Several dockerfile cleanups (user and cache)

Just trying to make consistent our use of the user name
we create. This makes the user name the same across all
images and makes sure it is being used in the right places.

Some tinkering with the caches we use for the RUN statements.
Dropped the UID (there is very little documentation about how
this actually affects the cache and whose UID it is) so we'll
use the default. Added cache statements for apt statements as
well.

Note that for good connections, the caching does not make a
measurable difference in the time to build. It could be that
we are still not using the cache appropriately.

Signed-off-by: Mic Bowman <[email protected]>

docker/pdo_base.dockerfile

@@ -25,8 +25,10 @@ ENV TERM=screen-256color
 # -----------------------------------------------------------------
 ARG ADD_APT_PKGS=
 
-ENV DEBIAN_FRONTEND "noninteractive"
-RUN apt-get update \
+ENV DEBIAN_FRONTEND="noninteractive"
+RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
+    --mount=type=cache,target=/var/lib/apt,sharing=locked \
+    apt-get update \
     && apt-get install -y -q --no-install-recommends \
         autoconf \
         automake \
@@ -77,5 +79,23 @@ RUN wget -q https://github.com/WebAssembly/wasi-sdk/releases/download/wasi-sdk-$
     && dpkg --install ${WASI_PACKAGE} \
     && rm ${WASI_PACKAGE}
 
+# -----------------------------------------------------------------
+# Create the pdo_user account and group that will be used for
+# future installations into the pdo install directory
+# -----------------------------------------------------------------
+ARG UNAME=pdo_user
+ENV UNAME=${UNAME}
+
+ARG UID=1000
+ARG GID=$UID
+
+RUN groupadd -f -g $GID -o $UNAME
+RUN useradd -m -u $UID -g $GID -d /project/pdo -o -s /bin/bash $UNAME
+
+# -----------------------------------------------------------------
+# Prep for the installation
+# -----------------------------------------------------------------
+USER $UNAME
+
 WORKDIR /project/pdo/tools
 COPY tools/environment.sh ./

docker/pdo_ccf.dockerfile

@@ -19,7 +19,7 @@
 # to cache pip downloads between builds, cutting down noticeably build time.
 # Note that cache is cleaned with the "uusal" docker prune commans, e.g., docker builder prune.
 
-ARG PDO_VERSION
+ARG PDO_VERSION=latest
 FROM pdo_ccf_base:${PDO_VERSION}
 
 # -----------------------------------------------------------------
@@ -38,6 +38,13 @@ ENV PDO_DEBUG_BUILD=${PDO_DEBUG_BUILD}
 ARG XFER_DIR=/project/pdo/xfer
 ENV XFER_DIR=${XFER_DIR}
 
+# copy the source files into the image using the user
+# identity that was created in the base container
+ARG UNAME=pdo_user
+ENV UNAME=${UNAME}
+
+USER $UNAME
+
 # copy the source files into the image
 WORKDIR /project/pdo
 COPY --chown=${UNAME}:${UNAME} repository /project/pdo/src
@@ -49,9 +56,7 @@ WORKDIR /project/pdo/tools
 COPY --chown=${UNAME}:${UNAME} tools/*.sh ./
 
 # build it!!!
-ARG UID=1000
-ARG GID=${UID}
-RUN --mount=type=cache,uid=${UID},gid=${GID},target=/project/pdo/.cache/pip \
+RUN --mount=type=cache,target=/project/pdo/.cache/pip \
     /project/pdo/tools/build_ccf.sh
 
 # Network ports for running services

docker/pdo_ccf_base.dockerfile

@@ -24,13 +24,17 @@ ARG UBUNTU_NAME=focal
 
 ENV TERM=screen-256color
 
+USER root
+
 # -----------------------------------------------------------------
 # Install base packages
 # -----------------------------------------------------------------
 ARG ADD_APT_PKGS=
 
