tftsr-devops_investigation/.docker/Dockerfile.linux-arm64

# Pre-baked cross-compiler for Linux arm64 Tauri releases (runs on Linux amd64).
# Bakes in: amd64 cross-toolchain, arm64 multiarch dev libs, Node.js, and Rust.
# This image takes ~15 min to build but is only rebuilt when deps change.
# Rebuild when: Rust toolchain version, webkit2gtk/gtk major version, Node.js major version,
# OpenSSL major version (used via OPENSSL_STATIC=1), or Tauri CLI changes that affect
# bundler system deps.
# Tag format: rust<VER>-node<VER>
FROM ubuntu:22.04

ARG DEBIAN_FRONTEND=noninteractive

# Step 1: amd64 host tools and cross-compiler
RUN apt-get update -qq \
    && apt-get install -y -qq --no-install-recommends \
       ca-certificates curl git gcc g++ make patchelf pkg-config perl jq \
       gcc-aarch64-linux-gnu g++-aarch64-linux-gnu \
    && rm -rf /var/lib/apt/lists/*

# Step 2: Enable arm64 multiarch.  Ubuntu uses ports.ubuntu.com for arm64 to avoid
# binary-all index conflicts with the amd64 archive.ubuntu.com mirror.
RUN dpkg --add-architecture arm64 \
    && sed -i 's|^deb http://archive.ubuntu.com|deb [arch=amd64] http://archive.ubuntu.com|g' /etc/apt/sources.list \
    && sed -i 's|^deb http://security.ubuntu.com|deb [arch=amd64] http://security.ubuntu.com|g' /etc/apt/sources.list \
    && printf '%s\n' \
       'deb [arch=arm64] http://ports.ubuntu.com/ubuntu-ports jammy main restricted universe multiverse' \
       'deb [arch=arm64] http://ports.ubuntu.com/ubuntu-ports jammy-updates main restricted universe multiverse' \
       'deb [arch=arm64] http://ports.ubuntu.com/ubuntu-ports jammy-security main restricted universe multiverse' \
       > /etc/apt/sources.list.d/arm64-ports.list \
    && apt-get update -qq \
    && apt-get install -y -qq --no-install-recommends \
       libwebkit2gtk-4.1-dev:arm64 \
       libssl-dev:arm64 \
       libgtk-3-dev:arm64 \
       librsvg2-dev:arm64 \
    && rm -rf /var/lib/apt/lists/*

# Step 3: Node.js 22
RUN curl -fsSL https://deb.nodesource.com/setup_22.x | bash - \
    && apt-get install -y --no-install-recommends nodejs \
    && rm -rf /var/lib/apt/lists/*

# Step 4: GitHub CLI
# tea (Gitea CLI) can be installed if needed:
# RUN curl -sL https://dl.gitea.com/tea/master/tea-master-linux-arm64 -o /usr/local/bin/tea \
#     && chmod +x /usr/local/bin/tea

# Step 5: Rust 1.88 with arm64 cross-compilation target
RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y \
    --default-toolchain 1.88.0 --profile minimal --no-modify-path \
    && /root/.cargo/bin/rustup target add aarch64-unknown-linux-gnu \
    && /root/.cargo/bin/rustup component add rustfmt clippy

ENV PATH="/root/.cargo/bin:${PATH}"
feat(ci): add persistent pre-baked Docker builder images Add three Dockerfiles under .docker/ and a build-images.yml workflow that pushes them to the local Gitea container registry (172.0.0.29:3000). Each image pre-installs all system deps, Node.js 22, and the Rust cross- compilation target so release builds can skip apt-get entirely: trcaa-linux-amd64:rust1.88-node22 — webkit2gtk, gtk3, all Tauri deps trcaa-windows-cross:rust1.88-node22 — mingw-w64, nsis, Windows target trcaa-linux-arm64:rust1.88-node22 — arm64 multiarch dev libs, Rust 1.88 build-images.yml triggers automatically when .docker/ changes on master and supports workflow_dispatch for manual/first-time builds. auto-tag.yml is NOT changed in this commit — switch it to use the new images in the follow-up PR (after images are pushed to the registry). One-time server setup required before first use: echo '{"insecure-registries":["172.0.0.29:3000"]}' \ \| sudo tee /etc/docker/daemon.json && sudo systemctl restart docker 2026-04-06 02:07:17 +00:00			`# Pre-baked cross-compiler for Linux arm64 Tauri releases (runs on Linux amd64).`
			`# Bakes in: amd64 cross-toolchain, arm64 multiarch dev libs, Node.js, and Rust.`
			`# This image takes ~15 min to build but is only rebuilt when deps change.`
docs(docker): expand rebuild trigger comments to include OpenSSL and Tauri CLI 2026-04-12 23:54:57 +00:00			`# Rebuild when: Rust toolchain version, webkit2gtk/gtk major version, Node.js major version,`
			`# OpenSSL major version (used via OPENSSL_STATIC=1), or Tauri CLI changes that affect`
			`# bundler system deps.`
feat(ci): add persistent pre-baked Docker builder images Add three Dockerfiles under .docker/ and a build-images.yml workflow that pushes them to the local Gitea container registry (172.0.0.29:3000). Each image pre-installs all system deps, Node.js 22, and the Rust cross- compilation target so release builds can skip apt-get entirely: trcaa-linux-amd64:rust1.88-node22 — webkit2gtk, gtk3, all Tauri deps trcaa-windows-cross:rust1.88-node22 — mingw-w64, nsis, Windows target trcaa-linux-arm64:rust1.88-node22 — arm64 multiarch dev libs, Rust 1.88 build-images.yml triggers automatically when .docker/ changes on master and supports workflow_dispatch for manual/first-time builds. auto-tag.yml is NOT changed in this commit — switch it to use the new images in the follow-up PR (after images are pushed to the registry). One-time server setup required before first use: echo '{"insecure-registries":["172.0.0.29:3000"]}' \ \| sudo tee /etc/docker/daemon.json && sudo systemctl restart docker 2026-04-06 02:07:17 +00:00			`# Tag format: rust<VER>-node<VER>`
			`FROM ubuntu:22.04`

