zlib-dev \
+	; \
 	\
-	&& wget -O ruby.tar.xz "https://cache.ruby-lang.org/pub/ruby/${RUBY_MAJOR%-rc}/ruby-$RUBY_VERSION.tar.xz" \
-	&& echo "$RUBY_DOWNLOAD_SHA256 *ruby.tar.xz" | sha256sum -c - \
+	wget -O ruby.tar.xz "https://cache.ruby-lang.org/pub/ruby/${RUBY_MAJOR%-rc}/ruby-$RUBY_VERSION.tar.xz"; \
+	echo "$RUBY_DOWNLOAD_SHA256 *ruby.tar.xz" | sha256sum --check --strict; \
 	\
-	&& mkdir -p /usr/src/ruby \
-	&& tar -xJf ruby.tar.xz -C /usr/src/ruby --strip-components=1 \
-	&& rm ruby.tar.xz \
+	mkdir -p /usr/src/ruby; \
+	tar -xJf ruby.tar.xz -C /usr/src/ruby --strip-components=1; \
+	rm ruby.tar.xz; \
 	\
-	&& cd /usr/src/ruby \
+	cd /usr/src/ruby; \
 	\
 # https://github.com/docker-library/ruby/issues/196
 # https://bugs.ruby-lang.org/issues/14387#note-13 (patch source)
 # https://bugs.ruby-lang.org/issues/14387#note-16 ("Therefore ncopa's patch looks good for me in general." -- only breaks glibc which doesn't matter here)
-	&& wget -O 'thread-stack-fix.patch' 'https://bugs.ruby-lang.org/attachments/download/7081/0001-thread_pthread.c-make-get_main_stack-portable-on-lin.patch' \
-	&& echo '3ab628a51d92fdf0d2b5835e93564857aea73e0c1de00313864a94a6255cb645 *thread-stack-fix.patch' | sha256sum -c - \
-	&& patch -p1 -i thread-stack-fix.patch \
-	&& rm thread-stack-fix.patch \
+	wget -O 'thread-stack-fix.patch' 'https://bugs.ruby-lang.org/attachments/download/7081/0001-thread_pthread.c-make-get_main_stack-portable-on-lin.patch'; \
+	echo '3ab628a51d92fdf0d2b5835e93564857aea73e0c1de00313864a94a6255cb645 *thread-stack-fix.patch' | sha256sum --check --strict; \
+	patch -p1 -i thread-stack-fix.patch; \
+	rm thread-stack-fix.patch; \
 	\
 # hack in "ENABLE_PATH_CHECK" disabling to suppress:
 #   warning: Insecure world writable dir
-	&& { \
+	{ \
 		echo '#define ENABLE_PATH_CHECK 0'; \
 		echo; \
 		cat file.c; \
-	} > file.c.new \
-	&& mv file.c.new file.c \
+	} > file.c.new; \
+	mv file.c.new file.c; \
 	\
-	&& autoconf \
-	&& gnuArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)" \
+	autoconf; \
+	gnuArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"; \
 # the configure script does not detect isnan/isinf as macros
-	&& export ac_cv_func_isnan=yes ac_cv_func_isinf=yes \
-	&& ./configure \
+	export ac_cv_func_isnan=yes ac_cv_func_isinf=yes; \
+	./configure \
 		--build="$gnuArch" \
 		--disable-install-doc \
 		--enable-shared \
-	&& make -j "$(nproc)" \
-	&& make install \
+	; \
+	make -j "$(nproc)"; \
+	make install; \
 	\
-	&& runDeps="$( \
+	runDeps="$( \
 		scanelf --needed --nobanner --format '%n#p' --recursive /usr/local \
 			| tr ',' '\n' \
 			| sort -u \
 			| awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \
-	)" \
-	&& apk add --no-network --virtual .ruby-rundeps $runDeps \
+	)"; \
+	apk add --no-network --virtual .ruby-rundeps \
+		$runDeps \
 		bzip2 \
 		ca-certificates \
 		libffi-dev \
 		procps \
 		yaml-dev \
 		zlib-dev \
-	&& apk del --no-network .ruby-builddeps \
-	&& cd / \
-	&& rm -r /usr/src/ruby \
+	; \
+	apk del --no-network .ruby-builddeps; \
+	\
+	cd /; \
+	rm -r /usr/src/ruby; \
 # make sure bundled "rubygems" is older than RUBYGEMS_VERSION (https://github.com/docker-library/ruby/issues/246)
-	&& ruby -e 'exit(Gem::Version.create(ENV["RUBYGEMS_VERSION"]) > Gem::Version.create(Gem::VERSION))' \
-	&& gem update --system "$RUBYGEMS_VERSION" && rm -r /root/.gem/ \
+	ruby -e 'exit(Gem::Version.create(ENV["RUBYGEMS_VERSION"]) > Gem::Version.create(Gem::VERSION))'; \
+	gem update --system "$RUBYGEMS_VERSION" && rm -r /root/.gem/; \
 # rough smoke test
-	&& ruby --version && gem --version && bundle --version
+	ruby --version; \
+	gem --version; \
+	bundle --version
 
