Merge pull request #13160 from rabbitmq/simplified-oci-action

Simplified OCI builds
2025-01-29 09:33:20 +01:00 · 2025-01-29 09:33:20 +01:00 · 6692fcb608
parent f3eea915e7 0e7b53c6a8
commit 6692fcb608
3 changed files with 59 additions and 553 deletions
--- a/.github/workflows/oci-arm64-make.yaml
+++ b/.github/workflows/oci-arm64-make.yaml
@ -1,179 +0,0 @@
 # This file should be identical to oci-make, except it should built the ARM64
 # image and only for the main branch. It's a separate workflow due to the performance
 # of building the ARM64 image. This way we only build it on main, where it should
 # take advantage of the cache.
 #
 # https://github.com/marketplace/actions/build-and-push-docker-images
 name: OCI ARM64 (make)
 on:
  push:
    branches:
      - main
    paths-ignore:
      - '.github/workflows/secondary-umbrella.yaml'
      - '.github/workflows/update-elixir-patches.yaml'
      - '.github/workflows/update-otp-patches.yaml'
      - '.github/workflows/release-alphas.yaml'
      - '*.md'
  workflow_dispatch:
 env:
  REGISTRY_IMAGE: pivotalrabbitmq/rabbitmq-arm64
 concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true
 jobs:
  build-package-generic-unix:
    runs-on: ubuntu-24.04-arm
    outputs:
      authorized: ${{ steps.authorized.outputs.authorized }}
    steps:
      - name: CHECK IF IMAGE WILL PUSH
        id: authorized
        run: |
          if [ -n "${{ secrets.DOCKERHUB_PASSWORD }}" ]; then
            echo "authorized=true" | tee -a $GITHUB_OUTPUT
          else
            echo "authorized=false" | tee -a $GITHUB_OUTPUT
          fi
      - name: Checkout
        if: steps.authorized.outputs.authorized == 'true'
        uses: actions/checkout@v4
      - name: Configure Erlang
        if: steps.authorized.outputs.authorized == 'true'
        uses: erlef/setup-beam@v1
        with:
          otp-version: 26.2
          elixir-version: 1.15
      - name: make package-generic-unix
        if: steps.authorized.outputs.authorized == 'true'
        run: |
          make package-generic-unix PROJECT_VERSION=4.1.0-alpha.1
      - name: Upload package-generic-unix
        if: steps.authorized.outputs.authorized == 'true'
        uses: actions/upload-artifact@v4.3.1
        with:
          name: package-generic-unix
          path: PACKAGES/rabbitmq-server-*.tar.xz
  build:
    needs: build-package-generic-unix
    runs-on: ubuntu-24.04-arm
    if: ${{ needs.build-package-generic-unix.outputs.authorized }} == 'true'
    strategy:
      fail-fast: false
      matrix:
        platform:
          - linux/arm64
    steps:
      - name: Prepare
        run: |
          platform=${{ matrix.platform }}
          echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV
      - name: Checkout
        uses: actions/checkout@v4
      - name: Download package-generic-unix
        uses: actions/download-artifact@v4
        with:
          name: package-generic-unix
          path: PACKAGES
      - name: Rename package-generic-unix
        run: |
          cp \
            PACKAGES/rabbitmq-server-generic-unix-*.tar.xz \
            packaging/docker-image/package-generic-unix.tar.xz
      - name: Docker meta
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: ${{ env.REGISTRY_IMAGE }}
          tags: |
            type=ref,event=branch
            type=ref,event=pr
            type=sha,format=long
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Login to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Login to Docker Hub
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_PASSWORD }}
      - name: Build and push by digest
        id: build
        uses: docker/build-push-action@v6
        with:
          context: packaging/docker-image
          platforms: ${{ matrix.platform }}
          labels: ${{ steps.meta.outputs.labels }}
          cache-to: type=gha
          cache-from: type=gha
          outputs: type=image,name=${{ env.REGISTRY_IMAGE }},push-by-digest=true,name-canonical=true,push=true
      - name: Export digest
        run: |
          mkdir -p /tmp/digests
          digest="${{ steps.build.outputs.digest }}"
          touch "/tmp/digests/${digest#sha256:}"
      - name: Upload digest
        uses: actions/upload-artifact@v4
        with:
          name: digests-${{ env.PLATFORM_PAIR }}
          path: /tmp/digests/*
          if-no-files-found: error
          retention-days: 1
  merge:
    needs:
      - build
    runs-on: ubuntu-24.04-arm
    if: ${{ needs.build-package-generic-unix.outputs.authorized }} == 'true'
    steps:
      - name: Download digests
        uses: actions/download-artifact@v4
        with:
          path: /tmp/digests
          pattern: digests-*
          merge-multiple: true
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Docker meta
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: ${{ env.REGISTRY_IMAGE }}
          tags: |
            type=ref,event=branch
            type=ref,event=pr
            type=sha,format=long
      - name: Login to Docker Hub
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_PASSWORD }}
      - name: Create manifest list and push
        working-directory: /tmp/digests
        run: |
          docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
            $(printf '${{ env.REGISTRY_IMAGE }}@sha256:%s ' *)
      - name: Inspect image
        run: |
          docker buildx imagetools inspect ${{ env.REGISTRY_IMAGE }}:${{ steps.meta.outputs.version }}
  summary-oci:
    needs:
    - build-package-generic-unix
    - build
    - merge
    runs-on: ubuntu-24.04-arm
    steps:
    - name: SUMMARY
      run: |
        cat << 'EOF' | jq -e 'map(.result == "success") | all(.)'