-ENV DEBIAN_FRONTEND "noninteractive"
-RUN apt-get update \
+ENV DEBIAN_FRONTEND="noninteractive"
+RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
+    --mount=type=cache,target=/var/lib/apt,sharing=locked \
+    apt-get update \
     && apt-get install -y -q --no-install-recommends \
         libsecp256k1-dev \
         lsof \
@@ -46,8 +50,9 @@ RUN apt-get update \
 RUN echo "deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu ${UBUNTU_NAME} main" >> /etc/apt/sources.list
 RUN curl https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | apt-key add -
 
-
-RUN apt-get update \
+RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
+    --mount=type=cache,target=/var/lib/apt,sharing=locked \
+    apt-get update \
     && apt-get install -y --no-install-recommends \
         sgx-aesm-service \
         libsgx-dcap-ql \
@@ -59,19 +64,20 @@ RUN apt-get clean \
     && rm -rf /var/lib/apt/lists/*
 
 # -----------------------------------------------------------------
+# Create the pdo_user account and group that will be used for
+# future installations into the pdo install directory
 # -----------------------------------------------------------------
-WORKDIR /project/pdo
-
-ARG UNAME=pdo_ccf
+ARG UNAME=pdo_user
 ENV UNAME=${UNAME}
 
 ARG UID=1000
 ARG GID=$UID
 
-RUN echo $UID $GID
 RUN groupadd -f -g $GID -o $UNAME
 RUN useradd -m -u $UID -g $GID -d /project/pdo -o -s /bin/bash $UNAME
-RUN chown --recursive $UNAME:$UNAME /project/pdo
+
+# -----------------------------------------------------------------
 USER $UNAME
 
+WORKDIR /project/pdo
 ENTRYPOINT ["/bin/bash"]

docker/pdo_client.dockerfile

@@ -19,24 +19,9 @@
 # to cache pip downloads between builds, cutting down noticeably build time.
 # Note that cache is cleaned with the "uusal" docker prune commans, e.g., docker builder prune.
 
-ARG PDO_VERSION
+ARG PDO_VERSION=latest
 FROM pdo_base:${PDO_VERSION}
 
-# -----------------------------------------------------------------
-# -----------------------------------------------------------------
-WORKDIR /project/pdo
-
-ARG UNAME=pdo_client
-ENV UNAME=${UNAME}
-
-ARG UID=1000
-ARG GID=${UID}
-
-RUN groupadd -f -g $GID -o $UNAME
-RUN useradd -m -u $UID -g $GID -d /project/pdo -o -s /bin/bash $UNAME
-RUN chown --recursive $UNAME:$UNAME /project/pdo
-USER $UNAME
-
 # -----------------------------------------------------------------
 # set up the PDO sources
 # -----------------------------------------------------------------
@@ -54,6 +39,16 @@ ENV PDO_INTERPRETER=${PDO_INTERPRETER}
 ARG PDO_LOG_LEVEL=info
 ENV PDO_LOG_LEVEL=${PDO_LOG_LEVEL}
 
+# -----------------------------------------------------------------
+# use the identity created in the base container
+# -----------------------------------------------------------------
+ARG UNAME=pdo_user
+ENV UNAME=${UNAME}
+
+USER $UNAME
+
+# -----------------------------------------------------------------
+# -----------------------------------------------------------------
 # copy the source files into the image
 WORKDIR /project/pdo
 COPY --chown=${UNAME}:${UNAME} repository /project/pdo/src
@@ -65,8 +60,9 @@ WORKDIR /project/pdo/tools
 COPY --chown=${UNAME}:${UNAME} tools/*.sh ./
 
 # build it!!!
-RUN --mount=type=cache,uid=${UID},gid=${GID},target=/project/pdo/.cache/pip \
+RUN --mount=type=cache,target=/project/pdo/.cache/pip \
     /project/pdo/tools/build_client.sh
 
-RUN ln -s /project/pdo/tools/bashrc_client.sh /project/pdo/.bashrc
+RUN rm -f /project/pdo/.bashrc; ln -s /project/pdo/tools/bashrc_client.sh /project/pdo/.bashrc
+
 ENTRYPOINT [ "/bin/bash" ]

docker/pdo_services.dockerfile

@@ -19,7 +19,7 @@
 # to cache pip downloads between builds, cutting down noticeably build time.
 # Note that cache is cleaned with the "uusal" docker prune commans, e.g., docker builder prune.
 
