ci: cleanup Dockerfile

ci/Dockerfile

@@ -1,39 +1,65 @@
 # initialize from the image
 
-FROM python:3.7.3
+FROM debian:10
 
 ARG TOOLCHAIN_FLAVOR=linux
-ENV TOOLCHAIN_FLAVOR=$TOOLCHAIN_FLAVOR
+ENV TOOLCHAIN_FLAVOR=${TOOLCHAIN_FLAVOR}
+
+ARG FULLDEPS_TESTING=0
+ENV FULLDEPS_TESTING=${FULLDEPS_TESTING}
 
 # install build tools and dependencies
 
 RUN apt-get update && apt-get install -y \
-    build-essential wget git libsodium-dev graphviz \
-    valgrind check libssl-dev libusb-1.0-0-dev libudev-dev zlib1g-dev \
-    libsdl2-dev libsdl2-image-dev
+        build-essential \
+        check \
+        clang-format \
+        git \
+        graphviz \
+        libjpeg-dev \
+        libsdl2-dev \
+        libsdl2-image-dev \
+        libsodium-dev \
+        libssl-dev \
+        libudev-dev \
+        libusb-1.0-0-dev \
+        valgrind \
+        wget \
+        zlib1g-dev
 
-# install clang-format 6 from backports
-RUN echo "deb http://deb.debian.org/debian stretch-backports main" > /etc/apt/sources.list.d/backports.list
-RUN apt-get update && apt-get install -t stretch-backports -y clang-format-6.0
-RUN ln -s clang-format-6.0 /usr/bin/clang-format
+# install python 3.7.3 + pip from the image
 
-# TODO are all apt packages actually needed?
+RUN apt-get install -y \
+    python3-dev \
+    python3-pip
 
-# Install Python 3.5 from Debian
-RUN apt-get install -y python3.5-dev
+# install other python versions from their sources
 
-# Install Python 3.6 and 3.8 from source, assuming we have 3.7 from the docker image
-RUN wget --no-verbose https://www.python.org/ftp/python/3.6.9/Python-3.6.9.tgz
-RUN tar zxf Python-3.6.9.tgz
-RUN cd Python-3.6.9/ && ./configure && make && make install
+RUN if [ "${FULLDEPS_TESTING}" = "1" ]; then \
+        export PYTHON35VER="3.5.7" ; \
+        wget --no-verbose https://www.python.org/ftp/python/${PYTHON35VER}/Python-${PYTHON35VER}.tgz ; \
+        tar zxf Python-${PYTHON35VER}.tgz ; \
+        cd Python-${PYTHON35VER}/ && ./configure && make && make install ; \
+    fi
 
-RUN wget --no-verbose https://www.python.org/ftp/python/3.8.0/Python-3.8.0b3.tgz
-RUN tar zxf Python-3.8.0b3.tgz
-RUN cd Python-3.8.0b3/ && ./configure && make && make install
+RUN if [ "${FULLDEPS_TESTING}" = "1" ]; then \
+        export PYTHON36VER="3.6.9" ; \
+        wget --no-verbose https://www.python.org/ftp/python/${PYTHON36VER}/Python-${PYTHON36VER}.tgz ; \
+        tar zxf Python-${PYTHON36VER}.tgz ; \
+        cd Python-${PYTHON36VER}/ && ./configure && make && make install ; \
+    fi
+
+RUN if [ "${FULLDEPS_TESTING}" = "1" ]; then \
+        export PYTHON38VER="3.8.0" ; \
+        export PYTHONSUBVER="b3"; \
+        wget --no-verbose https://www.python.org/ftp/python/${PYTHON38VER}/Python-${PYTHON38VER}${PYTHONSUBVER}.tgz ; \
+        tar zxf Python-${PYTHON38VER}${PYTHONSUBVER}.tgz ; \
+        cd Python-${PYTHON38VER}${PYTHONSUBVER}/ && ./configure && make && make install ; \
+    fi
 
 # install dependencies from toolchain source build
 
-RUN if [ "$TOOLCHAIN_FLAVOR" = "src" ]; then \
+RUN if [ "${TOOLCHAIN_FLAVOR}" = "src" ]; then \
         apt-get install -y autoconf autogen bison dejagnu \
                            flex flip gawk git gperf gzip nsis \
                            openssh-client p7zip-full perl python-dev \
@@ -43,24 +69,22 @@ RUN if [ "$TOOLCHAIN_FLAVOR" = "src" ]; then \
 
 # download toolchain
 
-ENV TOOLCHAIN_SHORTVER=8-2018q4
-ENV TOOLCHAIN_LONGVER=gcc-arm-none-eabi-8-2018-q4-major
-ENV TOOLCHAIN_URL=https://developer.arm.com/-/media/Files/downloads/gnu-rm/$TOOLCHAIN_SHORTVER/$TOOLCHAIN_LONGVER-$TOOLCHAIN_FLAVOR.tar.bz2
-ENV TOOLCHAIN_HASH_linux=fb31fbdfe08406ece43eef5df623c0b2deb8b53e405e2c878300f7a1f303ee52
-ENV TOOLCHAIN_HASH_src=bc228325dbbfaf643f2ee5d19e01d8b1873fcb9c31781b5e1355d40a68704ce7
+ENV TOOLCHAIN_LONGVER=gcc-arm-none-eabi-8-2019-q3-update
+ENV TOOLCHAIN_SUBDIR="8-2019q3/RC1.1"
+ENV TOOLCHAIN_URL=https://developer.arm.com/-/media/Files/downloads/gnu-rm/${TOOLCHAIN_SUBDIR}/${TOOLCHAIN_LONGVER}-${TOOLCHAIN_FLAVOR}.tar.bz2
+ENV TOOLCHAIN_HASH_linux=b50b02b0a16e5aad8620e9d7c31110ef285c1dde28980b1a9448b764d77d8f92
+ENV TOOLCHAIN_HASH_src=e8a8ddfec47601f2d83f1d80c0600f198476f227102121c8d6a5a781d0c2eeef
 