        ${{ toJson(needs) }}
        EOF
--- a/.github/workflows/oci-make.yaml
+++ b/.github/workflows/oci-make.yaml
@ -1,4 +1,8 @@
-# https://github.com/marketplace/actions/build-and-push-docker-images
+# When changing the OTP version, make sure to update all references:
 # - the default in workflow_dispatch
 # - otp_version in both jobs
 #
 #
 name: OCI (make)
 on:
  push:
@ -9,6 +13,16 @@ on:
      - '.github/workflows/release-alphas.yaml'
      - '*.md'
  workflow_dispatch:
    inputs:
      otp_version:
        # a tag of the erlang image, see https://hub.docker.com/_/erlang for available tags
        # also used in the setup-beam step (same tag should work for both)
        description: OTP version (eg. `26`, `26.2.5.6`)
        default: 27
      build_arm:
        description: Build for ARM64 as well?
        type: boolean
        default: false
 env:
  REGISTRY_IMAGE: pivotalrabbitmq/rabbitmq
 concurrency:
@ -16,6 +30,10 @@ concurrency:
  cancel-in-progress: true
 jobs:
  build-package-generic-unix:
    strategy:
      matrix:
        otp_version:
        - ${{ github.event.inputs.otp_version || '27' }}
    runs-on: ubuntu-latest
    outputs:
      authorized: ${{ steps.authorized.outputs.authorized }}
@ -35,43 +53,35 @@ jobs:
        if: steps.authorized.outputs.authorized == 'true'
        uses: erlef/setup-beam@v1
        with:
-          otp-version: 26.2
+          otp-version: ${{ matrix.otp_version }}
-          elixir-version: 1.15
+          elixir-version: latest
      - name: make package-generic-unix
        if: steps.authorized.outputs.authorized == 'true'
        run: |
          make package-generic-unix PROJECT_VERSION=4.1.0-alpha.1
      - name: Upload package-generic-unix
        if: steps.authorized.outputs.authorized == 'true'
-        uses: actions/upload-artifact@v4.3.1
+        uses: actions/upload-artifact@v4
        with:
-          name: package-generic-unix
+          name: package-generic-unix-otp${{ matrix.otp_version }}
          path: PACKAGES/rabbitmq-server-*.tar.xz
-  build:
+  build-and-push:
    needs: build-package-generic-unix
    runs-on: ubuntu-latest
    if: ${{ needs.build-package-generic-unix.outputs.authorized }} == 'true'
    strategy:
      fail-fast: false
      matrix:
-        platform:
+        otp_version:
-          - linux/amd64
+        - ${{ github.event.inputs.otp_version || '27' }}
-          # Unfortunately even with type=gha cache, OpenSSL and OTP
+    needs: build-package-generic-unix
-          # are rebuilt often and it takes ~90 minutes to do that
+    runs-on: ubuntu-latest
-          # in the emulated ARM mode. Disabling until we have a better solution.
