Refactor Images to Multi-Stage Builds

[jan-abel-inwt]

The r-base image has been refactored to implement a multi-stage build pattern and enforce non-root user execution, significantly improving image security, size, and build efficiency with 7d6f819.

Changes Implemented

Feature	Description	Benefit
Multi-Stage Build	Separated the build environment (Stage 1: builder) from the runtime environment (Stage 2: final).	Drastic reduction in final image size by discarding build dependencies (e.g., autoconf, cmake, apt caches) and improving layer caching.
Non-Root User	Created a dedicated unprivileged user, user (UID 1000/GID 1000), for container runtime. The user is added to the staff group (see rocker) to ensure write access to /usr/local/lib/R/site-library.	Adheres to the Principle of Least Privilege, significantly mitigating potential security risks if code is exploited at runtime.
Dependency Management	Ensured only necessary runtime scripts (build.R, check.R, validate-settings.R, etc.) and installed packages are carried over to the final image.	Further reduces image size and tightens security by removing build-only clutter.

Image Size Reduction

The multi-stage refactoring resulted in a significant reduction in the final image size, demonstrating a tangible efficiency gain.

Image Repository	Tag	Image ID	Size	Change vs. Old Build
rocker/r-ver	4.5.1 (Base Image)	c71059b67e6a	948MB	-
inwt/r-base	4.5.1 (Old Build)	4c69c1c07c7c	1.33GB	-
inwt/r-base	4.5.1.non-root (New Multi-Stage)	9148f94c81e8	1.07GB	-260MB (20% reduction)

Action Required for Dependent Images

All downstream images:

• r-batch
• r-shiny
• r-model
• r-geos

must now be updated to use the same multi-stage pattern, starting FROM inwt/r-base:4.5.1 and explicitly enforcing the non-root user for package installation and runtime.

The recommended pattern is:

1. Stage 1 (<name>-builder): FROM inwt/r-base:4.5.1
2. Run as root to install any new system dependencies (apt-get).
3. Switch to user to install R packages.
4. Stage 2 (final-<name>): FROM inwt/r-base:4.5.1
5. COPY --from the newly installed R packages and other artifacts.
6. USER user for final execution.

[jan-abel-inwt]

Refactoring of r-batch

This commit refactors the r-batch Docker image.

Key Changes

1. Enforced Root/Non-Root Separation: Explicitly used USER root to install system dependencies (Java, database libs, AWS CLI) and USER user to install R packages.
2. AWS Config Removal: Removed the aws.config file, as environment configuration can be handled at deployment time.
3. Efficiency: Continued using the multi-stage pattern to ensure all build-time artifacts (like the AWS CLI zip file, system headers) are discarded, keeping the final image as lean as possible.

Image Size Reduction

Image Repository	Tag	Build Type	Size	Change vs. Old Build
inwt/r-batch	4.5.1	Old Build	1.93GB	-
inwt/r-batch	4.5.1.non-root	New Multi-Stage	1.55GB	-380MB (20% reduction)

[jan-abel-inwt]

Refactor r-model & r.geos

8b97fde & ab200ff

Key Changes Implemented

1. Enforced Root/Non-Root Separation:
   • USER root was explicitly used to install the system dependency.

Image Size Reduction

Image Repository	Tag	Build Type	Size	Change vs. Old Build
inwt/r-model	4.5.1 (Old Build)	-	2.23GB	-
inwt/r-model	4.5.1.non-root	New Multi-Stage	2.03GB	-200MB (9% reduction)
inwt/r-geos	4.5.1 (Old Build)	-	2.38GB	-
inwt/r-geos	4.5.1.non-root	New Multi-Stage	1.85GB	-530MB (22% reduction)

[jan-abel-inwt]

Some minor enhancements:

1. Global Versioning All core configuration (R_VERSION, USER_NAME, TZ, etc.) is now defined as ARGs once in r-base and inherited by all children. This makes future version bumps clean and fast.
2. Automated Tagging: The update-version Makefile target is ready to quickly update the R version in all five Dockerfiles.
3. OCI Compliance: Added Open Container Initiative (OCI) Labels to all Dockerfiles and dynamic Labels (revision & date) via the Jenkinsfile.
4. Dependabot: dependabot.yaml to check for monthly updates in the rocker/rver:*.*.* Base Image