From 52b69b8b308266d9334dc34dad1379ab7b14e66e Mon Sep 17 00:00:00 2001 From: "Jiaxiao (mossaka) Zhou" Date: Tue, 10 Feb 2026 23:09:08 +0000 Subject: [PATCH 1/2] fix: add apt-get install retry logic to handle stale package archives Ubuntu package archives can supersede package versions between apt-get update and apt-get install, causing 404 errors (e.g., libexpat1 in jammy-security). Add retry logic that clears the apt cache and re-runs apt-get update on install failure to fetch the current package index. Applies to both agent and squid container Dockerfiles. Co-Authored-By: Claude Opus 4.6 (1M context) --- containers/agent/Dockerfile | 15 ++++++++++++--- containers/squid/Dockerfile | 8 ++++++-- 2 files changed, 18 insertions(+), 5 deletions(-) diff --git a/containers/agent/Dockerfile b/containers/agent/Dockerfile index 75e49c84..bffd2d57 100644 --- a/containers/agent/Dockerfile +++ b/containers/agent/Dockerfile @@ -9,8 +9,9 @@ FROM ${BASE_IMAGE} # Install required packages and Node.js 22 # Note: Some packages may already exist in runner-like base images, apt handles this gracefully +# Retry logic handles transient 404s when Ubuntu archive supersedes package versions mid-build RUN apt-get update && \ - apt-get install -y --no-install-recommends \ + ( apt-get install -y --no-install-recommends \ iptables \ curl \ ca-certificates \ @@ -21,7 +22,13 @@ RUN apt-get update && \ net-tools \ netcat-openbsd \ gosu \ - libcap2-bin && \ + libcap2-bin || \ + (echo "apt-get install failed, retrying with fresh package index..." && \ + rm -rf /var/lib/apt/lists/* && \ + apt-get update && \ + apt-get install -y --no-install-recommends \ + iptables curl ca-certificates git gh gnupg dnsutils \ + net-tools netcat-openbsd gosu libcap2-bin) ) && \ # Prefer system binaries over runner toolcache (e.g., act images) for Node checks. export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:$PATH" && \ # Install Node.js 22 from NodeSource 
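Review bot: The `||` fallback in the second hunk (`libcap2-bin || (echo "apt-get install failed, retrying with fresh package index..." && rm -rf /var/lib/apt/lists/* && apt-get update && apt-get install ...)`) fires on any non-zero exit from apt-get install, not only on the 404 the new comment describes, so a dependency conflict, a signature-verification failure or a network outage is also retried once and logged as a stale-index retry, which misattributes the cause. apt-get's exit codes do not let you narrow the trigger cleanly, so the comment should state the real contract instead, e.g. `# Any apt-get install failure is retried once after refreshing the index (covers 404s from a superseded archive)`. The same unconditional retry is added in the @@ -70 hunk and in containers/squid/Dockerfile, and the second patch in this series keeps it. The RUN instruction continues past the end of the hunk.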
@@ -70,7 +77,9 @@ RUN chmod +x /usr/local/bin/setup-iptables.sh /usr/local/bin/entrypoint.sh /usr/ # This prevents tokens from being read multiple times (e.g., by malicious code) COPY one-shot-token/one-shot-token.c /tmp/one-shot-token.c RUN apt-get update && \ - apt-get install -y --no-install-recommends gcc libc6-dev && \ + ( apt-get install -y --no-install-recommends gcc libc6-dev || \ + (rm -rf /var/lib/apt/lists/* && apt-get update && \ + apt-get install -y --no-install-recommends gcc libc6-dev) ) && \ gcc -shared -fPIC -O2 -Wall -o /usr/local/lib/one-shot-token.so /tmp/one-shot-token.c -ldl -lpthread && \ rm /tmp/one-shot-token.c && \ apt-get remove -y gcc libc6-dev && \ diff --git a/containers/squid/Dockerfile b/containers/squid/Dockerfile index 629fd602..38681b95 100644 --- a/containers/squid/Dockerfile +++ b/containers/squid/Dockerfile @@ -1,14 +1,18 @@ FROM ubuntu/squid:latest # Install additional tools for debugging, healthcheck, and SSL Bump +# Retry logic handles transient 404s when Ubuntu archive supersedes package versions mid-build RUN apt-get update && \ - apt-get install -y --no-install-recommends \ + ( apt-get install -y --no-install-recommends \ curl \ dnsutils \ net-tools \ netcat-openbsd \ openssl \ - squid-openssl && \ + squid-openssl || \ + (rm -rf /var/lib/apt/lists/* && apt-get update && \ + apt-get install -y --no-install-recommends \ + curl dnsutils net-tools netcat-openbsd openssl squid-openssl) ) && \ rm -rf /var/lib/apt/lists/* # Create log directory and SSL database directory From 299200161ef004581930152f3629389d383f5d79 Mon Sep 17 00:00:00 2001 
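Review bot: The retry branches added here for the one-shot-token build (`|| (rm -rf /var/lib/apt/lists/* && apt-get update && apt-get install -y --no-install-recommends gcc libc6-dev)`) and in the squid hunk that follows have no diagnostic, unlike the first RUN in the agent Dockerfile, so a build that only succeeds on the second attempt leaves no direct trace in the log. Adding the same `echo "apt-get install failed, retrying with fresh package index..." && \` line at the head of each fallback subshell keeps the three retries consistent and makes recurring archive drift visible to whoever reads CI output. The second patch's `set -eux` traces each command, which partially compensates, but the explicit message is still the clearer signal. The one-shot-token RUN continues past the hunk's last line; the squid RUN ends within its hunk.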
From: "Jiaxiao (mossaka) Zhou" Date: Tue, 10 Feb 2026 23:19:14 +0000 Subject: [PATCH 2/2] refactor: use shell variables to deduplicate apt package lists Address Copilot review feedback: define package lists once as shell variables and reuse them in both the initial install and retry paths, preventing the lists from drifting out of sync. Co-Authored-By: Claude Opus 4.6 (1M context) --- containers/agent/Dockerfile | 37 ++++++++++++++----------------------- containers/squid/Dockerfile | 17 ++++++----------- 2 files changed, 20 insertions(+), 34 deletions(-) diff --git a/containers/agent/Dockerfile b/containers/agent/Dockerfile index bffd2d57..5e1fd866 100644 --- a/containers/agent/Dockerfile +++ b/containers/agent/Dockerfile 
@@ -10,25 +10,14 @@ FROM ${BASE_IMAGE} # Install required packages and Node.js 22 # Note: Some packages may already exist in runner-like base images, apt handles this gracefully # Retry logic handles transient 404s when Ubuntu archive supersedes package versions mid-build -RUN apt-get update && \ - ( apt-get install -y --no-install-recommends \ - iptables \ - curl \ - ca-certificates \ - git \ - gh \ - gnupg \ - dnsutils \ - net-tools \ - netcat-openbsd \ - gosu \ - libcap2-bin || \ - (echo "apt-get install failed, retrying with fresh package index..." && \ - rm -rf /var/lib/apt/lists/* && \ - apt-get update && \ - apt-get install -y --no-install-recommends \ - iptables curl ca-certificates git gh gnupg dnsutils \ - net-tools netcat-openbsd gosu libcap2-bin) ) && \ +RUN set -eux; \ + PKGS="iptables curl ca-certificates git gh gnupg dnsutils net-tools netcat-openbsd gosu libcap2-bin"; \ + apt-get update && \ + ( apt-get install -y --no-install-recommends $PKGS || \ + (echo "apt-get install failed, retrying with fresh package index..." && \ + rm -rf /var/lib/apt/lists/* && \ + apt-get update && \ + apt-get install -y --no-install-recommends $PKGS) ) && \ # Prefer system binaries over runner toolcache (e.g., act images) for Node checks. export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:$PATH" && \ # Install Node.js 22 from NodeSource 
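Review bot: `set -eux;` now governs the entire RUN instruction, and that instruction continues past the hunk (the `export PATH` line and the Node.js 22 install after it), so `-u` makes any expansion of an unset variable in that tail abort the build and `-x` echoes every expanded command in that tail into the build log; worth confirming that nothing there tolerates an unset variable today and that nothing expanded there is sensitive. With `-e` active the remaining `&& \` chain is redundant; it is harmless, but a one-line comment saying which mechanism the RUN relies on would spare the next maintainer guessing. The unquoted `$PKGS` is intentional word-splitting, which hadolint's embedded ShellCheck reports as SC2086; a short comment such as `# $PKGS is deliberately unquoted so it expands to separate arguments` documents the intent. The same remarks apply to the @@ -76 hunk and to containers/squid/Dockerfile, whose RUNs end inside their hunks.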
@@ -76,13 +65,15 @@ RUN chmod +x /usr/local/bin/setup-iptables.sh /usr/local/bin/entrypoint.sh /usr/ # Build one-shot-token LD_PRELOAD library for single-use token access # This prevents tokens from being read multiple times (e.g., by malicious code) COPY one-shot-token/one-shot-token.c /tmp/one-shot-token.c -RUN apt-get update && \ - ( apt-get install -y --no-install-recommends gcc libc6-dev || \ +RUN set -eux; \ + BUILD_PKGS="gcc libc6-dev"; \ + apt-get update && \ + ( apt-get install -y --no-install-recommends $BUILD_PKGS || \ (rm -rf /var/lib/apt/lists/* && apt-get update && \ - apt-get install -y --no-install-recommends gcc libc6-dev) ) && \ + apt-get install -y --no-install-recommends $BUILD_PKGS) ) && \ gcc -shared -fPIC -O2 -Wall -o /usr/local/lib/one-shot-token.so /tmp/one-shot-token.c -ldl -lpthread && \ rm /tmp/one-shot-token.c && \ - apt-get remove -y gcc libc6-dev && \ + apt-get remove -y $BUILD_PKGS && \ apt-get autoremove -y && \ rm -rf /var/lib/apt/lists/* diff --git a/containers/squid/Dockerfile b/containers/squid/Dockerfile index 38681b95..3df7040f 100644 --- a/containers/squid/Dockerfile +++ b/containers/squid/Dockerfile 
@@ -2,17 +2,12 @@ FROM ubuntu/squid:latest # Install additional tools for debugging, healthcheck, and SSL Bump # Retry logic handles transient 404s when Ubuntu archive supersedes package versions mid-build -RUN apt-get update && \ - ( apt-get install -y --no-install-recommends \ - curl \ - dnsutils \ - net-tools \ - netcat-openbsd \ - openssl \ - squid-openssl || \ - (rm -rf /var/lib/apt/lists/* && apt-get update && \ - apt-get install -y --no-install-recommends \ - curl dnsutils net-tools netcat-openbsd openssl squid-openssl) ) && \ +RUN set -eux; \ + PKGS="curl dnsutils net-tools netcat-openbsd openssl squid-openssl"; \ + apt-get update && \ + ( apt-get install -y --no-install-recommends $PKGS || \ + (rm -rf /var/lib/apt/lists/* && apt-get update && \ + apt-get install -y --no-install-recommends $PKGS) ) && \ rm -rf /var/lib/apt/lists/* # Create log directory and SSL database directory
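Review bot: This RUN sits in a stage that starts from `FROM ubuntu/squid:latest` (a context line, unchanged here), so the package set that `$PKGS` resolves against floats with every rebuild; the retry added in this hunk works around index/archive drift, but the image itself stays non-reproducible and hadolint DL3007 will keep flagging it. Pinning the base to a specific tag, or better a digest (`FROM ubuntu/squid:<tag>@sha256:<digest>`, placeholder values), is the complementary fix and a reasonable follow-up rather than part of this change. The RUN instruction ends within the hunk.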