
Slim public Chromium runtime package set #274

Draft
IlyaasK wants to merge 1 commit into main from hypeship/slim-public-runtime

Slim public Chromium runtime package set#274
IlyaasK wants to merge 1 commit into
mainfrom
hypeship/slim-public-runtime

Conversation


IlyaasK commented Jun 4, 2026

Summary

This is the public-repo equivalent of the private runtime slimming PR. It narrows the public Chromium runtime package install lists so the final headless/headful images stop carrying build-time tooling that is not used by the current runtime path.

What changed:

  • Headless final runtime image: remove build-essential, libssl-dev, git, and software-properties-common.
  • Headful final runtime image: remove the old Python/pyenv-style build block: build-essential, libssl-dev, zlib1g-dev, libbz2-dev, libreadline-dev, libsqlite3-dev, git, libncursesw5-dev, xz-utils, tk-dev, libxml2-dev, libxmlsec1-dev, libffi-dev, and liblzma-dev.
  • Headful final runtime image: remove the old add-apt-repository ppa:mozillateam/ppa flow and its software-properties-common dependency.
  • Headful final runtime image: remove python2 from the later runtime install block.
  • Both final runtime images: replace gpg-agent with gpg. The Envoy installer needs the gpg binary for gpg --dearmor; it does not need the agent package.

The net diff is only the two Dockerfiles.

Why

The image already uses multi-stage builds for native/Xorg/neko build inputs. Those build-stage dependencies stay where they are.

The packages removed here were still installed in the final runtime image, where they increase image size and runtime surface area without being referenced by the current launch/supervisor/API/browser path.

Git History / Removal Rationale

The package history points to old image lineage rather than current runtime requirements.

| removed item | why it appears to have been added | why this PR removes it |
| --- | --- | --- |
| build-essential, gcc, make | Introduced in 5c71470 (WebRTC OSS launch, PR #13) under a Dockerfile comment labeled # Python/pyenv reqs. That commit moved the old unikraft/WebRTC image structure into images/chromium-*. | Final runtime no longer builds Python or native modules. Native/Xorg/neko compilation remains isolated in builder stages. |
| libssl-dev, zlib1g-dev, libbz2-dev, libreadline-dev, libsqlite3-dev, libncursesw5-dev, tk-dev, libxml2-dev, libxmlsec1-dev, libffi-dev, liblzma-dev | Added in the same # Python/pyenv reqs block from 5c71470. These are typical compile headers for Python/native dependency builds. | They are development headers, not runtime browser/session packages. Current runtime paths use installed shared libraries and copied artifacts, not compile headers. |
| git | Added with the old Python/build helper set in 5c71470, and also used in builder/release contexts elsewhere in the repo. | The final image should not clone/build source at runtime. git remains available in builder contexts where it is actually referenced. |
| xz-utils | Added in the old Python/pyenv block from 5c71470, likely to unpack source archives during legacy build flows. | Runtime does not extract .tar.xz source archives. Downloader/build stages that need archive handling keep their own tools. |
| software-properties-common / add-apt-repository | Added for old PPA install paths in 5c71470: ppa:mozillateam/ppa for headful and ppa:xtradeb/apps for Chromium in the older image path. | Current Dockerfiles no longer need those PPA flows in the final runtime package install. Keeping the PPA helper only preserves dead install machinery. |
| python2 | Added in 5c71470 with the old WebRTC/neko/demo runtime setup. The remaining obvious Python script path is the legacy headful demo payload handled separately. | Current public runtime startup is Go wrapper/API + supervised services; no current runtime entrypoint requires Python 2. |
| gpg-agent | Added later during apt/key setup work, but the actual needed binary is gpg. | This PR keeps gpg because shared/envoy/install-proxy.sh runs gpg --dearmor, and removes only the agent package. |

Measured Impact

Controlled local builds were run with --no-cache and unique cache IDs during the split work.

| image | before | after | size delta | cold build |
| --- | --- | --- | --- | --- |
| public headless | 1985.2 MB | 1738.1 MB | -247.1 MB | 196s -> 173s |
| public headful | 2695.0 MB | 2329.3 MB | -365.7 MB | 347s -> 268s |
| private headless | 1975.6 MB | 1717.1 MB | -258.5 MB | 182s -> 183s |
| private headful | 2674.0 MB | 2296.9 MB | -377.1 MB | 332s -> 318s |

Exact final public numbers can shift slightly because this branch intentionally keeps gpg after the Envoy installer dependency was confirmed.

Validation

Ran locally:

  • docker build --check -f images/chromium-headless/image/Dockerfile .
  • docker build --check -f images/chromium-headful/Dockerfile .
  • cd server && go test -run TestDoesNotExist ./e2e
  • cd server && go test $(go list ./... | grep -v '/e2e$')

Unknowns / Final Gates

  • The remaining product question is whether final runtime images are expected to support arbitrary user process-exec workloads that require git, compilers, Python 2, xz, or development headers. The current repo/runtime paths do not show that dependency, but that is still the compatibility decision to make before merging.
  • Full image CI/e2e needs to pass on the pushed branch before this is ready to merge.

Fast Docker Review

This PR follows the fast-build guidance by keeping build-only packages out of the final runtime image. The Xorg/neko/native build inputs stay in builder stages; the runtime stage only keeps packages needed by the current browser/session path.

Against the checklist:

  • Build tools and development headers are removed from final images instead of being shipped to runtime.
  • Existing multi-stage build boundaries stay intact; compiled artifacts are still copied from builder stages.
  • Stable dependency work remains before volatile application source in the Dockerfiles.
  • No new broad COPY statements or early source copies are added.
  • gpg stays because the Envoy install step actually needs the gpg binary; gpg-agent does not stay just because it used to be adjacent.

@IlyaasK IlyaasK requested a review from sjmiller609 June 4, 2026 14:37
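The PR above removes build-only packages from the final runtime images by hand-editing the two Dockerfiles. A reviewer would also want a repeatable gate that catches such packages if they creep back in. The following POSIX shell script is an added example, not code from the PR or the hypeship project: it scans a Debian/Ubuntu installed-package list and flags the build-only packages named in this PR plus any `*-dev` header package. The package list is assumed to come from `docker run --rm IMAGE dpkg-query -W -f '${Package}\n'`; the sample lists embedded here are constructed so the script runs offline, and `find_build_only` / `check_runtime_image` are hypothetical names chosen for this example.

```shell
#!/bin/sh
# Added example (not part of the hypeship PR): post-build gate that flags
# build-time tooling left in a final runtime image's installed-package list.
# Assumption: a Debian/Ubuntu-based image whose package list was produced with
#   docker run --rm IMAGE dpkg-query -W -f '${Package}\n'

# Exact package names this PR removes from the final runtime images.
# gpg itself is deliberately NOT listed: the Envoy installer needs it for gpg --dearmor.
BUILD_ONLY_PACKAGES="build-essential gcc make git xz-utils software-properties-common python2 gpg-agent"

# find_build_only LIST
# Prints, one per line, every package in the newline-separated LIST that is
# either an exact build-only package or a development-header package (*-dev).
find_build_only() {
  printf '%s\n' "$1" | while IFS= read -r pkg; do
    [ -n "$pkg" ] || continue
    case " $BUILD_ONLY_PACKAGES " in
      *" $pkg "*) printf '%s\n' "$pkg"; continue ;;
    esac
    case "$pkg" in
      *-dev) printf '%s\n' "$pkg" ;;
    esac
  done
}

# check_runtime_image LIST
# Returns 0 when LIST carries no build-only packages, 1 otherwise (and prints
# the offenders to stderr so a CI job can fail with a readable reason).
check_runtime_image() {
  flagged=$(find_build_only "$1")
  if [ -n "$flagged" ]; then
    printf 'build-only packages present in runtime image:\n%s\n' "$flagged" >&2
    return 1
  fi
  return 0
}

# Constructed sample package lists (not real image contents): the shape of a
# runtime image before and after the slimming described in the PR.
SAMPLE_BEFORE="build-essential
libssl-dev
git
gpg-agent
gpg
chromium
libnss3"

SAMPLE_AFTER="gpg
chromium
libnss3"

# Stand-alone demonstration; guarded with if so a failing check does not abort the script.
if check_runtime_image "$SAMPLE_BEFORE"; then
  echo "before: clean"
else
  echo "before: build-only packages found (expected)"
fi
if check_runtime_image "$SAMPLE_AFTER"; then
  echo "after: clean"
else
  echo "after: build-only packages found"
fi
```

To use it against a real image, replace the constructed lists with `docker run --rm IMAGE dpkg-query -W -f '${Package}\n'` output and let a non-zero exit fail the build job. The `*-dev` pattern is intentionally broad: it catches the whole header set the PR removes (libssl-dev, zlib1g-dev, libxml2-dev, and so on) without maintaining each name, while the exact-match list covers tools such as git and xz-utils whose names carry no such suffix.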
