From 9151566836b7f35a7be4c89f16ae69390419754a Mon Sep 17 00:00:00 2001
From: David Herberth
Date: Tue, 15 Jul 2025 10:26:46 +0200
Subject: [PATCH 1/7] feat(docker): Switch to a distroless base image
---
.github/workflows/ci.yml | 4 ++++
Dockerfile.release | 28 +++-------------------
docker-entrypoint.sh | 51 ----------------------------------------
3 files changed, 7 insertions(+), 76 deletions(-)
delete mode 100644 docker-entrypoint.sh
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 538243089ff..1a3d4636ff5 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -470,6 +470,8 @@ jobs:
 run: |
 docker login --username '${{ github.actor }}' --password '${{ secrets.GITHUB_TOKEN }}' ghcr.io
+ tree
+ chmod +x */*/relay
 docker buildx build \
 --platform "${PLATFORMS}" \
 --tag "${DOCKER_IMAGE}:${REVISION}" \
@@ -554,6 +556,8 @@ jobs:
 - name: Build and push to Internal AR
 run: |
+ tree
+ chmod +x */*/relay
 docker buildx build \
 --platform "${PLATFORMS}" \
 --tag "${AR_DOCKER_IMAGE}:${REVISION}" \
diff --git a/Dockerfile.release b/Dockerfile.release
index c30999d176e..437fea1c383 100644
--- a/Dockerfile.release
+++ b/Dockerfile.release
@@ -1,31 +1,9 @@
-FROM debian:bookworm-slim
+FROM gcr.io/distroless/cc-debian12:nonroot
 ARG TARGETPLATFORM
-
-RUN apt-get update \
- && apt-get install -y ca-certificates gosu curl --no-install-recommends \
- && apt-get clean \
- && rm -rf /var/lib/apt/lists/*
-
-ENV \
- RELAY_UID=10001 \
- RELAY_GID=10001
-
-# Create a new user and group with fixed uid/gid
-RUN groupadd --system relay --gid $RELAY_GID \
- && useradd --system --gid relay --uid $RELAY_UID relay
-
-RUN mkdir /work /etc/relay \
- && chown relay:relay /work /etc/relay
-VOLUME ["/work", "/etc/relay"]
-WORKDIR /work
-
+VOLUME ["/etc/relay"]
 EXPOSE 3000
 COPY $TARGETPLATFORM/relay /bin/relay
-RUN chmod +x /bin/relay
-
-COPY ./docker-entrypoint.sh /
-ENTRYPOINT ["/bin/bash", "/docker-entrypoint.sh"]
-CMD ["run"]
+ENTRYPOINT ["/bin/relay"]
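Review bot: Dropping `docker-entrypoint.sh` silently retires the `RELAY_ENABLE_COREDUMPS`, `RELAY_DELAY_STARTUP_SECONDS` and `RELAY_PRESTART_ENDPOINT` hooks and the `bash` fallback, but neither the commit message nor the new Dockerfile says so, so deployments that set those variables will have them ignored without any error. Record the removal in the commit message and changelog and add a comment above `ENTRYPOINT ["/bin/relay"]`, e.g. `# No shell in this image: the former entrypoint's coredump / startup-delay / prestart-probe env vars are no longer honoured.` The fixed `RELAY_UID`/`RELAY_GID` 10001 is also replaced by whatever uid the `:nonroot` tag carries (65532 in distroless, as far as I know), which changes ownership expectations for existing `/etc/relay` volumes; stating that, and pinning the base by digest (`FROM gcr.io/distroless/cc-debian12:nonroot@sha256:<digest-placeholder>`), keeps it from drifting between rebuilds. `COPY $TARGETPLATFORM/relay /bin/relay` now depends on the build context's file mode because the removed `RUN chmod` cannot run without a shell; `COPY --chmod=755 $TARGETPLATFORM/relay /bin/relay` makes the intent explicit.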
diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh
deleted file mode 100644
index e6cd97d7982..00000000000
--- a/docker-entrypoint.sh
+++ /dev/null
@@ -1,51 +0,0 @@
-#!/usr/bin/env bash
-set -e
-
-# Enable core dumps. Requires privileged mode.
-if [[ "${RELAY_ENABLE_COREDUMPS:-}" == "1" ]]; then
- mkdir -p /var/dumps
- chmod a+rwx /var/dumps
- echo '/var/dumps/core.%h.%e.%t' > /proc/sys/kernel/core_pattern
- ulimit -c unlimited
-fi
-
-# Sleep for the specified number of seconds before starting.
-# For example, can be helpful to synchronize container startup in Kubernetes environment.
-if [[ -n "${RELAY_DELAY_STARTUP_SECONDS:-}" ]]; then
- echo "Sleeping for ${RELAY_DELAY_STARTUP_SECONDS}s..."
- sleep "${RELAY_DELAY_STARTUP_SECONDS}"
-fi
-
-# Make sure that a specified URL (e.g. the upstream or a proxy sidecar) is reachable before starting.
-# Only 200 response is accepted as success.
-if [[ -n "${RELAY_PRESTART_ENDPOINT:-}" ]]; then
- max_retry="${RELAY_PRESTART_MAX_RETRIES:-120}"
- curl_timeout="${RELAY_PRESTART_REQUEST_TIMEOUT:-1}"
- for attempt in $(seq 0 "${max_retry}"); do
- if [[ "${attempt}" == "${max_retry}" ]]; then
- echo "The prestart endpoint has not returned 200 after ${max_retry} attempts, exiting!"
- exit 1
- fi
- status=$(curl --max-time "${curl_timeout}" --show-error --silent \
- --output /dev/null --write-out "%{http_code}" \
- -H 'Connection: close' \
- "${RELAY_PRESTART_ENDPOINT}" \
- || true)
- if [[ "${status}" == "200" ]]; then
- break
- fi
- echo "Waiting for a 200 response from ${RELAY_PRESTART_ENDPOINT}, got ${status}"
- sleep 1
- done
-fi
-
-# For compatibility with older images
-if [ "$1" == "bash" ]; then
- set -- bash "${@:2}"
-elif [ "$(id -u)" == "0" ]; then
- set -- gosu relay /bin/relay "$@"
-else
- set -- /bin/relay "$@"
-fi
-
-exec "$@"
From 9dbb1d2a8aa3a1a8d3a64183fb841c271b46cf4e Mon Sep 17 00:00:00 2001
From: David Herberth
Date: Tue, 15 Jul 2025 16:15:58 +0200
Subject: [PATCH 2/7] statically compile libz with kafka
---
relay-kafka/Cargo.toml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/relay-kafka/Cargo.toml b/relay-kafka/Cargo.toml
index 3ff488679e7..00f3c798198 100644
--- a/relay-kafka/Cargo.toml
+++ b/relay-kafka/Cargo.toml
@@ -13,7 +13,7 @@ publish = false
 workspace = true
 [dependencies]
-rdkafka = { workspace = true, optional = true, features = ["tracing", "ssl"] }
+rdkafka = { workspace = true, optional = true, features = ["tracing", "ssl", "libz-static"] }
 rdkafka-sys = { workspace = true, optional = true }
 relay-log = { workspace = true, optional = true }
 relay-statsd = { workspace = true, optional = true }
From c7aac11a9f04c79752b917aaf30098bf25dbf6ae Mon Sep 17 00:00:00 2001
From: David Herberth
Date: Wed, 16 Jul 2025 08:45:45 +0200
Subject: [PATCH 3/7] multistage
---
Dockerfile.release | 15 +++++++++++++--
1 file changed, 13 insertions(+), 2 deletions(-)
diff --git a/Dockerfile.release b/Dockerfile.release
index 437fea1c383..cb40ae74daf 100644
--- a/Dockerfile.release
+++ b/Dockerfile.release
@@ -1,9 +1,20 @@
+FROM gcr.io/distroless/cc-debian12:debug AS builder
+
+RUN ["/busybox/busybox", "mkdir", "/work", "/etc/relay"]
+
+
 FROM gcr.io/distroless/cc-debian12:nonroot
 ARG TARGETPLATFORM
-VOLUME ["/etc/relay"]
+
 EXPOSE 3000
-COPY $TARGETPLATFORM/relay /bin/relay
+COPY --from=builder --chown=nonroot:noonroot /etc/relay /etc/relay
+COPY --from=builder --chown=nonroot:noonroot /work /work
+
+VOLUME ["/etc/relay", "/work"]
+WORKDIR /work
+
+COPY --chmod=755 $TARGETPLATFORM/relay /bin/relay
 ENTRYPOINT ["/bin/relay"]
From 239d681537105f7d9d90c4c3265f4a7989f645ad Mon Sep 17 00:00:00 2001
From: David Herberth
Date: Wed, 16 Jul 2025 09:54:26 +0200
Subject: [PATCH 4/7] rm tree and chmod
---
.github/workflows/ci.yml | 4 ----
1 file changed, 4 deletions(-)
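Review bot: Nothing in the file records why `libz-static` is being enabled; a one-line comment on the `rdkafka` dependency would spare the next reader a git blame, e.g. `# libz-static: the runtime image ships no shared zlib, so link it into the binary` (the distroless motive is inferred from the sibling Dockerfile change in this series, not from this hunk). The trade-off is worth noting in the same place: with zlib linked statically, zlib fixes no longer arrive through a base-image bump but only through a dependency update and rebuild, so whatever dependency scanning the repository uses has to cover the zlib that rdkafka-sys vendors.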
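Review bot: Both `COPY --from=builder --chown=nonroot:noonroot` lines misspell the group; the intended value is `--chown=nonroot:nonroot`. Whether BuildKit rejects the unknown group name or quietly falls back I cannot confirm from here, but if it falls back, `/work` and `/etc/relay` end up owned by a group other than the one the `nonroot` user is in. The `builder` stage exists only to manufacture two empty directories with the `debug` variant's busybox, which is a fair workaround for a shell-less final stage but is non-obvious; a comment such as `# debug variant only for busybox mkdir; the directories are copied into the shell-less runtime stage below` would help, and the `debug` tag should be pinned by digest like the runtime base.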
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 1a3d4636ff5..538243089ff 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -470,8 +470,6 @@ jobs:
 run: |
 docker login --username '${{ github.actor }}' --password '${{ secrets.GITHUB_TOKEN }}' ghcr.io
- tree
- chmod +x */*/relay
 docker buildx build \
 --platform "${PLATFORMS}" \
 --tag "${DOCKER_IMAGE}:${REVISION}" \
@@ -556,8 +554,6 @@ jobs:
 - name: Build and push to Internal AR
 run: |
- tree
- chmod +x */*/relay
 docker buildx build \
 --platform "${PLATFORMS}" \
 --tag "${AR_DOCKER_IMAGE}:${REVISION}" \
From 1bd4688382deef7d4a52919d8fd1cb6340cc389b Mon Sep 17 00:00:00 2001
From: David Herberth
Date: Thu, 17 Jul 2025 08:37:27 +0200
Subject: [PATCH 5/7] try to debug self hosted failure
---
.github/workflows/ci.yml | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 538243089ff..d0c70acedf1 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -572,7 +572,7 @@ jobs:
 matrix:
 image_name: ["relay"] # Don't publish relay-pop (for now)
- if: github.event_name == 'merge_group'
+ if: github.event_name == 'merge_group'
 env:
 GHCR_DOCKER_IMAGE: "ghcr.io/getsentry/${{ matrix.image_name }}"
@@ -854,6 +854,12 @@ jobs:
 image_url: ghcr.io/getsentry/relay:${{ github.event.pull_request.head.sha || github.sha }}
 CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
+ - name: Inspect failure
+ if: failure()
+ run: |
+ docker compose ps
+ docker compose logs
+
 validate-devservices-config:
 runs-on: ubuntu-24.04
 needs: devservices-files-changed
From c1f60016e0886204b6f1b4e43d582917c8f49551 Mon Sep 17 00:00:00 2001
From: David Herberth
Date: Thu, 17 Jul 2025 09:26:43 +0200
Subject: [PATCH 6/7] Update .github/workflows/ci.yml
Co-authored-by: Reinaldy Rafli
---
.github/workflows/ci.yml | 1 +
1 file changed, 1 insertion(+)
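Review bot: The new `Inspect failure` step runs `docker compose logs` with no bound, so on every failure the complete output of every service is written into the Actions log; if any of those services echo request payloads or credentials (I cannot tell from this hunk), they become readable to everyone who can view the job. `docker compose logs --tail=500`, or naming only the services of interest, keeps the dump useful and bounded. The `- if:`/`+ if:` pair in the first hunk shows no visible difference, so it is presumably a trailing-whitespace cleanup; saying so in the commit message would save reviewers a second look.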
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index d0c70acedf1..cfd54ce4a12 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -857,6 +857,7 @@ jobs:
 - name: Inspect failure
 if: failure()
 run: |
+ cd /home/runner/work/_actions/getsentry/self-hosted/master
 docker compose ps
 docker compose logs
From 305272bb77e25a3feafb1bae78805df78c30e56e Mon Sep 17 00:00:00 2001
From: David Herberth
Date: Thu, 17 Jul 2025 13:17:40 +0200
Subject: [PATCH 7/7] missing cmd directive
---
Dockerfile.release | 1 +
1 file changed, 1 insertion(+)
diff --git a/Dockerfile.release b/Dockerfile.release
index cb40ae74daf..efe353582d5 100644
--- a/Dockerfile.release
+++ b/Dockerfile.release
@@ -18,3 +18,4 @@ WORKDIR /work
 COPY --chmod=755 $TARGETPLATFORM/relay /bin/relay
 ENTRYPOINT ["/bin/relay"]
+CMD ["run"]
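Review bot: `cd /home/runner/work/_actions/getsentry/self-hosted/master` hardcodes the runner's home directory, GitHub's action-checkout layout and the `master` ref; if the workflow ever pins `getsentry/self-hosted` to another ref or runs on a runner with a different home, the `cd` fails and, under the default `bash -e` run shell, the step likely produces nothing. Prefer the step-level `working-directory:` key to a `cd` inside `run:`, and derive the path from the same ref the `uses:` line names (that line is outside this hunk, so I cannot quote it); at minimum add `# the runner checks out getsentry/self-hosted@master here; keep in sync with the uses: line` so the coupling is visible.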