diff --git a/api/Dockerfile b/api/Dockerfile index a56dd9e..e1a7463 100644 --- a/api/Dockerfile +++ b/api/Dockerfile @@ -58,15 +58,57 @@ RUN npm ci --omit=dev && npm cache clean --force # Stage 3: Static ffmpeg binary (avoids apt ffmpeg pulling mesa/libllvm for # hardware acceleration we don't use server-side). +# +# Resilient download: johnvansickle.com is the primary source but it's a single +# self-hosted host with no CDN and goes down intermittently. Use bounded-timeout +# retries, then fall back to a pinned BtbN/FFmpeg-Builds autobuild. Every archive +# is SHA256-verified before extraction. The two sources have different internal +# layouts, so locate the binaries with `find` rather than a fixed strip path. FROM debian:trixie-slim AS ffmpeg-static ARG TARGETARCH RUN apt-get update && apt-get install -y --no-install-recommends \ curl ca-certificates xz-utils \ - && curl -fsSL -o /tmp/ffmpeg.tar.xz "https://johnvansickle.com/ffmpeg/releases/ffmpeg-release-${TARGETARCH}-static.tar.xz" \ + && rm -rf /var/lib/apt/lists/* \ + && case "${TARGETARCH}" in \ + amd64) \ + primary_url="https://johnvansickle.com/ffmpeg/releases/ffmpeg-release-amd64-static.tar.xz" ; \ + primary_sha256="abda8d77ce8309141f83ab8edf0596834087c52467f6badf376a6a2a4c87cf67" ; \ + fallback_url="https://github.com/BtbN/FFmpeg-Builds/releases/download/autobuild-2026-05-30-13-19/ffmpeg-N-124681-gb8c5376eb4-linux64-gpl.tar.xz" ; \ + fallback_sha256="6cfd689ee95ff128e89080af10c93f16e48760eb2acc124c5c8258dc922cc13b" ; \ + ;; \ + arm64) \ + primary_url="https://johnvansickle.com/ffmpeg/releases/ffmpeg-release-arm64-static.tar.xz" ; \ + primary_sha256="f4149bb2b0784e30e99bdda85471c9b5930d3402014e934a5098b41d0f7201b1" ; \ + fallback_url="https://github.com/BtbN/FFmpeg-Builds/releases/download/autobuild-2026-05-30-13-19/ffmpeg-N-124681-gb8c5376eb4-linuxarm64-gpl.tar.xz" ; \ + fallback_sha256="b90a31f1d0b030f5d8a3d11cfec736e369bd5a1371b19bf65421a07f72b1d547" ; \ + ;; \ + *) echo "unsupported TARGETARCH: ${TARGETARCH}" >&2; exit 1 ;; \ + esac \ && mkdir -p /tmp/ffmpeg \ - && tar -xJf /tmp/ffmpeg.tar.xz -C /tmp/ffmpeg --strip-components=1 \ - && mv /tmp/ffmpeg/ffmpeg /tmp/ffmpeg/ffprobe /usr/local/bin/ \ - && chmod +x /usr/local/bin/ffmpeg /usr/local/bin/ffprobe + && ok= \ + && for source in \ + "primary ${primary_sha256} ${primary_url}" \ + "fallback ${fallback_sha256} ${fallback_url}" ; do \ + source_name="${source%% *}" ; \ + source_data="${source#* }" ; \ + sha256="${source_data%% *}" ; \ + url="${source_data#* }" ; \ + echo "Downloading ffmpeg (${source_name}) from ${url}" ; \ + if curl -fsSL --connect-timeout 20 --max-time 300 \ + --retry 3 --retry-delay 5 --retry-all-errors \ + -o /tmp/ffmpeg.tar.xz "${url}" \ + && echo "${sha256} /tmp/ffmpeg.tar.xz" | sha256sum -c - ; then ok=1 ; break ; fi ; \ + rm -f /tmp/ffmpeg.tar.xz ; \ + echo "ffmpeg source failed, trying next: ${url}" >&2 ; \ + done \ + && [ -n "${ok}" ] || { echo "all ffmpeg download sources failed" >&2 ; exit 1 ; } \ + && tar -xJf /tmp/ffmpeg.tar.xz -C /tmp/ffmpeg \ + && ffmpeg_bin="$(find /tmp/ffmpeg -type f -name ffmpeg | head -n1)" \ + && ffprobe_bin="$(find /tmp/ffmpeg -type f -name ffprobe | head -n1)" \ + && [ -n "${ffmpeg_bin}" ] && [ -n "${ffprobe_bin}" ] \ + && mv "${ffmpeg_bin}" "${ffprobe_bin}" /usr/local/bin/ \ + && chmod +x /usr/local/bin/ffmpeg /usr/local/bin/ffprobe \ + && rm -rf /tmp/ffmpeg /tmp/ffmpeg.tar.xz # Stage 4: Runtime - Minimal image with only runtime dependencies FROM python:3.13-slim AS runner