[docker] use cloudfront debian mirrors for bullseye (#15303)

* [builder] Point docker builds to aws hosted cloudfront mirror

This should improve build time and reliability

Test Plan: build images

* [docker] use cloudfront debian mirrors for bullseye

* [docker] debian-base install

* [docker] cleanup stuff into debian-base

---------

Co-authored-by: Perry Randall <[email protected]>
(cherry picked from commit 7cf7637)

docker/builder/builder.Dockerfile

@@ -3,21 +3,23 @@
 FROM rust as rust-base
 WORKDIR /aptos
 
+
 RUN rm -f /etc/apt/apt.conf.d/docker-clean; echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' > /etc/apt/apt.conf.d/keep-cache
 RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
     --mount=type=cache,target=/var/lib/apt,sharing=locked \
+    sed -i 's|http://deb.debian.org/debian|http://cloudfront.debian.net/debian|g' /etc/apt/sources.list &&  \
     apt update && apt-get --no-install-recommends install -y \
-    cmake \
-    curl \
-    clang \
-    git \
-    pkg-config \
-    libssl-dev \
-    libpq-dev \
-    libdw-dev \
-    binutils \
-    lld \
-    libudev-dev
+        binutils \
+        clang \
+        cmake \
+        curl \
+        git \
+        libdw-dev \
+        libpq-dev \
+        libssl-dev \
+        libudev-dev \
+        lld \
+        pkg-config
 
 ### Build Rust code ###
 FROM rust-base as builder-base

docker/builder/debian-base.Dockerfile

@@ -6,6 +6,19 @@ ARG TARGETARCH
 
 RUN rm -f /etc/apt/apt.conf.d/docker-clean; echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' > /etc/apt/apt.conf.d/keep-cache
 
+RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
+    --mount=type=cache,target=/var/lib/apt,sharing=locked \
+    sed -i 's|http://deb.debian.org/debian|http://cloudfront.debian.net/debian|g' /etc/apt/sources.list &&  \
+    apt-get update && apt-get --no-install-recommends --allow-downgrades -y install \
+        ca-certificates \
+        curl \
+        iproute2 \
+        libpq-dev \
+        libssl1.1 \
+        netcat \
+        net-tools \
+        tcpdump
+
 # Add Tini to make sure the binaries receive proper SIGTERM signals when Docker is shut down
 ADD --chmod=755 https://github.com/krallin/tini/releases/download/v0.19.0/tini-$TARGETARCH /tini
-ENTRYPOINT ["/tini", "--"]
+ENTRYPOINT ["/tini", "--"]

docker/builder/faucet.Dockerfile

@@ -3,14 +3,8 @@ FROM debian-base AS faucet
 
 RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
     --mount=type=cache,target=/var/lib/apt,sharing=locked \
+    sed -i 's|http://security.debian.org/debian-security|https://cloudfront.debian.net/debian-security|g' /etc/apt/sources.list &&  \
     apt-get update && apt-get --no-install-recommends install -y \
-        libssl1.1 \
-        ca-certificates \
-        nano \
-        net-tools \
-        tcpdump \
-        iproute2 \
-        netcat \
         procps
 
 RUN mkdir -p /aptos/client/data/wallet/

docker/builder/forge.Dockerfile

@@ -3,16 +3,14 @@
 FROM debian-base as forge
 
 RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
-    --mount=type=cache,target=/var/lib/apt,sharing=locked \   
+    --mount=type=cache,target=/var/lib/apt,sharing=locked \
     apt-get update && apt-get install --no-install-recommends -y \
-    libssl1.1 \
-    ca-certificates \
-    openssh-client \
-    wget \
-    busybox \
-    git \
-    unzip \
-    awscli 
+        awscli \
+        busybox \
+        git \
+        openssh-client \
+        unzip \
+        wget
 
 WORKDIR /aptos
 

docker/builder/indexer-grpc.Dockerfile

@@ -2,18 +2,6 @@
 
 FROM debian-base AS indexer-grpc
 
-RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
-    --mount=type=cache,target=/var/lib/apt,sharing=locked \   
-    apt-get update && apt-get install --no-install-recommends -y \    
-    libssl1.1 \
-    ca-certificates \
-    net-tools \
-    tcpdump \
-    iproute2 \
-    netcat \
-    libpq-dev \
-    curl
-
 COPY --link --from=indexer-builder /aptos/dist/aptos-indexer-grpc-cache-worker /usr/local/bin/aptos-indexer-grpc-cache-worker
 COPY --link --from=indexer-builder /aptos/dist/aptos-indexer-grpc-file-store /usr/local/bin/aptos-indexer-grpc-file-store
 COPY --link --from=indexer-builder /aptos/dist/aptos-indexer-grpc-data-service /usr/local/bin/aptos-indexer-grpc-data-service

docker/builder/keyless-pepper-service.Dockerfile

@@ -1,17 +1,5 @@
 FROM debian-base AS keyless-pepper-service
 
-RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
-    --mount=type=cache,target=/var/lib/apt,sharing=locked \   
-    apt-get update && apt-get install --no-install-recommends -y \    
-    libssl1.1 \
-    ca-certificates \
-    net-tools \
-    tcpdump \
-    iproute2 \
-    netcat \
-    libpq-dev \
-    curl
-
 COPY --link --from=tools-builder /aptos/dist/aptos-keyless-pepper-service /usr/local/bin/aptos-keyless-pepper-service
 
