update to debian trixie; postgres 18; fix cron; use tcmalloc

actions: bump github/codeql-action from 3.29.11 to 3.30.0 in the actions-dependencies group

.github/workflows/build-and-test.yaml

@@ -1,5 +1,4 @@
-name: Build and test image
-
+name: Build
 on:
   push:
     branches:
@@ -17,7 +16,6 @@ concurrency:
 
 env:
   IMAGE : ${{ github.repository_owner }}/openstreetmap-tile-server
-  TAG   : ${{ github.sha }}
   # Use docker.io for Docker Hub if empty
   REGISTRY: ghcr.io
   # github.repository as <account>/<repo>
@@ -33,11 +31,9 @@ jobs:
       matrix:
         include:
         - arch    : amd64
-          mode    : build-and-test
           runner  : ubuntu-24.04
         - arch    : arm64
           variant : v8
-          mode    : build-and-test
           runner  : ubuntu-24.04-arm
     runs-on: ${{ matrix.runner }}
     permissions:
@@ -70,7 +66,7 @@ jobs:
       uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
       with:
         pull       : true
-        load       : ${{ matrix.mode == 'build-and-test' }}
+        load       : true
         platforms  : ${{ env.PLATFORM }}
         context    : .
         file       : ./Dockerfile
@@ -79,20 +75,17 @@ jobs:
         cache-to   : type=gha,scope=${{ github.workflow }}:${{ env.PLATFORM }},mode=max
     -
       name: Import Luxembourg
-      if  : ${{ matrix.mode == 'build-and-test' }}
       run : |
         docker volume create ${VOLUME}
         docker run --rm --shm-size=4GB -v ${VOLUME}:${MOUNT} -e UPDATES=enabled ${{ env.IMAGE }}:testbuild-${{ matrix.arch }} import
     -
       name: Start server
-      if  : ${{ matrix.mode == 'build-and-test' }}
       run : |
         docker run --shm-size=4GB -v ${VOLUME}:${MOUNT} -e UPDATES=enabled -p 80:80 -d --name ${CONTAINER} ${{ env.IMAGE }}:testbuild-${{ matrix.arch }} run
         sleep 30
         docker logs ${CONTAINER}
     -
       name: Download tiles
-      if  : ${{ matrix.mode == 'build-and-test' }}
       run : |
         curl  http://localhost/tile/0/0/0.png            --fail  -o 000.png
         curl  http://localhost/tile/1/0/0.png            --fail  -o 100.png
@@ -103,7 +96,6 @@ jobs:
         curl  http://localhost/tile/18/135536/89345.png  --fail  -o example.png
     -
       name: Verify tiles
-      if  : ${{ matrix.mode == 'build-and-test' }}
       run : |
         sha1sum  *.png
         sha1sum  --check  <<EOF
@@ -124,7 +116,6 @@ jobs:
         done
     -
       name: Cleanup
-      if  : ${{ matrix.mode == 'build-and-test' }}
       run : |
         docker rm --force --volumes ${CONTAINER}
         docker volume rm --force ${VOLUME}
@@ -225,7 +216,7 @@ jobs:
     needs: deploy
     permissions:
       security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
-      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+      contents: write # for sbom-action artifact uploads
     runs-on: ubuntu-latest
     steps:
       - 
@@ -267,6 +258,6 @@ jobs:
           output-format: sarif
       -
         name: Upload Anchore scan SARIF report
-        uses: github/codeql-action/upload-sarif@3c3833e0f8c1c83d449a7478aa59c036a9165498 # v3.29.5
+        uses: github/codeql-action/upload-sarif@2d92b76c45b91eb80fc44c74ce3fce0ee94e8f9d # v3.29.5
         with:
           sarif_file: ${{ steps.scan.outputs.sarif }}

Dockerfile

@@ -1,16 +1,16 @@
-FROM ubuntu:24.04@sha256:7c06e91f61fa88c08cc74f7e1b7c69ae24910d745357e0dfe1d2c0322aaf20f9 AS compiler-common
+FROM debian:trixie AS compiler-common
 ENV DEBIAN_FRONTEND=noninteractive
-ENV LANG C.UTF-8
-ENV LC_ALL C.UTF-8
+ENV LANG=C.UTF-8
+ENV LC_ALL=C.UTF-8
 
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 RUN apt-get update \
 && apt-get install -y --no-install-recommends \
  ca-certificates gnupg lsb-release locales \
  wget curl \
- git-core unzip unrar postgresql-common \
+ git-core unzip unrar-free postgresql-common \
 && locale-gen $LANG && update-locale LANG=$LANG \
-&& /usr/share/postgresql-common/pgdg/apt.postgresql.org.sh -i -v 17\
+&& /usr/share/postgresql-common/pgdg/apt.postgresql.org.sh -i -v 18 \
 && apt-get update && apt-get -y upgrade\
 && apt-get clean \
 && rm -rf /var/lib/apt/lists/*
@@ -46,10 +46,10 @@ FROM compiler-common
 # https://switch2osm.org/serving-tiles/manually-building-a-tile-server-18-04-lts/
 ENV DEBIAN_FRONTEND=noninteractive
 ENV AUTOVACUUM=on
-ENV UPDATES=enabled
+ENV UPDATES=disabled
 ENV REPLICATION_URL=https://planet.openstreetmap.org/replication/hour/
 ENV MAX_INTERVAL_SECONDS=3600
-ENV PG_VERSION 17
+ENV PG_VERSION=18
 
