mviereck / dockerfile-x11docker-deepin

3D desktop deepin from China

Building the deepin apricot docker image in an elegant way. #25

Closed hongyi-zhao closed 3 years ago

hongyi-zhao commented 3 years ago

Deepin has just released the latest version, codenamed apricot. So I tried to build the docker image for this release from scratch using the following Dockerfile.

#https://github.com/bestwu/docker-deepin/blob/master/amd64/Dockerfile
FROM debian

ENV DEBIAN_FRONTEND=noninteractive

COPY stable /usr/share/debootstrap/scripts/apricot
COPY deepin-archive-keyring.gpg /usr/share/keyrings/deepin-archive-keyring.gpg
COPY deepin-pools-keyring.gpg /root/deepin-pools-keyring.gpg
RUN apt-get update && apt-get install -y debootstrap && \
    debootstrap --variant=minbase --no-check-gpg --arch=amd64 apricot rootfs http://community-packages.deepin.com/deepin/ && \
    cp /usr/share/keyrings/deepin-archive-keyring.gpg rootfs/etc/apt/trusted.gpg.d/ && \
    cp /root/deepin-pools-keyring.gpg rootfs/etc/apt/trusted.gpg.d/ && \
    chroot ./rootfs apt-get autoclean && \
    chroot ./rootfs apt-get clean

FROM scratch
LABEL maintainer='Hongyi Zhao <hongyi.zhao@gmail.com>'
COPY --from=0 /rootfs /

ENV TERM=xterm \
    DEBIAN_FRONTEND=noninteractive \
    LANG=en_US.utf8 \
    PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games:/sbin:/usr/sbin

RUN rm /bin/sh && \
    ln -s /bin/bash /bin/sh && \
    sed -i "s/mesg n/tty -s \&\& mesg n/" /root/.profile && \
    apt-get update && \
    apt --fix-broken -y install && \
    apt-get -y autoremove --purge && apt-get autoclean -y && apt-get clean -y

#CMD ["/bin/bash"]

ENV LANG en_US.utf8
ENV PATH /usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin:/usr/local/games:/usr/games

# choose a mirror
RUN echo "deb http://community-packages.deepin.com/deepin/ apricot main non-free contrib" > /etc/apt/sources.list

# basics
RUN rm -rf /var/lib/apt/lists/* && \
    apt-get clean && \
    apt-get update && \
    apt-mark hold iptables && \
    apt-get dist-upgrade -y && \
    apt-get -y autoremove && \
    apt-get clean && \
env DEBIAN_FRONTEND=noninteractive apt-get install -y \
    dbus-x11 \
    libxv1 \
    locales-all \
    mesa-utils \
    mesa-utils-extra \
    procps \
    psmisc

# deepin desktop
RUN env DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
    dde \
    at-spi2-core \
    gnome-themes-standard \
    gtk2-engines-murrine \
    gtk2-engines-pixbuf \
    pciutils

# additional applications
RUN env DEBIAN_FRONTEND=noninteractive apt-get install -y \
    deepin-calculator \
    deepin-image-viewer \
    deepin-screenshot \
    deepin-system-monitor \
    deepin-terminal \
    deepin-movie \
    gedit \
    oneko \
    sudo \
    synaptic \
    apt-transport-https

# chinese fonts
RUN env DEBIAN_FRONTEND=noninteractive apt-get install -y \
    xfonts-wqy fonts-wqy-microhei fonts-wqy-zenhei

But I can't succeed. See below for the detailed error messages.

$ docker build --network host -f Dockerfiles/apricot . -t hongyi-zhao/deepin-apricot
Sending build context to Docker daemon  33.79kB
Step 1/18 : FROM debian
 ---> 1510e8501783
Step 2/18 : ENV DEBIAN_FRONTEND=noninteractive
 ---> Using cache
 ---> a4e0f4317265
Step 3/18 : COPY stable /usr/share/debootstrap/scripts/apricot
 ---> Using cache
 ---> aba183a348b5
Step 4/18 : COPY deepin-archive-keyring.gpg /usr/share/keyrings/deepin-archive-keyring.gpg
 ---> Using cache
 ---> aeb2d53ce429
Step 5/18 : COPY deepin-pools-keyring.gpg /root/deepin-pools-keyring.gpg
 ---> Using cache
 ---> 7a0c347b6974
Step 6/18 : RUN apt-get update && apt-get install -y debootstrap &&     debootstrap --variant=minbase --no-check-gpg --arch=amd64 apricot rootfs http://community-packages.deepin.com/deepin/ &&     cp /usr/share/keyrings/deepin-archive-keyring.gpg rootfs/etc/apt/trusted.gpg.d/ &&     cp /root/deepin-pools-keyring.gpg rootfs/etc/apt/trusted.gpg.d/ &&     chroot ./rootfs apt-get autoclean &&     chroot ./rootfs apt-get clean
 ---> Using cache
 ---> 860074a5eade
Step 7/18 : FROM scratch
 ---> 
Step 8/18 : LABEL maintainer='Hongyi Zhao <hongyi.zhao@gmail.com>'
 ---> Using cache
 ---> a4ef154ea578
Step 9/18 : COPY --from=0 /rootfs /
 ---> Using cache
 ---> 2adb0add1c02
Step 10/18 : ENV TERM=xterm     DEBIAN_FRONTEND=noninteractive     LANG=en_US.utf8     PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games:/sbin:/usr/sbin
 ---> Using cache
 ---> e38f4e44bd99
Step 11/18 : RUN rm /bin/sh &&     ln -s /bin/bash /bin/sh &&     sed -i "s/mesg n/tty -s \&\& mesg n/" /root/.profile &&     apt-get update &&     apt --fix-broken -y install &&     apt-get -y autoremove --purge && apt-get autoclean -y && apt-get clean -y
 ---> Running in 501cb2d0a19e
Ign:1 https://community-packages.deepin.com/deepin apricot InRelease
Err:2 https://community-packages.deepin.com/deepin apricot Release
  Certificate verification failed: The certificate is NOT trusted. The certificate issuer is unknown.  Could not handshake: Error in the certificate verification. [IP: 172.17.0.1 8080]
Reading package lists...
W: http://community-packages.deepin.com/deepin/dists/apricot/InRelease: No system certificates available. Try installing ca-certificates.
W: http://community-packages.deepin.com/deepin/dists/apricot/Release: No system certificates available. Try installing ca-certificates.
E: The repository 'http://community-packages.deepin.com/deepin apricot Release' no longer has a Release file.
The command '/bin/sh -c rm /bin/sh &&     ln -s /bin/bash /bin/sh &&     sed -i "s/mesg n/tty -s \&\& mesg n/" /root/.profile &&     apt-get update &&     apt --fix-broken -y install &&     apt-get -y autoremove --purge && apt-get autoclean -y && apt-get clean -y' returned a non-zero code: 100

Any hints for fixing this problem?

Regards, HY

mviereck commented 3 years ago

Likely these files need an update:

COPY deepin-archive-keyring.gpg /usr/share/keyrings/deepin-archive-keyring.gpg
COPY deepin-pools-keyring.gpg /root/deepin-pools-keyring.gpg

Instead of using COPY it would be more elegant to download them in the "debian" part of the Dockerfile. Though, i am not sure where to get the files. Somewhere from a deepin repository? On the other hand, I could assume there are already valid keyring files in the system downloaded by debootstrap. Maybe it works to drop all COPY and cp commands that affect the keyring files.

hongyi-zhao commented 3 years ago

COPY deepin-archive-keyring.gpg /usr/share/keyrings/deepin-archive-keyring.gpg
COPY deepin-pools-keyring.gpg /root/deepin-pools-keyring.gpg

Considering that the target filenames are the same as the source files, can I write these commands like the following?:

COPY deepin-archive-keyring.gpg /usr/share/keyrings/
COPY deepin-pools-keyring.gpg /root/

Maybe it works to drop all COPY and cp commands that affect the keyring files.

Very good. I deleted all COPY and cp commands that affect the keyring files and imported the public key in the Dockerfile as shown below:

FROM debian

ENV DEBIAN_FRONTEND=noninteractive

COPY stable /usr/share/debootstrap/scripts/apricot
RUN apt-get update && apt-get install -y debootstrap && \
    debootstrap --variant=minbase --no-check-gpg --arch=amd64 apricot rootfs http://mirrors.ustc.edu.cn/deepin/

FROM scratch
LABEL maintainer='Hongyi Zhao <hongyi.zhao@gmail.com>'
COPY --from=0 /rootfs /

ENV TERM=xterm \
    DEBIAN_FRONTEND=noninteractive \
    LANG=en_US.utf8 \
    PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games:/sbin:/usr/sbin

RUN rm /bin/sh && \
    ln -s /bin/bash /bin/sh && \
    sed -i "s/mesg n/tty -s \&\& mesg n/" /root/.profile && \
    apt-get update && \
    apt --fix-broken -y install && \
    apt-get -y autoremove --purge && apt-get autoclean -y && apt-get clean -y

#CMD ["/bin/bash"]

ENV LANG en_US.utf8
ENV PATH /usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin:/usr/local/games:/usr/games

# choose a mirror
RUN echo "deb http://mirrors.ustc.edu.cn/deepin/ apricot main non-free contrib" > /etc/apt/sources.list

# basics
RUN rm -rf /var/lib/apt/lists/* && \
    apt-get clean && \
    apt-get update && \
    apt-get install gnupg && \
    apt-key adv --keyserver keys.gnupg.net --recv-keys 425956BB3E31DF51 && \
    apt-get -y autoremove && \
    apt-get clean && \
env DEBIAN_FRONTEND=noninteractive apt-get install -y \
    dbus-x11 \
    libxv1 \
    locales-all \
    mesa-utils \
    mesa-utils-extra \
    procps \
    psmisc

# deepin desktop
RUN env DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
    dde \
    at-spi2-core \
    gnome-themes-standard \
    gtk2-engines-murrine \
    gtk2-engines-pixbuf \
    pciutils

# additional applications
RUN env DEBIAN_FRONTEND=noninteractive apt-get install -y \
    deepin-calculator \
    deepin-image-viewer \
    deepin-screenshot \
    deepin-system-monitor \
    deepin-terminal \
    deepin-movie \
    gedit \
    oneko \
    sudo \
    synaptic \
    apt-transport-https

# chinese fonts
RUN env DEBIAN_FRONTEND=noninteractive apt-get install -y \
    xfonts-wqy fonts-wqy-microhei fonts-wqy-zenhei

But I still meet the following errors:

$ docker build --network host -f Dockerfiles/apricot . -t hongyi-zhao/deepin-apricot
Sending build context to Docker daemon   34.3kB
Step 1/16 : FROM debian
 ---> 1510e8501783
Step 2/16 : ENV DEBIAN_FRONTEND=noninteractive
 ---> Using cache
 ---> a4e0f4317265
Step 3/16 : COPY stable /usr/share/debootstrap/scripts/apricot
 ---> Using cache
 ---> aba183a348b5
Step 4/16 : RUN apt-get update && apt-get install -y debootstrap &&     debootstrap --variant=minbase --no-check-gpg --arch=amd64 apricot rootfs http://mirrors.ustc.edu.cn/deepin/
 ---> Using cache
 ---> 2a9e3b6435fa
Step 5/16 : FROM scratch
 ---> 
Step 6/16 : LABEL maintainer='Hongyi Zhao <hongyi.zhao@gmail.com>'
 ---> Using cache
 ---> a4ef154ea578
Step 7/16 : COPY --from=0 /rootfs /
 ---> Using cache
 ---> 59bcb2f79e7d
Step 8/16 : ENV TERM=xterm     DEBIAN_FRONTEND=noninteractive     LANG=en_US.utf8     PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games:/sbin:/usr/sbin
 ---> Using cache
 ---> 74c78de8aaeb
Step 9/16 : RUN rm /bin/sh &&     ln -s /bin/bash /bin/sh &&     sed -i "s/mesg n/tty -s \&\& mesg n/" /root/.profile &&     apt-get update &&     apt --fix-broken -y install &&     apt-get -y autoremove --purge && apt-get autoclean -y && apt-get clean -y
 ---> Using cache
 ---> d9edd4fe2f16
Step 10/16 : ENV LANG en_US.utf8
 ---> Using cache
 ---> 1fa710559c06
Step 11/16 : ENV PATH /usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin:/usr/local/games:/usr/games
 ---> Using cache
 ---> a8aeea07c1aa
Step 12/16 : RUN echo "deb http://mirrors.ustc.edu.cn/deepin/ apricot main non-free contrib" > /etc/apt/sources.list
 ---> Using cache
 ---> 968ca1fe7baa
Step 13/16 : RUN rm -rf /var/lib/apt/lists/* &&     apt-get clean &&     apt-get update &&     apt-get install gnupg &&     apt-key adv --keyserver keys.gnupg.net --recv-keys 425956BB3E31DF51 &&     apt-get -y autoremove &&     apt-get clean && env DEBIAN_FRONTEND=noninteractive apt-get install -y     dbus-x11     libxv1     locales-all     mesa-utils     mesa-utils-extra     procps     psmisc
 ---> Running in 59a204ee4655
Get:1 http://mirrors.ustc.edu.cn/deepin apricot InRelease [19.6 kB]
Err:1 http://mirrors.ustc.edu.cn/deepin apricot InRelease
  The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 425956BB3E31DF51
Reading package lists...
W: GPG error: http://mirrors.ustc.edu.cn/deepin apricot InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 425956BB3E31DF51
E: The repository 'http://mirrors.ustc.edu.cn/deepin apricot InRelease' is not signed.
The command '/bin/sh -c rm -rf /var/lib/apt/lists/* &&     apt-get clean &&     apt-get update &&     apt-get install gnupg &&     apt-key adv --keyserver keys.gnupg.net --recv-keys 425956BB3E31DF51 &&     apt-get -y autoremove &&     apt-get clean && env DEBIAN_FRONTEND=noninteractive apt-get install -y     dbus-x11     libxv1     locales-all     mesa-utils     mesa-utils-extra     procps     psmisc' returned a non-zero code: 100

mviereck commented 3 years ago

The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 425956BB3E31DF51

apt-get update fails because of missing authentication keys. You'll have to provide them somehow. Searching for NO_PUBKEY 425956BB3E31DF51 gives e.g. this result: https://www.programmersought.com/article/14042246958/ So you have to execute:

apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 425956BB3E31DF51

This might fail in the deepin part of the Dockerfile, but should work in the debian part. If so, you could copy the authentication file from debian to deepin.

At this point I don't know the details how keyfiles and authentication are handled. The cp commands of bestwu give hints:

    cp /usr/share/keyrings/deepin-archive-keyring.gpg rootfs/etc/apt/trusted.gpg.d/ && \
    cp /root/deepin-pools-keyring.gpg rootfs/etc/apt/trusted.gpg.d/ && \

hongyi-zhao commented 3 years ago

This might fail in the deepin part of the Dockerfile, but should work in the debian part.

This is just the problem I encountered, but why?

At this point I don't know the details how keyfiles and authentication are handled. The cp commands of bestwu give hints:

    cp /usr/share/keyrings/deepin-archive-keyring.gpg rootfs/etc/apt/trusted.gpg.d/ && \
    cp /root/deepin-pools-keyring.gpg rootfs/etc/apt/trusted.gpg.d/ && \

According to your above instructions, I changed the part at the very beginning of my Dockerfile into the following and then rebuilt the image:

FROM debian

ENV DEBIAN_FRONTEND=noninteractive

COPY stable /usr/share/debootstrap/scripts/apricot
RUN apt-get update && apt-get install -y debootstrap && \
    apt-get install gnupg && \
    apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 425956BB3E31DF51 && \
    apt-get update && \
    debootstrap --variant=minbase --no-check-gpg --arch=amd64 apricot rootfs http://mirrors.ustc.edu.cn/deepin/ && \
    cp /usr/share/keyrings/deepin-archive-keyring.gpg rootfs/etc/apt/trusted.gpg.d/ && \
    cp /root/deepin-pools-keyring.gpg rootfs/etc/apt/trusted.gpg.d/

FROM scratch
[...]

During the image building progress, I firstly see the following info:

Warning: apt-key output should not be parsed (stdout is not a terminal)
Executing: /tmp/apt-key-gpghome.57KXNEKVkS/gpg.1.sh --keyserver keyserver.ubuntu.com --recv-keys 425956BB3E31DF51
gpg: key 425956BB3E31DF51: public key "pkg-builder <pkg-builder@packages.linuxdeepin.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1

After a while, the following error was thrown out and the building progress terminated:

I: Base system installed successfully.
cp: cannot stat '/usr/share/keyrings/deepin-archive-keyring.gpg': No such file or directory
The command '/bin/sh -c apt-get update && apt-get install -y debootstrap &&     apt-get install gnupg &&     apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 425956BB3E31DF51 &&     apt-get update &&     debootstrap --variant=minbase --no-check-gpg --arch=amd64 apricot rootfs http://mirrors.ustc.edu.cn/deepin/ &&     cp /usr/share/keyrings/deepin-archive-keyring.gpg rootfs/etc/apt/trusted.gpg.d/ &&     cp /root/deepin-pools-keyring.gpg rootfs/etc/apt/trusted.gpg.d/' returned a non-zero code: 1

mviereck commented 3 years ago

This is just the problem I encountered, but why?

I'd say, access to keyserver.ubuntu.com needs an authentication key, too. If the system has no authentication keys at all, it can access nothing.

During the image building progress, I firstly see the following info:

That looks good.

cp: cannot stat '/usr/share/keyrings/deepin-archive-keyring.gpg': No such file or directory

Check the content of /usr/share/keyrings after adding the key with RUN ls /usr/share/keyrings for valid file names. Maybe just copy the entire folder with

COPY --from=0 /usr/share/keyrings /usr/share/keyrings

hongyi-zhao commented 3 years ago

I'd say, access to keyserver.ubuntu.com needs an authentication key, too. If the system has no authentication keys at all, it can access nothing.

If so, what about using other keyservers, say, keys.gnupg.net?

mviereck commented 3 years ago

Check what keys deepin might have in /usr/share/keyrings already. I just don't know.

hongyi-zhao commented 3 years ago

I finally found the deepin-keyring package and solved this problem with the following Dockerfile:

FROM debian

ENV DEBIAN_FRONTEND=noninteractive

COPY stable /usr/share/debootstrap/scripts/apricot
RUN apt-get update && apt-get install -y debootstrap && \
    debootstrap --variant=minbase --no-check-gpg --arch=amd64 apricot rootfs http://mirrors.ustc.edu.cn/deepin/

FROM scratch
LABEL maintainer='Hongyi Zhao <hongyi.zhao@gmail.com>'
COPY --from=0 /rootfs /
RUN apt-get install -y gnupg curl

#http://packages.deepin.com/deepin/pool/main/d/deepin-keyring/deepin-keyring_2020.03.13-1_all.deb

# The following method will fail to install this package, I still don't know the reason:
#RUN cd tmp && \
#    curl -Lx socks5://127.0.0.1:18888 http://packages.deepin.com/deepin/pool/main/d/deepin-keyring/deepin-keyring_2020.03.13-1_all.deb -o deepin-keyring_2020.03.13-1_all.deb && \
#    dpkg -i deepin-keyring_2020.03.13-1_all.deb && rm deepin-keyring_2020.03.13-1_all.deb

# First download the package and then copy to container for installation. This method can succeed.
COPY ./deepin-keyring_2020.03.13-1_all.deb /tmp
RUN dpkg -i /tmp/deepin-keyring_2020.03.13-1_all.deb && rm /tmp/deepin-keyring_2020.03.13-1_all.deb

ENV TERM=xterm \
    DEBIAN_FRONTEND=noninteractive \
    LANG=en_US.utf8 \
    PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games:/sbin:/usr/sbin

RUN rm /bin/sh && \
    ln -s /bin/bash /bin/sh && \
    sed -i "s/mesg n/tty -s \&\& mesg n/" /root/.profile && \
    apt-get update && \
    apt --fix-broken -y install && \
    apt-get -y autoremove --purge && apt-get autoclean -y && apt-get clean -y

#CMD ["/bin/bash"]

ENV LANG en_US.utf8
ENV PATH /usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin:/usr/local/games:/usr/games

# choose a mirror
RUN echo "deb http://mirrors.ustc.edu.cn/deepin/ apricot main non-free contrib" > /etc/apt/sources.list

# basics
RUN rm -rf /var/lib/apt/lists/* && \
    apt-get clean && \
    apt-get update && \
    apt-get dist-upgrade -y && \
    apt-get -y autoremove && \
    apt-get clean && \
env DEBIAN_FRONTEND=noninteractive apt-get install -y \
    dbus-x11 \
    libxv1 \
    locales-all \
    mesa-utils \
    mesa-utils-extra \
    procps \
    psmisc

# deepin desktop
RUN env DEBIAN_FRONTEND=noninteractive apt-get install -y \
    dde \
    at-spi2-core \
    gnome-themes-standard \
    gtk2-engines-murrine \
    gtk2-engines-pixbuf \
    pciutils

# additional applications
RUN env DEBIAN_FRONTEND=noninteractive apt-get install -y \
    deepin-calculator \
    deepin-image-viewer \
    deepin-screenshot \
    deepin-system-monitor \
    deepin-terminal \
    deepin-movie \
    gedit \
    oneko \
    sudo \
    synaptic \
    apt-transport-https

# chinese fonts
RUN env DEBIAN_FRONTEND=noninteractive apt-get install -y \
    xfonts-wqy fonts-wqy-microhei fonts-wqy-zenhei

But when I build the image with the following command:

$ docker build --network host -f Dockerfiles/apricot --build-arg http_proxy='' --build-arg https_proxy='' -t hongyi-zhao/deepin-apricot .

The following errors will occur:

$ docker build --network host -f Dockerfiles/apricot --build-arg http_proxy='' --build-arg https_proxy='' -t hongyi-zhao/deepin-apricot .
Sending build context to Docker daemon  41.98kB
Step 1/19 : FROM debian
 ---> 1510e8501783
Step 2/19 : ENV DEBIAN_FRONTEND=noninteractive
 ---> Using cache
 ---> b1106120c688
Step 3/19 : COPY stable /usr/share/debootstrap/scripts/apricot
 ---> Using cache
 ---> c2d504d789ed
Step 4/19 : RUN apt-get update && apt-get install -y debootstrap &&     debootstrap --variant=minbase --no-check-gpg --arch=amd64 apricot rootfs http://mirrors.ustc.edu.cn/deepin/
 ---> Using cache
 ---> d998c0eefb42
Step 5/19 : FROM scratch
 ---> 
Step 6/19 : LABEL maintainer='Hongyi Zhao <hongyi.zhao@gmail.com>'
 ---> Using cache
 ---> a4ef154ea578
Step 7/19 : COPY --from=0 /rootfs /
 ---> Using cache
 ---> d325aa37a40e
Step 8/19 : RUN apt-get install -y gnupg curl
 ---> Using cache
 ---> f2bf63a354de
Step 9/19 : COPY ./deepin-keyring_2020.03.13-1_all.deb /tmp
 ---> c1dac9a177e5
Step 10/19 : RUN dpkg -i /tmp/deepin-keyring_2020.03.13-1_all.deb && rm /tmp/deepin-keyring_2020.03.13-1_all.deb
 ---> Running in 980f8529a412
Selecting previously unselected package deepin-keyring.
(Reading database ... 7300 files and directories currently installed.)
Preparing to unpack .../deepin-keyring_2020.03.13-1_all.deb ...
Unpacking deepin-keyring (2020.03.13-1) ...
Setting up deepin-keyring (2020.03.13-1) ...
Warning: apt-key should not be used in scripts (called from postinst maintainerscript of the package deepin-keyring)
Warning: 'apt-key update' is deprecated and should not be used anymore!
Note: In your distribution this command is a no-op and can therefore be removed safely.
Removing intermediate container 980f8529a412
 ---> 7713ce8aac27
Step 11/19 : ENV TERM=xterm     DEBIAN_FRONTEND=noninteractive     LANG=en_US.utf8     PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games:/sbin:/usr/sbin
 ---> Running in b175559d5f03
Removing intermediate container b175559d5f03
 ---> c011047b3000
Step 12/19 : RUN rm /bin/sh &&     ln -s /bin/bash /bin/sh &&     sed -i "s/mesg n/tty -s \&\& mesg n/" /root/.profile &&     apt-get update &&     apt --fix-broken -y install &&     apt-get -y autoremove --purge && apt-get autoclean -y && apt-get clean -y
 ---> Running in 40a3dee9ac63
Hit:1 http://mirrors.ustc.edu.cn/deepin apricot InRelease
Reading package lists...

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

Reading package lists...
Building dependency tree...
Reading state information...
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Reading package lists...
Building dependency tree...
Reading state information...
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Reading package lists...
Building dependency tree...
Reading state information...
Removing intermediate container 40a3dee9ac63
 ---> d367158e0b00
Step 13/19 : ENV LANG en_US.utf8
 ---> Running in c35704f14b3f
Removing intermediate container c35704f14b3f
 ---> 9fde9bfcb480
Step 14/19 : ENV PATH /usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin:/usr/local/games:/usr/games
 ---> Running in 38e505b7b96f
Removing intermediate container 38e505b7b96f
 ---> af61ce096141
Step 15/19 : RUN echo "deb http://mirrors.ustc.edu.cn/deepin/ apricot main non-free contrib" > /etc/apt/sources.list
 ---> Running in da0c547b650d
Removing intermediate container da0c547b650d
 ---> 17b3c138512c
Step 16/19 : RUN rm -rf /var/lib/apt/lists/* &&     apt-get clean &&     apt-get update &&     apt-get dist-upgrade -y &&     apt-get -y autoremove &&     apt-get clean && env DEBIAN_FRONTEND=noninteractive apt-get install -y     dbus-x11     libxv1     locales-all     mesa-utils     mesa-utils-extra     procps     psmisc
 ---> Running in 8ed82df83e68
Get:1 http://mirrors.ustc.edu.cn/deepin apricot InRelease [19.6 kB]
Get:2 http://mirrors.ustc.edu.cn/deepin apricot/main amd64 Packages [18.1 MB]
Get:4 http://mirrors.ustc.edu.cn/deepin apricot/contrib amd64 Packages [103 kB]
Ign:3 http://rsync.deepin.com/deepin apricot/non-free amd64 Packages
Err:3 http://rsync.deepin.com/deepin apricot/non-free amd64 Packages
  Could not connect to rsync.deepin.com:80 (202.141.160.113), connection timed out
Fetched 18.2 MB in 31s (579 kB/s)
Reading package lists...
W: Failed to fetch http://rsync.deepin.com/deepin/dists/apricot/non-free/binary-amd64/Packages  Could not connect to rsync.deepin.com:80 (202.141.160.113), connection timed out
W: Some index files failed to download. They have been ignored, or old ones used instead.
Reading package lists...
Building dependency tree...
Reading state information...
Calculating upgrade...
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Reading package lists...
Building dependency tree...
Reading state information...
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Reading package lists...
Building dependency tree...
Reading state information...
Package locales-all is not available, but is referred to by another package.
This may mean that the package is missing, has been obsoleted, or
is only available from another source

E: Unable to locate package dbus-x11
E: Unable to locate package libxv1
E: Package 'locales-all' has no installation candidate
E: Unable to locate package mesa-utils
E: Unable to locate package mesa-utils-extra
E: Unable to locate package procps
E: Unable to locate package psmisc
The command '/bin/sh -c rm -rf /var/lib/apt/lists/* &&     apt-get clean &&     apt-get update &&     apt-get dist-upgrade -y &&     apt-get -y autoremove &&     apt-get clean && env DEBIAN_FRONTEND=noninteractive apt-get install -y     dbus-x11     libxv1     locales-all     mesa-utils     mesa-utils-extra     procps     psmisc' returned a non-zero code: 100
werner@X10DAi:~/Public/repo/github.com/docker/dockerfile/deepin$ docker build --network host -f Dockerfiles/apricot --build-arg http_proxy='' --build-arg https_proxy='' -t hongyi-zhao/deepin-apricot .
Sending build context to Docker daemon   42.5kB
Step 1/19 : FROM debian
 ---> 1510e8501783
Step 2/19 : ENV DEBIAN_FRONTEND=noninteractive
 ---> Using cache
 ---> b1106120c688
Step 3/19 : COPY stable /usr/share/debootstrap/scripts/apricot
 ---> Using cache
 ---> c2d504d789ed
Step 4/19 : RUN apt-get update && apt-get install -y debootstrap &&     debootstrap --variant=minbase --no-check-gpg --arch=amd64 apricot rootfs http://mirrors.ustc.edu.cn/deepin/
 ---> Using cache
 ---> d998c0eefb42
Step 5/19 : FROM scratch
 ---> 
Step 6/19 : LABEL maintainer='Hongyi Zhao <hongyi.zhao@gmail.com>'
 ---> Using cache
 ---> a4ef154ea578
Step 7/19 : COPY --from=0 /rootfs /
 ---> Using cache
 ---> d325aa37a40e
Step 8/19 : RUN apt-get install -y gnupg curl
 ---> Using cache
 ---> f2bf63a354de
Step 9/19 : COPY ./deepin-keyring_2020.03.13-1_all.deb /tmp
 ---> Using cache
 ---> c1dac9a177e5
Step 10/19 : RUN dpkg -i /tmp/deepin-keyring_2020.03.13-1_all.deb && rm /tmp/deepin-keyring_2020.03.13-1_all.deb
 ---> Using cache
 ---> 7713ce8aac27
Step 11/19 : ENV TERM=xterm     DEBIAN_FRONTEND=noninteractive     LANG=en_US.utf8     PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games:/sbin:/usr/sbin
 ---> Using cache
 ---> c011047b3000
Step 12/19 : RUN rm /bin/sh &&     ln -s /bin/bash /bin/sh &&     sed -i "s/mesg n/tty -s \&\& mesg n/" /root/.profile &&     apt-get update &&     apt --fix-broken -y install &&     apt-get -y autoremove --purge && apt-get autoclean -y && apt-get clean -y
 ---> Using cache
 ---> d367158e0b00
Step 13/19 : ENV LANG en_US.utf8
 ---> Using cache
 ---> 9fde9bfcb480
Step 14/19 : ENV PATH /usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin:/usr/local/games:/usr/games
 ---> Using cache
 ---> af61ce096141
Step 15/19 : RUN echo "deb http://mirrors.ustc.edu.cn/deepin/ apricot main non-free contrib" > /etc/apt/sources.list
 ---> Using cache
 ---> 17b3c138512c
Step 16/19 : RUN rm -rf /var/lib/apt/lists/* &&     apt-get clean &&     apt-get update &&     apt-get dist-upgrade -y &&     apt-get -y autoremove &&     apt-get clean && env DEBIAN_FRONTEND=noninteractive apt-get install -y     dbus-x11     libxv1     locales-all     mesa-utils     mesa-utils-extra     procps     psmisc
 ---> Running in bec1d73cd082
Get:1 http://mirrors.ustc.edu.cn/deepin apricot InRelease [19.6 kB]
Get:2 http://mirrors.ustc.edu.cn/deepin apricot/main amd64 Packages [18.1 MB]
Get:4 http://mirrors.ustc.edu.cn/deepin apricot/contrib amd64 Packages [103 kB]
Ign:3 http://rsync.deepin.com/deepin apricot/non-free amd64 Packages
Err:3 http://rsync.deepin.com/deepin apricot/non-free amd64 Packages
  Could not connect to rsync.deepin.com:80 (202.141.160.113), connection timed out
Fetched 18.2 MB in 31s (579 kB/s)
Reading package lists...
W: Failed to fetch http://rsync.deepin.com/deepin/dists/apricot/non-free/binary-amd64/Packages  Could not connect to rsync.deepin.com:80 (202.141.160.113), connection timed out
W: Some index files failed to download. They have been ignored, or old ones used instead.
Reading package lists...
Building dependency tree...
Reading state information...
Calculating upgrade...
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Reading package lists...
Building dependency tree...
Reading state information...
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Reading package lists...
Building dependency tree...
Reading state information...
Package locales-all is not available, but is referred to by another package.
This may mean that the package is missing, has been obsoleted, or
is only available from another source

E: Unable to locate package dbus-x11
E: Unable to locate package libxv1
E: Package 'locales-all' has no installation candidate
E: Unable to locate package mesa-utils
E: Unable to locate package mesa-utils-extra
E: Unable to locate package procps
E: Unable to locate package psmisc
The command '/bin/sh -c rm -rf /var/lib/apt/lists/* &&     apt-get clean &&     apt-get update &&     apt-get dist-upgrade -y &&     apt-get -y autoremove &&     apt-get clean && env DEBIAN_FRONTEND=noninteractive apt-get install -y     dbus-x11     libxv1     locales-all     mesa-utils     mesa-utils-extra     procps     psmisc' returned a non-zero code: 100

mviereck commented 3 years ago

Err:3 http://rsync.deepin.com/deepin apricot/non-free amd64 Packages
  Could not connect to rsync.deepin.com:80 (202.141.160.113), connection timed out
Fetched 18.2 MB in 31s (579 kB/s)
Reading package lists...
W: Failed to fetch http://rsync.deepin.com/deepin/dists/apricot/non-free/binary-amd64/Packages  Could not connect to rsync.deepin.com:80 (202.141.160.113), connection timed out

This sounds like a server error, not a Dockerfile issue. Maybe it is just some random error and will work later, or the mirror is not complete yet and misses some files. I've encountered similar issues in my very first deepin builds, too. You can just try again, or try another mirror. As you say apricot is quite new, the mirrors might just not be ready.

mviereck commented 3 years ago

# The following method will fail to install this package, I still don't know the reason:
#RUN cd tmp && \
#    curl -Lx socks5://127.0.0.1:18888 http://packages.deepin.com/deepin/pool/main/d/deepin-keyring/deepin-keyring_2020.03.13-1_all.deb -o deepin-keyring_2020.03.13-1_all.deb && \
#    dpkg -i deepin-keyring_2020.03.13-1_all.deb && rm deepin-keyring_2020.03.13-1_all.deb

# First download the package and then copy to container for installation. This method can succeed.
COPY ./deepin-keyring_2020.03.13-1_all.deb /tmp
RUN dpkg -i /tmp/deepin-keyring_2020.03.13-1_all.deb && rm /tmp/deepin-keyring_2020.03.13-1_all.deb

Maybe curl fails due to authentication issues, too. You could try to download in the debian part and copy it with COPY --from=0 in the deepin/scratch part. Imho that would be more elegant than to COPY from outside.
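
Fetching the keyring package in the debian stage, as suggested above, also makes it possible to drop --no-check-gpg from debootstrap, so the Release file of the mirror is verified before anything is unpacked. The stage below is an added example, not code from this thread or from the projects it mentions; the pinned digest is a placeholder to be filled in from a trusted source, and the keyring path inside the package is an assumption based on the file name used in the first Dockerfile (confirm it with dpkg-deb -c).

```dockerfile
# Added example (not from the thread): bootstrap stage with signature checks on.
FROM debian

ENV DEBIAN_FRONTEND=noninteractive

# Mirror and package file name as used in the thread.
ARG MIRROR=http://mirrors.ustc.edu.cn/deepin
ARG KEYRING_DEB=deepin-keyring_2020.03.13-1_all.deb

# Placeholder, not a real digest: record the SHA-256 of the .deb out of band
# (for example on an existing, trusted deepin installation) and pass it with
# --build-arg. With the placeholder left in, sha256sum -c fails and the build stops.
ARG KEYRING_SHA256=REPLACE_WITH_PINNED_SHA256

# Assumption: location of the archive keyring inside the package.
ARG KEYRING_PATH=usr/share/keyrings/deepin-archive-keyring.gpg

COPY stable /usr/share/debootstrap/scripts/apricot

RUN apt-get update && apt-get install -y debootstrap curl && \
    # 1. Download the keyring package to a file instead of piping it into dpkg,
    #    so it can be checked before it is used.
    curl -fsSL -o "/tmp/$KEYRING_DEB" \
        "$MIRROR/pool/main/d/deepin-keyring/$KEYRING_DEB" && \
    # 2. Fail closed unless the download matches the pinned digest. The mirror
    #    is plain HTTP, so this digest is the only trust anchor for the key.
    echo "$KEYRING_SHA256  /tmp/$KEYRING_DEB" | sha256sum -c - && \
    # 3. Unpack the package to a scratch directory to get at the keyring file.
    dpkg-deb -x "/tmp/$KEYRING_DEB" /tmp/deepin-keyring && \
    test -s "/tmp/deepin-keyring/$KEYRING_PATH" && \
    # 4. Bootstrap with the verified keyring; --no-check-gpg is gone, so
    #    debootstrap rejects a Release file that this keyring did not sign.
    debootstrap --variant=minbase --arch=amd64 \
        --keyring="/tmp/deepin-keyring/$KEYRING_PATH" \
        apricot /rootfs "$MIRROR/" && \
    # 5. Unpack the same verified package into the new root so that apt
    #    inside the second stage can authenticate the repository.
    dpkg-deb -x "/tmp/$KEYRING_DEB" /rootfs && \
    rm -rf /tmp/deepin-keyring "/tmp/$KEYRING_DEB"

FROM scratch
COPY --from=0 /rootfs /
# The remaining steps (mirror selection, package installation) follow as in
# the Dockerfiles posted in the thread.
```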

hongyi-zhao commented 3 years ago

Through trial and error, I figured out the following Dockerfile which can successfully do the trick in a rather elegant way from my point of view:

FROM debian

# set proxy
ARG http_proxy
ARG https_proxy
ARG no_proxy
ENV http_proxy=$http_proxy \
    https_proxy=$https_proxy \
    no_proxy=$no_proxy \
    DEBIAN_FRONTEND=noninteractive \
    TERM=xterm-256color \
    LANG=en_US.utf8 \
    PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/sbin:/usr/sbin:/sbin:/usr/local/games:/usr/games

COPY stable /usr/share/debootstrap/scripts/apricot
RUN sed -ri 's|^(deb(-src)?[[:blank:]]+https?://)([^/]+)|\1mirrors.ustc.edu.cn|' /etc/apt/sources.list && \
    apt-get update && apt-get install -y debootstrap curl && \
    debootstrap --variant=minbase --no-check-gpg --arch=amd64 apricot rootfs http://mirrors.ustc.edu.cn/deepin/ && \
    curl -fsSL http://mirrors.ustc.edu.cn/deepin/pool/main/d/deepin-keyring/deepin-keyring_2020.03.13-1_all.deb | dpkg -x - /rootfs 

#Use the rootfs directory name based on the naming convention used by the Dockerfile here:
# https://github.com/debuerreotype/docker-debian-artifacts/blob/794e462d2825fb1ebb3d54ff5c93dd401cf28b9a/stable/Dockerfile   
FROM scratch
LABEL maintainer='Hongyi Zhao <hongyi.zhao@gmail.com>'
COPY --from=0 /rootfs /
# For the case of rootfs prepared separately outside of the docker container.
#COPY rootfs /

RUN rm /bin/sh && \
    ln -s /bin/bash /bin/sh && \
    sed -i "s/mesg n/tty -s \&\& mesg n/" /root/.profile && \
    apt-get update && \
    apt --fix-broken -y install && \
    apt-get -y autoremove --purge && apt-get autoclean -y && apt-get clean -y && \
    find /var/lib/apt/lists -type f -delete && \
    find /var/cache -type f -delete

# choose a mirror
RUN echo "deb http://mirrors.ustc.edu.cn/deepin/ apricot main non-free contrib" > /etc/apt/sources.list

# basics
RUN rm -rf /var/lib/apt/lists/* && \
    apt-get clean && \
    apt-get update && \
    apt-get dist-upgrade -y && \
    apt-get -y autoremove && \
    apt-get clean && \
    apt-get install -y gnupg \
    dbus-x11 \
    libxv1 \
    locales-all \
    mesa-utils \
    mesa-utils-extra \
    procps \
    psmisc

# deepin desktop
# Obtain the possible packages list from the already installed deepin distro.
#$ dpkg --get-selections | grep -i dde | awk '{print $1}' |  xargs 
RUN apt-get install -y --no-install-recommends \
    dde dde-account-faces dde-api dde-calendar dde-clipboard dde-control-center dde-daemon \
    dde-desktop dde-device-formatter dde-disk-mount-plugin dde-dock dde-dock-onboard-plugin \
    dde-file-manager dde-introduction dde-kwin dde-launcher dde-polkit-agent dde-preload \
    dde-printer dde-qt5integration dde-qt5xcb-plugin dde-session-shell dde-session-ui \
    libdde-file-manager:amd64 libdde-network-utils startdde

# additional applications
RUN apt-get install -y \
    deepin-calculator \
    deepin-image-viewer \
    deepin-screenshot \
    deepin-system-monitor \
    deepin-terminal \
    deepin-movie \
    gedit \
    oneko \
    sudo \
    synaptic \
    apt-transport-https

# chinese fonts
RUN apt-get install -y \
    xfonts-wqy fonts-wqy-microhei fonts-wqy-zenhei

# unset proxy
ENV http_proxy= \
    https_proxy= \
    no_proxy= \
    DEBIAN_FRONTEND=

# If the following line is commented out, see the issue discussed here:
#https://github.com/mviereck/dockerfile-x11docker-deepin/issues/17#issuecomment-723879088
#https://github.com/mviereck/dockerfile-x11docker-deepin/issues/17#issuecomment-723893642
CMD ["startdde"]

Build the image with the following command:

$ docker build --network host -f Dockerfiles/apricot --build-arg http_proxy='' --build-arg https_proxy='' -t deepin/apricot --no-cache .

The only problem is the build procedure will throw the following ERROR/WARNING which I still don't know how to fix:

Processing triggers for initramfs-tools (0.137.18-1+eagle) ...
update-initramfs: Generating /boot/initrd.img-5.4.0-52-generic
W: missing /lib/modules/5.4.0-52-generic
W: Ensure all necessary drivers are built into the linux image!
depmod: ERROR: could not open directory /lib/modules/5.4.0-52-generic: No such file or directory
depmod: FATAL: could not search modules: No such file or directory
cat: /var/tmp/mkinitramfs_XbjFI4/lib/modules/5.4.0-52-generic/modules.builtin: No such file or directory
find: '/var/tmp/mkinitramfs_XbjFI4/lib/modules/5.4.0-52-generic/kernel': No such file or directory
cryptsetup: ERROR: Couldn't resolve device overlay
cryptsetup: WARNING: Couldn't determine root device
cryptsetup: WARNING: The initramfs image may not contain cryptsetup binaries nor crypto modules. If that's on purpose, you may want to uninstall the 'cryptsetup-initramfs' package in order to disable the cryptsetup initramfs integration and avoid this warning.
setupcon is missing. Please install the 'console-setup' package.
W: plymouth: The plugin label.so is missing, the selected theme might not work as expected.
W: plymouth: You might want to install the plymouth-themes package to fix this.
depmod: WARNING: could not open modules.order at /var/tmp/mkinitramfs_XbjFI4/lib/modules/5.4.0-52-generic: No such file or directory
depmod: WARNING: could not open modules.builtin at /var/tmp/mkinitramfs_XbjFI4/lib/modules/5.4.0-52-generic: No such file or directory

Regards, HY

mviereck commented 3 years ago

Great that you succeeded to build! Does the desktop run with x11docker?

Processing triggers for initramfs-tools (0.137.18-1+eagle) ... update-initramfs: Generating /boot/initrd.img-5.4.0-52-generic W: missing /lib/modules/5.4.0-52-generic W: Ensure all necessary drivers are built into the linux image! depmod: ERROR: could not open directory /lib/modules/5.4.0-52-generic: No such file or directory depmod: FATAL: could not search modules: No such file or directory cat: /var/tmp/mkinitramfs_XbjFI4/lib/modules/5.4.0-52-generic/modules.builtin: No such file or directory find: '/var/tmp/mkinitramfs_XbjFI4/lib/modules/5.4.0-52-generic/kernel': No such file or directory cryptsetup: ERROR: Couldn't resolve device overlay cryptsetup: WARNING: Couldn't determine root device cryptsetup: WARNING: The initramfs image may not contain cryptsetup binaries nor crypto modules. If that's on purpose, you may want to uninstall the 'cryptsetup-initramfs' package in order to disable the cryptsetup initramfs integration and avoid this warning.

Those are issues with kernel setup. Kernel files in a container are not used, instead a container runs on the host kernel. Maybe it is possible to remove some kernel packages to avoid these errors. This could also shrink the image size.

W: plymouth: The plugin label.so is missing, the selected theme might not work as expected. W: plymouth: You might want to install the plymouth-themes package to fix this.

plymouth allows a graphical boot screen. It is not needed at all. Maybe it can be removed, too.


Based on your investigations I have created a deepin apricot Dockerfile, too. It is currently stored at https://github.com/mviereck/test. On Docker hub there is a successful build x11docker/test. A Download failed here, I currently try to build locally. I hope the apricot image will run without --security-opt seccomp=unconfined.

hongyi-zhao commented 3 years ago

Great that you succeeded to build! Does the desktop run with x11docker?

Yes.

Processing triggers for initramfs-tools (0.137.18-1+eagle) ... update-initramfs: Generating /boot/initrd.img-5.4.0-52-generic W: missing /lib/modules/5.4.0-52-generic W: Ensure all necessary drivers are built into the linux image! depmod: ERROR: could not open directory /lib/modules/5.4.0-52-generic: No such file or directory depmod: FATAL: could not search modules: No such file or directory cat: /var/tmp/mkinitramfs_XbjFI4/lib/modules/5.4.0-52-generic/modules.builtin: No such file or directory find: '/var/tmp/mkinitramfs_XbjFI4/lib/modules/5.4.0-52-generic/kernel': No such file or directory cryptsetup: ERROR: Couldn't resolve device overlay cryptsetup: WARNING: Couldn't determine root device cryptsetup: WARNING: The initramfs image may not contain cryptsetup binaries nor crypto modules. If that's on purpose, you may want to uninstall the 'cryptsetup-initramfs' package in order to disable the cryptsetup initramfs integration and avoid this warning.

Those are issues with kernel setup. Kernel files in a container are not used, instead a container runs on the host kernel. Maybe it is possible to remove some kernel packages to avoid these errors. This could also shrink the image size.

I think the corresponding packages can be inspected/listed with the following command in the dockerfile after the bootstrapped base system has been copied to the deepin/scratch.

$ dpkg -l |grep 5.4.0-52 | awk '{print $2}'

W: plymouth: The plugin label.so is missing, the selected theme might not work as expected. W: plymouth: You might want to install the plymouth-themes package to fix this.

plymouth allows a graphical boot screen. It is not needed at all. Maybe it can be removed, too.

Similar to the above, this can be conveyed by the following command in the dockerfile:

$ dpkg -l |grep plymouth | awk '{print $2}'

Based on your investigations I have created a deepin apricot Dockerfile, too. It is currently stored at https://github.com/mviereck/test.

Some notes on the above dockerfile:

  1. Why don't you try to remove the packages, as you analyzed, which trigger the above mentioned problems?
  2. A possible enhancement for the downloading of the deepin-keyring package is to use the cross-distro apt-get download method, with which you only need to supply the package name, instead of the precise cumbersome URL.
  3. You selected the following packages for deepin desktop:
# deepin desktop
RUN env DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends dde-session-ui
RUN env DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
        dde \
        at-spi2-core \
        gnome-themes-standard \
        gtk2-engines-murrine \
        gtk2-engines-pixbuf \
        pciutils

To be frank, I still can't figure out how you got this list.

  4. This command: mkdir -p /rootfs && \ is redundant, as the dpkg -x will automatically create it if necessary.

On Docker hub there is a successful build x11docker/test. A Download failed here, I currently try to build locally. I hope the apricot image will run without --security-opt seccomp=unconfined.

I've tried your above image and succeeded in running it w/o --security-opt seccomp=unconfined, as shown in the screenshot below:

image

BTW, the default shell is dash. It can be symlinked to bash for more powerful capability under terminal.

mviereck commented 3 years ago

I did some changes to the Dockerfile and checked them with builds on Docker hub.

A possible enhancement for the downloading of the deepin-keyring package is to use the cross-distro apt-get download method, with which you only need to supply the package name, instead of the precise cumbersome URL.

I have included a method based on apt-get now:

RUN apt-get update && \
    env DEBIAN_FRONTEND=noninteractive apt-get install -y \
        debootstrap \
        gnupg && \
    apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 425956BB3E31DF51 && \
    mv /etc/apt/sources.list /etc/apt/sources.list.debian && \
    echo "deb $DEEPIN_MIRROR $DEEPIN_RELEASE main non-free contrib" > /etc/apt/sources.list && \
    apt-get update && \
    apt-get download deepin-keyring && \
    dpkg -i /deepin-keyring* && \
    rm /etc/apt/sources.list && \
    mv /etc/apt/sources.list.debian /etc/apt/sources.list && \
    mkdir -p /rootfs && \
    dpkg -x /deepin-keyring* /rootfs && \
    echo "deb $DEEPIN_MIRROR $DEEPIN_RELEASE main non-free contrib" > /rootfs/etc/apt/sources.list

This command: mkdir -p /rootfs && \ is redundant, as the dpkg -x will automatically create it if necessary.

Yes, that is right. I've added it to make it more obvious what is going on.

I've tried your above image and succeeded in running it w/o --security-opt seccomp=unconfined, as shown in the screenshot below:

Great! That makes running the deepin desktop more secure.

BTW, the default shell is dash. It can be symlinked to bash for more powerful capability under terminal.

I have fixed this with ENV SHELL=/bin/bash.

You selected the following packages for deepin desktop:

# deepin desktop
RUN env DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends dde-session-ui
RUN env DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
dde \
at-spi2-core \
gnome-themes-standard \
gtk2-engines-murrine \
gtk2-engines-pixbuf \
pciutils

To be frank, I still can't figure out how you got this list.

The core idea is to use the dde metapackage to get all deepin dependencies. However, although it once worked, it currently fails in dependency dde-session-ui. With apt-get show dde I had a look at the dependencies and dropped some from the list. This also removes the error messages of initramfs and plymouth you've noted above:


# Dependencies of 'apt-get show dde'
# (excluded: dde-session-ui deepin-manual eject plymouth-theme-deepin-logo dde-printer deepin-screensaver)
RUN env DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
        dde-control-center \
        dde-clipboard \
        dde-desktop \
        dde-dock \
        dde-file-manager \
        dde-kwin \
        dde-launcher \
        dde-qt5integration \
        deepin-artwork \
        deepin-default-settings \
        deepin-desktop-base \
        deepin-wallpapers \
        fonts-noto \
        startdde

These packages were needed once, observed by error messages during a running container. Not sure if they are still needed:

# once needed to add, obsolete now?
#RUN env DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
#        at-spi2-core \
#        gnome-themes-standard \
#        gtk2-engines-murrine \
#        gtk2-engines-pixbuf \
#        pciutils

hongyi-zhao commented 3 years ago

I have included a method based on apt-get now:


RUN apt-get update && \
    env DEBIAN_FRONTEND=noninteractive apt-get install -y \
        debootstrap \
        gnupg && \
    apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 425956BB3E31DF51 && \

I'm still not so clear on the differences between the public key retrieved by the apt-key command and the keyrings included in the deepin-keyring package. In one word: can they replace each other? In more detail, why supply public key and keyring at the same time?

mv /etc/apt/sources.list /etc/apt/sources.list.debian && \
echo "deb $DEEPIN_MIRROR $DEEPIN_RELEASE main non-free contrib" > /etc/apt/sources.list && \
apt-get update && \
apt-get download deepin-keyring && \
dpkg -i /deepin-keyring* && \

In fact, you don't need this keyring for the debian base system. Why do you still install it at this stage?

rm /etc/apt/sources.list && \
mv /etc/apt/sources.list.debian /etc/apt/sources.list && \
mkdir -p /rootfs && \
dpkg -x /deepin-keyring* /rootfs && \
echo "deb $DEEPIN_MIRROR $DEEPIN_RELEASE main non-free contrib" > /rootfs/etc/apt/sources.list

Can we do the job in the chroot part used by you currently, i.e., the following?

RUN debootstrap --variant=minbase --arch=amd64 $DEEPIN_RELEASE /rootfs $DEEPIN_MIRROR && \
    chroot ./rootfs apt-get update && \
    chroot ./rootfs env DEBIAN_FRONTEND=noninteractive apt-get dist-upgrade -y && \
    chroot ./rootfs /cleanup

The core idea is to use the dde metapackage to get all deepin dependencies. However, although it once worked, it currently fails in dependency dde-session-ui. With apt-get show dde I had a look at the dependencies and dropped some from the list. This also removes the error messages of initramfs and plymouth you've noted above:

See here for some relevant solution.

mviereck commented 3 years ago

I'm still not so clear on the differences between the public key retrieved by the apt-key command and the keyrings included in the deepin-keyring package. In one word: can they replace each other? In more detail, why need public key and keyrings at the same time?

You are right, we don't need both of them. I admit, I am still confused about all the key stuff and I am happy if I just get it working without circumventing authentication. I've reduced the authentication part with just copying the key file to the rootfs file system. The deepin-keyring package is installed later in stage 1, just in case:

# prepare sources and keys
RUN apt-get update && \
    env DEBIAN_FRONTEND=noninteractive apt-get install -y \
        debootstrap \
        gnupg && \
    apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 425956BB3E31DF51 && \
    mkdir -p /rootfs/etc/apt && \
    cp /etc/apt/trusted.gpg /rootfs/etc/apt/trusted.gpg && \
    echo "deb $DEEPIN_MIRROR $DEEPIN_RELEASE main non-free contrib" > /rootfs/etc/apt/sources.list

In fact, you don't need this keyring for the debian base system. Why do you still install it at this stage?

I thought I would need it for debootstrap. But in fact the received key is enough.


I've introduced a /cleanup script that is called after each apt-get:

# cleanup script for use after apt-get
RUN echo '#! /bin/sh\n\
env DEBIAN_FRONTEND=noninteractive apt-get autoremove -y\n\
apt-get clean\n\
find /var/lib/apt/lists -type f -delete\n\
find /var/cache -type f -delete\n\
find /var/log -type f -delete\n\
exit 0\n\
' > /rootfs/cleanup && chmod +x /rootfs/cleanup

This reduced the compressed image size on docker hub from 1.6GB to 0.9GB. That is a lot! The official debian and ubuntu base images on docker hub automatically run apt-get clean after each apt-get install. But the deepin system installed with debootstrap does not. Most important is apt-get clean to remove the downloaded .deb packages, the other commands save some MB, too.

hongyi-zhao commented 3 years ago

The deepin-keyring package is installed later in stage 1, just in case:

According to my current understanding, there is really no need to install the deepin-keyring package after the public key has been added into /etc/apt/trusted.gpg. See the following for more info:

$ man apt-key
[...]
FILES
       /etc/apt/trusted.gpg
           Keyring of local trusted keys, new keys will be added here.
           Configuration Item: Dir::Etc::Trusted.

       /etc/apt/trusted.gpg.d/
           File fragments for the trusted keys, additional keyrings can be
           stored here (by other packages or the administrator). Configuration
           Item Dir::Etc::TrustedParts.

$ gpg2 -n --with-fingerprint --keyid-format=long --show-keys /etc/apt/trusted.gpg | grep -A4 425956BB3E31DF51
pub   rsa2048/425956BB3E31DF51 2014-12-16 [SC]
      Key fingerprint = 6BDB FE94 72C9 961F 4C19  73A1 4259 56BB 3E31 DF51
uid                            pkg-builder <pkg-builder@packages.linuxdeepin.com>
sub   rsa2048/66331C382787C58B 2014-12-16 [E]

I've re-written all the operations in stage 0 used by you into the following:

#### stage 0: debian, debootstrap ####
FROM debian

# Choose a deepin mirror close to your location.
# Many further mirrors are listed at: https://www.deepin.org/en/mirrors/packages/
ENV MIRROR_USTC=mirrors.ustc.edu.cn
#ENV DEEPIN_MIRROR=http://packages.deepin.com/deepin/
ENV DEEPIN_MIRROR=http://mirrors.ustc.edu.cn/deepin/
#ENV DEEPIN_MIRROR=http://mirrors.kernel.org/deepin/
#ENV DEEPIN_MIRROR=http://ftp.fau.de/deepin/

ENV DEEPIN_RELEASE=apricot

# debootstrap script
# prepare sources and keys
# cleanup script for use after apt-get
RUN sed -ri "s|^(deb(-src)?[[:blank:]]+https?://)([^/]+)|\1$MIRROR_USTC|" /etc/apt/sources.list && \
    apt-get update && \
    env DEBIAN_FRONTEND=noninteractive apt-get install -y \
        debootstrap \
        gnupg && \
    apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 425956BB3E31DF51 && \
    mkdir -p /usr/share/debootstrap/scripts && \
    echo "mirror_style release\n\
download_style apt\n\
finddebs_style from-indices\n\
variants - buildd fakechroot minbase\n\
keyring /usr/share/keyrings/deepin-archive-camel-keyring.gpg\n\
. /usr/share/debootstrap/scripts/debian-common\n\
" > /usr/share/debootstrap/scripts/$DEEPIN_RELEASE && \
    debootstrap --variant=minbase --arch=amd64 $DEEPIN_RELEASE /rootfs $DEEPIN_MIRROR && \
    cp /etc/apt/trusted.gpg /rootfs/etc/apt/trusted.gpg && \
    echo "deb $DEEPIN_MIRROR $DEEPIN_RELEASE main non-free contrib" > /rootfs/etc/apt/sources.list && \
    echo "#!/bin/sh\n\
env DEBIAN_FRONTEND=noninteractive apt-get autoremove -y\n\
apt-get clean\n\
find /var/lib/apt/lists -type f -delete\n\
find /var/cache -type f -delete\n\
find /var/log -type f -delete\n\
exit 0\n\
" > /rootfs/cleanup && chmod +x /rootfs/cleanup && \
    chroot ./rootfs apt-get update && \
    chroot ./rootfs env DEBIAN_FRONTEND=noninteractive apt-get dist-upgrade -y && \
    chroot ./rootfs /cleanup
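
The fingerprint comparison discussed above can be made an explicit build check, so that a key fetched by its 64-bit ID with apt-key adv --recv-keys is only trusted when its full fingerprint equals the one shown in the gpg2 output. This is an added example, not part of the thread or of the x11docker Dockerfile; the function names and the two sample colon listings are constructed for illustration.

```shell
#!/bin/sh
# Added example: pin the full 40-hex fingerprint of an APT signing key.
# Real input would come from gpg's machine-readable listing, e.g.
#   gpg --batch --with-colons --show-keys /etc/apt/trusted.gpg

# Fingerprint printed by gpg2 in the thread for key ID 425956BB3E31DF51.
DEEPIN_PIN='6BDB FE94 72C9 961F 4C19  73A1 4259 56BB 3E31 DF51'

# Strip spaces and upper-case a fingerprint as gpg prints it for humans.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'
}

# Read a --with-colons listing on stdin, print primary-key fingerprints only.
# The "fpr" record after "pub" belongs to the primary key, the one after
# "sub" to a subkey; field 10 carries the fingerprint.
primary_fingerprints() {
    awk -F: '
        $1 == "pub" { want = 1; next }
        $1 == "sub" { want = 0; next }
        $1 == "fpr" && want { print toupper($10); want = 0 }
    '
}

# Exit 0 only if the listing on stdin holds exactly one primary key and it
# is the pinned one. Exit 2 if the pin is not a full 40-hex fingerprint
# (a 16-hex key ID is refused), exit 1 on any mismatch or empty keyring.
keyring_matches_pin() {
    pin=$(normalize_fpr "$1")
    case $pin in
        *[!0-9A-F]*) return 2 ;;
    esac
    [ "${#pin}" -eq 40 ] || return 2
    found=$(primary_fingerprints | sort -u)
    [ "$found" = "$pin" ] || return 1
    return 0
}

# Constructed listing: only the key from the thread. The subkey fingerprint
# is a zero-padded placeholder, the thread shows only its 64-bit ID.
sample_good_listing() {
    cat <<'EOF'
pub:-:2048:1:425956BB3E31DF51:1418688000:::-:::scESC::::::23::0:
fpr:::::::::6BDBFE9472C9961F4C1973A1425956BB3E31DF51:
uid:-::::1418688000::::pkg-builder <pkg-builder@packages.linuxdeepin.com>::::::::::0:
sub:-:2048:1:66331C382787C58B:1418688000::::::e::::::23:
fpr:::::::::00000000000000000000000066331C382787C58B:
EOF
}

# Constructed listing: the same key plus one unexpected, made-up key.
sample_extra_key_listing() {
    sample_good_listing
    cat <<'EOF'
pub:-:4096:1:AAAAAAAAAAAAAAAA:1600000000:::-:::scESC::::::23::0:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:
uid:-::::1600000000::::constructed extra key <extra@example.invalid>::::::::::0:
EOF
}

for sample in sample_good_listing sample_extra_key_listing; do
    if "$sample" | keyring_matches_pin "$DEEPIN_PIN"; then
        echo "$sample: keyring holds only the pinned key"
    else
        echo "$sample: REJECT, do not copy this keyring into the rootfs"
    fi
done
```

In the stage 0 RUN chain this check would sit between apt-key adv and the cp of /etc/apt/trusted.gpg into /rootfs, so a non-zero exit stops the build before the keyring is trusted.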

hongyi-zhao commented 3 years ago

Some further notes on running/extending the created deepin apricot image:

  1. After I start the image with x11docker, I find that the desktop window size is too high and out of the range of my host's screen window. Furthermore, the size of the deepin window can't be resized. As a result, I can't see and use the toolbars shown at the bottom of the window. See the following screenshot for more info:

image

  2. For the deepin apricot, the wine and relevant packages have been moved to a newly created repo, named as appstore. See the following websites for detailed description about this new repo:

https://www.deepin.org/zh/2020/08/06/deepin-system-updates-2020-08-06/
https://www.deepin.org/en/2020/11/19/statements/

In order to use this repo, the following operations must be executed:

$ cat /etc/apt/sources.list.d/appstore.list 
deb https://community-store-packages.deepin.com/appstore eagle appstore

$ sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 1C30362C0A53D5BB

  3. The current names of wechat and qq packages are as follows:
    com.qq.weixin.deepin
    com.qq.im.deepin

mviereck commented 3 years ago

I've re-written all the operations in stage 0 used by you into the following:

This is hard to read now. Although one should use only few RUN instructions, it is also important that code is easy to read and easy to maintain. In this special case using multiple stages it is not needed to reduce RUN instructions in stage 0. All layers of stage 0 are dropped in stage 1 with FROM scratch and won't be part of the resulting image.

After I start the image with x11docker, I find that the desktop window size is too high and out of the range of my host's screen window. Furthermore, the size of the deepin window can't be resized. As a result, I can't see and use the toolbars shown at the bottom of the window.

Yes, that is annoying. It can be avoided with --nxagent or --weston-xwayland. This only happens with default --xephyr. deepin apricot is based on Gnome 3, and I have the same issue with x11docker/gnome and x11docker/cinnamon. Gnome 3 changes the display size on its own. I have no idea how to stop this behaviour.

For the deepin apricot, the wine and relevant packages have been moved to a newly created repo, named as appstore.

I am confused about this. I'll look closer later again.


Other issues I've noted so far:

hongyi-zhao commented 3 years ago

Yes, that is annoying. It can be avoided with --nxagent or --weston-xwayland.

But you told me the following usage here:

Use --xephyr instead of --nxagent to run the deepin desktop.

And furthermore, based on tries, only --xpra can fix this problem. See the running command and the screenshot for my case:

$ x11docker --runasroot 'sed -r "s/^[[:blank:]]*[|]//" <<-EOF > /etc/sudoers
        |#$ sudo grep -Ev '\''^[ ]*(#|$)'\'' /etc/sudoers  
        |Defaults   env_reset
        |Defaults   mail_badpass
        |Defaults   secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"
        |root   ALL=(ALL:ALL) ALL
        |%admin ALL=(ALL) ALL
        |%sudo  ALL=(ALL:ALL) ALL
        |$USER ALL=(ALL) NOPASSWD:ALL
    EOF' --share=$HOME/docker --sudouser -c --xpra --desktop --init=systemd -- --cap-add=ALL -- hongyizhao/deepin:apricot

image

I could not set up fcitx for chinese input.

AFAIK, fcitx has so many dependencies, and you use the --no-install-recommends option to install this package. I don't know whether this will trigger the problem.

mviereck commented 3 years ago

I've updated x11docker/deepin to apricot. The README contains some explanations how to add the community repository. I did a test install of WeChat. Unfortunately it does not appear in the application menu, I could only access it with the terminal.

But you told me the following usage here: Use --xephyr instead of --nxagent to run the deepin desktop.

That was an older version of deepin that worked better with --xephyr. apricot works better with other X server options.

And furthermore, based on tries, only --xpra can fix this problem.

I did some test runs, too. Sometimes the resize happens, sometimes it does not. --xpra, --nxagent and --weston-xwayland all allow to resize or maximize the window to mitigate this issue.

AFAIK, fcitx has so many dependencies, and you use the --no-install-recommends option to install this package. I don't know whether this will trigger the problem.

I might do a check with all install recommends later.

mviereck commented 3 years ago

I think we can close this long ticket now. Thank you for your investigation and tests!