+    if: ${{ needs.build-package-generic-unix.outputs.authorized }} == 'true'
          #- linux/arm64
    steps:
      - name: Prepare
        run: |
          platform=${{ matrix.platform }}
          echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV
      - name: Checkout
        uses: actions/checkout@v4
      - name: Download package-generic-unix
        uses: actions/download-artifact@v4
        with:
-          name: package-generic-unix
+          name: package-generic-unix-otp${{ matrix.otp_version }}
          path: PACKAGES
      - name: Rename package-generic-unix
        run: |
@ -83,6 +93,8 @@ jobs:
        uses: docker/metadata-action@v5
        with:
          images: ${{ env.REGISTRY_IMAGE }}
          flavor: |
            suffix=-otp${{ matrix.otp_version }}
          tags: |
            type=ref,event=branch
            type=ref,event=pr
@ -91,12 +103,6 @@ jobs:
        uses: docker/setup-qemu-action@v3
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Login to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Login to Docker Hub
        uses: docker/login-action@v3
        with:
@ -106,71 +112,11 @@ jobs:
        id: build
        uses: docker/build-push-action@v6
        with:
          push: true
          context: packaging/docker-image
-          platforms: ${{ matrix.platform }}
+          platforms: ${{ github.event.inputs.build_arm && 'linux/amd64, linux/arm64' || 'linux/amd64' }}
-          labels: ${{ steps.meta.outputs.labels }}
+          tags: ${{ steps.meta.outputs.tags }}
-          cache-to: type=gha
+          cache-to: type=gha,mode=max,scope=${{ matrix.otp_version }}
-          cache-from: type=gha
+          cache-from: type=gha,scope=${{ matrix.otp_version }}
-          outputs: type=image,name=${{ env.REGISTRY_IMAGE }},push-by-digest=true,name-canonical=true,push=true
+          build-args:
-      - name: Export digest
+            OTP_VERSION=${{ matrix.otp_version }}
        run: |
          mkdir -p /tmp/digests
          digest="${{ steps.build.outputs.digest }}"
          touch "/tmp/digests/${digest#sha256:}"
      - name: Upload digest
        uses: actions/upload-artifact@v4
        with:
          name: digests-${{ env.PLATFORM_PAIR }}
          path: /tmp/digests/*
          if-no-files-found: error
          retention-days: 1
  merge:
    needs:
      - build
    runs-on: ubuntu-latest
    if: ${{ needs.build-package-generic-unix.outputs.authorized }} == 'true'
    steps:
      - name: Download digests
        uses: actions/download-artifact@v4
        with:
          path: /tmp/digests
          pattern: digests-*
          merge-multiple: true
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Docker meta
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: ${{ env.REGISTRY_IMAGE }}
          tags: |
            type=ref,event=branch
            type=ref,event=pr
            type=sha,format=long
      - name: Login to Docker Hub
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_PASSWORD }}
      - name: Create manifest list and push
        working-directory: /tmp/digests
        run: |
          docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
            $(printf '${{ env.REGISTRY_IMAGE }}@sha256:%s ' *)
      - name: Inspect image
        run: |
          docker buildx imagetools inspect ${{ env.REGISTRY_IMAGE }}:${{ steps.meta.outputs.version }}
  summary-oci:
    needs:
    - build-package-generic-unix
    - build
    - merge
    runs-on: ubuntu-latest
    steps:
    - name: SUMMARY
      run: |
        cat << 'EOF' | jq -e 'map(.result == "success") | all(.)'
        ${{ toJson(needs) }}
        EOF
--- a/packaging/docker-image/Dockerfile
+++ b/packaging/docker-image/Dockerfile
@ -1,228 +1,28 @@
-#
+ARG OTP_VERSION="27"
