Rework the Dockerfile for dev images to be more like the bazel buildpjk25/restore-multi-arch-oci

10 files changed, 105 insertions, 315 deletions

diff --git a/.bazelrc b/.bazelrc
index e0a5757f5f..9911e9aa16 100644
--- a/.bazelrc
+++ b/.bazelrc
@@ -14,7 +14,7 @@ build:buildbuddy --remote_cache=grpcs://remote.buildbuddy.io
 build:buildbuddy --remote_timeout=1200
 build:buildbuddy --grpc_keepalive_time=360s
 build:buildbuddy --grpc_keepalive_timeout=360s
-build:buildbuddy --remote_download_minimal
+build:buildbuddy --remote_download_toplevel
 build:buildbuddy --build_metadata=REPO_URL=https://github.com/rabbitmq/rabbitmq-server.git
 build:buildbuddy --experimental_remote_cache_compression
 build:buildbuddy --experimental_remote_cache_async
diff --git a/.github/workflows/oci-base.yaml b/.github/workflows/oci-base.yaml
index 1ba8c56cb4..df3e36e805 100644
--- a/.github/workflows/oci-base.yaml
+++ b/.github/workflows/oci-base.yaml
@@ -19,6 +19,7 @@ jobs:
           platforms: linux/amd64,linux/arm64
 
       - name: Set up Docker Buildx
+        id: buildx
         uses: docker/setup-buildx-action@v2
 
       - name: Available platforms
diff --git a/.github/workflows/oci.yaml b/.github/workflows/oci.yaml
index 7cac49751b..3d9f85dd8f 100644
--- a/.github/workflows/oci.yaml
+++ b/.github/workflows/oci.yaml
@@ -98,6 +98,7 @@ jobs:
           platforms: linux/amd64,linux/arm64
 
       - name: Set up Docker Buildx
+        id: buildx
         uses: docker/setup-buildx-action@v2
 
       - name: Available platforms
@@ -130,7 +131,8 @@ jobs:
       - name: Expand generic-unix-package
         working-directory: packaging/docker-image
         run: |
-          xzcat ${{ steps.resolve-artifact-path.outputs.ARTIFACT_PATH }} | tar xvf -
+          xzcat ${{ steps.resolve-artifact-path.outputs.ARTIFACT_PATH }} \
+            > package-generic-unix.tar
 
       - name: Compute image tags
         id: compute-tags
diff --git a/packaging/docker-image/.gitignore b/packaging/docker-image/.gitignore
new file mode 100644
index 0000000000..bfd4973e48
--- /dev/null
+++ b/packaging/docker-image/.gitignore
@@ -0,0 +1 @@
+package-generic-unix.tar
diff --git a/packaging/docker-image/BUILD.bazel b/packaging/docker-image/BUILD.bazel
index d8516ba75d..b1c3503343 100644
--- a/packaging/docker-image/BUILD.bazel
+++ b/packaging/docker-image/BUILD.bazel
@@ -24,8 +24,8 @@ BUILD_DEPS_PACKAGES = [
     "autoconf",
     "ca-certificates",
     "dpkg-dev",
-    "g++",
     "gcc",
+    "g++",
     "libncurses5-dev",
     "make",
 ]
@@ -83,7 +83,7 @@ container_layer(
         "OPENSSL_VERSION": "1.1.1g",
     },
     files = [
-        "build_install_openssh.sh",
+        "build_install_openssl.sh",
     ],
     tags = ["manual"],
     tars = [
@@ -101,8 +101,8 @@ container_image(
 container_run_and_commit_layer(
     name = "openssl_layer",
     commands = [
-        "/usr/local/src/build_install_openssh.sh",
-        "rm /usr/local/src/build_install_openssh.sh",
+        "/usr/local/src/build_install_openssl.sh",
+        "rm /usr/local/src/build_install_openssl.sh",
     ],
     image = ":openssl_source.tar",
     tags = ["manual"],
@@ -191,7 +191,7 @@ container_image(
         "RABBITMQ_HOME": RABBITMQ_HOME,
         "RABBITMQ_LOGS": "-",
         "HOME": RABBITMQ_DATA_DIR,
-        "PATH": "%s/sbin:$$PATH" % RABBITMQ_HOME,
+        "PATH": "/opt/otp/bin:%s/sbin:$$PATH" % RABBITMQ_HOME,
         "LANG": C_UTF8,
         "LANGUAGE": C_UTF8,
         "LC_ALL": C_UTF8,
@@ -239,6 +239,9 @@ container_image(
 container_image(
     name = "otp_install_wrapper",
     base = ":rabbitmq_pkgs_image",
+    env = {
+        "PATH": "/opt/otp/bin:$$PATH",
+    },
     layers = [
         ":otp_layer",
     ],
diff --git a/packaging/docker-image/Dockerfile b/packaging/docker-image/Dockerfile
index ced2a49e76..64652f1b39 100644
--- a/packaging/docker-image/Dockerfile
+++ b/packaging/docker-image/Dockerfile
@@ -1,51 +1,10 @@
 # The official Canonical Ubuntu Bionic image is ideal from a security perspective,
 # especially for the enterprises that we, the RabbitMQ team, have to deal with
 ARG BASE=ubuntu
-FROM ${BASE}:20.04
+FROM ${BASE}:20.04 as otp
 