 # install things globally, for great justice
 # and don't create ".bundle" in all our apps

2.4/jessie/Dockerfile

@@ -1,8 +1,9 @@
 FROM buildpack-deps:jessie
 
 # skip installing gem documentation
-RUN mkdir -p /usr/local/etc \
-	&& { \
+RUN set -eux; \
+	mkdir -p /usr/local/etc; \
+	{ \
 		echo 'install: --no-document'; \
 		echo 'update: --no-document'; \
 	} >> /usr/local/etc/gemrc
@@ -14,53 +15,67 @@ ENV RUBYGEMS_VERSION 3.0.3
 
 # some of ruby's build scripts are written in ruby
 #   we purge system ruby later to make sure our final image uses what we just built
-RUN set -ex \
+RUN set -eux; \
 	\
-	&& buildDeps=' \
+	savedAptMark="$(apt-mark showmanual)"; \
+	apt-get update; \
+	apt-get install -y --no-install-recommends \
 		bison \
 		dpkg-dev \
 		libgdbm-dev \
 		ruby \
-	' \
-	&& apt-get update \
-	&& apt-get install -y --no-install-recommends $buildDeps \
-	&& rm -rf /var/lib/apt/lists/* \
+	; \
+	rm -rf /var/lib/apt/lists/*; \
 	\
-	&& wget -O ruby.tar.xz "https://cache.ruby-lang.org/pub/ruby/${RUBY_MAJOR%-rc}/ruby-$RUBY_VERSION.tar.xz" \
-	&& echo "$RUBY_DOWNLOAD_SHA256 *ruby.tar.xz" | sha256sum -c - \
+	wget -O ruby.tar.xz "https://cache.ruby-lang.org/pub/ruby/${RUBY_MAJOR%-rc}/ruby-$RUBY_VERSION.tar.xz"; \
+	echo "$RUBY_DOWNLOAD_SHA256 *ruby.tar.xz" | sha256sum --check --strict; \
 	\
-	&& mkdir -p /usr/src/ruby \
-	&& tar -xJf ruby.tar.xz -C /usr/src/ruby --strip-components=1 \
-	&& rm ruby.tar.xz \
+	mkdir -p /usr/src/ruby; \
+	tar -xJf ruby.tar.xz -C /usr/src/ruby --strip-components=1; \
+	rm ruby.tar.xz; \
 	\
-	&& cd /usr/src/ruby \
+	cd /usr/src/ruby; \
 	\
 # hack in "ENABLE_PATH_CHECK" disabling to suppress:
 #   warning: Insecure world writable dir
-	&& { \
+	{ \
 		echo '#define ENABLE_PATH_CHECK 0'; \
 		echo; \
 		cat file.c; \
-	} > file.c.new \
-	&& mv file.c.new file.c \
+	} > file.c.new; \
+	mv file.c.new file.c; \
 	\
-	&& autoconf \
-	&& gnuArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)" \
-	&& ./configure \
+	autoconf; \
+	gnuArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"; \
+	./configure \
 		--build="$gnuArch" \
 		--disable-install-doc \
 		--enable-shared \
-	&& make -j "$(nproc)" \
-	&& make install \
+	; \
+	make -j "$(nproc)"; \
+	make install; \
 	\
-	&& apt-get purge -y --auto-remove $buildDeps \
-	&& cd / \
-	&& rm -r /usr/src/ruby \
+	apt-mark auto '.*' > /dev/null; \
+	apt-mark manual $savedAptMark > /dev/null; \
+	find /usr/local -type f -executable -not \( -name '*tkinter*' \) -exec ldd '{}' ';' \
+		| awk '/=>/ { print $(NF-1) }' \
+		| sort -u \
+		| xargs -r dpkg-query --search \
+		| cut -d: -f1 \
+		| sort -u \
+		| xargs -r apt-mark manual \
+	; \
+	apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \
+	\
+	cd /; \
+	rm -r /usr/src/ruby; \
 # make sure bundled "rubygems" is older than RUBYGEMS_VERSION (https://github.com/docker-library/ruby/issues/246)
-	&& ruby -e 'exit(Gem::Version.create(ENV["RUBYGEMS_VERSION"]) > Gem::Version.create(Gem::VERSION))' \
-	&& gem update --system "$RUBYGEMS_VERSION" && rm -r /root/.gem/ \
+	ruby -e 'exit(Gem::Version.create(ENV["RUBYGEMS_VERSION"]) > Gem::Version.create(Gem::VERSION))'; \
+	gem update --system "$RUBYGEMS_VERSION" && rm -r /root/.gem/; \
 # rough smoke test
-	&& ruby --version && gem --version && bundle --version
+	ruby --version; \
+	gem --version; \
+	bundle --version
 
 # install things globally, for great justice
 # and don't create ".bundle" in all our apps