 # Based on the generated file from https://github.com/docker-library/rabbitmq
 #
-# The official Canonical Ubuntu Focal image is ideal from a security perspective,
+FROM erlang:${OTP_VERSION}-slim AS base
 # especially for the enterprises that we, the RabbitMQ team, have to deal with
 FROM ubuntu:22.04 as build-base
 ARG BUILDKIT_SBOM_SCAN_STAGE=true
 RUN set -eux; \
 	export DEBIAN_FRONTEND=noninteractive; \
 	apt-get update; \
-	apt-get install -y --no-install-recommends \
+	apt-get install --yes --no-install-recommends \
 		build-essential \
 		ca-certificates \
 		gosu \
 		tzdata \
 		gnupg \
-		libncurses5-dev \
+		wget \
-		wget
+		xz-utils \
 FROM build-base as openssl-builder
 ARG BUILDKIT_SBOM_SCAN_STAGE=true
 # Default to a PGP keyserver that pgp-happy-eyeballs recognizes, but allow for substitutions locally
 ARG PGP_KEYSERVER=keyserver.ubuntu.com
 # If you are building this image locally and are getting `gpg: keyserver receive failed: No data` errors,
 # run the build with a different PGP_KEYSERVER, e.g. docker build --tag rabbitmq:4.0 --build-arg PGP_KEYSERVER=pgpkeys.eu 4.0/ubuntu
 # For context, see https://github.com/docker-library/official-images/issues/4252
 ENV OPENSSL_VERSION 3.3.1
 ENV OPENSSL_SOURCE_SHA256="777cd596284c883375a2a7a11bf5d2786fc5413255efab20c50d6ffe6d020b7e"
 # https://www.openssl.org/community/otc.html
 # https://www.openssl.org/source/
 ENV OPENSSL_PGP_KEY_IDS="0x8657ABB260F056B1E5190839D9C4D26D0E604491 0xB7C1C14360F353A36862E4D5231C84CDDCC69C45 0xC1F33DD8CE1D4CC613AF14DA9195C48241FBF7DD 0x95A9908DDFA16830BE9FB9003D30A3A9FF1360DC 0x7953AC1FBC3DC8B3B292393ED5E9E43F7DF9EE8C 0xA21FAB74B0088AA361152586B8EF1A6BA9DA2D5C 0xE5E52560DD91C556DDBDA5D02064C53641C25E5D 0xEFC0A467D613CB83C7ED6D30D894E2CE8B3D79F5"
 ENV OTP_VERSION 26.2.5
 # TODO add PGP checking when the feature will be added to Erlang/OTP's build system
 # https://erlang.org/pipermail/erlang-questions/2019-January/097067.html
 ENV OTP_SOURCE_SHA256="de155c4ad9baab2b9e6c96dbd03bf955575a04dd6feee9c08758beb28484c9f6"
 # install openssl & erlang to a path that isn't auto-checked for libs to prevent accidental use by system packages
 ENV ERLANG_INSTALL_PATH_PREFIX /opt/erlang
 ENV OPENSSL_INSTALL_PATH_PREFIX /opt/openssl
 # Install dependencies required to build Erlang/OTP from source
 # https://erlang.org/doc/installation_guide/INSTALL.html
 # dpkg-dev: Required to set up host & build type when compiling Erlang/OTP
 # gnupg: Required to verify OpenSSL artefacts
 # libncurses5-dev: Required for Erlang/OTP new shell & observer_cli - https://github.com/zhongwencool/observer_cli
 RUN set -eux; \
 	OPENSSL_SOURCE_URL="https://www.openssl.org/source/openssl-$OPENSSL_VERSION.tar.gz"; \
 	OPENSSL_PATH="/usr/local/src/openssl-$OPENSSL_VERSION"; \
 	OPENSSL_CONFIG_DIR="$OPENSSL_INSTALL_PATH_PREFIX/etc/ssl"; \
 	\
 # Required by the crypto & ssl Erlang/OTP applications
 	wget --progress dot:giga --output-document "$OPENSSL_PATH.tar.gz.asc" "$OPENSSL_SOURCE_URL.asc"; \
 	wget --progress dot:giga --output-document "$OPENSSL_PATH.tar.gz" "$OPENSSL_SOURCE_URL"; \
 	export GNUPGHOME="$(mktemp -d)"; \
 	for key in $OPENSSL_PGP_KEY_IDS; do \
 		gpg --batch --keyserver "$PGP_KEYSERVER" --recv-keys "$key"; \
 	done; \
 	gpg --batch --verify "$OPENSSL_PATH.tar.gz.asc" "$OPENSSL_PATH.tar.gz"; \
 	gpgconf --kill all; \
 	rm -rf "$GNUPGHOME"; \
 	echo "$OPENSSL_SOURCE_SHA256 *$OPENSSL_PATH.tar.gz" | sha256sum --check --strict -; \
 	mkdir -p "$OPENSSL_PATH"; \
 	tar --extract --file "$OPENSSL_PATH.tar.gz" --directory "$OPENSSL_PATH" --strip-components 1; \
 	\
 # Configure OpenSSL for compilation
 	cd "$OPENSSL_PATH"; \
 # without specifying "--libdir", Erlang will fail during "crypto:supports()" looking for a "pthread_atfork" function that doesn't exist (but only on arm32v7/armhf??)
