[PATCH RFC 1/1] Dockerfile: restore debian sources list after installation


Felix Moessbauer

Nov 14, 2025, 10:40:25 AM
to kas-...@googlegroups.com, jan.k...@siemens.com, Felix Moessbauer
We currently have the snapshot mirrors in the debian sources list. While
this is in general good for having a stable baseline for installing
additional packages, it is problematic in case the container gets older
and components become outdated (e.g. the ca-certificates). By restoring
the original debian mirror entries, we make it easier for our users to
keep things up to date by just running apt-update.

Signed-off-by: Felix Moessbauer <felix.mo...@siemens.com>
---
Dockerfile | 14 +++++++++++++-
1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/Dockerfile b/Dockerfile
index f508777ad..0e8d7c0ef 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -39,7 +39,7 @@ RUN --mount=type=cache,target=/var/cache/apt,sharing=${CACHE_SHARING} \
rm -f /etc/apt/apt.conf.d/docker-clean && \
echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' > /etc/apt/apt.conf.d/keep-packages.conf && \
if echo "${DEBIAN_TAG}" | grep -q "[0-9]"; then \
- sed -i -e '/^URIs:/d' -e 's|^# http://snapshot\.|URIs: http://snapshot.|' \
+ sed -i -e 's|^URIs:|#|' -e 's|^# http://snapshot\.|URIs: http://snapshot.|' \
/etc/apt/sources.list.d/debian.sources; \
echo 'Acquire::Check-Valid-Until "false";' > /etc/apt/apt.conf.d/use-snapshot.conf; \
echo 'Acquire::Retries "10";' >> /etc/apt/apt.conf.d/use-snapshot.conf; \
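Review bot: the rewrite in this hunk only runs when DEBIAN_TAG contains a digit, but nothing records that decision in the image, so the restore steps in the later stages (where DEBIAN_TAG is not visible) cannot tell whether debian.sources was ever rewritten and have to run unconditionally. Leave a marker behind here, for example a copy of the untouched file, so the restore can be made conditional on it.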
@@ -113,6 +113,12 @@ RUN --mount=type=cache,target=/var/cache/apt,sharing=${CACHE_SHARING} \
python3-botocore \
bubblewrap \
debootstrap && \
+ rm -f /etc/apt/apt.conf.d/use-snapshot.conf /etc/apt/apt.conf.d/keep-packages.conf && \
+ sed -i \
+ -e 's|^#\(.*\)|@@TMP@@\1|' \
+ -e 's|^URIs:\(.*\)|#\1|' \
+ -e 's|@@TMP@@\(.*\)|URIs:\1|' \
+ /etc/apt/sources.list.d/debian.sources && \
rm -rf /var/log/* /tmp/* /var/tmp/* /var/cache/ldconfig/aux-cache && \
sbuild-adduser builder && \
sed -i 's|# kas-isar: ||g' /container-entrypoint
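Review bot: this restore runs unconditionally while the snapshot rewrite is guarded by the DEBIAN_TAG digit check, so on an unpinned image the three sed expressions still swap the comment and `URIs:` lines, turning `# http://snapshot.` into `URIs: http://snapshot.` and commenting out the live mirror, the opposite of the intent. The first expression `s|^#\(.*\)|@@TMP@@\1|` also matches every line starting with `#`, not only commented-out URIs, so any other comment in debian.sources would end up as a `URIs:` line. Guard the restore with the same condition as the rewrite, or restore from a saved copy of the original file.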
@@ -140,6 +146,12 @@ RUN --mount=type=cache,target=/var/cache/apt,sharing=${CACHE_SHARING} \
gcc build-essential chrpath socat cpio python3 python3-pip python3-pexpect \
xz-utils debianutils iputils-ping python3-git python3-jinja2 libegl1 libsdl1.2-dev \
pylint xterm python3-subunit mesa-common-dev zstd lz4 && \
+ rm -f /etc/apt/apt.conf.d/use-snapshot.conf /etc/apt/apt.conf.d/keep-packages.conf && \
+ sed -i \
+ -e 's|^#\(.*\)|@@TMP@@\1|' \
+ -e 's|^URIs:\(.*\)|#\1|' \
+ -e 's|@@TMP@@\(.*\)|URIs:\1|' \
+ /etc/apt/sources.list.d/debian.sources && \
if [ "$TARGETPLATFORM" = "linux/amd64" ]; then \
apt-get install --no-install-recommends -y gcc-multilib g++-multilib; \
fi && \
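Review bot: same unconditional swap as in the previous hunk, and here it is placed before the amd64-only `apt-get install --no-install-recommends -y gcc-multilib g++-multilib`, so on that platform the install runs with debian.sources pointing at the live mirror while the only package indexes on disk are the ones fetched from the snapshot mirror. Move the restore below the `fi` so it is the last apt-related step in the stage.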
--
2.51.0

Jan Kiszka

Nov 14, 2025, 4:33:17 PM
to Felix Moessbauer, kas-...@googlegroups.com
On 14.11.25 16:40, Felix Moessbauer wrote:
> We currently have the snapshot mirrors in the debian sources list. While
> this is in general good for having a stable baseline for installing
> additional packages, it is problematic in case the container gets older
> and components become outdated (e.g. the ca-certificates). By restoring
> the original debian mirror entries, we make it easier for our users to
> keep things up to date by just running apt-update.
>
> Signed-off-by: Felix Moessbauer <felix.mo...@siemens.com>
> ---
> Dockerfile | 14 +++++++++++++-
> 1 file changed, 13 insertions(+), 1 deletion(-)
>
> diff --git a/Dockerfile b/Dockerfile
> index f508777ad..0e8d7c0ef 100644
> --- a/Dockerfile
> +++ b/Dockerfile
> @@ -39,7 +39,7 @@ RUN --mount=type=cache,target=/var/cache/apt,sharing=${CACHE_SHARING} \
> rm -f /etc/apt/apt.conf.d/docker-clean && \
> echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' > /etc/apt/apt.conf.d/keep-packages.conf && \
> if echo "${DEBIAN_TAG}" | grep -q "[0-9]"; then \
> - sed -i -e '/^URIs:/d' -e 's|^# http://snapshot\.|URIs: http://snapshot.|' \
> + sed -i -e 's|^URIs:|#|' -e 's|^# http://snapshot\.|URIs: http://snapshot.|' \
> /etc/apt/sources.list.d/debian.sources; \

Let's keep a backup of debian.sources and simply move that over the
snapshot version constructed here. Simpler than the sed's below, I bet.
Jan

--
Siemens AG, Foundational Technologies
Linux Expert Center

Felix Moessbauer

Nov 17, 2025, 9:56:47 AM
to kas-...@googlegroups.com, jan.k...@siemens.com, Felix Moessbauer
We currently have the snapshot mirrors in the debian sources list. While
this is in general good for having a stable baseline for installing
additional packages, it is problematic in case the container gets older
and components become outdated (e.g. the ca-certificates). By restoring
the original debian mirror entries, we make it easier for our users to
keep things up to date by just running apt-update.

Signed-off-by: Felix Moessbauer <felix.mo...@siemens.com>
---
Changes since v1:
- backup and restore sources list instead of sed magic

Dockerfile | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/Dockerfile b/Dockerfile
index f508777ad..6031de7c3 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -39,7 +39,8 @@ RUN --mount=type=cache,target=/var/cache/apt,sharing=${CACHE_SHARING} \
rm -f /etc/apt/apt.conf.d/docker-clean && \
echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' > /etc/apt/apt.conf.d/keep-packages.conf && \
if echo "${DEBIAN_TAG}" | grep -q "[0-9]"; then \
- sed -i -e '/^URIs:/d' -e 's|^# http://snapshot\.|URIs: http://snapshot.|' \
+ cp /etc/apt/sources.list.d/debian.sources /etc/apt/sources.list.d/debian.sources~; \
+ sed -i -e 's|^URIs:|#|' -e 's|^# http://snapshot\.|URIs: http://snapshot.|' \
/etc/apt/sources.list.d/debian.sources; \
echo 'Acquire::Check-Valid-Until "false";' > /etc/apt/apt.conf.d/use-snapshot.conf; \
echo 'Acquire::Retries "10";' >> /etc/apt/apt.conf.d/use-snapshot.conf; \
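Review bot: add a one-line comment next to the `cp` explaining the `debian.sources~` name and that the backup only exists for pinned tags. apt silently ignores files in sources.list.d whose names match its Dir::Ignore-Files-Silently patterns (`~$` is one of them), so the copy cannot be picked up as a second source if a later stage forgets to restore it; stating that here spares the next reader the question of why a stray file in /etc/apt/sources.list.d is harmless. Note also that the commands inside this `if` body are separated by `;`, so a failing `cp` would not abort the build.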
@@ -113,6 +114,10 @@ RUN --mount=type=cache,target=/var/cache/apt,sharing=${CACHE_SHARING} \
python3-botocore \
bubblewrap \
debootstrap && \
+ rm -f /etc/apt/apt.conf.d/use-snapshot.conf /etc/apt/apt.conf.d/keep-packages.conf && \
+ if [ -f "/etc/apt/sources.list.d/debian.sources~" ]; then \
+ mv -f /etc/apt/sources.list.d/debian.sources~ /etc/apt/sources.list.d/debian.sources; \
+ fi && \
rm -rf /var/log/* /tmp/* /var/tmp/* /var/cache/ldconfig/aux-cache && \
sbuild-adduser builder && \
sed -i 's|# kas-isar: ||g' /container-entrypoint
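Review bot: the `if [ -f ... ]` guard makes the restore silent when the backup is missing. That is the intended path for a DEBIAN_TAG without a digit, since the build arg is not visible in this stage, but it equally masks a `cp` that failed in the earlier stage (the commands in that `if` body are `;`-separated, so such a failure would not stop the build). A comment naming the intended case, or a check that `URIs:` already points at the live mirror when no backup exists, would make the silent branch deliberate rather than accidental.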
@@ -140,6 +145,10 @@ RUN --mount=type=cache,target=/var/cache/apt,sharing=${CACHE_SHARING} \
gcc build-essential chrpath socat cpio python3 python3-pip python3-pexpect \
xz-utils debianutils iputils-ping python3-git python3-jinja2 libegl1 libsdl1.2-dev \
pylint xterm python3-subunit mesa-common-dev zstd lz4 && \
+ rm -f /etc/apt/apt.conf.d/use-snapshot.conf /etc/apt/apt.conf.d/keep-packages.conf && \
+ if [ -f "/etc/apt/sources.list.d/debian.sources~" ]; then \
+ mv -f /etc/apt/sources.list.d/debian.sources~ /etc/apt/sources.list.d/debian.sources; \
+ fi && \
if [ "$TARGETPLATFORM" = "linux/amd64" ]; then \
apt-get install --no-install-recommends -y gcc-multilib g++-multilib; \
fi && \
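Review bot: the restore block is placed before the amd64-only `apt-get install --no-install-recommends -y gcc-multilib g++-multilib`, so on that platform the install runs with debian.sources already pointing at the live mirror and `Acquire::Check-Valid-Until` back at its default, while the only package indexes on disk are the ones `apt-get update` fetched from the snapshot mirror. Move the `rm -f` and the `if [ -f ... ]; then mv -f ...; fi` below the `fi` so they are the last apt-related steps of the stage.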
--
2.51.0

Jan Kiszka

Nov 17, 2025, 12:21:30 PM
to Felix Moessbauer, kas-...@googlegroups.com
When should this NOT be true? Should we then really silently skip?

> + mv -f /etc/apt/sources.list.d/debian.sources~ /etc/apt/sources.list.d/debian.sources; \
> + fi && \
> rm -rf /var/log/* /tmp/* /var/tmp/* /var/cache/ldconfig/aux-cache && \
> sbuild-adduser builder && \
> sed -i 's|# kas-isar: ||g' /container-entrypoint
> @@ -140,6 +145,10 @@ RUN --mount=type=cache,target=/var/cache/apt,sharing=${CACHE_SHARING} \
> gcc build-essential chrpath socat cpio python3 python3-pip python3-pexpect \
> xz-utils debianutils iputils-ping python3-git python3-jinja2 libegl1 libsdl1.2-dev \
> pylint xterm python3-subunit mesa-common-dev zstd lz4 && \
> + rm -f /etc/apt/apt.conf.d/use-snapshot.conf /etc/apt/apt.conf.d/keep-packages.conf && \
> + if [ -f "/etc/apt/sources.list.d/debian.sources~" ]; then \
> + mv -f /etc/apt/sources.list.d/debian.sources~ /etc/apt/sources.list.d/debian.sources; \
> + fi && \
> if [ "$TARGETPLATFORM" = "linux/amd64" ]; then \
> apt-get install --no-install-recommends -y gcc-multilib g++-multilib; \
> fi && \

MOESSBAUER, Felix

Nov 18, 2025, 3:50:16 AM
to Kiszka, Jan, kas-...@googlegroups.com
This is not true if the used debian tag does not contain a number (i.e.
it is not a reproducible container). Instead of the -f we could also
check with the same tag condition as above, but for that we would need
to refresh the DEBIAN_TAG build arg as this is not preserved across
stages.

I vote for keeping the current implementation.

Felix

>
> > + mv -f /etc/apt/sources.list.d/debian.sources~ /etc/apt/sources.list.d/debian.sources; \
> > + fi && \
> > rm -rf /var/log/* /tmp/* /var/tmp/* /var/cache/ldconfig/aux-cache && \
> > sbuild-adduser builder && \
> > sed -i 's|# kas-isar: ||g' /container-entrypoint
> > @@ -140,6 +145,10 @@ RUN --mount=type=cache,target=/var/cache/apt,sharing=${CACHE_SHARING} \
> > gcc build-essential chrpath socat cpio python3 python3-pip python3-pexpect \
> > xz-utils debianutils iputils-ping python3-git python3-jinja2 libegl1 libsdl1.2-dev \
> > pylint xterm python3-subunit mesa-common-dev zstd lz4 && \
> > + rm -f /etc/apt/apt.conf.d/use-snapshot.conf /etc/apt/apt.conf.d/keep-packages.conf && \
> > + if [ -f "/etc/apt/sources.list.d/debian.sources~" ]; then \
> > + mv -f /etc/apt/sources.list.d/debian.sources~ /etc/apt/sources.list.d/debian.sources; \
> > + fi && \
> > if [ "$TARGETPLATFORM" = "linux/amd64" ]; then \
> > apt-get install --no-install-recommends -y gcc-multilib g++-multilib; \
> > fi && \
>
> Jan
>

--
Siemens AG
Linux Expert Center
Friedrich-Ludwig-Bauer-Str. 3
85748 Garching, Germany
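The pin, backup and restore steps under discussion, run against a throwaway file rather than a container. This is an added example and not kas code: it reproduces the v2 logic (pin only when DEBIAN_TAG contains a digit, take a backup, restore only if the backup exists) and the v1 three-expression sed as shell functions over a constructed debian.sources laid out the way the patch's sed expressions expect, with a `# http://snapshot.` comment directly above each `URIs:` line. The temporary directory stands in for /etc/apt, and the tag names and snapshot date are made up.

```shell
#!/bin/sh
# Added example, not part of kas: exercise the snapshot pin / restore logic
# from the patch against a constructed deb822 sources file in a temp dir.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SOURCES="$WORK/debian.sources"      # stands in for /etc/apt/sources.list.d/debian.sources
APTCONF="$WORK/use-snapshot.conf"   # stands in for /etc/apt/apt.conf.d/use-snapshot.conf

# Constructed sample in the layout the patch's sed expressions rely on:
# a commented snapshot URI directly above each live "URIs:" line.
write_sample_sources() {
    cat > "$SOURCES" <<'EOF'
Types: deb
# http://snapshot.debian.org/archive/debian/20250101T000000Z
URIs: http://deb.debian.org/debian
Suites: bookworm bookworm-updates
Components: main
Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg

Types: deb
# http://snapshot.debian.org/archive/debian-security/20250101T000000Z
URIs: http://deb.debian.org/debian-security
Suites: bookworm-security
Components: main
Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
EOF
}

# Space-separated list of the URIs apt would actually use.
active_uris() {
    awk '/^URIs:/ { printf "%s%s", (n++ ? " " : ""), $2 }' "$SOURCES"
}

# v2 install stage: only a tag containing a digit is a reproducible pin.
# Only then is a backup taken and the snapshot URI activated.
pin_to_snapshot() {                 # $1 = DEBIAN_TAG (assumed build arg)
    if echo "$1" | grep -q "[0-9]"; then
        cp "$SOURCES" "$SOURCES~"
        sed -i -e 's|^URIs:|#|' -e 's|^# http://snapshot\.|URIs: http://snapshot.|' "$SOURCES"
        # snapshot Release files may be past their Valid-Until date, so apt is told to accept them
        echo 'Acquire::Check-Valid-Until "false";' > "$APTCONF"
    fi
}

# v2 restore: drop the snapshot-only apt config and put the live mirror back,
# but only if a backup exists (later stages cannot see DEBIAN_TAG).
restore_live_mirror() {
    rm -f "$APTCONF"
    if [ -f "$SOURCES~" ]; then
        mv -f "$SOURCES~" "$SOURCES"
    fi
}

# v1 approach: swap every "#" line with every "URIs:" line, unconditionally.
swap_uris_v1() {
    sed -i \
        -e 's|^#\(.*\)|@@TMP@@\1|' \
        -e 's|^URIs:\(.*\)|#\1|' \
        -e 's|@@TMP@@\(.*\)|URIs:\1|' \
        "$SOURCES"
}

# Walk through the states when run directly.
write_sample_sources
pin_to_snapshot "bookworm-20250101"
echo "pinned:   $(active_uris)"
restore_live_mirror
echo "restored: $(active_uris)"
write_sample_sources
pin_to_snapshot "bookworm"          # no digit: no pin, no backup
restore_live_mirror                 # the -f guard makes this a no-op
echo "unpinned: $(active_uris)"
swap_uris_v1                        # v1 on an unpinned file flips it to the snapshot
echo "v1 swap:  $(active_uris)"
```

Running it prints the four states: a pinned tag yields the snapshot URIs with a backup present, the restore brings deb.debian.org back and removes the backup, an unpinned tag leaves the file untouched so the `-f` guard is what turns the restore into a no-op, and the v1 swap applied to that untouched file activates the snapshot URIs, which is why the restore needs to know whether the pin ever happened.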

Jan Kiszka

Nov 18, 2025, 4:20:32 AM
to Moessbauer, Felix (FT RPD CED OES-DE), kas-...@googlegroups.com
OK, now I see it.

> I vote for keeping the current implementation.
>

Thanks, merged.

Jan Kiszka

Nov 18, 2025, 2:45:15 PM
to Felix Moessbauer, kas-...@googlegroups.com
On 17.11.25 15:56, Felix Moessbauer wrote:
This was untested. Fixes in next by moving it down.

Jan

> if [ "$TARGETPLATFORM" = "linux/amd64" ]; then \
> apt-get install --no-install-recommends -y gcc-multilib g++-multilib; \
> fi && \