 RUN set -eux; \
-        apt-get update; \
-        apt-get install -y --no-install-recommends \
-# grab gosu for easy step-down from root
-        gosu \
-        ; \
-	rm -rf /var/lib/apt/lists/*; \
-# verify that the "gosu" binary works
-	gosu nobody true
-
-# PGP key servers are too flaky for us to verify during every CI triggered build
-# https://github.com/docker-library/official-images/issues/4252
-ARG SKIP_PGP_VERIFY=false
-# Default to a PGP keyserver that pgp-happy-eyeballs recognizes, but allow for substitutions locally
-ARG PGP_KEYSERVER=ha.pool.sks-keyservers.net
-# If you are building this image locally and are getting `gpg: keyserver receive failed: No data` errors,
-# run the build with a different PGP_KEYSERVER, e.g. docker build --tag rabbitmq:3.7 --build-arg PGP_KEYSERVER=pgpkeys.eu 3.7/ubuntu
-# For context, see https://github.com/docker-library/official-images/issues/4252
-
-# Using the latest OpenSSL LTS release, with support until September 2023 - https://www.openssl.org/source/
-ENV OPENSSL_VERSION 1.1.1g
-ENV OPENSSL_SOURCE_SHA256="ddb04774f1e32f0c49751e21b67216ac87852ceb056b75209af2443400636d46"
-# https://www.openssl.org/community/omc.html
-ENV OPENSSL_PGP_KEY_IDS="0x8657ABB260F056B1E5190839D9C4D26D0E604491 0x5B2545DAB21995F4088CEFAA36CEE4DEB00CFE33 0xED230BEC4D4F2518B9D7DF41F0DB4D21C1D35231 0xC1F33DD8CE1D4CC613AF14DA9195C48241FBF7DD 0x7953AC1FBC3DC8B3B292393ED5E9E43F7DF9EE8C 0xE5E52560DD91C556DDBDA5D02064C53641C25E5D"
-
-# Use the latest stable Erlang/OTP release - make find-latest-otp - https://github.com/erlang/otp/tags
-ARG OTP_VERSION
-ENV OTP_VERSION ${OTP_VERSION}
-# TODO add PGP checking when the feature will be added to Erlang/OTP's build system
-# http://erlang.org/pipermail/erlang-questions/2019-January/097067.html
-ARG OTP_SHA256
-ENV OTP_SOURCE_SHA256=${OTP_SHA256}
-ARG SKIP_OTP_VERIFY=false
-
-# Install dependencies required to build Erlang/OTP from source
-# https://erlang.org/doc/installation_guide/INSTALL.html
-# autoconf: Required to configure Erlang/OTP before compiling
-# dpkg-dev: Required to set up host & build type when compiling Erlang/OTP
-# gnupg: Required to verify OpenSSL artefacts
-# libncurses5-dev: Required for Erlang/OTP new shell & observer_cli - https://github.com/zhongwencool/observer_cli
-RUN set -eux; \
 	\
-	savedAptMark="$(apt-mark showmanual)"; \
 	apt-get update; \
 	apt-get install --yes --no-install-recommends \
 		autoconf \
@@ -53,253 +12,128 @@ RUN set -eux; \
 		dpkg-dev \
 		gcc \
 		g++ \
-		gnupg \
 		libncurses5-dev \
 		make \
 		wget \
 	; \
-	rm -rf /var/lib/apt/lists/*; \
+	rm -rf /var/lib/apt/lists/*
+
+ENV OPENSSL_VERSION 1.1.1g
+ENV OPENSSL_SOURCE_SHA256="ddb04774f1e32f0c49751e21b67216ac87852ceb056b75209af2443400636d46"
+
+# we skip the cert check because it's broken on arm32v7, and we have a checksum anyway
+# https://github.com/dotnet/runtime/issues/66310
+RUN set -eux; \
 	\
 	OPENSSL_SOURCE_URL="https://www.openssl.org/source/openssl-$OPENSSL_VERSION.tar.gz"; \
 	OPENSSL_PATH="/usr/local/src/openssl-$OPENSSL_VERSION"; \
 	OPENSSL_CONFIG_DIR=/usr/local/etc/ssl; \
 	\
-# Required by the crypto & ssl Erlang/OTP applications
-	wget --progress dot:giga --output-document "$OPENSSL_PATH.tar.gz.asc" "$OPENSSL_SOURCE_URL.asc"; \
-	wget --progress dot:giga --output-document "$OPENSSL_PATH.tar.gz" "$OPENSSL_SOURCE_URL"; \
-	export GNUPGHOME="$(mktemp -d)"; \
-	for key in $OPENSSL_PGP_KEY_IDS; do \
-		gpg --batch --keyserver "$PGP_KEYSERVER" --recv-keys "$key" || true; \
-	done; \
-	test "$SKIP_PGP_VERIFY" == "true" || gpg --batch --verify "$OPENSSL_PATH.tar.gz.asc" "$OPENSSL_PATH.tar.gz"; \
-	gpgconf --kill all; \
-	rm -rf "$GNUPGHOME"; \
+	wget \
+		--no-check-certificate \
+		--progress dot:giga \
+		--output-document "$OPENSSL_PATH.tar.gz" \
+		"$OPENSSL_SOURCE_URL"; \
 	echo "$OPENSSL_SOURCE_SHA256 *$OPENSSL_PATH.tar.gz" | sha256sum --check --strict -; \
 	mkdir -p "$OPENSSL_PATH"; \
-	tar --extract --file "$OPENSSL_PATH.tar.gz" --directory "$OPENSSL_PATH" --strip-components 1; \
-	\
-# Configure OpenSSL for compilation
-	cd "$OPENSSL_PATH"; \
-# OpenSSL's "config" script uses a lot of "uname"-based target detection...
-	MACHINE="$(dpkg-architecture --query DEB_BUILD_GNU_CPU)" \
-	RELEASE="4.x.y-z" \
-	SYSTEM='Linux' \
-	BUILD='???' \
-	./config \
-		--openssldir="$OPENSSL_CONFIG_DIR" \
-# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure /usr/local/lib is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364)
-		-Wl,-rpath=/usr/local/lib \