 # OpenSSL's "config" script uses a lot of "uname"-based target detection...
 	dpkgArch="$(dpkg --print-architecture)"; dpkgArch="${dpkgArch##*-}"; \
 # https://deb.debian.org/debian/dists/unstable/main/
 	case "$dpkgArch" in \
 # https://github.com/openssl/openssl/blob/openssl-3.1.1/Configurations/10-main.conf#L860 (look for "linux-" and "linux64-" keys)
 		amd64) opensslMachine='linux-x86_64' ;; \
 		arm64) opensslMachine='linux-aarch64' ;; \
 # https://github.com/openssl/openssl/blob/openssl-3.1.1/Configurations/10-main.conf#L736-L766
 # https://wiki.debian.org/ArchitectureSpecificsMemo#Architecture_baselines
 # https://gcc.gnu.org/onlinedocs/gcc/ARM-Options.html
 		armhf) opensslMachine='linux-armv4'; opensslExtraConfig='-march=armv7-a+fp' ;; \
 		i386) opensslMachine='linux-x86' ;; \
 		ppc64el) opensslMachine='linux-ppc64le' ;; \
 		riscv64) opensslMachine='linux64-riscv64' ;; \
 		s390x) opensslMachine='linux64-s390x' ;; \
 		*) echo >&2 "error: unsupported arch: '$apkArch'"; exit 1 ;; \
 	esac; \
 	MACHINE="$opensslMachine" \
 	RELEASE="4.x.y-z" \
 	SYSTEM='Linux' \
 	BUILD='???' \
 	./Configure \
 		"$opensslMachine" \
 		enable-fips \
 		--prefix="$OPENSSL_INSTALL_PATH_PREFIX" \
 		--openssldir="$OPENSSL_CONFIG_DIR" \
 		--libdir="$OPENSSL_INSTALL_PATH_PREFIX/lib" \
 # add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure "$INSTALL_PATH_PREFIX/lib" is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364)
 		-Wl,-rpath="$OPENSSL_INSTALL_PATH_PREFIX/lib" \
 		${opensslExtraConfig:-} \
 	; \
-# Compile, install OpenSSL, verify that the command-line works & development headers are present
+	rm -rf /var/lib/apt/lists/*; \
-	make -j "$(getconf _NPROCESSORS_ONLN)"; \
+	apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false;
 	make install_sw install_ssldirs install_fips; \
 	ldconfig; \
 # use Debian's CA certificates
 	rmdir "$OPENSSL_CONFIG_DIR/certs" "$OPENSSL_CONFIG_DIR/private"; \
 	ln -sf /etc/ssl/certs /etc/ssl/private "$OPENSSL_CONFIG_DIR"
-# smoke test
+FROM base AS rabbitmq
 RUN $OPENSSL_INSTALL_PATH_PREFIX/bin/openssl version
-FROM openssl-builder as erlang-builder
+ENV RABBITMQ_DATA_DIR=/var/lib/rabbitmq
 ARG BUILDKIT_SBOM_SCAN_STAGE=true
 RUN set -eux; \
 	OTP_SOURCE_URL="https://github.com/erlang/otp/releases/download/OTP-$OTP_VERSION/otp_src_$OTP_VERSION.tar.gz"; \
 	OTP_PATH="/usr/local/src/otp-$OTP_VERSION"; \
 	\
 # Download, verify & extract OTP_SOURCE
 	mkdir -p "$OTP_PATH"; \
 	wget --progress dot:giga --output-document "$OTP_PATH.tar.gz" "$OTP_SOURCE_URL"; \
 	echo "$OTP_SOURCE_SHA256 *$OTP_PATH.tar.gz" | sha256sum --check --strict -; \
 	tar --extract --file "$OTP_PATH.tar.gz" --directory "$OTP_PATH" --strip-components 1; \
 	\
 # Configure Erlang/OTP for compilation, disable unused features & applications
 # https://erlang.org/doc/applications.html
 # ERL_TOP is required for Erlang/OTP makefiles to find the absolute path for the installation
 	cd "$OTP_PATH"; \
 	export ERL_TOP="$OTP_PATH"; \
 	CFLAGS="$(dpkg-buildflags --get CFLAGS)"; export CFLAGS; \
 # add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure "$OPENSSL_INSTALL_PATH_PREFIX/lib" is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364)
 	export CFLAGS="$CFLAGS -Wl,-rpath=$OPENSSL_INSTALL_PATH_PREFIX/lib"; \
