Move build-time setup from startup script to Dockerfile

Packages, user creation, SAS config, and Apache proxy setup now run at
image build time instead of every container start, making restarts
faster. The startup script retains only runtime steps that depend on the
/data volume. Also removes initializeCommand from devcontainer configs
and adds tmpfs for /data/workspace.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: github-actions

src/aou-sas/.devcontainer.json

@@ -5,7 +5,6 @@
   "runServices": ["app", "wondershaper"],
   "shutdownAction": "none",
   "workspaceFolder": "/workspace",
-  "initializeCommand": "umount -f /tmp/wb-mount/*; rm -rf /tmp/wb-mount/*",
   "postCreateCommand": [
     "./startupscript/post-startup.sh",
     "aou",

src/aou-sas/Dockerfile

@@ -6,6 +6,72 @@ USER root
 # This must be in the Dockerfile because it references a build context (load-envs).
 COPY --from=load-envs /dist/load-env /dist/load-env.sh /opt/sas/aou/
 
+###############################################################################
+# Package-manager compatibility
+# Workbench startup scripts (post-startup.sh, resource-mount.sh) expect
+# apt-get / apt.  These shims delegate to yum on this RHEL-based SAS image.
+###############################################################################
+RUN printf '#!/bin/bash\ncase "$1" in\n  update) exec yum makecache -y ;;\n  install) shift; exec yum install -y "$@" ;;\n  *) exec yum "$@" ;;\nesac\n' > /usr/local/bin/apt-get && \
+    chmod +x /usr/local/bin/apt-get && \
+    cp /usr/local/bin/apt-get /usr/local/bin/apt && \
+    chmod +x /usr/local/bin/apt
+
+###############################################################################
+# System packages required by Workbench startup scripts
+###############################################################################
+RUN yum install -y jq curl fuse fuse-libs tar wget sudo git && \
+    yum clean all
+
+###############################################################################
+# gcsfuse — GCS bucket mounting
+###############################################################################
+RUN printf '[gcsfuse]\nname=gcsfuse (packages.cloud.google.com)\nbaseurl=https://packages.cloud.google.com/yum/repos/gcsfuse-el7-x86_64\nenabled=1\ngpgcheck=1\nrepo_gpgcheck=0\ngpgkey=https://packages.cloud.google.com/yum/doc/yum-key.gpg\n       https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg\n' > /etc/yum.repos.d/gcsfuse.repo && \
+    yum install -y gcsfuse && \
+    yum clean all
+
+###############################################################################
+# Google Cloud SDK
+###############################################################################
+RUN curl -O https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/google-cloud-cli-565.0.0-linux-x86_64.tar.gz && \
+    tar -xf google-cloud-cli-565.0.0-linux-x86_64.tar.gz && \
+    ./google-cloud-sdk/install.sh -q && \
+    ln -sf /google-cloud-sdk/bin/* /bin/ && \
+    rm -f google-cloud-cli-565.0.0-linux-x86_64.tar.gz
+
+###############################################################################
+# AoU user (non-root, no sudo)
+###############################################################################
+RUN groupadd -g 1001 aougroup && \
+    useradd -u 1001 -g aougroup -m -d /data -s /bin/bash aou && \
+    echo "aou:aou" | chpasswd && \
+    rm -f /etc/sudoers.d/aou
+
+###############################################################################
+# SAS configuration
+###############################################################################
+RUN echo "-work /data/saswork" >> /opt/sas/viya/config/etc/workspaceserver/default/sasv9_usermods.cfg && \
+    echo "-utilloc /data/utilloc" >> /opt/sas/viya/config/etc/workspaceserver/default/sasv9_usermods.cfg && \
+    sed -Ei 's#^USERMODS=(.*)#USERMODS=-allowxcmd \1#g' \
+      /opt/sas/viya/config/etc/spawner/default/spawner_usermods.sh
+
+###############################################################################
+# Apache proxy — auto-login, header cleanup, and HTTPS scheme fix
+#
+# ServerName https://localhost: Apache only receives HTTP (the Workbench proxy
+# terminates TLS upstream), but it must still generate https:// Location
+# headers in redirects (RedirectMatch, Redirect, etc.).  Without this setting,
+# browsers receive http:// redirect URLs that fail behind the HTTPS proxy.
+###############################################################################
+RUN PROXY_CONF=/etc/httpd/conf.d/dkrapro-proxy.conf && \
+    sed -i "s/RequestHeader/#RequestHeader/g" "${PROXY_CONF}" && \
+    sed -i 's|^ServerName localhost$|ServerName https://localhost|' "${PROXY_CONF}" && \
+    sed -i '/ProxyPreserveHost On/a # AOU-CONFIGURED' "${PROXY_CONF}" && \
+    sed -i '/AOU-CONFIGURED/a RequestHeader set X-SAS-Authorization "Basic YW91OmFvdQ=="' "${PROXY_CONF}" && \
+    sed -i '/AOU-CONFIGURED/a RequestHeader set X-Forwarded-Proto "https"' "${PROXY_CONF}" && \
+    sed -i '/AOU-CONFIGURED/a Header unset X-Frame-Options' "${PROXY_CONF}" && \
+    sed -i '/AOU-CONFIGURED/a Header unset Content-Security-Policy' "${PROXY_CONF}" && \
+    sed -i '/AOU-CONFIGURED/a Header edit Set-Cookie "^(.*SameSite=None.*)\$" "\$1; Secure"' "${PROXY_CONF}"
+
 # Wrapper entrypoint: copies the SAS license from Mikey Secrets (if active)
 # to /sasinside/ before handing off to the SAS entrypoint.
 COPY sas-entrypoint.sh /opt/sas/aou/sas-entrypoint.sh