 RUN ln -snf "/usr/share/zoneinfo/$TZ" /etc/localtime && echo "$TZ" > /etc/timezone
 
@@ -84,6 +84,7 @@ RUN apt-get update \
  python3-shapely \
  python3-pip \
  renderd \
+ libgoogle-perftools4 \
  sudo \
  vim \
  pipx \
@@ -136,7 +137,7 @@ RUN chmod +x /usr/bin/openstreetmap-tiles-update-expire.sh \
 && mkdir /var/log/tiles \
 && chmod a+rw /var/log/tiles \
 && ln -s /home/renderer/src/mod_tile/osmosis-db_replag /usr/bin/osmosis-db_replag \
-&& echo "* * * * *   renderer    openstreetmap-tiles-update-expire.sh\n" >> /etc/crontab
+&& echo "* * * * *   renderer    openstreetmap-tiles-update-expire.sh" >> /etc/crontab
 
 # Configure PosgtreSQL
 COPY postgresql.custom.conf.tmpl /etc/postgresql/$PG_VERSION/main/

apache.conf

@@ -14,5 +14,6 @@
 
     <IfDefine ALLOW_CORS>
         Header set Access-Control-Allow-Origin "*"
+        Header set Access-Control-Allow-Methods "GET, OPTIONS"
     </IfDefine>
 </VirtualHost>

renderd.conf

@@ -3,11 +3,11 @@
 [renderd]
 stats_file=/run/renderd/renderd.stats
 socketname=/run/renderd/renderd.sock
-num_threads=4
+num_threads=16
 tile_dir=/var/cache/renderd/tiles
 
 [mapnik]
-plugins_dir=/usr/lib/mapnik/3.1/input
+plugins_dir=/usr/lib/x86_64-linux-gnu/mapnik/4.0/input
 font_dir=/usr/share/fonts
 font_dir_recurse=true
 

run.sh

@@ -116,14 +116,6 @@ if [ "$1" == "import" ]; then
       ${OSM2PGSQL_EXTRA_ARGS:-}  \
     ;
 
-    # clean up downloaded files
-    if [ -n "${DOWNLOAD_PBF:-}" ] && [ -f /data/region.osm.pbf ]; then
-        rm /data/region.osm.pbf
-    fi
-    if [ -n "${DOWNLOAD_POLY:-}" ] && [ -f /data/region.poly ]; then
-        rm /data/region.poly
-    fi
-
     # old flat-nodes dir
     if [ -f /nodes/flat_nodes.bin ] && ! [ -f /data/database/flat_nodes.bin ]; then
         mv /nodes/flat_nodes.bin /data/database/flat_nodes.bin
@@ -196,24 +188,28 @@ if [ "$1" == "run" ]; then
     # Configure renderd threads
     sed -i -E "s/num_threads=[0-9]+/num_threads=${THREADS:-4}/g" /etc/renderd.conf
 
+    cronPID=0
     # start cron job to trigger consecutive updates
     if [ "${UPDATES:-}" == "enabled" ] || [ "${UPDATES:-}" == "1" ]; then
         printenv > /etc/environment
-        /etc/init.d/cron start
+        cron &
+        cronPID=$!
         sudo -u renderer touch /var/log/tiles/run.log; tail -f /var/log/tiles/run.log >> /proc/1/fd/1 &
         sudo -u renderer touch /var/log/tiles/osmosis.log; tail -f /var/log/tiles/osmosis.log >> /proc/1/fd/1 &
         sudo -u renderer touch /var/log/tiles/expiry.log; tail -f /var/log/tiles/expiry.log >> /proc/1/fd/1 &
         sudo -u renderer touch /var/log/tiles/osm2pgsql.log; tail -f /var/log/tiles/osm2pgsql.log >> /proc/1/fd/1 &
-
     fi
 
     # Run while handling docker stop's SIGTERM
     stop_handler() {
         kill -TERM "$child"
+        if [ $cronPID -gt 0 ] ; then
+          kill -TERM "$cronPID"
+        fi
     }
     trap stop_handler SIGTERM
 
-    sudo -u renderer renderd -f -c /etc/renderd.conf &
+    sudo LD_PRELOAD=libtcmalloc.so.4 -u renderer renderd -f -c /etc/renderd.conf &
     child=$!
     wait "$child"