dockerfile: add proper OCI annotations

.. to achieve faster builds

.drone.yml

@@ -10,7 +10,7 @@ platform:
 steps:
 - name: hadolint
   pull: always
-  image: hadolint/hadolint:v1.23.0-8-gb01c5a9-alpine
+  image: hadolint/hadolint:v2.10.0-alpine
   commands:
   - hadolint --version
   - hadolint Dockerfile

.hadolint.yaml

@@ -4,7 +4,6 @@ ignored:
   - DL3039
   # DL3041 warning: Specify version with `dnf install -y <package>-<version>`.
   - DL3041
-  # SC2039 warning: In POSIX sh, brace expansion is undefined.
+  # SC3009 warning: In POSIX sh, brace expansion is undefined.
   # it actually still works
-  - SC2039
+  - SC3009
-

.pre-commit-config.yaml

@@ -0,0 +1,11 @@
+---
+fail_fast: false
+repos:
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v4.2.0
+    hooks:
+      - id: check-merge-conflict
+  - repo: https://git.dotya.ml/wanderer/hadolint-pre-commit
+    rev: v0.0.1
+    hooks:
+      - id: hadolint-container

Dockerfile

@@ -1,20 +1,34 @@
 # syntax=docker/dockerfile:1.3
-FROM registry.fedoraproject.org/fedora:34
+FROM registry.fedoraproject.org/fedora-minimal:36
 
 ARG BUILD_DATE
 ARG VCS_REF
 
-LABEL description="Container image mainly used for CI testing of C/C++ programs on Fedora"
+# as per https://github.com/opencontainers/image-spec/blob/main/annotations.md,
-
+# keep Label Schema labels for backward compatibility.
-LABEL org.label-schema.build-date=$BUILD_DATE \
+LABEL description="Container image mainly used for CI testing of C/C++ programs on Fedora" \
+      org.label-schema.build-date=$BUILD_DATE \
       org.label-schema.vcs-url="https://git.dotya.ml/wanderer/docker-fedora-cpp.git" \
       org.label-schema.vcs-ref=$VCS_REF \
-      org.label-schema.license=GPL-3.0
+      org.label-schema.license=GPL-3.0 \
+      org.opencontainers.image.title="docker-fedora-cpp" \
+      org.opencontainers.image.description="Container image mainly used for CI testing of C/C++ programs on Fedora" \
+      org.opencontainers.image.created=$BUILD_DATE \
+      org.opencontainers.image.authors=wanderer \
+      org.opencontainers.image.url="https://git.dotya.ml/wanderer/docker-fedora-cpp.git" \
+      org.opencontainers.image.source="https://git.dotya.ml/wanderer/docker-fedora-cpp.git" \
+      org.opencontainers.image.revision=$VCS_REF \
+      org.opencontainers.image.licenses=GPL-3.0
 
 RUN printf "[main]\ngpg_check=1\ninstallonly_limit=2\nclean_requirements_on_remove=True\nfastestmirror=True\nmax_parallel_downloads=7\n" > /etc/dnf/dnf.conf; \
     cat /etc/dnf/dnf.conf; \
-      dnf --refresh upgrade -y
+    \
-RUN dnf install --nodocs -y \
+    microdnf --refresh upgrade -y && \
+    \
+    \
+    microdnf install --nodocs dnf dnf-plugins-core -y && \
+    dnf copr enable eddsalkield/iwyu -y && \
+    microdnf install --nodocs --setopt install_weak_deps=0 -y \
     git \
     ninja-build \
     make \
@@ -24,7 +38,14 @@ RUN dnf install --nodocs -y \
     libgcc \
     libstdc++-{devel,static} \
     glibc-devel \
+    iwyu \
+    cryptopp-devel \
+    libasan-static \
+    liblsan-static \
+    libubsan-static \
+    libtsan-static \
     binutils \
+    lld \
     flex \
     bison \
     openmpi-devel \
@@ -47,17 +68,18 @@ RUN dnf install --nodocs -y \
     kernel-devel \
     ncurses-{c++-libs,devel,libs,static} \
     numactl-{devel,libs} \
-    && dnf clean all -y
+    && dnf copr disable eddsalkield/iwyu \
-
+    && rm -vf /etc/dnf/protected.d/dnf.conf \
-# nDPI will by default (left unchanged) be installed with prefix "/usr/local".
+    && microdnf remove dnf-plugins-core -y \
-# this makes sure the results get picked up in subsequent linkings against it.
+    && rpm --nodeps -e dnf \
-RUN printf "/usr/local/lib\n" >> /etc/ld.so.conf.d/local.conf && /usr/sbin/ldconfig
+    && microdnf clean all -y && \
-
+    \
-# see https://git.dotya.ml/wanderer/docker-fedora-cpp/issues/1
+	\
-#
+    printf "/usr/local/lib\n" >> /etc/ld.so.conf.d/local.conf && \
-# building nDPI would fail with plain RUN and kaniko.
+	/usr/sbin/ldconfig && \
-# having it wrapped in 'bash -c' helped
+    \
-RUN bash -c 'export MAKEFLAGS="$MAKEFLAGS -j$(nproc)" && printf "$MAKEFLAGS\n"; \
+	\
+    bash -c 'export MAKEFLAGS="$MAKEFLAGS -j$(nproc)" && printf "$MAKEFLAGS\n"; \
     export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/sbin:$PATH"; \
     git clone https://github.com/ntop/nDPI.git /tmp/nDPI && \
     cd /tmp/nDPI ; \
@@ -71,7 +93,15 @@ RUN bash -c 'export MAKEFLAGS="$MAKEFLAGS -j$(nproc)" && printf "$MAKEFLAGS\n";
     ./autogen.sh && \
     ./configure && \
     make && \
-    make install'
+    make install'; \
-RUN if [ -f /tmp/nDPI/config.log ]; then cat /tmp/nDPI/config.log; fi; \
+	\
+    if [ -f /tmp/nDPI/config.log ]; then cat /tmp/nDPI/config.log; fi; \
     rm -rf /tmp/nDPI
 
