# These are overridden by build-stx-debian.sh
ARG DIST=bullseye
ARG RELEASE=11.2

################################################
# ca_certs build stage
################################################

# We need up-to-date SSL certs, otherwise we won't be able to access
# mirror.starlingx.windriver.com; yet the ca-certificates package is
# behind that URL. As a workaround: install ca-certificates from
# upstream debian, then copy the (generated) CA bundle into the.
# main build stage.

FROM debian:${DIST} as ca_certs

ENV DEBIAN_FRONTEND=noninteractive

RUN apt-get update -y && \
    apt-get -y install --no-install-recommends ca-certificates

################################################
# main build stage
################################################

# Start with an the old-ish bullseye release (11.2), then upgrade --
# to make sure packages that come pre-installed in the debian:XXX image
# are older than anything in StarlingX.
FROM debian:${RELEASE}

ENV DEBIAN_FRONTEND=noninteractive

# Disable upstream debian repos
RUN mv /etc/apt/sources.list /etc/apt/sources.list.disabled

# Install apt repos
COPY apt/debian.sources.list /etc/apt/sources.list.d/debian.list.disabled
COPY apt/stx.sources.list /etc/apt/sources.list.d/stx.list.disabled
COPY apt/stx.preferences /etc/apt/preferences.d/stx

# Install layer-specific binary repositories.
# Note: They are all supposed to be disabled by default, but can be optionally
#       enabled if it is necessary to build an image that requires
#       dependencies that are in repositories not listed in `stx.sources.list`.
COPY apt/*.layer.sources.list /etc/apt/sources.list.d/
RUN for layer in /etc/apt/sources.list.d/*.layer.sources.list; do \
      mv "${layer}" "$(echo "${layer}" | sed s/.layer.sources.list/.list.disabled/)"; \
    done

# repo templates:
#   /etc/apt/sources.list.d/
#     debian.list.disabled         - vanilla debian repos
#     stx.list.disabled            - starlingx binary & build repos
#
# To enable a repo list:
#     cp /etc/apt/sources.list.d/$repo_list.disabled \
#        /etc/apt/sources.list.d/$repo_list
#
# To disable a repo list:
#     rm -f /etc/apt/sources.list.d/$repo_list
#
# By default only stx.list is enabled, which includes only the packages
# built by stx tools, and the binary packages from the curated binary
# download lists (bullseye-base.lst etc).
#
# Enabling the upstream repos ("debian.list") is dangerous because it
# may conflict with packages in stx.list.
#
#
# FIXME: apt evaluates these files in alphabetical order, so stx.list
#        comes after debian.list. When the local binary repo contains
#        the same package/version as the debian repo, apt will download
#        it from debian, regardless of the priority in /etc/apt/preferences.
#        We should rename these files to make stx.list sort before
#        debian.list. This would affect Loci scripts in
#        loci/docker/stx-scripts/
#

#
# Copy CA certs from the "ca_certs" build stage. The bundle file was generated
# by ca-certificates in that stage, and will be re-generated when we install
# that package again in the main stage below. That version may be *older* than
# the certs that we are copying here. We assume ca-certificates is regularly
# updated in stx-tools' package download lists, or it is built by us, and contains
# all the certs we might need during docker images build, such as the intermidate
# cert used by mirror.starlingx.windriver.com .
#
RUN mkdir -p /etc/ssl/certs
COPY --from=ca_certs /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt

#
# Upgrade base packages to versions in managed repos
#
RUN cp -f /etc/apt/sources.list.d/stx.list.disabled /etc/apt/sources.list.d/stx.list && \
    apt-get -y update && \
    apt-get -y upgrade && \
    apt-get -y install --no-install-recommends --no-install-suggests \
        ca-certificates \
        libapache2-mod-wsgi-py3 \
        python3-setuptools \
        && \
    rm -f /etc/apt/sources.list.d/stx.list && \
    apt-get clean && rm -rf /var/lib/apt/lists/*

#
# Enable stx repo only. Packages installs below this point will use
# only the managed locally-built & 3rd-party repos.
#
RUN cp /etc/apt/sources.list.d/stx.list.disabled /etc/apt/sources.list.d/stx.list

#
# Install required packages
#
RUN apt-get update -y && \
    apt-get upgrade -y && \
    apt-get install -y \
        openssh-client \
        python3 \
        python3-pip \
        python3-wheel \
# FIXME: uncomment once qemu is ported to debian (starlingx/integ)
#        qemu-utils \
        && \
    apt-get clean && \
    rm -rf /var/lib/apt/lists/*

# FIXME: these packages are not required by most docker images inheriting
# from this image. However these Python modules are not buildable from
# source (ie by pip) on Debian and require patches. Install the patched
# versions as DEB packages to make sure pip dependencies in derived images
# are satisfied.
#
# A better solution would be to omit them here, but install them in each
# project that requires them; or add wheel subpackages to these DEBs.
RUN apt-get update -y && \
    apt-get upgrade -y && \
    apt-get install -y \
        python3-thriftpy \
        python3-nss \
        && \
    apt-get clean && \
    rm -rf /var/lib/apt/lists/*