src/aou-sas/docker-compose.yaml

@@ -21,6 +21,8 @@ services:
       # With Mikey Secrets, the entrypoint wrapper populates /sasinside/ from
       # the SAS_LICENSE_PATH file descriptor instead.
       - ./sasinside:/sasinside
+    tmpfs:
+      - /data/workspace:uid=1001,gid=1001
     environment:
       HOST_AUTH: ""
       SAS_DEBUG: "0"

src/aou-sas/sas-startup.sh

@@ -1,78 +1,16 @@
 #!/bin/bash
-# sas-startup.sh — Pre-deployment setup for SAS Analytics Pro on VWB GCE.
+# sas-startup.sh — Runtime setup for SAS Analytics Pro on VWB GCE.
 #
 # Mounted at /opt/sas/aou/sas-startup.sh and invoked via PRE_DEPLOY_SCRIPT
-# before SAS services start.  The entrypoint writes PRE_DEPLOY_SCRIPT to
-# /tmp/pre_deploy.sh and runs it, so we must NOT mount at that path.
+# before SAS services start.  Only handles steps that depend on the /data
+# volume or runtime state; build-time setup is in the Dockerfile.
 #
 # All steps are idempotent so container restarts are fast.
 
 set -o errexit
 set -o nounset
 set -o pipefail
 
-###############################################################################
-# Package-manager compatibility
-# Workbench startup scripts (post-startup.sh, resource-mount.sh) expect
-# apt-get / apt.  These shims delegate to yum on this RHEL-based SAS image.
-###############################################################################
-if [ ! -f /usr/local/bin/apt-get ]; then
-  cat > /usr/local/bin/apt-get << 'SHIM'
-#!/bin/bash
-case "$1" in
-  update) exec yum makecache -y ;;
-  install) shift; exec yum install -y "$@" ;;
-  *) exec yum "$@" ;;
-esac
-SHIM
-  chmod +x /usr/local/bin/apt-get
-  cp /usr/local/bin/apt-get /usr/local/bin/apt
-  chmod +x /usr/local/bin/apt
-fi
-
-###############################################################################
-# System packages required by Workbench startup scripts
-###############################################################################
-yum install -y jq curl fuse fuse-libs tar wget sudo git 2>/dev/null || true
-
-###############################################################################
-# gcsfuse — GCS bucket mounting
-###############################################################################
-if ! command -v gcsfuse &>/dev/null; then
-  cat > /etc/yum.repos.d/gcsfuse.repo << 'EOF'
-[gcsfuse]
-name=gcsfuse (packages.cloud.google.com)
-baseurl=https://packages.cloud.google.com/yum/repos/gcsfuse-el7-x86_64
-enabled=1
-gpgcheck=1
-repo_gpgcheck=0
-gpgkey=https://packages.cloud.google.com/yum/doc/yum-key.gpg
-       https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg
-EOF
-  yum install -y gcsfuse || true
-fi
-
-###############################################################################
-# Google Cloud SDK
-###############################################################################
-if ! command -v gcloud &>/dev/null; then
-  curl -O https://dl.google.com/dl/cloudsdk/channels/rapid/downloads/google-cloud-cli-565.0.0-linux-x86_64.tar.gz \
-    && tar -xf google-cloud-cli-565.0.0-linux-x86_64.tar.gz \
-    && ./google-cloud-sdk/install.sh -q \
-    && ln -sf /google-cloud-sdk/bin/* /bin/ \
-    && rm -f google-cloud-cli-565.0.0-linux-x86_64.tar.gz \
-    || true
-fi
-
-###############################################################################
-# AoU user (non-root, no sudo)