 	hostArch="$(dpkg-architecture --query DEB_HOST_GNU_TYPE)"; \
 	buildArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"; \
 	dpkgArch="$(dpkg --print-architecture)"; dpkgArch="${dpkgArch##*-}"; \
 # JIT is only supported on amd64 + arm64; https://github.com/erlang/otp/blob/OTP-25.3.2.2/erts/configure#L24306-L24347
 	jitFlag=; \
 	case "$dpkgArch" in \
 		amd64 | arm64) jitFlag='--enable-jit' ;; \
 	esac; \
 	./configure \
 		--prefix="$ERLANG_INSTALL_PATH_PREFIX" \
 		--host="$hostArch" \
 		--build="$buildArch" \
 		--disable-sctp \
 		--disable-silent-rules \
 		--enable-builtin-zlib \
 		--enable-clock-gettime \
 		--enable-hybrid-heap \
 		--enable-kernel-poll \
 		--enable-smp-support \
 		--enable-threads \
 		--with-microstate-accounting=extra \
 		--with-ssl="$OPENSSL_INSTALL_PATH_PREFIX" \
 		--without-common_test \
 		--without-debugger \
 		--without-dialyzer \
 		--without-diameter \
 		--without-edoc \
 		--without-erl_docgen \
 		--without-et \
 		--without-eunit \
 		--without-ftp \
 		--without-jinterface \
 		--without-megaco \
 		--without-observer \
 		--without-odbc \
 		--without-reltool \
 		--without-ssh \
 		--without-tftp \
 		--without-wx \
 		$jitFlag \
 	; \
 	\
 # Compile & install Erlang/OTP
 	make -j "$(getconf _NPROCESSORS_ONLN)" GEN_OPT_FLGS="-O2 -fno-strict-aliasing"; \
 	make install; \
 	\
 # Remove unnecessary files
 	find "$ERLANG_INSTALL_PATH_PREFIX/lib/erlang" -type d -name examples -exec rm -rf '{}' +; \
 	find "$ERLANG_INSTALL_PATH_PREFIX/lib/erlang" -type d -name src -exec rm -rf '{}' +; \
 	find "$ERLANG_INSTALL_PATH_PREFIX/lib/erlang" -type d -name include -exec rm -rf '{}' +
 # Check that Erlang/OTP crypto & ssl were compiled against OpenSSL correctly
 ENV PATH $ERLANG_INSTALL_PATH_PREFIX/bin:$PATH
 RUN find $ERLANG_INSTALL_PATH_PREFIX -type f -name 'crypto.so' -exec ldd {} \; | awk '/libcrypto\.so/ { if (!index($3,ENVIRON["OPENSSL_INSTALL_PATH_PREFIX"])) exit 1 }'
 RUN erl -noshell -eval 'ok = crypto:start(), ok = io:format("~p~n~n~p~n~n", [crypto:supports(), ssl:versions()]), init:stop().'
 FROM ubuntu:22.04
 # OPENSSL/ERLANG_INSTALL_PATH_PREFIX are defined in a different stage, so define them again
 ENV ERLANG_INSTALL_PATH_PREFIX /opt/erlang
 ENV OPENSSL_INSTALL_PATH_PREFIX /opt/openssl
 COPY --from=erlang-builder $ERLANG_INSTALL_PATH_PREFIX $ERLANG_INSTALL_PATH_PREFIX
 RUN echo '{"spdxVersion":"SPDX-2.3","SPDXID":"SPDXRef-DOCUMENT","name":"erlang-sbom","packages":[{"name":"erlang","versionInfo":"26.2.2","SPDXID":"SPDXRef-Package--erlang","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:generic/erlang@26.2.2?os_name=ubuntu&os_version=22.04"}],"licenseDeclared":"Apache-2.0"}]}' > $ERLANG_INSTALL_PATH_PREFIX/erlang.spdx.json
 COPY --from=openssl-builder $OPENSSL_INSTALL_PATH_PREFIX $OPENSSL_INSTALL_PATH_PREFIX
 RUN echo '{"spdxVersion":"SPDX-2.3","SPDXID":"SPDXRef-DOCUMENT","name":"openssl-sbom","packages":[{"name":"openssl","versionInfo":"3.1.5","SPDXID":"SPDXRef-Package--openssl","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:generic/openssl@3.1.5?os_name=ubuntu&os_version=22.04"}],"licenseDeclared":"Apache-2.0"}]}' > $OPENSSL_INSTALL_PATH_PREFIX/openssl.spdx.json