+# nDPI is by default (left unchanged) installed with prefix "/usr/local".
+# we make sure the results (libs in /usr/local/lib) get picked up in subsequent
+# linkings against it by aappending to /etc/ld.so.conf.d/local.conf.
+# see https://git.dotya.ml/wanderer/docker-fedora-cpp/issues/1
+#
+# further, building nDPI would fail with plain RUN inside kaniko.
+# having it wrapped in 'bash -c' helped

Makefile

@@ -4,20 +4,20 @@ dtag = immawanderer/fedora-cpp:testbuild
 dargs = build -t $(dtag) --no-cache --pull - < $(dfile)
 cleanargs = image rm -f $(dtag)
 pruneargs = system prune -af
-dargskaniko = run --rm -it -w=$(kanikowdir) -v $$PWD:$(kanikowdir)
+dargskaniko = run --rm -it -w=$(kanikowdir) -v $$PWD:$(kanikowdir):z
-kanikoexecutorimg = gcr.io/kaniko-project/executor@sha256:6ecc43ae139ad8cfa11604b592aaedddcabff8cef469eda303f1fb5afe5e3034
+kanikoexecutorimg = gcr.io/kaniko-project/executor:v1.8.1-debug
 kanikowdir = /src
 kanikocontext = .
 kanikoargs = -f=$(dfile) -c=$(kanikocontext) --use-new-run --snapshotMode=redo --build-arg BUILD_DATE=$(build_date) --build-arg VCS_REF=$(vcs_ref) --no-push
 vcs_ref = $$(git rev-parse --short HEAD)
 build_date= $$(date -u +"%Y-%m-%dT%H:%M:%SZ")
-hadolintimg = hadolint/hadolint:v1.23.0-8-gb01c5a9-alpine
+hadolintimg = hadolint/hadolint
-hadolintargs = run --rm -i -v $$PWD/.hadolint.yaml:/root/.config/hadolint.yaml
+hadolinttag = v2.10.0-alpine
-
+hadolintargs = run --rm -i -v $$PWD:/src:z --workdir=/src
 .PHONY: hadolint build kaniko clean test prune
 
 hadolint:
-	$(dcmd) $(hadolintargs) $(hadolintimg) < $(dfile)
+	$(dcmd) $(hadolintargs) $(hadolintimg):$(hadolinttag) < $(dfile)
 
 kaniko:
 	$(dcmd) $(dargskaniko) $(kanikoexecutorimg) $(kanikoargs)

README.md

@@ -1,5 +1,6 @@
 # docker-fedora-cpp
 
+[![pre-commit](https://img.shields.io/badge/pre--commit-enabled-brightgreen?logo=pre-commit&logoColor=white)](https://github.com/pre-commit/pre-commit)
 [![Build Status](https://drone.dotya.ml/api/badges/wanderer/docker-fedora-cpp/status.svg?ref=refs/heads/dev)](https://drone.dotya.ml/wanderer/docker-fedora-cpp)
 [![Docker Image Version (latest by date)](https://img.shields.io/docker/v/immawanderer/fedora-cpp)](https://hub.docker.com/r/immawanderer/fedora-cpp/tags/?page=1&ordering=last_updated)
 [![Docker Image Version (tag latest semver)](https://img.shields.io/docker/v/immawanderer/archlinux/linux-amd64)](https://hub.docker.com/r/immawanderer/fedora-cpp/tags/?page=1&ordering=last_updated&name=linux-amd64)
@@ -13,11 +14,14 @@ The image is rebuilt nightly to ensure it always has the latest packages.
 development happens on [this Gitea instance](https://git.dotya.ml/wanderer/docker-fedora-cpp)
 
 ## What you get
-* updated `registry.fedoraproject.org/fedora:34` image
+* updated `registry.fedoraproject.org/fedora-minimal:36` image
 * the result of
 ```sh
-    dnf install -y \
+    microdnf install --nodocs dnf dnf-plugins-core -y && \
+    dnf copr enable eddsalkield/iwyu -y && \
+    microdnf install --nodocs --setopt install_weak_deps=0 -y \
     git \
+    ninja-build \
     make \
     {c,auto}make \
     gcc \
@@ -25,7 +29,14 @@ development happens on [this Gitea instance](https://git.dotya.ml/wanderer/docke
     libgcc \
     libstdc++-{devel,static} \
     glibc-devel \
+    iwyu \
+    cryptopp-devel \
+    libasan-static \
+    liblsan-static \
+    libubsan-static \
+    libtsan-static \
     binutils \
+    lld \
     flex \
     bison \
     openmpi-devel \
@@ -46,9 +57,13 @@ development happens on [this Gitea instance](https://git.dotya.ml/wanderer/docke
     autoconf \
     pkgconf \
     kernel-devel \
-    numactl-{devel,libs} \
     ncurses-{c++-libs,devel,libs,static} \
-    && dnf clean all -y
+    numactl-{devel,libs} \
+    && dnf copr disable eddsalkield/iwyu \
+    && rm -vf /etc/dnf/protected.d/dnf.conf \
+    && microdnf remove dnf-plugins-core -y \
+    && rpm --nodeps -e dnf \
+    && microdnf clean all -y
 ```
 * compiled [`github.com/ntop/nDPI.git`](https://github.com/ntop/nDPI)