Optimize runtime Docker image size (#11529)

Reduce the size of the runtime Docker image from `3.04GB` to `1.41GB`.

```
$ docker images
REPOSITORY                   TAG       IMAGE ID       CREATED         SIZE
runtime                      latest    ab76231c78c5   9 minutes ago   1.41GB
<none>                       <none>    c8f70807b04f   4 hours ago     3.04GB
```

The image was bloated because of `RUN chmod` and `RUN chown` commands. When the `RUN` command modifies the file, it copies it to a new layer, resulting in a final image with multiple layers containing the same files.

# Important Notes
Note that copying directories with `COPY --chmod=5xx` sets the executable flag to both files and directories. While it is suboptimal (we only need the executable attribute for directories), having executable files in `/opt/enso` should not be an issue. Permissions can be narrowed further when the new Dockerfile `COPY` syntax is stabilized.

tools/ci/README.md

@@ -11,18 +11,23 @@ from a desired _edition_. The root directory of the docker build context can be
 provided in the `docker build` command:
 
 ```bash
-docker build -t <my-custom-name> -f tools/ci/docker/Dockerfile --build-context docker-tools=tools/ci/docker built-distribution/enso-engine-$VERSION-linux-amd64/enso-$VERSION
+docker build \
+  -t runtime:latest \
+  -f tools/ci/docker/Dockerfile \
+  --build-context docker-tools=tools/ci/docker \
+  built-distribution/enso-engine-0.0.0-dev-linux-amd64/enso-0.0.0-dev
 ```
 
-where for a locally built distribution on Linux it would be `VERSION=0.0.0-dev`.
-
 ## Running
 
-To start Language Server with a default configuration simply run the built image
-with the chosen name:
+To start Language Server with a default configuration, run the built image and
+mount the project directory:
 
 ```bash
-docker run -t <my-custom-name>
+docker run -it --rm \
+  --network=host \
+  --mount type=bind,src=~/Documents/enso-projects/NewProject,dst=/volumes/workspace/project_root \
+  runtime:latest
 ```
 
 # Ydoc NodeJS Docker

tools/ci/docker/Dockerfile

@@ -23,35 +23,38 @@ RUN useradd -u 2000 -c 'Enso Developer' -U -m ensodev
 # Currently, only the /volumes/workspace/project_root needs to be initialized with the project structure when the project is created.
 # All other directories are created on-demand.
 
-ADD bin /opt/enso/bin
-ADD component /opt/enso/component
-ADD lib /opt/enso/lib
-ADD editions /opt/enso/editions
-
-RUN mkdir /opt/enso/work
-RUN mkdir /opt/enso/logs
-RUN mkdir /opt/enso/profiling
-
 ENV ENSO_DATA_DIRECTORY=/volumes/workspace/data_root
 ENV ENSO_CONFIG_DIRECTORY=/volumes/workspace/config
 ENV ENSO_RUNTIME_DIRECTORY=/opt/enso/work
 ENV ENSO_LOG_DIRECTORY=/opt/enso/logs
 ENV ENSO_HOME=/volumes/workspace/home
 
-RUN chown -hR ensodev:ensodev /opt/enso
-RUN chmod -R u=rX,g=rX /opt/enso
-RUN chmod a+x /opt/enso/bin/*
-RUN chmod a+rw /opt/enso/work
-RUN chmod a+rw /opt/enso/logs
-RUN chmod a+rw /opt/enso/profiling
+COPY --chown=ensodev:ensodev --chmod=555 bin /opt/enso/bin
+COPY --chown=ensodev:ensodev --chmod=555 --from=docker-tools docker-entrypoint.sh /opt/enso/bin/
+COPY --chown=ensodev:ensodev --chmod=554 component /opt/enso/component
+COPY --chown=ensodev:ensodev --chmod=554 lib /opt/enso/lib
+COPY --chown=ensodev:ensodev --chmod=554 editions /opt/enso/editions
+
+# When the non-octal COPY --chmod support `moby/buildkit#5380` is stabilized,
+# it will be possible to use the following syntax. It allows to set more precise
+# chmod modifiers, i.e. the `X` attribute here does not mark files executable
+# while keeping the executable flag for directories.
+#COPY --chown=ensodev:ensodev --chmod=a=rx bin /opt/enso/bin
+#COPY --chown=ensodev:ensodev --chmod=a=rx --from=docker-tools docker-entrypoint.sh /opt/enso/bin/
+#COPY --chown=ensodev:ensodev --chmod=u=rX,g=rX component /opt/enso/component
+#COPY --chown=ensodev:ensodev --chmod=u=rX,g=rX lib /opt/enso/lib
+#COPY --chown=ensodev:ensodev --chmod=u=rX,g=rX editions /opt/enso/editions
 
 RUN mkdir -p /volumes
 RUN chown -hR ensodev:ensodev /volumes
 RUN chmod -R u=rwX,g=rwX /volumes
-COPY --from=docker-tools docker-entrypoint.sh /opt/enso/bin/
 
 USER ensodev:ensodev
 
+RUN mkdir -m 777 /opt/enso/work
+RUN mkdir -m 777 /opt/enso/logs
+RUN mkdir -m 777 /opt/enso/profiling
+
 WORKDIR /opt/enso
 
 ENTRYPOINT [ "/opt/enso/bin/docker-entrypoint.sh" ]