			`ARG DEBIAN_FRONTEND=noninteractive`

			`# Step 1: amd64 host tools and cross-compiler`
			`RUN apt-get update -qq \`
			`&& apt-get install -y -qq --no-install-recommends \`
fix(docker): add ca-certificates to arm64 base image step 1 ubuntu:22.04 minimal does not guarantee ca-certificates is present before the multiarch apt operations in Step 2. curl in Step 3 then fails with error 77 (CURLE_SSL_CACERT_BADFILE) when fetching the nodesource setup script over HTTPS. 2026-04-13 00:42:08 +00:00			`ca-certificates curl git gcc g++ make patchelf pkg-config perl jq \`
feat(ci): add persistent pre-baked Docker builder images Add three Dockerfiles under .docker/ and a build-images.yml workflow that pushes them to the local Gitea container registry (172.0.0.29:3000). Each image pre-installs all system deps, Node.js 22, and the Rust cross- compilation target so release builds can skip apt-get entirely: trcaa-linux-amd64:rust1.88-node22 — webkit2gtk, gtk3, all Tauri deps trcaa-windows-cross:rust1.88-node22 — mingw-w64, nsis, Windows target trcaa-linux-arm64:rust1.88-node22 — arm64 multiarch dev libs, Rust 1.88 build-images.yml triggers automatically when .docker/ changes on master and supports workflow_dispatch for manual/first-time builds. auto-tag.yml is NOT changed in this commit — switch it to use the new images in the follow-up PR (after images are pushed to the registry). One-time server setup required before first use: echo '{"insecure-registries":["172.0.0.29:3000"]}' \ \| sudo tee /etc/docker/daemon.json && sudo systemctl restart docker 2026-04-06 02:07:17 +00:00			`gcc-aarch64-linux-gnu g++-aarch64-linux-gnu \`
			`&& rm -rf /var/lib/apt/lists/*`

			`# Step 2: Enable arm64 multiarch. Ubuntu uses ports.ubuntu.com for arm64 to avoid`
			`# binary-all index conflicts with the amd64 archive.ubuntu.com mirror.`
			`RUN dpkg --add-architecture arm64 \`
			`&& sed -i 's\|^deb http://archive.ubuntu.com\|deb [arch=amd64] http://archive.ubuntu.com\|g' /etc/apt/sources.list \`
			`&& sed -i 's\|^deb http://security.ubuntu.com\|deb [arch=amd64] http://security.ubuntu.com\|g' /etc/apt/sources.list \`
			`&& printf '%s\n' \`
			`'deb [arch=arm64] http://ports.ubuntu.com/ubuntu-ports jammy main restricted universe multiverse' \`
			`'deb [arch=arm64] http://ports.ubuntu.com/ubuntu-ports jammy-updates main restricted universe multiverse' \`
			`'deb [arch=arm64] http://ports.ubuntu.com/ubuntu-ports jammy-security main restricted universe multiverse' \`
			`> /etc/apt/sources.list.d/arm64-ports.list \`
			`&& apt-get update -qq \`
			`&& apt-get install -y -qq --no-install-recommends \`
			`libwebkit2gtk-4.1-dev:arm64 \`
			`libssl-dev:arm64 \`
			`libgtk-3-dev:arm64 \`
			`librsvg2-dev:arm64 \`
			`&& rm -rf /var/lib/apt/lists/*`

