Arch Linux Ruby base image in Harbor with weekly rebuild pipeline #360

Closed
opened 2026-05-10 16:23:42 +00:00 by ldraney · 3 comments
Owner

Type

Infra

Lineage

Plan: pal-enterprises infrastructure overhaul (Ticket 3 of 5). Story: story-infra-overhaul.

Repo

ldraney/pal-e-platform

User Story

As a platform owner
I want a shared Arch Linux Ruby base image in Harbor that rebuilds weekly
So that all Rails apps stay on the latest Ruby, system libs, and security patches without manual version bump tickets

Context

All Ruby apps currently use ruby:3.4.8-slim (Debian), manually version-pinned. Every Ruby upgrade requires a ticket per app. Arch Linux's rolling release model eliminates this — a weekly rebuild of the base image picks up the latest Ruby and system packages automatically.

This base image will be used by:

  • pal-enterprises (prod Dockerfile + dev pod)
  • Future Rails apps (westside-ror, pal-e-ror, westside-docs — migration later)

See arch-harbor for architecture context.

File Targets

Files the agent should create:

  • docker/ruby-arch/Dockerfile — multi-stage Arch base image
  • docker/ruby-arch/.woodpecker.yaml — scheduled weekly pipeline to rebuild + push to Harbor

Files the agent may need to modify:

  • terraform/modules/harbor/main.tf — add pal-e Harbor project for shared base images (if not exists)

Dockerfile Shape

Verified Arch package names (confirmed on host Arch system):

FROM archlinux:latest AS base
RUN pacman -Syu --noconfirm ruby jemalloc postgresql-libs libyaml && \
    gem install bundler && \
    pacman -Scc --noconfirm
ENV LD_PRELOAD="/usr/lib/libjemalloc.so"

FROM base AS build
RUN pacman -S --noconfirm base-devel git pkgconf && \
    pacman -Scc --noconfirm

Package corrections from local Arch verification:

  • ruby-bundler (pacman) → gem install bundler — pacman has 4.0.3, Gemfile.lock needs 4.0.11. Install via gem instead.
  • libpq → removed — postgresql-libs already in base, includes headers (libpq-fe.h confirmed owned by postgresql-libs).
  • pkg-config → pkgconf — correct Arch package name (provides pkg-config compatibility symlink).

Pipeline Shape

  • Trigger: weekly cron + manual
  • Steps: build Arch image → push to harbor.harbor.svc.cluster.local/pal-e/ruby-arch:latest
  • Follow existing Woodpecker pipeline conventions (clone step, Kaniko build, Harbor push)
  • Note: Verify Kaniko supports pacman -Syu (network access during build). If not, use docker-in-docker or buildah.
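Because the image is rebuilt weekly from `archlinux:latest` with `pacman -Syu`, no two builds contain the same packages; a pipeline step that captures `pacman -Q` from the fresh image and diffs it against the previous week's manifest makes each rebuild auditable. The script below is an added example, not part of this ticket or repo: the two manifests are constructed samples standing in for the output of `docker run .../pal-e/ruby-arch:latest pacman -Q`, and `manifest_diff` / `manifest_version` are hypothetical helper names.

```shell
#!/bin/sh
# Added example: report what a weekly rebuild of pal-e/ruby-arch changed.
# Input format is `pacman -Q` ("name version" per line). Both manifests
# below are constructed samples, not real build output.

# Constructed: manifest captured from last week's image.
OLD_MANIFEST='glibc 2.41-1
jemalloc 1:5.3.0-4
libyaml 0.2.5-3
lz4 1.10.0-2
openssl 3.4.1-1
postgresql-libs 17.4-1
ruby 3.4.2-1'

# Constructed: manifest captured from this week's image.
NEW_MANIFEST='glibc 2.41-2
jemalloc 1:5.3.0-4
libyaml 0.2.5-3
openssl 3.5.0-1
postgresql-libs 17.5-1
ruby 3.4.3-1
zlib 1.3.1-2'

# manifest_diff OLD NEW: one sorted line per change:
#   "added NAME VER", "removed NAME VER", "upgraded NAME OLD -> NEW".
# Unchanged packages are not printed, so an empty result means an
# identical image and the push can be skipped.
manifest_diff() {
    { printf '%s\n' "$1"; echo '---'; printf '%s\n' "$2"; } | awk '
        /^---$/ { in_new = 1; next }      # separator between the two manifests
        !in_new { old[$1] = $2; next }    # first block: previous image
        { new[$1] = $2 }                  # second block: freshly built image
        END {
            for (p in new) {
                if (!(p in old)) print "added " p " " new[p]
                else if (old[p] != new[p]) print "upgraded " p " " old[p] " -> " new[p]
            }
            for (p in old) if (!(p in new)) print "removed " p " " old[p]
        }' | LC_ALL=C sort
}

# manifest_version NAME MANIFEST: version of one package, e.g. to record
# which Ruby the `ruby --version` acceptance check will report.
manifest_version() {
    printf '%s\n' "$2" | awk -v p="$1" '$1 == p { print $2 }'
}

manifest_diff "$OLD_MANIFEST" "$NEW_MANIFEST"
```

In the pipeline the previous manifest can be kept as a build artifact or stored next to the image in Harbor, and the diff output attached to the weekly run so a regression in a downstream Rails app can be traced to a specific package bump.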

Acceptance Criteria

  • Harbor project pal-e exists (created via Terraform or manually)
  • harbor.tail5b443a.ts.net/pal-e/ruby-arch:latest exists in Harbor
  • docker run harbor.../pal-e/ruby-arch:latest ruby --version returns current Arch Ruby
  • docker run harbor.../pal-e/ruby-arch:latest bundler --version works
  • Base image includes: ruby, bundler (gem), jemalloc, postgresql-libs (with headers), libyaml
  • Build stage includes: base-devel, git, pkgconf
  • gem install pg works in the build stage (native extension compilation with libpq-fe.h)
  • jemalloc loads: LD_PRELOAD=/usr/lib/libjemalloc.so ruby -e 'puts :ok'
  • Weekly Woodpecker cron job configured and tested
  • Manual pipeline trigger works
  • Kaniko (or alternative builder) handles pacman -Syu correctly

Test Expectations

  • Dockerfile builds without errors
  • Image pushed to Harbor successfully
  • gem install pg works in the build stage (native extension compilation)
  • jemalloc loads correctly

Dependencies

None — can start immediately. Wave 1 parallel with T1 (pal-e-services#75).

Downstream dependents:

  • T2 (pal-e-deployments#158) — dev overlay uses this base image
  • T4 (pal-enterprises#18) — Dockerfile migration uses this base image

Constraints

  • Image tag: pal-e/ruby-arch:latest (always latest, rolling release is the point)
  • Harbor project pal-e may need to be created via Terraform
  • Woodpecker cron needs to be configured in the repo settings (not just the yaml)
  • Verify Kaniko + pacman -Syu compatibility — if Kaniko can't do network operations during build, document the alternative

Checklist

  • PR opened
  • Dockerfile builds
  • Image pushed to Harbor
  • Cron pipeline configured
  • No unrelated changes

Related

  • story-infra-overhaul — parent story
  • arch-harbor — architecture note
  • ldraney/pal-e-services#75 — T1: Keycloak + ArgoCD (parallel)
  • ldraney/pal-e-deployments#158 — T2: Dev overlay (depends on this)
  • ldraney/pal-enterprises#18 — T4: Dockerfile migration (depends on this)
  • ldraney/pal-enterprises#14 — Ruby 4.0 upgrade (will be closed, superseded by rolling release)
Author
Owner

Scope Review: NEEDS_REFINEMENT

Review note: review-1201-2026-05-10
Issue body is well-structured with Dockerfile and pipeline shapes, but traceability backing notes are missing and dependencies are undocumented.

  • [SCOPE] infra-overhaul story missing from project-pal-enterprises user-stories table
  • [SCOPE] No arch-harbor architecture note exists in pal-e-docs
  • [BODY] Add Dependencies section (T4 and T2 depend on this ticket)
  • [BODY] Add Checklist section
  • [BODY] Add AC for Harbor project creation via Terraform
  • [BODY] Add AC for Kaniko + pacman compatibility verification
Author
Owner

Scope refinement (review-1201-2026-05-10):

  • Fixed Dockerfile package names from local Arch verification:
    • ruby-bundler (pacman 4.0.3) → gem install bundler (Gemfile.lock needs 4.0.11)
    • libpq → removed (postgresql-libs already in base, includes libpq-fe.h)
    • pkg-config → pkgconf (correct Arch package name)
  • Added Dependencies section (T2 and T4 depend on this)
  • Added missing ACs: Harbor project creation, Kaniko+pacman compatibility
  • Added story-infra-overhaul reference (story note created)
  • Added arch-harbor reference (architecture note created)
  • Added Checklist section per template-issue
Author
Owner

Scope Review: READY

Review note: review-1201-2026-05-10-r2

All 6 refinement items from r1 verified fixed. Template complete, traceability triangle solid (story-infra-overhaul + arch-harbor notes created), dependencies documented, ACs expanded to 11 with Harbor project creation and Kaniko compatibility. Ticket is ready for implementation.

Minor housekeeping: add infra-overhaul row to project-pal-enterprises user-stories table.

ldraney 2026-05-10 16:46:10 +00:00