-ARG PDO_VERSION
+ARG PDO_VERSION=latest
 FROM pdo_services_base:${PDO_VERSION}
 
 # -----------------------------------------------------------------
@@ -28,7 +28,7 @@ FROM pdo_services_base:${PDO_VERSION}
 ARG REBUILD=0
 
 ARG SGX_MODE=SIM
-ENV SGX_MODE $SGX_MODE
+ENV SGX_MODE=$SGX_MODE
 
 ARG PDO_DEBUG_BUILD=1
 ENV PDO_DEBUG_BUILD=${PDO_DEBUG_BUILD}
@@ -45,7 +45,12 @@ ENV PDO_MEMORY_CONFIG=${PDO_MEMORY_CONFIG}
 ARG PDO_LOG_LEVEL=info
 ENV PDO_LOG_LEVEL=${PDO_LOG_LEVEL}
 
-# copy the source files into the image
+# copy the source files into the image using the user
+# identity that was created in the base container
+ARG UNAME=pdo_user
+ENV UNAME=${UNAME}
+
+USER $UNAME
 WORKDIR /project/pdo
 COPY --chown=${UNAME}:${UNAME} repository /project/pdo/src
 
@@ -55,18 +60,15 @@ COPY --chown=${UNAME}:${UNAME} repository /project/pdo/src
 WORKDIR /project/pdo/tools
 COPY --chown=${UNAME}:${UNAME} tools/*.sh ./
 
-# built it!
-ARG UID=1000
-ARG GID=${UID}
-RUN --mount=type=cache,uid=${UID},gid=${GID},target=/project/pdo/.cache/pip \
+# build it!
+RUN --mount=type=cache,target=/project/pdo/.cache/pip \
     /project/pdo/tools/build_services.sh
 
 # Network ports for running services
 EXPOSE 7001 7002 7003 7004 7005
 EXPOSE 7101 7102 7103 7104 7105
 EXPOSE 7201 7202 7203 7204 7205
 
-
 # Note that the entry point when specified with exec syntax
 # can be extended through the docker run interface far more
 # easily than if you use the other specification format of

docker/pdo_services_base.dockerfile

@@ -14,7 +14,7 @@
 # limitations under the License.
 # ------------------------------------------------------------------------------
 
-ARG PDO_VERSION
+ARG PDO_VERSION=latest
 FROM pdo_base:${PDO_VERSION}
 
 ARG UBUNTU_VERSION=22.04
@@ -24,7 +24,11 @@ ARG SGX=2.25
 ARG OPENSSL=3.0.14
 ARG SGXSSL=3.0_Rev4
 
-RUN echo "deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu ${UBUNTU_NAME} main" >> /etc/apt/sources.list \
+USER root
+
+RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
+    --mount=type=cache,target=/var/lib/apt,sharing=locked \
+ echo "deb [arch=amd64] https://download.01.org/intel-sgx/sgx_repo/ubuntu ${UBUNTU_NAME} main" >> /etc/apt/sources.list \
  && wget -qO - https://download.01.org/intel-sgx/sgx_repo/ubuntu/intel-sgx-deb.key | apt-key add - \
  && apt-get update \
  && apt-get install -y \
@@ -86,17 +90,9 @@ ENV SGX_SSL="/opt/intel/sgxssl"
 
 # -----------------------------------------------------------------
 # -----------------------------------------------------------------
-WORKDIR /project/pdo
-
-ARG UNAME=pdo_services
+ARG UNAME=pdo_user
 ENV UNAME=${UNAME}
 
-ARG UID=1000
-ARG GID=$UID
-
-RUN groupadd -f -g $GID -o $UNAME
-RUN useradd -m -u $UID -g $GID -d /project/pdo -o -s /bin/bash $UNAME
-RUN chown --recursive $UNAME:$UNAME /project/pdo
 USER $UNAME
-
+WORKDIR /project/pdo
 ENTRYPOINT ["/bin/bash"]