-	; \
-# Compile, install OpenSSL, verify that the command-line works & development headers are present
-	make -j "$(getconf _NPROCESSORS_ONLN)"; \
-	make install_sw install_ssldirs; \
-	cd ..; \
-	rm -rf "$OPENSSL_PATH"*; \
-	ldconfig; \
-# use Debian's CA certificates
-	rmdir "$OPENSSL_CONFIG_DIR/certs" "$OPENSSL_CONFIG_DIR/private"; \
-	ln -sf /etc/ssl/certs /etc/ssl/private "$OPENSSL_CONFIG_DIR"; \
-# smoke test
-	openssl version; \
+	tar --extract --file "$OPENSSL_PATH.tar.gz" --directory "$OPENSSL_PATH" --strip-components 1
+
+ADD build_install_openssl.sh /usr/local/src
+
+RUN set -eux; \
 	\
+	/usr/local/src/build_install_openssl.sh; \
+	rm /usr/local/src/build_install_openssl.sh
+
+ARG OTP_VERSION=25.0.4
+ENV OTP_VERSION ${OTP_VERSION}
+# TODO add PGP checking when the feature will be added to Erlang/OTP's build system
+# http://erlang.org/pipermail/erlang-questions/2019-January/097067.html
+ARG OTP_SHA256=05878cb51a64b33c86836b12a21903075c300409b609ad5e941ddb0feb8c2120
+ENV OTP_SOURCE_SHA256=${OTP_SHA256}
+
+RUN set -eux; \
 	OTP_SOURCE_URL="https://github.com/erlang/otp/archive/OTP-$OTP_VERSION.tar.gz"; \
-	OTP_PATH="/usr/local/src/otp-$OTP_VERSION"; \
+	OTP_PATH="/usr/local/src/otp-OTP-$OTP_VERSION"; \
 	\
 # Download, verify & extract OTP_SOURCE
 	mkdir -p "$OTP_PATH"; \
-	wget --progress dot:giga --output-document "$OTP_PATH.tar.gz" "$OTP_SOURCE_URL"; \
-	test "$SKIP_OTP_VERIFY" = "true" || echo "$OTP_SOURCE_SHA256 *$OTP_PATH.tar.gz" | sha256sum --check --strict -; \
+	wget \
+		--no-check-certificate \
+		--progress dot:giga \
+		--output-document "$OTP_PATH.tar.gz" \
+		"$OTP_SOURCE_URL"; \
+	echo "$OTP_SOURCE_SHA256 *$OTP_PATH.tar.gz" | sha256sum --check --strict -; \
 	tar --extract --file "$OTP_PATH.tar.gz" --directory "$OTP_PATH" --strip-components 1; \
-	\
-# Configure Erlang/OTP for compilation, disable unused features & applications
-# https://erlang.org/doc/applications.html
-# ERL_TOP is required for Erlang/OTP makefiles to find the absolute path for the installation
-	cd "$OTP_PATH"; \
-	export ERL_TOP="$OTP_PATH"; \
-	./otp_build autoconf; \
-	CFLAGS="$(dpkg-buildflags --get CFLAGS)"; export CFLAGS; \
-# add -rpath to avoid conflicts between our OpenSSL's "libssl.so" and the libssl package by making sure /usr/local/lib is searched first (but only for Erlang/OpenSSL to avoid issues with other tools using libssl; https://github.com/docker-library/rabbitmq/issues/364)
-	export CFLAGS="$CFLAGS -Wl,-rpath=/usr/local/lib"; \
-	hostArch="$(dpkg-architecture --query DEB_HOST_GNU_TYPE)"; \
-	buildArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"; \
-	dpkgArch="$(dpkg --print-architecture)"; dpkgArch="${dpkgArch##*-}"; \
-	./configure \
-		--host="$hostArch" \
-		--build="$buildArch" \
-		--disable-dynamic-ssl-lib \
-		--disable-hipe \
-		--disable-sctp \
-		--disable-silent-rules \
-		--enable-jit \
-		--enable-clock-gettime \
-		--enable-hybrid-heap \
-		--enable-kernel-poll \
-		--enable-shared-zlib \
-		--enable-smp-support \
-		--enable-threads \
-		--with-microstate-accounting=extra \
-		--without-common_test \
-		--without-debugger \
-		--without-dialyzer \
-		--without-diameter \
-		--without-edoc \
-		--without-erl_docgen \
-		--without-et \
-		--without-eunit \
-		--without-ftp \
-		--without-hipe \
-		--without-jinterface \
-		--without-megaco \
-		--without-observer \
-		--without-odbc \
-		--without-reltool \
-		--without-ssh \
-		--without-tftp \
-		--without-wx \
-	; \
-# Compile & install Erlang/OTP
-	make -j "$(getconf _NPROCESSORS_ONLN)" GEN_OPT_FLGS="-O2 -fno-strict-aliasing"; \
-	make install; \
-	cd ..; \
-	rm -rf \
-		"$OTP_PATH"* \
-		/usr/local/lib/erlang/lib/*/examples \
-		/usr/local/lib/erlang/lib/*/src \
-	; \
-	\
-# reset apt-mark's "manual" list so that "purge --auto-remove" will remove all build dependencies
-	apt-mark auto '.*' > /dev/null; \
-	[ -z "$savedAptMark" ] || apt-mark manual $savedAptMark; \
-	find /usr/local -type f -executable -exec ldd '{}' ';' \
-		| awk '/=>/ { print $(NF-1) }' \
-		| sort -u \
-		| xargs -r dpkg-query --search \
-		| cut -d: -f1 \
-		| sort -u \
-		| xargs -r apt-mark manual \
-	; \
-	apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \
-	\
-# Check that OpenSSL still works after purging build dependencies
-	openssl version; \
-# Check that Erlang/OTP crypto & ssl were compiled against OpenSSL correctly
-	erl -noshell -eval 'io:format("~p~n~n~p~n~n", [crypto:supports(), ssl:versions()]), init:stop().'
+	rm "$OTP_PATH.tar.gz"
 