			`# Step 3: Node.js 22`
			`RUN curl -fsSL https://deb.nodesource.com/setup_22.x \| bash - \`
			`&& apt-get install -y --no-install-recommends nodejs \`
			`&& rm -rf /var/lib/apt/lists/*`

feat: full copy from apollo_nxt-trcaa with complete sanitization Complete backport of all features from apollo_nxt-trcaa repository: - Three-tier shell execution safety system (Tier 1: auto, Tier 2: approve, Tier 3: deny) - Ollama function calling with tool use support - AI provider tool calling auto-detection - kubectl binary bundling and management - kubeconfig upload and context management - Shell approval modal with real-time UI - MCP protocol HTTP transport with custom headers - Enhanced security audit logging - Comprehensive test coverage (275+ tests) - Updated CI/CD workflows for Gitea Actions - Complete documentation (ADRs, wiki, release notes) Sanitization applied to all files: - Removed all MSI, Motorola, VNXT, Vesta references - Replaced internal infrastructure references with TFTSR equivalents - Updated all URLs and API endpoints - Sanitized commit history references in documentation Technical changes: - New modules: shell/classifier, shell/executor, shell/kubectl, shell/kubeconfig - Enhanced AI providers: ollama.rs, openai.rs with function calling - New Tauri commands: shell execution, kubeconfig management, tool calling detection - Database migrations: shell_execution_audit table - Frontend: ShellApprovalModal, ShellExecution, KubeconfigManager pages - CI/CD: kubectl bundling, multi-platform builds, Gitea Actions integration Version: 1.0.8 Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com> 2026-06-05 19:11:00 +00:00			`# Step 4: GitHub CLI`
fix: revert incorrect sanitization - use 172.0.0.29 for CI runners Critical fixes for CI/CD workflows: 1. Reverted gitea.tftsr.com:3000 → 172.0.0.29:3000 in ALL workflow files - CI runners MUST use internal IP address 172.0.0.29 - This was incorrectly sanitized in the initial backport 2. Removed GitHub CLI (gh) from Dockerfiles - Replaced with commented-out tea (Gitea CLI) installation - This project uses Gitea, not GitHub Files changed: - .gitea/workflows/auto-tag.yml - Fixed 19 URLs - .gitea/workflows/build-images.yml - Fixed registry URLs - .gitea/workflows/test.yml - Fixed git remote URLs - .docker/Dockerfile.* - Removed gh CLI, added tea as optional Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com> 2026-06-05 19:52:00 +00:00			`# tea (Gitea CLI) can be installed if needed:`
			`# RUN curl -sL https://dl.gitea.com/tea/master/tea-master-linux-arm64 -o /usr/local/bin/tea \`
			`# && chmod +x /usr/local/bin/tea`
feat: full copy from apollo_nxt-trcaa with complete sanitization Complete backport of all features from apollo_nxt-trcaa repository: - Three-tier shell execution safety system (Tier 1: auto, Tier 2: approve, Tier 3: deny) - Ollama function calling with tool use support - AI provider tool calling auto-detection - kubectl binary bundling and management - kubeconfig upload and context management - Shell approval modal with real-time UI - MCP protocol HTTP transport with custom headers - Enhanced security audit logging - Comprehensive test coverage (275+ tests) - Updated CI/CD workflows for Gitea Actions - Complete documentation (ADRs, wiki, release notes) Sanitization applied to all files: - Removed all MSI, Motorola, VNXT, Vesta references - Replaced internal infrastructure references with TFTSR equivalents - Updated all URLs and API endpoints - Sanitized commit history references in documentation Technical changes: - New modules: shell/classifier, shell/executor, shell/kubectl, shell/kubeconfig - Enhanced AI providers: ollama.rs, openai.rs with function calling - New Tauri commands: shell execution, kubeconfig management, tool calling detection - Database migrations: shell_execution_audit table - Frontend: ShellApprovalModal, ShellExecution, KubeconfigManager pages - CI/CD: kubectl bundling, multi-platform builds, Gitea Actions integration Version: 1.0.8 Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com> 2026-06-05 19:11:00 +00:00
			`# Step 5: Rust 1.88 with arm64 cross-compilation target`
