From 9b646a6ca49e36fd5861d2856a2f153f85ce9f65 Mon Sep 17 00:00:00 2001
From: Josh Deprez <jd@buildkite.com>
Date: Mon, 20 Jan 2025 16:07:36 +1100
Subject: [PATCH] Add retry around apt-get install

---
 ubuntu-noble/Dockerfile | 47 +++++++++++++++++++++++++++--------------
 1 file changed, 31 insertions(+), 16 deletions(-)

diff --git a/ubuntu-noble/Dockerfile b/ubuntu-noble/Dockerfile
index 25eab7b..a950f8c 100644
--- a/ubuntu-noble/Dockerfile
+++ b/ubuntu-noble/Dockerfile
@@ -9,23 +9,38 @@ set -eufo pipefail
 
 export DEBIAN_FRONTEND=noninteractive
 
-# Install main packages
 apt-get update
-apt-get install -y --no-install-recommends \
-  apt-transport-https \
-  bash \
-  ca-certificates \
-  curl \
-  git \
-  gnupg-agent \
-  jq \
-  openssh-client \
-  perl \
-  python3 \
-  python3-pip \
-  rsync \
-  software-properties-common \
-  tini
+
+# Install main packages
+#
+# There's a subtle flaky bug, somewhere in Linux or qemu, that happens when
+# running in an emulated arm64 environment. When installing various python3
+# dependencies (python3-six, python3-pip, etc), their maintainer scripts run
+# py3compile, which sometimes has an exception getting python3 to run
+# 'import sys; print(sys.implementation.cache_tag)'.
+# Seen at: https://www.kicksecure.com/wiki/Dev/todo#ISO_-_ARM64_build_failing
+# Weirdly, this isn't happening for the older Ubuntu LTSes, only Noble!
+#
+# It's a flake, so let's wrap `apt-get install` in a small retry.
+#
+install_main_pkgs() {
+    apt-get install -y --no-install-recommends \
+        apt-transport-https \
+        bash \
+        ca-certificates \
+        curl \
+        git \
+        gnupg-agent \
+        jq \
+        openssh-client \
+        perl \
+        python3 \
+        python3-pip \
+        rsync \
+        software-properties-common \
+        tini
+}
+(r=3; while ! install_main_pkgs; do ((--r)) || exit; done)
 
 # Install Docker Engine
 install -m 0755 -d /etc/apt/keyrings