 EXPOSE 8000

docker/builder/nft-metadata-crawler.Dockerfile

@@ -4,18 +4,6 @@ FROM indexer-builder
 
 FROM debian-base AS nft-metadata-crawler
 
-RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
-    --mount=type=cache,target=/var/lib/apt,sharing=locked \   
-    apt-get update && apt-get install --no-install-recommends -y \    
-    libssl1.1 \
-    ca-certificates \
-    net-tools \
-    tcpdump \
-    iproute2 \
-    netcat \
-    libpq-dev \
-    curl
-
 COPY --link --from=indexer-builder /aptos/dist/aptos-nft-metadata-crawler /usr/local/bin/aptos-nft-metadata-crawler
 
 # The health check port

docker/builder/node-checker.Dockerfile

@@ -2,17 +2,6 @@
 
 FROM debian-base AS node-checker
 
-RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
-    --mount=type=cache,target=/var/lib/apt,sharing=locked \   
-    apt-get update && apt-get install --no-install-recommends -y \
-        libssl1.1 \
-        ca-certificates \
-        net-tools \
-        tcpdump \
-        iproute2 \
-        netcat \
-        libpq-dev
-
 COPY  --link --from=tools-builder /aptos/dist/aptos-node-checker /usr/local/bin/aptos-node-checker
 
 ENV RUST_LOG_FORMAT=json
@@ -25,4 +14,4 @@ ENV GIT_TAG ${GIT_TAG}
 ARG GIT_BRANCH
 ENV GIT_BRANCH ${GIT_BRANCH}
 ARG GIT_SHA
-ENV GIT_SHA ${GIT_SHA}
+ENV GIT_SHA ${GIT_SHA}

docker/builder/telemetry-service.Dockerfile

@@ -1,17 +1,5 @@
 FROM debian-base AS telemetry-service
 
-RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
-    --mount=type=cache,target=/var/lib/apt,sharing=locked \   
-    apt-get update && apt-get install --no-install-recommends -y \    
-        libssl1.1 \
-        ca-certificates \
-        net-tools \
-        tcpdump \
-        iproute2 \
-        netcat \
-        libpq-dev \
-        curl
-
 COPY --link --from=tools-builder /aptos/dist/aptos-telemetry-service /usr/local/bin/aptos-telemetry-service
 
 EXPOSE 8000
@@ -23,4 +11,4 @@ ENV GIT_TAG ${GIT_TAG}
 ARG GIT_BRANCH
 ENV GIT_BRANCH ${GIT_BRANCH}
 ARG GIT_SHA
-ENV GIT_SHA ${GIT_SHA}
+ENV GIT_SHA ${GIT_SHA}

docker/builder/tools.Dockerfile

@@ -1,9 +1,6 @@
 ### Tools Image ###
 FROM debian-base AS tools
 
-RUN echo "deb http://deb.debian.org/debian bullseye main" > /etc/apt/sources.list.d/bullseye.list && \
-    echo "Package: *\nPin: release n=bullseye\nPin-Priority: 50" > /etc/apt/preferences.d/bullseye
-
 RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
     --mount=type=cache,target=/var/lib/apt,sharing=locked \
     apt-get update && apt-get --no-install-recommends --allow-downgrades -y \
@@ -13,9 +10,7 @@ RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
     perl-base=5.32.1-4+deb11u4 \
     libtinfo6=6.2+20201114-2+deb11u2 \
     git \
-    libssl1.1 \
-    ca-certificates \
-    socat \
+            socat \
     python3-botocore/bullseye \
     awscli/bullseye \
     gnupg2 \

docker/builder/validator-testing.Dockerfile

@@ -5,29 +5,23 @@ FROM debian-base as validator-testing-base
 RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
     --mount=type=cache,target=/var/lib/apt,sharing=locked \
     apt-get update && apt-get install -y --no-install-recommends \
-    libssl1.1 \
-    ca-certificates \
-    # Needed to run debugging tools like perf
-    linux-perf \
-    sudo \
-    procps \
-    gdb \
-    curl \
-    # postgres client lib required for indexer
-    libpq-dev \
-    # Extra goodies for debugging
-    less \
-    git \
-    vim \
-    nano \
-    libjemalloc-dev \
-    binutils \
-    graphviz \
-    ghostscript \
-    strace \
-    htop \
-    sysstat \
-    valgrind
+        # Needed to run debugging tools like perf
+        gdb \
+        linux-perf \
+        procps \
+        sudo \
+        # Extra goodies for debugging
+        binutils \
+        ghostscript \
+        git \
+        graphviz \
+        htop \
+        less \
+        libjemalloc-dev \
+        strace \
+        sysstat \
+        valgrind \
+        vim
 
 FROM node-builder
 

docker/builder/validator.Dockerfile

@@ -7,18 +7,13 @@ FROM tools-builder
 FROM debian-base AS validator
 
 RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
-    --mount=type=cache,target=/var/lib/apt,sharing=locked \   
+    --mount=type=cache,target=/var/lib/apt,sharing=locked \
     apt-get update && apt-get install --no-install-recommends -y \
-        libssl1.1 \
-        ca-certificates \
         # Needed to run debugging tools like perf
         linux-perf \
         sudo \
         procps \
-        gdb \
-        curl \
-        # postgres client lib required for indexer
-        libpq-dev
+        gdb
 
 ### Because build machine perf might not match run machine perf, we have to symlink
 ### Even if version slightly off, still mostly works