feat(ci): add persistent pre-baked Docker builder images Add three Dockerfiles under .docker/ and a build-images.yml workflow that pushes them to the local Gitea container registry (172.0.0.29:3000). Each image pre-installs all system deps, Node.js 22, and the Rust cross- compilation target so release builds can skip apt-get entirely: trcaa-linux-amd64:rust1.88-node22 — webkit2gtk, gtk3, all Tauri deps trcaa-windows-cross:rust1.88-node22 — mingw-w64, nsis, Windows target trcaa-linux-arm64:rust1.88-node22 — arm64 multiarch dev libs, Rust 1.88 build-images.yml triggers automatically when .docker/ changes on master and supports workflow_dispatch for manual/first-time builds. auto-tag.yml is NOT changed in this commit — switch it to use the new images in the follow-up PR (after images are pushed to the registry). One-time server setup required before first use: echo '{"insecure-registries":["172.0.0.29:3000"]}' \ \| sudo tee /etc/docker/daemon.json && sudo systemctl restart docker 2026-04-06 02:07:17 +00:00			`RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs \| sh -s -- -y \`
			`--default-toolchain 1.88.0 --profile minimal --no-modify-path \`
perf(ci): use pre-baked images and add cargo/npm caching Switch all test and release build jobs from raw base images to the pre-baked images already defined in .docker/ and pushed to the local Gitea registry. Add actions/cache@v3 for Cargo registry and npm to eliminate redundant downloads on subsequent runs. Changes: - Dockerfile.linux-amd64/arm64: bake in rustfmt and clippy components - test.yml: rust jobs → trcaa-linux-amd64:rust1.88-node22; drop inline apt-get and rustup component-add steps; add cargo cache - test.yml: frontend jobs → add npm cache - auto-tag.yml: build-linux-amd64 → trcaa-linux-amd64; drop Install dependencies step and rustup target add - auto-tag.yml: build-windows-amd64 → trcaa-windows-cross; drop Install dependencies step and rustup target add - auto-tag.yml: build-linux-arm64 → trcaa-linux-arm64 (ubuntu:22.04-based); drop ~40-line Install dependencies step, . "$HOME/.cargo/env", and rustup target add (all pre-baked in image ENV PATH) - All build jobs: add cargo and npm cache steps - docs/wiki/CICD-Pipeline.md: document pre-baked images, cache keys, and insecure-registries daemon prerequisite Expected savings: ~70% faster PR test suite (~1.5 min vs ~5 min), ~72% faster release builds (~7 min vs ~25 min) after cache warms up. NOTE: Trigger build-images.yml via workflow_dispatch before merging to ensure images contain rustfmt/clippy before workflow changes land. 2026-04-12 23:17:35 +00:00			`&& /root/.cargo/bin/rustup target add aarch64-unknown-linux-gnu \`
fix(ci): address second AI review — \|\| true, ca-certs, cache@v4, key suffixes Dockerfiles: - Remove \|\| true from rustup component add in all three Linux images; rust:1.88-slim default profile already includes both components so the command is a clean no-op, not a failure risk — silencing errors served no purpose and only hid potential toolchain issues - Add ca-certificates explicitly to Dockerfile.linux-amd64 and Dockerfile.windows-cross (rust:1.88-slim includes it, but being explicit is consistent with the arm64 fix and future-proofs against base image changes) Workflows: - Upgrade actions/cache@v3 → @v4 across test.yml and auto-tag.yml (v3 deprecated; v4 has parallel uploads and better large-cache support) - Add linux-amd64 suffix to cargo cache keys in test.yml Rust jobs and auto-tag.yml build-linux-amd64 job; all four jobs target the same architecture and now share a cache, benefiting from cross-job hits (registry cache is source tarballs, not compiled artifacts — no pollution risk between targets) Not changed: - alpine:latest + docker-cli in build-images.yml is correct; the reviewer confused DinD with socket passthrough — docker:24-cli also has no daemon, both use the host socket; the builds already proved alpine works - curl\|bash for rustup is the official install method; rustup.rs publishes no checksums for the installer script itself 2026-04-13 01:07:20 +00:00			`&& /root/.cargo/bin/rustup component add rustfmt clippy`
feat(ci): add persistent pre-baked Docker builder images Add three Dockerfiles under .docker/ and a build-images.yml workflow that pushes them to the local Gitea container registry (172.0.0.29:3000). Each image pre-installs all system deps, Node.js 22, and the Rust cross- compilation target so release builds can skip apt-get entirely: trcaa-linux-amd64:rust1.88-node22 — webkit2gtk, gtk3, all Tauri deps trcaa-windows-cross:rust1.88-node22 — mingw-w64, nsis, Windows target trcaa-linux-arm64:rust1.88-node22 — arm64 multiarch dev libs, Rust 1.88 build-images.yml triggers automatically when .docker/ changes on master and supports workflow_dispatch for manual/first-time builds. auto-tag.yml is NOT changed in this commit — switch it to use the new images in the follow-up PR (after images are pushed to the registry). One-time server setup required before first use: echo '{"insecure-registries":["172.0.0.29:3000"]}' \ \| sudo tee /etc/docker/daemon.json && sudo systemctl restart docker 2026-04-06 02:07:17 +00:00
			`ENV PATH="/root/.cargo/bin:${PATH}"`