From e8c0a7b02d646954665e809a4a162732e8007d5d Mon Sep 17 00:00:00 2001
From: Jakub Nyckowski
Date: Wed, 31 May 2023 14:31:03 -0400
Subject: [PATCH 1/4] Move Connect build to a new Docker container
---
 build.assets/Dockerfile-connect | 43 +++++++++++++++++++++++++++++++++
 build.assets/Makefile | 21 ++++++++++++++--
 build.assets/images.mk | 1 +
 3 files changed, 63 insertions(+), 2 deletions(-)
 create mode 100644 build.assets/Dockerfile-connect
diff --git a/build.assets/Dockerfile-connect b/build.assets/Dockerfile-connect
new file mode 100644
index 000000000000..4d8780ce27f2
--- /dev/null
+++ b/build.assets/Dockerfile-connect
@@ -0,0 +1,43 @@
+# This Dockerfile makes the "build box connect" the container used to:
+# * build Teleport Connect
+#
+# Check the README to learn how to safely introduce changes to Dockerfiles.
+
+## BUILDBOX-CONNECT ###################################################################
+
+ARG NODE_VERSION
+FROM node:${NODE_VERSION} AS buildbox
+
+COPY locale.gen /etc/locale.gen
+COPY profile /etc/profile
+ENV LANGUAGE="en_US.UTF-8" \
+ LANG="en_US.UTF-8" \
+ LC_ALL="en_US.UTF-8" \
+ LC_CTYPE="en_US.UTF-8" \
+ DEBIAN_FRONTEND="noninteractive"
+
+# Install packages.
+RUN apt-get -y update && \
+ apt-get -y install software-properties-common && \
+ apt-get install -q -y --no-install-recommends \
+ apt-utils \
+ build-essential \
+ ca-certificates \
+ git \
+ libc6-dev \
+ libssl-dev \
+ locales \
+ openssh-client \
+ python3-pip \
+ python3-setuptools \
+ python3-wheel \
+ pkg-config \
+ # Used during tag builds to build the RPM package of Connect.
+ rpm \
+ && \
+ dpkg-reconfigure locales && \
+ apt-get -y clean && \
+ rm -rf /var/lib/apt/lists/*
+
+# Do not create the ci user as we do on other images, as node image
+# already has node user with UID:GID 1000:1000 user.
diff --git a/build.assets/Makefile b/build.assets/Makefile
index e11081270146..9556d9c119d7 100644
--- a/build.assets/Makefile
+++ b/build.assets/Makefile
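Review bot: `FROM node:${NODE_VERSION}` takes the base image by a mutable tag and `ARG NODE_VERSION` has no default, so the contents of the build box depend on whatever the registry serves for that tag at build time and on the caller always passing the argument. Pinning by digest (`FROM node:${NODE_VERSION}@sha256:<digest>`) or recording the expected digest next to the version would make the image reproducible and auditable. The closing comment says the `node` user already exists, but the file never switches to it, so a container started without `-u` runs as root; ending the file with `USER node` would make the non-root default explicit.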
@@ -233,12 +233,29 @@ ifeq ($(CONNECT_VERSION),) CONNECT_VERSION := $(BUILDBOX_VERSION)-dev endif +# +# Builds a Docker buildbox for Linux Connect builds +# +.PHONY:buildbox-connect +buildbox-connect: + if [[ $${DRONE} == "true" ]] && ! docker inspect --type=image $(BUILDBOX_CONNECT) 2>&1 >/dev/null; then docker pull $(BUILDBOX_CONNECT) || true; fi; \ + DOCKER_BUILDKIT=1 docker build --platform=linux/$(RUNTIME_ARCH) \ + --build-arg UID=$(UID) \ + --build-arg GID=$(GID) \ + --build-arg BUILDARCH=$(RUNTIME_ARCH) \ + --build-arg NODE_VERSION=$(NODE_VERSION) \ + --build-arg NODE_GRPC_TOOLS_VERSION=$(NODE_GRPC_TOOLS_VERSION) \ + --build-arg NODE_PROTOC_TS_VERSION=$(NODE_PROTOC_TS_VERSION) \ + --build-arg PROTOC_VER=$(PROTOC_VER) \ + --cache-from $(BUILDBOX_CONNECT) \ + --tag $(BUILDBOX_CONNECT) -f Dockerfile-connect . ; + # # Builds Teleport Connect inside the buildbox container. # .PHONY:teleterm -teleterm: buildbox - docker run $(DOCKERFLAGS) $(NOROOT) $(BUILDBOX) \ +teleterm: buildbox-connect + docker run $(DOCKERFLAGS) $(NOROOT) $(BUILDBOX_CONNECT) \ bash -c "cd $(SRCDIR) && export CONNECT_TSH_BIN_PATH=\$$PWD/../teleport/build/tsh && yarn install --frozen-lockfile && yarn build-term && yarn package-term -c.extraMetadata.version=$(CONNECT_VERSION)" # Builds webassets inside Docker. diff --git a/build.assets/images.mk b/build.assets/images.mk index 6f165efde644..bc45106a60a3 100644 --- a/build.assets/images.mk +++ b/build.assets/images.mk @@ -12,6 +12,7 @@ BUILDBOX_CENTOS7_FIPS=$(BUILDBOX_BASE_NAME)-centos7-fips:$(BUILDBOX_VERSION) BUILDBOX_ARM=$(BUILDBOX_BASE_NAME)-arm:$(BUILDBOX_VERSION) BUILDBOX_ARM_FIPS=$(BUILDBOX_BASE_NAME)-arm-fips:$(BUILDBOX_VERSION) BUILDBOX_UI=$(BUILDBOX_BASE_NAME)-ui:$(BUILDBOX_VERSION) +BUILDBOX_CONNECT=$(BUILDBOX_BASE_NAME)-connect:$(BUILDBOX_VERSION) BUILDBOX_CENTOS7_ASSETS=$(BUILDBOX_BASE_NAME)-centos7-assets:$(BUILDBOX_VERSION) .PHONY:show-buildbox-base-image From 3a136ffe85f844bf08d6d60249b2a94021207a7e Mon Sep 17 00:00:00 2001 
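Review bot: The `docker inspect` probe on the first recipe line of `buildbox-connect` uses `2>&1 >/dev/null`, which discards stdout but still sends stderr to the build log; if a silent existence check is intended, the order should be `>/dev/null 2>&1`. The `docker pull $(BUILDBOX_CONNECT) || true` that follows lets a failed pull in CI fall through to an uncached build with no message, and whatever image was pulled is then reused via `--cache-from` without any check, so a short comment stating that the registry image is a trusted cache source would help. `[[ ... ]]` needs bash; the `SHELL` setting is outside this hunk, so confirm it is set for this Makefile.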
From: Jakub Nyckowski Date: Thu, 1 Jun 2023 03:06:17 -0400 Subject: [PATCH 2/4] Update comments --- build.assets/Dockerfile | 4 ---- build.assets/Dockerfile-connect | 8 ++++++-- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/build.assets/Dockerfile b/build.assets/Dockerfile index 7fb2a7aa5028..e3fcb361af38 100644 --- a/build.assets/Dockerfile +++ b/build.assets/Dockerfile @@ -1,14 +1,10 @@ # This Dockerfile makes the "build box" the container used to: -# * build Teleport Connect # * run test and linters in CI # * building other Docker images # # For Teleport releases we're using CentOS 7 box to keep the binaries compatible # with older Linux distributions (glibc 2.17+). # -# This image uses Ubuntu 20.04 as a base as Connect links against glibc and -# we want to keep the required version as low as possible. -# # Check the README to learn how to safely introduce changes to Dockerfiles. ## LIBFIDO2 ################################################################### diff --git a/build.assets/Dockerfile-connect b/build.assets/Dockerfile-connect index 4d8780ce27f2..5eb8e5ed6f04 100644 --- a/build.assets/Dockerfile-connect +++ b/build.assets/Dockerfile-connect @@ -1,5 +1,9 @@ -# This Dockerfile makes the "build box connect" the container used to: -# * build Teleport Connect +# This Dockerfile makes the "build box connect" the container used +# to build the Teleport Connect. +# +# This image is base on the node image, which is based on Debian. +# Using it as a image allows us to link agains the same version of +# glibc as Node.js. # # Check the README to learn how to safely introduce changes to Dockerfiles. From 54cc7acb8acdc42a7df274bb6d3f0e93decebffa Mon Sep 17 00:00:00 2001 From: Jakub Nyckowski Date: Thu, 1 Jun 2023 11:54:33 -0400 Subject: [PATCH 3/4] Update comments Remove unused packages and unused arguments --- build.assets/Dockerfile-connect | 9 ++++----- build.assets/Makefile | 8 +------- 2 files changed, 5 insertions(+), 12 deletions(-) 
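Review bot: The new header comment in Dockerfile-connect has three typos, "is base on", "as a image" and "agains", and the first hunk of the next patch in the series keeps them. Suggested wording: `# This image is based on the node image, which is based on Debian.` followed by `# Using it as the base image allows us to link against the same version of glibc as Node.js.`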
diff --git a/build.assets/Dockerfile-connect b/build.assets/Dockerfile-connect index 5eb8e5ed6f04..a6235025814f 100644 --- a/build.assets/Dockerfile-connect +++ b/build.assets/Dockerfile-connect @@ -1,7 +1,7 @@ # This Dockerfile makes the "build box connect" the container used # to build the Teleport Connect. # -# This image is base on the node image, which is based on Debian. +# This image is base on the node image, which is based on Debian Buster. # Using it as a image allows us to link agains the same version of # glibc as Node.js. # @@ -9,8 +9,9 @@ ## BUILDBOX-CONNECT ################################################################### +# Pin the tag to Debian Buster to make sure the Glibc compatibility. ARG NODE_VERSION -FROM node:${NODE_VERSION} AS buildbox +FROM node:${NODE_VERSION}-buster AS buildbox COPY locale.gen /etc/locale.gen COPY profile /etc/profile @@ -22,9 +23,7 @@ ENV LANGUAGE="en_US.UTF-8" \ # Install packages. RUN apt-get -y update && \ - apt-get -y install software-properties-common && \ apt-get install -q -y --no-install-recommends \ - apt-utils \ build-essential \ ca-certificates \ git \ @@ -32,10 +31,10 @@ RUN apt-get -y update && \ libssl-dev \ locales \ openssh-client \ + pkg-config \ python3-pip \ python3-setuptools \ python3-wheel \ - pkg-config \ # Used during tag builds to build the RPM package of Connect. rpm \ && \ diff --git a/build.assets/Makefile b/build.assets/Makefile index 9556d9c119d7..b1abbcbacac9 100644 --- a/build.assets/Makefile +++ b/build.assets/Makefile 
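Review bot: Pinning `FROM node:${NODE_VERSION}-buster` ties the build box to an old Debian release for glibc compatibility, which also ties every package installed by the `apt-get install` step to that release's security-update window. The comment added above `ARG NODE_VERSION` should name the glibc version being targeted and say that the base has to be revisited once Buster stops receiving security updates, for example `# Pin to Debian Buster for glibc compatibility; revisit when Buster security support ends.`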
@@ -239,14 +239,8 @@ endif .PHONY:buildbox-connect buildbox-connect: if [[ $${DRONE} == "true" ]] && ! docker inspect --type=image $(BUILDBOX_CONNECT) 2>&1 >/dev/null; then docker pull $(BUILDBOX_CONNECT) || true; fi; \ - DOCKER_BUILDKIT=1 docker build --platform=linux/$(RUNTIME_ARCH) \ - --build-arg UID=$(UID) \ - --build-arg GID=$(GID) \ - --build-arg BUILDARCH=$(RUNTIME_ARCH) \ + DOCKER_BUILDKIT=1 docker build \ --build-arg NODE_VERSION=$(NODE_VERSION) \ - --build-arg NODE_GRPC_TOOLS_VERSION=$(NODE_GRPC_TOOLS_VERSION) \ - --build-arg NODE_PROTOC_TS_VERSION=$(NODE_PROTOC_TS_VERSION) \ - --build-arg PROTOC_VER=$(PROTOC_VER) \ --cache-from $(BUILDBOX_CONNECT) \ --tag $(BUILDBOX_CONNECT) -f Dockerfile-connect . ; From 84e2ccf24b917f790158c8b086e1464d0a66e5d0 Mon Sep 17 00:00:00 2001 From: Jakub Nyckowski Date: Tue, 6 Jun 2023 02:36:19 -0400 Subject: [PATCH 4/4] Always use UID=1000 for building teleterm. --- build.assets/Makefile | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/build.assets/Makefile b/build.assets/Makefile index b1abbcbacac9..f3495391ca59 100644 --- a/build.assets/Makefile +++ b/build.assets/Makefile @@ -249,7 +249,8 @@ buildbox-connect: # .PHONY:teleterm teleterm: buildbox-connect - docker run $(DOCKERFLAGS) $(NOROOT) $(BUILDBOX_CONNECT) \ + # Always run this image as user 1000, as the Node base image assumes that. + docker run $(DOCKERFLAGS) -u 1000:1000 $(BUILDBOX_CONNECT) \ bash -c "cd $(SRCDIR) && export CONNECT_TSH_BIN_PATH=\$$PWD/../teleport/build/tsh && yarn install --frozen-lockfile && yarn build-term && yarn package-term -c.extraMetadata.version=$(CONNECT_VERSION)" # Builds webassets inside Docker.
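Review bot: Dropping `--platform=linux/$(RUNTIME_ARCH)` from the `docker build` line is a behaviour change, not only a removal of unused arguments: the image is now built for the Docker daemon's default platform. If `RUNTIME_ARCH` can differ from the host architecture (its definition is outside this hunk), keep the flag, `DOCKER_BUILDKIT=1 docker build --platform=linux/$(RUNTIME_ARCH) \`; otherwise the commit message should state that the Connect build box is host-architecture only.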
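Review bot: The added comment line sits inside the `teleterm` recipe, so if it is tab-indented like the `docker run` line below it, make passes it to the shell and echoes it on every run; placing it above the `teleterm: buildbox-connect` line keeps it a Makefile comment. Hard-coding `-u 1000:1000` keeps the container non-root, but on a host where the checkout is not owned by UID 1000 the mounted source tree may be unwritable or end up with files owned by a different user (the mount flags are in `$(DOCKERFLAGS)`, not shown here). The comment should state that assumption, for example `# Runs as 1000:1000 (the node user); the mounted source tree must be writable by that UID.`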