 # extract toolchain
 
-RUN cd /opt && wget --no-verbose $TOOLCHAIN_URL
-
-RUN cd /opt && echo "$TOOLCHAIN_HASH_linux $TOOLCHAIN_LONGVER-linux.tar.bz2\n$TOOLCHAIN_HASH_src $TOOLCHAIN_LONGVER-src.tar.bz2" | sha256sum -c --ignore-missing
-
-RUN cd /opt && tar xfj $TOOLCHAIN_LONGVER-$TOOLCHAIN_FLAVOR.tar.bz2
+RUN cd /opt && wget --no-verbose ${TOOLCHAIN_URL}
+RUN cd /opt && echo "${TOOLCHAIN_HASH_linux} ${TOOLCHAIN_LONGVER}-linux.tar.bz2\n${TOOLCHAIN_HASH_src} ${TOOLCHAIN_LONGVER}-src.tar.bz2" | sha256sum -c --ignore-missing
+RUN cd /opt && tar xfj ${TOOLCHAIN_LONGVER}-${TOOLCHAIN_FLAVOR}.tar.bz2
 
 # build toolchain (if required)
 
-RUN if [ "$TOOLCHAIN_FLAVOR" = "src" ]; then \
-        pushd /opt/$TOOLCHAIN_LONGVER ; \
+RUN if [ "${TOOLCHAIN_FLAVOR}" = "src" ]; then \
+        pushd /opt/${TOOLCHAIN_LONGVER} ; \
         ./install-sources.sh --skip_steps=mingw32 ; \
         ./build-prerequisites.sh --skip_steps=mingw32 ; \
         ./build-toolchain.sh --skip_steps=mingw32,manual ; \
@@ -76,14 +100,14 @@ RUN echo "${PROTOBUF_HASH} protoc-${PROTOBUF_VERSION}-linux-x86_64.zip" | sha256
 
 # setup toolchain
 
-ENV PATH=/opt/$TOOLCHAIN_LONGVER/bin:$PATH
+ENV PATH=/opt/${TOOLCHAIN_LONGVER}/bin:${PATH}
 
 ENV LC_ALL=C.UTF-8 LANG=C.UTF-8
 
-# use zipfile module to extract files world-readable
-ENV PYTHON=python
+ENV PYTHON=python3
 
-RUN $PYTHON -m zipfile -e "protoc-${PROTOBUF_VERSION}-linux-x86_64.zip" /usr/local && chmod 755 /usr/local/bin/protoc
+# use zipfile module to extract files world-readable
+RUN ${PYTHON} -m zipfile -e "protoc-${PROTOBUF_VERSION}-linux-x86_64.zip" /usr/local && chmod 755 /usr/local/bin/protoc
 
 ENV WORKON_HOME=/tmp/.venvs
 
@@ -93,14 +117,16 @@ ENV TREZOR_MONERO_TESTS_SHA256SUM=140a16b3d6105b5e8e88a93b451e9600a36ed23928ea3c
 ENV TREZOR_MONERO_TESTS_URL="https://github.com/ph4r05/monero/releases/download/v0.14.1.0-tests-u14.04-01/trezor_tests"
 ENV TREZOR_MONERO_TESTS_PATH="/opt/trezor_monero_tests"
 
-RUN wget --no-verbose "$TREZOR_MONERO_TESTS_URL" -O "$TREZOR_MONERO_TESTS_PATH" \
-    && chmod +x "$TREZOR_MONERO_TESTS_PATH"
-RUN echo "${TREZOR_MONERO_TESTS_SHA256SUM} ${TREZOR_MONERO_TESTS_PATH}" | sha256sum -c
+RUN if [ "${FULLDEPS_TESTING}" = "1" ]; then \
+        wget --no-verbose "${TREZOR_MONERO_TESTS_URL}" -O "${TREZOR_MONERO_TESTS_PATH}" ; \
+        chmod +x "${TREZOR_MONERO_TESTS_PATH}" ; \
+        echo "${TREZOR_MONERO_TESTS_SHA256SUM} ${TREZOR_MONERO_TESTS_PATH}" | sha256sum -c ; \
+    fi
 
 # install python dependencies
 
-RUN pip install pipenv
+RUN ${PYTHON} -m pip install pipenv
 
-RUN $PYTHON --version
-RUN pip --version
+RUN ${PYTHON} --version
+RUN ${PYTHON} -m pip --version
 RUN pipenv --version

ci/environment.yml

@@ -11,6 +11,6 @@ environment:
     - docker login $CI_REGISTRY -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD
   script:
     - docker pull $CONTAINER_NAME:latest || true
-    - docker build --cache-from $CONTAINER_NAME:latest --tag $CONTAINER_NAME:$CI_COMMIT_SHA --tag $CONTAINER_NAME:latest ci/
+    - docker build --cache-from $CONTAINER_NAME:latest --tag $CONTAINER_NAME:$CI_COMMIT_SHA --tag $CONTAINER_NAME:latest --build-arg FULLDEPS_TESTING=1 ci/
     - docker push $CONTAINER_NAME:$CI_COMMIT_SHA
     - docker push $CONTAINER_NAME:latest

ci/test.yml

@@ -48,7 +48,6 @@ test crypto:
     - cd crypto
     - ./tests/aestst
     - ./tests/test_check
-    - CK_TIMEOUT_MULTIPLIER=20 valgrind -q --error-exitcode=1 ./tests/test_check
     - ./tests/test_openssl 1000
     - ITERS=10 pipenv run pytest tests