-###############################################################################
-AOU_GID=${AOU_GID:-1001}
-groupadd -f -g "${AOU_GID}" aougroup
-id aou &>/dev/null || useradd -g aougroup -m -d /data -s /bin/bash aou
-echo "aou:aou" | chpasswd
-rm -f /etc/sudoers.d/aou
-
 ###############################################################################
 # Data directories (on the sas-data volume)
 ###############################################################################
@@ -98,49 +36,3 @@ if [ -d /opt/sas/aou ]; then
   grep -q "load-env.sh" /data/.bashrc 2>/dev/null || \
     echo "source /data/load-env.sh" >> /data/.bashrc
 fi
-
-###############################################################################
-# SAS configuration
-###############################################################################
-USERMODS_CFG=/opt/sas/viya/config/etc/workspaceserver/default/sasv9_usermods.cfg
-grep -q "saswork" "${USERMODS_CFG}" 2>/dev/null || \
-  echo "-work /data/saswork" >> "${USERMODS_CFG}"
-grep -q "utilloc" "${USERMODS_CFG}" 2>/dev/null || \
-  echo "-utilloc /data/utilloc" >> "${USERMODS_CFG}"
-
-sed -Ei 's#^USERMODS=(.*)#USERMODS=-allowxcmd \1#g' \
-  /opt/sas/viya/config/etc/spawner/default/spawner_usermods.sh
-
-###############################################################################
-# Apache proxy — auto-login and header cleanup
-###############################################################################
-PROXY_CONF=/etc/httpd/conf.d/dkrapro-proxy.conf
-
-# Comment out default RequestHeader lines from the SAS image, then re-add
-# exactly the ones we need.  Use a marker so restarts are idempotent.
-if ! grep -q "AOU-CONFIGURED" "${PROXY_CONF}"; then
-  sed -i "s/RequestHeader/#RequestHeader/g" "${PROXY_CONF}"
-
-  # Force Apache to generate https:// URLs in redirects (RedirectMatch etc.)
-  # since the Workbench proxy terminates TLS upstream.
-  sed -i 's|^ServerName localhost$|ServerName https://localhost|' "${PROXY_CONF}"
-
-  sed -i '/ProxyPreserveHost On/a # AOU-CONFIGURED' "${PROXY_CONF}"
-
-  # Auto-login (base64 of "aou:aou" = YW91OmFvdQ==)
-  sed -i '/AOU-CONFIGURED/a RequestHeader set X-SAS-Authorization "Basic YW91OmFvdQ=="' \
-    "${PROXY_CONF}"
-  sed -i '/AOU-CONFIGURED/a RequestHeader set X-Forwarded-Proto "https"' \
-    "${PROXY_CONF}"
-
-  # Strip framing restrictions so SAS Studio can be iframed by the Workbench UI.
-  sed -i '/AOU-CONFIGURED/a Header unset X-Frame-Options' \
-    "${PROXY_CONF}"
-  sed -i '/AOU-CONFIGURED/a Header unset Content-Security-Policy' \
-    "${PROXY_CONF}"
-
-  # SameSite=None cookies require the Secure flag.  The app sees HTTP
-  # (proxy terminates TLS) so SAS omits it — add it via Apache.
-  sed -i '/AOU-CONFIGURED/a Header edit Set-Cookie "^(.*SameSite=None.*)$" "$1; Secure"' \
-    "${PROXY_CONF}"
-fi

src/jupyter-aou/.devcontainer.json

@@ -5,7 +5,6 @@
   "runServices": ["app", "wondershaper"],
   "shutdownAction": "none",
   "workspaceFolder": "/workspace",
-  "initializeCommand": "umount -f /tmp/wb-mount/*; rm -rf /tmp/wb-mount/*",
   "postCreateCommand": "./startupscript/post-startup.sh jupyter /home/jupyter \"${templateOption:cloud}\" \"${templateOption:login}\"",
   // re-mount bucket files on container start up
   "postStartCommand": "./startupscript/remount-on-restart.sh jupyter /home/jupyter \"${templateOption:cloud}\" \"${templateOption:login}\"",