From 587473632d7445fc86e5038ed10637a213c3166c Mon Sep 17 00:00:00 2001
From: Martin Pitt
Date: Fri, 19 Feb 2021 07:28:25 +0100
Subject: [PATCH 1/2] tasks: Work around podman 3.0.0 volume handling regression

Current podman 3.0.0 in system mode has a regression with handling anonymous volumes. See https://github.com/containers/podman/issues/9432 for details. Work around this by placing RabbitMQ's data into a tmpfs volume.
---
 tasks/run-local.sh | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/tasks/run-local.sh b/tasks/run-local.sh
index e9f22352..bf93fcaa 100755
--- a/tasks/run-local.sh
+++ b/tasks/run-local.sh
@@ -91,8 +91,10 @@ EOF
 fi
 # start podman and run RabbitMQ in the background
+# HACK: put data into a tmpfs instead of anonymous volume, see https://github.com/containers/podman/issues/9432
 podman run -d --name cockpituous-rabbitmq --pod=new:cockpituous \
 --publish $IMAGE_PORT:8080 \
+ --tmpfs /var/lib/rabbitmq \
 -v "$RABBITMQ_CONFIG":/etc/rabbitmq:ro \
 -v "$SECRETS"/webhook:/run/secrets/webhook:ro \
 docker.io/rabbitmq:3-management
From 9e57cc1bfd8798ee5fd4a5269fbc45daa47c7914 Mon Sep 17 00:00:00 2001
From: Martin Pitt
Date: Thu, 18 Feb 2021 16:07:21 +0100
Subject: [PATCH 2/2] images: Minimize container

Use a multi-stage build [1], pick some "small container targetted" basic packages, and remove some larger packages that we really don't need in the container. This shrinks the container from 313 to 137 MB. [1] https://docs.docker.com/develop/develop-images/multistage-build/
---
 images/Dockerfile | 24 ++++++++++++++++++------
 1 file changed, 18 insertions(+), 6 deletions(-)

diff --git a/images/Dockerfile b/images/Dockerfile
index 6b5c7d1c..f0bf2b30 100644
--- a/images/Dockerfile
+++ b/images/Dockerfile
@@ -1,11 +1,23 @@
-FROM fedora:latest
+FROM fedora:latest AS builder
 LABEL maintainer='cockpit-devel@lists.fedorahosted.org'
-RUN dnf -y update && \
- dnf -y install nginx openssh-server /usr/bin/python && \
- dnf clean all && \
- mkdir -p /home/user
-
+# avoid unnecessary stuff in the container; systemd is a protected package, so apply some extra force
+RUN source /etc/os-release && \
+ dnf install -y --releasever=$VERSION_ID --setopt=install_weak_deps=False --installroot=/build \
+ coreutils-single \
+ glibc-minimal-langpack \
+ nginx \
+ openssh-server \
+ tar \
+ /usr/bin/python3 && \
+ rpm --root=/build --verbose --erase --nodeps systemd && \
+ dnf remove -y --installroot=/build systemd-networkd device-mapper dbus-broker cryptsetup && \
+ rm -r /build/var/cache/dnf /build/var/lib/dnf /build/var/lib/rpm*
+
+FROM scratch
+COPY --from=builder /build /
+
+RUN mkdir -p /home/user
 # can't use ../sink/sink with docker build
 ADD https://raw.githubusercontent.com/cockpit-project/cockpituous/master/sink/sink /home/user/sink
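Review bot: The last line of the builder `RUN` deletes `/build/var/lib/rpm*`, so the final `scratch` image ships without an RPM database. Image scanners and `rpm -qa` / `rpm -V` then have no package inventory to match against advisories or to verify installed files. If the size saving is wanted, record the package list before the delete, for example `rpm --root=/build -qa > /build/etc/rpm-manifest.txt && \` (path chosen here as an example); otherwise keep the database and end the step with `rm -r /build/var/cache/dnf /build/var/lib/dnf`. Separately, `FROM fedora:latest AS builder` combined with `--releasever=$VERSION_ID` makes the installed package set follow whatever release the tag points to at build time, so a versioned tag would make rebuilds comparable. The Dockerfile continues past the end of this hunk.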