-ENV RABBITMQ_DATA_DIR=/var/lib/rabbitmq
-# Create rabbitmq system user & group, fix permissions & allow root user to connect to the RabbitMQ Erlang VM
-RUN set -eux; \
-	groupadd --gid 999 --system rabbitmq; \
-	useradd --uid 999 --system --home-dir "$RABBITMQ_DATA_DIR" --gid rabbitmq rabbitmq; \
-	mkdir -p "$RABBITMQ_DATA_DIR" /etc/rabbitmq /etc/rabbitmq/conf.d /tmp/rabbitmq-ssl /var/log/rabbitmq; \
-	chown -fR rabbitmq:rabbitmq "$RABBITMQ_DATA_DIR" /etc/rabbitmq /etc/rabbitmq/conf.d /tmp/rabbitmq-ssl /var/log/rabbitmq; \
-	chmod 777 "$RABBITMQ_DATA_DIR" /etc/rabbitmq /etc/rabbitmq/conf.d /tmp/rabbitmq-ssl /var/log/rabbitmq; \
-	ln -sf "$RABBITMQ_DATA_DIR/.erlang.cookie" /root/.erlang.cookie
+ADD build_install_otp.sh /usr/local/src
 
-# https://www.rabbitmq.com/signatures.html#importing-gpg
-# ENV RABBITMQ_PGP_KEY_ID="0x0A9AF2115F4687BD29803A206B73A36E6026DFCA"
-ENV RABBITMQ_HOME=/opt/rabbitmq
+RUN set -eux; \
+	\
+	/usr/local/src/build_install_otp.sh; \
+	rm /usr/local/src/build_install_otp.sh
 