 ENV PATH $ERLANG_INSTALL_PATH_PREFIX/bin:$OPENSSL_INSTALL_PATH_PREFIX/bin:$PATH
 ENV RABBITMQ_DATA_DIR /var/lib/rabbitmq
 RUN set -eux; \
 # Configure OpenSSL to use system certs
 	ln -vsf /etc/ssl/certs /etc/ssl/private "$OPENSSL_INSTALL_PATH_PREFIX/etc/ssl"; \
 	\
 # Check that OpenSSL still works after copying from previous builder
 	ldconfig; \
 	sed -i.ORIG -e "/\.include.*fips/ s!.*!.include $OPENSSL_INSTALL_PATH_PREFIX/etc/ssl/fipsmodule.cnf!" \
 		-e '/# fips =/s/.*/fips = fips_sect/' "$OPENSSL_INSTALL_PATH_PREFIX/etc/ssl/openssl.cnf"; \
 	sed -i.ORIG -e '/^activate/s/^/#/' "$OPENSSL_INSTALL_PATH_PREFIX/etc/ssl/fipsmodule.cnf"; \
 	[ "$(command -v openssl)" = "$OPENSSL_INSTALL_PATH_PREFIX/bin/openssl" ]; \
 	openssl version; \
 	openssl version -d; \
 	\
 # Check that Erlang/OTP crypto & ssl were compiled against OpenSSL correctly
 	erl -noshell -eval 'ok = crypto:start(), ok = io:format("~p~n~n~p~n~n", [crypto:supports(), ssl:versions()]), init:stop().'; \
 	\
 # Create rabbitmq system user & group, fix permissions & allow root user to connect to the RabbitMQ Erlang VM
-	groupadd --gid 999 --system rabbitmq; \
+	groupadd --system rabbitmq; \
 	useradd --uid 999 --system --home-dir "$RABBITMQ_DATA_DIR" --gid rabbitmq rabbitmq; \
 	mkdir -p "$RABBITMQ_DATA_DIR" /etc/rabbitmq /etc/rabbitmq/conf.d /tmp/rabbitmq-ssl /var/log/rabbitmq; \
 	chown -fR rabbitmq:rabbitmq "$RABBITMQ_DATA_DIR" /etc/rabbitmq /etc/rabbitmq/conf.d /tmp/rabbitmq-ssl /var/log/rabbitmq; \
@ -232,38 +32,15 @@ RUN set -eux; \
 # Use the latest stable RabbitMQ release (https://www.rabbitmq.com/download.html)
 ARG RABBITMQ_VERSION=4.0.0
 ENV RABBITMQ_VERSION=${RABBITMQ_VERSION}
-ENV RABBITMQ_HOME /opt/rabbitmq
+ENV RABBITMQ_HOME=/opt/rabbitmq
 # Add RabbitMQ to PATH
-ENV PATH $RABBITMQ_HOME/sbin:$PATH
+ENV PATH=$RABBITMQ_HOME/sbin:$PATH
 COPY package-generic-unix.tar.xz /usr/local/src/rabbitmq-$RABBITMQ_VERSION.tar.xz
 # Install RabbitMQ
 RUN set -eux; \
 	export DEBIAN_FRONTEND=noninteractive; \
 	apt-get update; \
 	apt-get install --yes --no-install-recommends \
 		ca-certificates \
 # grab gosu for easy step-down from root
 		gosu \
 # Bring in tzdata so users could set the timezones through the environment
 		tzdata \
 	; \
 # verify that the "gosu" binary works
 	gosu nobody true; \
 	\
 	savedAptMark="$(apt-mark showmanual)"; \
 	apt-get install --yes --no-install-recommends \
 		gnupg \
 		wget \
 		xz-utils \
 	; \
 	rm -rf /var/lib/apt/lists/*; \
 	\
 	RABBITMQ_SOURCE_URL="https://github.com/rabbitmq/rabbitmq-server/releases/download/v$RABBITMQ_VERSION/rabbitmq-server-generic-unix-latest-toolchain-$RABBITMQ_VERSION.tar.xz"; \
 	RABBITMQ_PATH="/usr/local/src/rabbitmq-$RABBITMQ_VERSION"; \
 	\
 	mkdir -p "$RABBITMQ_HOME"; \
 	tar --extract --file "$RABBITMQ_PATH.tar.xz" --directory "$RABBITMQ_HOME" --strip-components 1; \
 	rm -rf "$RABBITMQ_PATH"*; \
@ -271,60 +48,22 @@ RUN set -eux; \
 	grep -qE '^SYS_PREFIX=\$\{RABBITMQ_HOME\}$' "$RABBITMQ_HOME/sbin/rabbitmq-defaults"; \
 	sed -i 's/^SYS_PREFIX=.*$/SYS_PREFIX=/' "$RABBITMQ_HOME/sbin/rabbitmq-defaults"; \
 	grep -qE '^SYS_PREFIX=$' "$RABBITMQ_HOME/sbin/rabbitmq-defaults"; \
-	chown -R rabbitmq:rabbitmq "$RABBITMQ_HOME"; \
