From 2d5ba724fd94eec8baada72660fdce50cc2f0f9d Mon Sep 17 00:00:00 2001 From: lijianguo Date: Tue, 1 Mar 2022 08:56:10 +0800 Subject: [PATCH] chore(dockerfile): use drycc/base image --- Makefile | 2 +- rootfs/Dockerfile | 60 +++++++++++++++++++++--------------- rootfs/Dockerfile.test | 62 +++++++++++++++++++++++--------------- rootfs/bin/boot | 3 +- rootfs/bin/install | 23 -------------- rootfs/bin/test-style | 3 +- rootfs/bin/upload-coverage | 11 +++++++ 7 files changed, 89 insertions(+), 75 deletions(-) delete mode 100755 rootfs/bin/install create mode 100755 rootfs/bin/upload-coverage diff --git a/Makefile b/Makefile index 489ce92..0edae42 100644 --- a/Makefile +++ b/Makefile @@ -63,6 +63,6 @@ test-integration: upload-coverage: $(eval CI_ENV := $(shell curl -s https://codecov.io/env | bash)) - docker run --rm ${CI_ENV} -v ${CURDIR}:/test -w /test/rootfs ${IMAGE}.test codecov --required + docker run --rm ${CI_ENV} -v ${CURDIR}:/test -w /test/rootfs ${IMAGE}.test /test/rootfs/bin/upload-coverage .PHONY: check-kubectl check-docker build docker-build docker-build-test deploy clean commit-hook full-clean test test-style test-unit test-functional test-integration upload-coverage diff --git a/rootfs/Dockerfile b/rootfs/Dockerfile index ce38f2a..85dd726 100644 --- a/rootfs/Dockerfile +++ b/rootfs/Dockerfile 
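Review bot: The rewritten `docker run` line in `upload-coverage` still takes `${CI_ENV}` from `curl -s https://codecov.io/env | bash` on the line above it, so every coverage upload executes an unverified remote script on the CI host with the job's environment in reach. `-s` without `-f` also means an HTTP error body would be piped to bash. Since this commit already moves the upload into `rootfs/bin/upload-coverage`, the pass-through could become an explicit list of `-e NAME` flags kept in the Makefile. Failing that, download the script to a file and compare it with a pinned checksum before running it, using `curl -fsSL` for the fetch.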
@@ -1,35 +1,47 @@ -FROM docker.io/library/python:3.9-alpine +FROM docker.io/drycc/base:bullseye -COPY requirements.txt /app/requirements.txt +RUN adduser --system \ + --shell /bin/bash \ + --disabled-password \ + --home /app \ + --group \ + drycc -ENV PATH="/app/.venv/bin:${PATH}" +ENV PYTHON_VERSION="3.10.2" \ + HELM_VERSION="3.8.0" COPY . /app WORKDIR /app - -RUN apk add --update --virtual .build-deps \ - musl-dev \ - openssl-dev \ +RUN buildDeps='musl-dev openssl'; \ + install-packages $buildDeps \ + && install-stack python $PYTHON_VERSION \ + && install-stack helm $HELM_VERSION && . init-stack \ && python3 -m venv /app/.venv \ && source /app/.venv/bin/activate \ && pip3 install --disable-pip-version-check --no-cache-dir -r /app/requirements.txt \ - && find /app/.venv /usr/local -type f -executable ! -path '*/cryptography*' -exec scanelf --needed --nobanner --format '%n#p' '{}' ';' \ - | tr ',' '\n' \ - | sort -u \ - | awk 'system("[[ -e /app/.venv/lib/" $1 " || -e /usr/local/lib/" $1 " ]]") == 0 { next } { print "so:" $1 }' \ - | xargs -rt apk add --no-cache --virtual .python-rundeps \ - && apk add --update --virtual .helmbroker-rundeps \ - $runDeps \ - ca-certificates \ - su-exec \ - bash \ - shadow \ - curl \ - && apk del .build-deps \ - && chmod +x /app/bin/* \ - && /app/bin/install + # cleanup + && scanelp /app/.venv/lib > runtime.txt \ + && apt-get purge -y --auto-remove $buildDeps \ + && install-packages $(< runtime.txt) \ + && apt-get autoremove -y \ + && apt-get clean -y \ + && rm -rf \ + /usr/share/doc \ + /usr/share/man \ + /usr/share/info \ + /usr/share/locale \ + /var/lib/apt/lists/* \ + /var/log/* \ + /var/cache/debconf/* \ + /etc/systemd \ + /lib/lsb \ + /lib/udev \ + /usr/lib/`echo $(uname -m)`-linux-gnu/gconv/IBM* \ + /usr/lib/`echo $(uname -m)`-linux-gnu/gconv/EBC* \ + && mkdir -p /usr/share/man/man{1..8} -ENV PATH /app/.venv/bin:/app/bin:$PATH -CMD ["/app/bin/boot"] +USER drycc +WORKDIR /app +CMD ["PATH=/app/.venv/bin:\$PATH", "/app/bin/boot"] 
EXPOSE 8000 diff --git a/rootfs/Dockerfile.test b/rootfs/Dockerfile.test index 8574611..e1b6f00 100644 --- a/rootfs/Dockerfile.test +++ b/rootfs/Dockerfile.test 
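Review bot: The new `CMD ["PATH=/app/.venv/bin:\$PATH", "/app/bin/boot"]` will not start the broker: in exec form the first array element is the program to execute, not an environment assignment, and `\$` is not a valid JSON escape, so Docker most likely falls back to shell form and tries to run the bracketed text literally. `rootfs/bin/boot` now sources `/app/.venv/bin/activate` itself, so `CMD ["/app/bin/boot"]` is enough, which is what `rootfs/Dockerfile.test` keeps. The `RUN` above it also uses bash-only syntax (`source`, `$(< runtime.txt)`, `man{1..8}`) with no `SHELL` instruction in the hunk, so it only works if `drycc/base:bullseye` already changes the default shell; the same lines appear in `rootfs/Dockerfile.test`. Because `install-packages` and `install-stack` now come from that base image and fetch Python and Helm, pinning it as `FROM docker.io/drycc/base:bullseye@sha256:<digest>` would keep the toolchain's provenance fixed instead of following a mutable tag.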
@@ -1,38 +1,50 @@ -FROM docker.io/library/python:3.9-alpine +FROM docker.io/drycc/base:bullseye -COPY requirements.txt /app/requirements.txt +RUN adduser --system \ + --shell /bin/bash \ + --disabled-password \ + --home /app \ + --group \ + drycc -ENV PATH="/app/.venv/bin:${PATH}" +ENV PYTHON_VERSION="3.10.2" \ + HELM_VERSION="3.8.0" \ + KUBECTL_VERSION="1.23.4" COPY . /app - WORKDIR /app -RUN apk add --update --virtual .build-deps \ - musl-dev \ - openssl-dev \ +RUN buildDeps='musl-dev openssl'; \ + install-packages $buildDeps \ + && install-stack python $PYTHON_VERSION \ + && install-stack helm $HELM_VERSION \ + && install-stack kubectl $KUBECTL_VERSION && . init-stack \ && python3 -m venv /app/.venv \ && source /app/.venv/bin/activate \ && pip3 install --disable-pip-version-check --no-cache-dir -r /app/requirements.txt \ && pip3 install --disable-pip-version-check --no-cache-dir -r /app/dev_requirements.txt \ - && find /app/.venv /usr/local -type f -executable ! -path '*/cryptography*' -exec scanelf --needed --nobanner --format '%n#p' '{}' ';' \ - | tr ',' '\n' \ - | sort -u \ - | awk 'system("[[ -e /app/.venv/lib/" $1 " || -e /usr/local/lib/" $1 " ]]") == 0 { next } { print "so:" $1 }' \ - | xargs -rt apk add --no-cache --virtual .python-rundeps \ - && apk add --update --virtual .helmbroker-rundeps \ - $runDeps \ - git \ - ca-certificates \ - su-exec \ - bash \ - shadow \ - curl \ - && apk del .build-deps \ - && chmod +x /app/bin/* \ - && /app/bin/install -COPY . 
/app + # cleanup + && scanelp /app/.venv/lib > runtime.txt \ + && apt-get purge -y --auto-remove $buildDeps \ + && install-packages $(< runtime.txt) \ + && apt-get autoremove -y \ + && apt-get clean -y \ + && rm -rf \ + /usr/share/doc \ + /usr/share/man \ + /usr/share/info \ + /usr/share/locale \ + /var/lib/apt/lists/* \ + /var/log/* \ + /var/cache/debconf/* \ + /etc/systemd \ + /lib/lsb \ + /lib/udev \ + /usr/lib/`echo $(uname -m)`-linux-gnu/gconv/IBM* \ + /usr/lib/`echo $(uname -m)`-linux-gnu/gconv/EBC* \ + && mkdir -p /usr/share/man/man{1..8} \ -ENV PATH /app/.venv/bin:/app/bin:$PATH +USER drycc +WORKDIR /app CMD ["/app/bin/boot"] EXPOSE 8000 diff --git a/rootfs/bin/boot b/rootfs/bin/boot index e9a32d5..f1dbd69 100755 --- a/rootfs/bin/boot +++ b/rootfs/bin/boot @@ -5,7 +5,8 @@ # fail hard and fast even on pipelines set -eo pipefail - +# shellcheck disable=SC1091 +source /app/.venv/bin/activate # spawn a gunicorn server in the background echo "" echo "Starting up Gunicorn" diff --git a/rootfs/bin/install b/rootfs/bin/install deleted file mode 100755 index 03dc5c4..0000000 --- a/rootfs/bin/install +++ /dev/null @@ -1,23 +0,0 @@ -#!/usr/bin/env bash - -initArch() { - ARCH=$(uname -m) - case $ARCH in - armv5*) ARCH="armv5";; - armv6*) ARCH="armv6";; - armv7*) ARCH="arm";; - aarch64) ARCH="arm64";; - x86) ARCH="386";; - x86_64) ARCH="amd64";; - i686) ARCH="386";; - i386) ARCH="386";; - esac -} - -initArch - -curl -o /usr/local/bin/kubectl \ - -L "https://dl.k8s.io/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/$ARCH/kubectl" -chmod +x /usr/local/bin/kubectl - -curl https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3 | VERIFY_CHECKSUM=false bash \ No newline at end of file diff --git a/rootfs/bin/test-style b/rootfs/bin/test-style index 7934e28..f734c0b 100755 --- a/rootfs/bin/test-style +++ b/rootfs/bin/test-style 
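Review bot: The `RUN` in `rootfs/Dockerfile.test` ends with `&& mkdir -p /usr/share/man/man{1..8} \`, and that trailing backslash continues the instruction onto `USER drycc`. The two words become extra `mkdir` arguments, no `USER` instruction is applied, and the test image keeps running as root. `rootfs/Dockerfile` has the same line without the backslash. Ending the line as `&& mkdir -p /usr/share/man/man{1..8}` lets `USER drycc` take effect. Once it does, confirm that anything the test and coverage targets write into the `${CURDIR}` bind mount from the Makefile is still writable by `drycc`.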
@@ -5,5 +5,6 @@ # fail hard and fast even on pipelines set -eou pipefail - +# shellcheck disable=SC1091 +source /app/.venv/bin/activate flake8 --show-source --exclude .venv,migrations diff --git a/rootfs/bin/upload-coverage b/rootfs/bin/upload-coverage new file mode 100755 index 0000000..ac72863 --- /dev/null +++ b/rootfs/bin/upload-coverage @@ -0,0 +1,11 @@ +#!/usr/bin/env bash +# +# This script is designed to be run inside the container +# + +# fail hard and fast even on pipelines +set -eou pipefail +# shellcheck disable=SC1091 +source /app/.venv/bin/activate + +codecov --required