-# Add RabbitMQ to PATH, send all logs to TTY
-ENV PATH=$RABBITMQ_HOME/sbin:$PATH \
-	RABBITMQ_LOGS=-
+FROM ${BASE}:20.04 as rabbitmq
 
 RUN set -eux; \
 	\
-	savedAptMark="$(apt-mark showmanual)"; \
 	apt-get update; \
 	apt-get install --yes --no-install-recommends \
-		ca-certificates \
-		gnupg \
-		wget \
-		xz-utils \
+		gosu \
+		python3 \
+		dstat \
+		sysstat \
+		htop \
+		nmon \
+		tmux \
+		neovim \
 	; \
-	rm -rf /var/lib/apt/lists/*; \
-	\
-	apt-mark auto '.*' > /dev/null; \
-	apt-mark manual $savedAptMark; \
-	apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false
+	rm -rf /var/lib/apt/lists/*
+
+ARG OPENSSL_CONFIG_DIR=/usr/local/etc/ssl
+COPY --from=otp ${OPENSSL_CONFIG_DIR} ${OPENSSL_CONFIG_DIR}
+RUN ln -sf /etc/ssl/certs /etc/ssl/private "${OPENSSL_CONFIG_DIR}"
+
+ARG OTP_INSTALL_DIR=/opt/otp
+COPY --from=otp ${OTP_INSTALL_DIR} ${OTP_INSTALL_DIR}
+
+ADD 10-default-guest-user.conf /opt
+ADD docker-entrypoint.sh /opt
+ADD install_rabbitmq.sh /opt
 