+	chown -R rabbitmq:rabbitmq "$RABBITMQ_HOME";
 	\
 	apt-mark auto '.*' > /dev/null; \
 	apt-mark manual $savedAptMark; \
 	apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \
 	\
 # verify assumption of no stale cookies
 	[ ! -e "$RABBITMQ_DATA_DIR/.erlang.cookie" ]; \
 # Ensure RabbitMQ was installed correctly by running a few commands that do not depend on a running server, as the rabbitmq user
 # If they all succeed, it's safe to assume that things have been set up correctly
 	gosu rabbitmq rabbitmqctl help; \
 	gosu rabbitmq rabbitmqctl list_ciphers; \
 	gosu rabbitmq rabbitmq-plugins list; \
 # no stale cookies
 	rm "$RABBITMQ_DATA_DIR/.erlang.cookie"; \
 	\
 	echo '{"spdxVersion":"SPDX-2.3","SPDXID":"SPDXRef-DOCUMENT","name":"rabbitmq-sbom","packages":[{"name":"rabbitmq","versionInfo":"4.0.0","SPDXID":"SPDXRef-Package--rabbitmq","externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl","referenceLocator":"pkg:generic/rabbitmq@4.0.0?os_name=ubuntu&os_version=22.04"}],"licenseDeclared":"MPL-2.0 AND Apache-2.0"}]}' > $RABBITMQ_HOME/rabbitmq.spdx.json
 # Enable Prometheus-style metrics by default (https://github.com/docker-library/rabbitmq/issues/419)
 RUN gosu rabbitmq rabbitmq-plugins enable --offline rabbitmq_prometheus
 # Added for backwards compatibility - users can simply COPY custom plugins to /plugins
 RUN ln -sf /opt/rabbitmq/plugins /plugins
 # set home so that any `--user` knows where to put the erlang cookie
-ENV HOME $RABBITMQ_DATA_DIR
+ENV HOME=$RABBITMQ_DATA_DIR
 # Hint that the data (a.k.a. home dir) dir should be separate volume
 VOLUME $RABBITMQ_DATA_DIR
 # warning: the VM is running with native name encoding of latin1 which may cause Elixir to malfunction as it expects utf8. Please ensure your locale is set to UTF-8 (which can be verified by running "locale" in your shell)
 # Setting all environment variables that control language preferences, behaviour differs - https://www.gnu.org/software/gettext/manual/html_node/The-LANGUAGE-variable.html#The-LANGUAGE-variable
 # https://docs.docker.com/samples/library/ubuntu/#locales
-ENV LANG=C.UTF-8 LANGUAGE=C.UTF-8 LC_ALL=C.UTF-8
+ENV LANG=C.UTF-8
 ENV LANGUAGE=C.UTF-8
 ENV LC_ALL=C.UTF-8
 COPY --chown=rabbitmq:rabbitmq 10-defaults.conf 20-management_agent.disable_metrics_collector.conf /etc/rabbitmq/conf.d/
 COPY docker-entrypoint.sh /usr/local/bin/
 ENTRYPOINT ["docker-entrypoint.sh"]
 EXPOSE 4369 5671 5672 15691 15692 25672
 CMD ["rabbitmq-server"]
 RUN set eux; \
 	rabbitmq-plugins enable --offline rabbitmq_management; \
 # make sure the metrics collector is re-enabled (disabled in the base image for Prometheus-style metrics by default)
 	rm -f /etc/rabbitmq/conf.d/20-management_agent.disable_metrics_collector.conf; \
 # grab "rabbitmqadmin" from inside the "rabbitmq_management-X.Y.Z" plugin folder
 # see https://github.com/docker-library/rabbitmq/issues/207
 	cp /plugins/rabbitmq_management-*/priv/www/cli/rabbitmqadmin /usr/local/bin/rabbitmqadmin; \
 	[ -s /usr/local/bin/rabbitmqadmin ]; \
 	chmod +x /usr/local/bin/rabbitmqadmin; \
 	apt-get update; \
 	apt-get install -y --no-install-recommends python3; \
 	rm -rf /var/lib/apt/lists/*; \
 	rabbitmqadmin --version
 EXPOSE 15671 15672