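ARG BASE_IMAGE=europe-west1-docker.pkg.dev/cqse-build/teamscale/teamscale-base:v63

########################################################################
# Intermediate image for copying the files and managing the permissions in /opt/teamscale.
# The COPY and RUN commands introduce layers which work on the same files and
# by just copying the end result to the production image saves around ~500MB.
# Layers working on the same files introduce redundancies, because each layer contains a copy of the
# file it is working on.
FROM ${BASE_IMAGE} AS files

# Ownership is set during the copy (no follow-up chown layer). The base image must already define the
# teamscale user/group for --chown to resolve.
COPY --chown=teamscale:teamscale build/dist/teamscale /opt/teamscale
COPY --chown=teamscale:teamscale build/dist/lib-internal /opt/teamscale/lib

# Remove unnecessary files.
# Windows-specific files are not needed, nor is the tooling for setting up Teamscale as a systemd
# service on Linux.
# Absolute paths instead of `cd` (hadolint DL3003): the removal does not depend on the shell's
# working directory and the same paths are used below.
RUN rm -rf /opt/teamscale/linux \
           /opt/teamscale/windows \
           /opt/teamscale/teamscale.bat \
           /opt/teamscale/bin/Teamscale.bat

# Restrict the directories Teamscale loads jars/natives from to be read-only.
# This avoids a possible RCE in case of other bugs allowing writes to the file system (TS-34400).
# lib-ext and custom-checks are usually mounted (as ro) within a docker-compose file if needed.
# Read-only (=444) for the existing files (to avoid being overwritten).
# Read and execute (=enter; =555) for the directories and natives.
# The -R 555 on lib/natives runs last on purpose: the first chmod has just set the natives directory
# (matched by lib/*) to 444, which would make it unenterable.
# NOTE(review): the tree stays owned by teamscale (see the --chown above and in the production stage),
# so this defends against a plain file-write primitive, not against code that already runs as that
# user and can chmod the files back. Root ownership of /opt/teamscale/lib would be the stricter
# variant -- confirm Teamscale never needs to write there before changing it.
# NOTE(review): the globs must match at least one entry; an empty lib-ext or custom-checks in the
# distribution would leave the `*` literal and abort the build -- confirm the dist always ships a
# file in each.
RUN chmod 444 /opt/teamscale/lib/* /opt/teamscale/lib-ext/* /opt/teamscale/custom-checks/* \
    && chmod 555 /opt/teamscale/lib /opt/teamscale/lib-ext /opt/teamscale/custom-checks \
    && chmod -R 555 /opt/teamscale/lib/natives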

###############################
# Production Docker image build
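FROM ${BASE_IMAGE} AS production

# Only the finished tree from the intermediate stage is copied, so /opt/teamscale is a single layer
# and the read-only modes set in the files stage are carried over as-is.
COPY --from=files --chown=teamscale:teamscale /opt/teamscale /opt/teamscale

# EXPOSE is documentation only (the port is published at run time). 8080 is an unprivileged port, so
# the non-root teamscale user can bind it without extra capabilities.
EXPOSE 8080
WORKDIR /opt/teamscale

# Required for ABAP Secured Network Connections (SNC) and management of
# credentials.
ENV SNC_LIB="/opt/teamscale/lib-ext/libsapcrypto.so" \
    SECUDIR="/var/teamscale/snc-cred" \
    USER="teamscale"

# Run as the non-root user that owns /opt/teamscale. The base image is expected to define this user
# (the --chown above relies on it); stating it here makes the non-root contract explicit instead of
# inheriting it silently from the base image, and it matches the `USER teamscale` the debug stage
# restores after its root-only steps.
USER teamscale

# Exec (JSON array) form so teamscale.sh is PID 1 and receives the stop signal (SIGTERM) directly;
# the shell form would wrap it in `sh -c`, which does not forward the signal.
# see: https://docs.docker.com/compose/faq/#why-do-my-services-take-10-seconds-to-recreate-or-stop
# NOTE(review): this only helps if teamscale.sh itself ends by `exec`-ing the JVM -- confirm.
ENTRYPOINT ["/opt/teamscale/teamscale.sh"]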

##########################
# Debug Docker image build
FROM production AS debug

# Versions of the profiling tools fetched below. Kept in ENV (not ARG) so they stay visible inside the
# running container.
# NOTE(review): the first name carries a typo (AYSNC); it is part of the image's environment, so it is
# left unchanged here -- rename it together with its use in the RUN below if it is ever changed.
ENV AYSNC_PROFILER_VERSION="3.0" \
    DD_AGENT_VERSION="1.10.0"

# Package installation and the downloads below need root; the stage drops back to teamscale at the end.
USER root

# Install debug packages
# WARNING: `jq` was removed because it caused segmentation faults with qemu: https://cqse.atlassian.net/browse/TS-42024
# update and install share one layer so the package index can never be stale, and the lists are
# removed in the same layer so they do not bloat the image.
# NOTE(review): package versions are not pinned, so the base image tag is the only reproducibility
# anchor for this layer.
RUN apt-get update && \
    apt-get -y install --no-install-recommends \
            zip \
            openjdk-21-jdk-headless \
            openjdk-21-dbg && \
    rm -rf /var/lib/apt/lists/*

# Install profiling tools (separate from above for better caching)
# Both artifacts come from GitHub releases pinned by version over HTTPS, but nothing verifies the
# downloaded content.
# NOTE(review): consider checking a published sha256 after each wget (or fetching via
# ADD --checksum) so a replaced release asset cannot land in the debug image; needs the upstream hashes.
RUN \
    # Datadog Agent
    mkdir -p "/opt/dd-java-agent" && \
    wget --quiet -O /opt/dd-java-agent/dd-java-agent.jar https://github.com/DataDog/dd-trace-java/releases/download/v${DD_AGENT_VERSION}/dd-java-agent.jar && \
    # Async Profiler (tarball is removed in the same layer so it does not persist in the image)
    mkdir -p "/opt/async-profiler" && \
    wget --quiet -O "async-profiler.tar.gz" "https://github.com/async-profiler/async-profiler/releases/download/v${AYSNC_PROFILER_VERSION}/async-profiler-${AYSNC_PROFILER_VERSION}-linux-x64.tar.gz" && \
    tar --extract --gzip --file "async-profiler.tar.gz" --directory "/opt/async-profiler" --strip-components 1 && \
    rm "async-profiler.tar.gz"

# libjemalloc with tracing enabled
# See: https://cqse.atlassian.net/browse/TS-37982
# Fetched as root, so the file is root-owned and (via --chmod) world-readable/executable, which is
# what a preloaded shared object needs.
# NOTE(review): ADD from a URL without --checksum trusts whatever the bucket serves at build time;
# pin it with `ADD --checksum=sha256:<hash>` once the artifact's hash is recorded.
ADD --chmod=755 "https://storage.googleapis.com/teamscale-public-build-artifacts/artifacts/libjemalloc_trace.so" "/usr/lib/libjemalloc_trace.so"
# Preloaded into every process started in this container (not only the JVM), with jemalloc
# profiling enabled via MALLOC_CONF. Set after the ADD so the library exists before any later
# instruction runs a shell with it preloaded. Debug stage only; the production stage above does not
# carry it.
ENV LD_PRELOAD="/usr/lib/libjemalloc_trace.so" \
    MALLOC_CONF="prof:true,lg_prof_interval:32,lg_prof_sample:20"

# Drop back to the non-root runtime user.
USER teamscale