-# Install RabbitMQ
-ARG RABBITMQ_BUILD
-COPY ${RABBITMQ_BUILD} $RABBITMQ_HOME
+ARG RABBITMQ_ARCHIVE=package-generic-unix.tar
+ADD ${RABBITMQ_ARCHIVE} /opt
+
+ENV RABBITMQ_DATA_DIR /var/lib/rabbitmq
+ENV RABBITMQ_HOME /opt/rabbitmq
+ENV RABBITMQ_LOGS -
+
+ADD install_rabbitmq.sh /usr/local/src
 
 RUN set -eux; \
-# Do not default SYS_PREFIX to RABBITMQ_HOME, leave it empty
-	grep -qE '^SYS_PREFIX=\$\{RABBITMQ_HOME\}$' "$RABBITMQ_HOME/sbin/rabbitmq-defaults"; \
-	sed -i 's/^SYS_PREFIX=.*$/SYS_PREFIX=/' "$RABBITMQ_HOME/sbin/rabbitmq-defaults"; \
-	grep -qE '^SYS_PREFIX=$' "$RABBITMQ_HOME/sbin/rabbitmq-defaults"; \
-	chown -R rabbitmq:rabbitmq "$RABBITMQ_HOME"; \
 	\
-# verify assumption of no stale cookies
-	[ ! -e "$RABBITMQ_DATA_DIR/.erlang.cookie" ]; \
-# Ensure RabbitMQ was installed correctly by running a few commands that do not depend on a running server, as the rabbitmq user
-# If they all succeed, it's safe to assume that things have been set up correctly
-	gosu rabbitmq rabbitmqctl help; \
-	gosu rabbitmq rabbitmqctl list_ciphers; \
-	gosu rabbitmq rabbitmq-plugins list; \
-# no stale cookies
-	rm "$RABBITMQ_DATA_DIR/.erlang.cookie"
-
-# Added for backwards compatibility - users can simply COPY custom plugins to /plugins
-RUN ln -sf /opt/rabbitmq/plugins /plugins
+	/usr/local/src/install_rabbitmq.sh; \
+	rm /usr/local/src/install_rabbitmq.sh
 
-# set home so that any `--user` knows where to put the erlang cookie
-ENV HOME $RABBITMQ_DATA_DIR
-# Hint that the data (a.k.a. home dir) dir should be separate volume
-VOLUME $RABBITMQ_DATA_DIR
+ENV HOME ${RABBITMQ_DATA_DIR}
+ENV PATH /opt/otp/bin:${RABBITMQ_HOME}/sbin:${PATH}
+ENV LANG C.UTF-8
+ENV LANGUAGE C.UTF-8
+ENV LC_ALL C.UTF-8
 
-# warning: the VM is running with native name encoding of latin1 which may cause Elixir to malfunction as it expects utf8. Please ensure your locale is set to UTF-8 (which can be verified by running "locale" in your shell)
-# Setting all environment variables that control language preferences, behaviour differs - https://www.gnu.org/software/gettext/manual/html_node/The-LANGUAGE-variable.html#The-LANGUAGE-variable
-# https://docs.docker.com/samples/library/ubuntu/#locales
-ENV LANG=C.UTF-8 LANGUAGE=C.UTF-8 LC_ALL=C.UTF-8
+VOLUME ${RABBITMQ_DATA_DIR}
 
-COPY --chown=rabbitmq:rabbitmq 10-default-guest-user.conf /etc/rabbitmq/conf.d/
-COPY docker-entrypoint.sh /usr/local/bin/
 ENTRYPOINT ["docker-entrypoint.sh"]
 
 # EPMD AMQP-TLS AMQP ERLANG
 EXPOSE 4369 5671 5672 25672
 CMD ["rabbitmq-server"]
 
-# rabbitmq_management
-RUN rabbitmq-plugins enable --offline rabbitmq_management && \
-    rabbitmq-plugins is_enabled rabbitmq_management --offline
-# extract "rabbitmqadmin" from inside the "rabbitmq_management-X.Y.Z.ez" plugin zipfile
-# see https://github.com/docker-library/rabbitmq/issues/207
-# RabbitMQ 3.9 onwards uses uncompressed plugins by default, in which case extraction is
-# unnecesary
-RUN set -eux; \
-	if [ -s /plugins/rabbitmq_management-*.ez ]; then \
-		erl -noinput -eval ' \
-			{ ok, AdminBin } = zip:foldl(fun(FileInArchive, GetInfo, GetBin, Acc) -> \
-				case Acc of \
-					"" -> \
-						case lists:suffix("/rabbitmqadmin", FileInArchive) of \
-							true -> GetBin(); \
-							false -> Acc \
-						end; \
-					_ -> Acc \
-				end \
-			end, "", init:get_plain_arguments()), \
-			io:format("~s", [ AdminBin ]), \
-			init:stop(). \
-		' -- /plugins/rabbitmq_management-*.ez > /usr/local/bin/rabbitmqadmin; \
-	else \
-		cp /plugins/rabbitmq_management-*/priv/www/cli/rabbitmqadmin /usr/local/bin/rabbitmqadmin; \
-	fi; \
-	[ -s /usr/local/bin/rabbitmqadmin ]; \
-	chmod +x /usr/local/bin/rabbitmqadmin; \
-	apt-get update; apt-get install -y --no-install-recommends python3 dstat sysstat htop nmon tmux neovim; rm -rf /var/lib/apt/lists/*; \
-	rabbitmqadmin --version
 # MANAGEMENT-TLS MANAGEMENT
 EXPOSE 15671 15672
-
-RUN rabbitmq-plugins enable --offline rabbitmq_prometheus && \
-    rabbitmq-plugins is_enabled rabbitmq_prometheus --offline
 # PROMETHEUS-TLS PROMETHEUS
 EXPOSE 15691 15692
-
-RUN rabbitmq-plugins enable --all
 # STREAM-TLS STREAM
 EXPOSE 5551 5552
 # MQTT-TLS MQTT
diff --git a/packaging/docker-image/Makefile b/packaging/docker-image/Makefile
index 6e82080b60..e8fe13ca49 100644
--- a/packaging/docker-image/Makefile
+++ b/packaging/docker-image/Makefile
@@ -1,69 +1,15 @@
-# PROJECT_VERSION defaults to:
-#   1. the version exported by rabbitmq-server-release;
-#   2. the version stored in `git-revisions.txt`, if it exists;
-#   3. a version based on git-describe(1), if it is a Git clone;
-#   4. 0.0.0
-
-PROJECT_VERSION := $(RABBITMQ_VERSION)
-
-ifeq ($(PROJECT_VERSION),)
-PROJECT_VERSION := $(shell \
-if test -f git-revisions.txt; then \
-	head -n1 git-revisions.txt | \
-	awk '{print $$$(words $(PROJECT_DESCRIPTION) version);}'; \
-else \
-	(git describe --dirty --abbrev=7 --tags --always --first-parent \
-	 2>/dev/null || echo rabbitmq_v0_0_0) | \
-	sed -e 's/^rabbitmq_v//' -e 's/^v//' -e 's/_/./g' -e 's/-/+/' \
-	 -e 's/-/./g'; \
-fi)
-endif
-
-ifeq ($(filter-out all dist push clean,$(MAKECMDGOALS)),)
-GENERIC_UNIX_ARCHIVE ?= $(wildcard $(PACKAGES_DIR)/rabbitmq-server-generic-unix-$(PROJECT_VERSION).tar.xz)
-
-ifeq ($(GENERIC_UNIX_ARCHIVE),)
-$(error Cannot find generic-unix archive; please specify GENERIC_UNIX_ARCHIVE)
-endif
-
-VERSION ?= $(patsubst rabbitmq-server-generic-unix-%.tar.xz,%,$(notdir $(GENERIC_UNIX_ARCHIVE)))
-ifeq ($(VERSION),)
-$(error Cannot determine version; please specify VERSION)
-endif
-
-IMAGE_TAG_1 ?= $(subst +,-,$(VERSION))
-endif
-
-OTP_VERSION ?= 25.0.4
-OTP_SHA256 ?= 05878cb51a64b33c86836b12a21903075c300409b609ad5e941ddb0feb8c2120
-REPO ?= pivotalrabbitmq/rabbitmq
-SKIP_PGP_VERIFY ?= false
-PGP_KEYSERVER ?= pgpkeys.eu
-ALT1_PGP_KEYSERVER ?= keyserver.ubuntu.com
-ALT2_PGP_KEYSERVER ?= pgpkeys.uk
-
 all: dist
 
-dist:
-	xzcat $(GENERIC_UNIX_ARCHIVE) | tar xvf -
-	docker build --pull \
-	  --build-arg SKIP_PGP_VERIFY=$(SKIP_PGP_VERIFY) \
-	  --build-arg PGP_KEYSERVER=$(PGP_KEYSERVER) \
-	  --build-arg OTP_VERSION=$(OTP_VERSION) \
-	  --build-arg OTP_SHA256=$(OTP_SHA256) \
-	  --build-arg RABBITMQ_BUILD=rabbitmq_server-$(VERSION) \
-	  --tag $(REPO):$(IMAGE_TAG_1) \
+dist: package-generic-unix.tar
+	docker buildx build --pull \
+	  --platform linux/arm/v7,linux/amd64 \
 	  .
 
-push:
-	docker push $(REPO):$(IMAGE_TAG_1)
-ifdef IMAGE_TAG_2
-	docker tag $(REPO):$(IMAGE_TAG_1) $(REPO):$(IMAGE_TAG_2)
-	docker push $(REPO):$(IMAGE_TAG_2)
-endif
-
 clean:
-	rm -rf rabbitmq_server-*
+	rm package-generic-unix.tar
+
+package-generic-unix.tar:
+	xzcat ../../bazel-bin/package-generic-unix.tar.xz > $@
 
 OTP_VERSION_MATCH ?= 25[0-9.]+
 define LATEST_STABLE_OTP_VERSION
diff --git a/packaging/docker-image/build_install_openssh.sh b/packaging/docker-image/build_install_openssl.sh
index c77fefce2d..c77fefce2d 100755
--- a/packaging/docker-image/build_install_openssh.sh
+++ b/packaging/docker-image/build_install_openssl.sh
diff --git a/packaging/docker-image/build_install_otp.sh b/packaging/docker-image/build_install_otp.sh
index eb8a126786..7cdcfcd8c1 100755
--- a/packaging/docker-image/build_install_otp.sh
+++ b/packaging/docker-image/build_install_otp.sh
@@ -17,6 +17,7 @@ hostArch="$(dpkg-architecture --query DEB_HOST_GNU_TYPE)"
 buildArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"
 dpkgArch="$(dpkg --print-architecture)"; dpkgArch="${dpkgArch##*-}"
 ./configure \
+    --prefix=/opt/otp \
     --host="$hostArch" \
     --build="$buildArch" \
     --disable-dynamic-ssl-lib \
@@ -60,4 +61,4 @@ rm -rf \
     /usr/local/lib/erlang/lib/*/src
 
 # Check that Erlang/OTP crypto & ssl were compiled against OpenSSL correctly
-erl -noshell -eval 'io:format("~p~n~n~p~n~n", [crypto:supports(), ssl:versions()]), init:stop().'
+/opt/otp/bin/erl -noshell -eval 'io:format("~p~n~n~p~n~n", [crypto:supports(), ssl:versions()]), init:stop().'
diff --git a/packaging/docker-image/install_rabbitmq.sh b/packaging/docker-image/install_rabbitmq.sh
index 5555e639e4..05b81188f3 100644..100755
--- a/packaging/docker-image/install_rabbitmq.sh
+++ b/packaging/docker-image/install_rabbitmq.sh
@@ -2,6 +2,8 @@
 
 set -euxo pipefail
 
+export PATH="/opt/otp/bin:$PATH"
+
 mv /opt/rabbitmq_server-* $RABBITMQ_HOME
 
 groupadd --gid 999 --system rabbitmq