chore(dockerfile): use drycc/base image

Author: lijianguo

Makefile

@@ -66,6 +66,6 @@ test-integration:
 
 upload-coverage:
 	$(eval CI_ENV := $(shell curl -s https://codecov.io/env | bash))
-	docker run ${CI_ENV} -v ${CURDIR}:/test -w /test/rootfs ${IMAGE}.test codecov --required
+	docker run ${CI_ENV} -v ${CURDIR}:/test -w /test/rootfs ${IMAGE}.test /test/rootfs/bin/upload-coverage
 
 .PHONY: check-kubectl check-docker build docker-build docker-build-test deploy clean commit-hook full-clean test test-style test-unit test-functional test-integration upload-coverage

rootfs/Dockerfile

@@ -1,44 +1,58 @@
-FROM node:16-alpine3.14 as build-app
+FROM docker.io/drycc/base:bullseye  as build-app
 
 ADD web /app
 WORKDIR /app
 
-RUN yarn install \
+ENV NODE_VERSION="16.14.0"
+
+RUN install-stack node $NODE_VERSION && . init-stack \
+  && npm install --global yarn \
+  && yarn install \
   && yarn build
 
-FROM docker.io/library/python:3.9-alpine
+FROM docker.io/drycc/base:bullseye
+
+RUN adduser --system \
+	--shell /bin/bash \
+	--disabled-password \
+	--home /app \
+	--group \
+	drycc
 
+ENV PYTHON_VERSION="3.10.2"
 COPY requirements.txt /app/requirements.txt
 
-RUN apk add --update --virtual .build-deps \
-    postgresql-dev \
-    gcc \
-    libffi-dev \
-    musl-dev \
-    openldap-dev \
-    openssl-dev \
-    cargo \
-    rust \
-  && ln /usr/lib/libldap.so /usr/lib/libldap_r.so \
+RUN buildDeps='gcc rustc cargo libffi-dev musl-dev libldap2-dev libsasl2-dev'; \
+    install-packages $buildDeps \
+  && install-stack python $PYTHON_VERSION && . init-stack \
   && python3 -m venv /app/.venv \
   && source /app/.venv/bin/activate \
   && pip3 install --disable-pip-version-check --no-cache-dir -r /app/requirements.txt \
-  && find /app/.venv /usr/local -type f -executable ! -path '*/cryptography*' -exec scanelf --needed --nobanner --format '%n#p' '{}' ';' \
-    | tr ',' '\n' \
-    | sort -u \
-    | awk 'system("[[ -e /app/.venv/lib/" $1 " || -e /usr/local/lib/" $1 " ]]") == 0 { next } { print "so:" $1 }' \
-    | xargs -rt apk add --no-cache --virtual .python-rundeps \
-  && apk add --update --virtual .passport-rundeps \
-    ca-certificates \
-    su-exec \
-    bash \
-    shadow \
-  && apk del .build-deps
+  # cleanup
+  && scanelp /app/.venv/lib > runtime.txt \
+  && apt-get purge -y --auto-remove $buildDeps \
+  && install-packages $(< runtime.txt) \
+  && apt-get autoremove -y \
+  && apt-get clean -y \
+  && rm -rf \
+        /usr/share/doc \
+        /usr/share/man \
+        /usr/share/info \
+        /usr/share/locale \
+        /var/lib/apt/lists/* \
+        /var/log/* \
+        /var/cache/debconf/* \
+        /etc/systemd \
+        /lib/lsb \
+        /lib/udev \
+        /usr/lib/`echo $(uname -m)`-linux-gnu/gconv/IBM* \
+        /usr/lib/`echo $(uname -m)`-linux-gnu/gconv/EBC* \
+  && mkdir -p /usr/share/man/man{1..8}
 
 COPY . /app
 COPY --from=build-app /app/dist /app/web/dist
 
-ENV PATH /app/.venv/bin:/app/bin:$PATH
+USER drycc
 WORKDIR /app
-CMD ["/app/bin/boot"]
+CMD ["PATH=/app/.venv/bin:\$PATH", "/app/bin/boot"]
 EXPOSE 8000

rootfs/Dockerfile.test

@@ -1,49 +1,48 @@
-FROM docker.io/library/python:3.9-alpine
+FROM docker.io/drycc/base:bullseye
 
 COPY requirements.txt /app/requirements.txt
 COPY dev_requirements.txt /app/dev_requirements.txt
 
-ENV PGDATA /var/lib/postgresql/12
+ENV PGDATA="/var/lib/postgresql/14/data" \
+  PYTHON_VERSION="3.10.2" \
+  POSTGRES_VERSION="14.2" \
+  GOSU_VERSION="1.14"
 
-ENV PATH="/app/.venv/bin:${PATH}"
-
-RUN echo https://dl-cdn.alpinelinux.org/alpine/edge/testing >>/etc/apk/repositories \
-  && apk add --update --virtual .build-deps \
-    postgresql-dev \
-    gcc \
-    libffi-dev \
-    musl-dev \
-    openldap-dev \
-    openssl-dev \
-    cargo \
-    rust \
-  && ln /usr/lib/libldap.so /usr/lib/libldap_r.so \
+RUN buildDeps='gcc rustc cargo libffi-dev musl-dev libldap2-dev libsasl2-dev'; \
+  install-packages ldap-utils mercurial ca-certificates openssl git $buildDeps \
+  && install-stack python $PYTHON_VERSION \
+  && install-stack postgresql $POSTGRES_VERSION \
+  && install-stack gosu $GOSU_VERSION && . init-stack \
   && python3 -m venv /app/.venv \
   && source /app/.venv/bin/activate \
   && pip3 install --disable-pip-version-check --no-cache-dir -r /app/requirements.txt \
   && pip3 install --disable-pip-version-check --no-cache-dir -r /app/dev_requirements.txt \
-  && find /app/.venv /usr/local -type f -executable ! -path '*/cryptography*' -exec scanelf --needed --nobanner --format '%n#p' '{}' ';' \
-    | tr ',' '\n' \
-    | sort -u \
-    | awk 'system("[[ -e /app/.venv/lib/" $1 " || -e /usr/local/lib/" $1 " ]]") == 0 { next } { print "so:" $1 }' \
-    | xargs -rt apk add --no-cache --virtual .python-rundeps \
-  && apk add --update --virtual .passport-rundeps \
-    git \
-    mercurial \
-    ca-certificates \
-    su-exec \
-    bash \
-    shadow \
-    postgresql \
-    openssl \
+  # cleanup
+  && scanelp /app/.venv/lib > runtime.txt \
+  && apt-get purge -y --auto-remove $buildDeps \
+  && install-packages $(< runtime.txt) \
+  && apt-get autoremove -y \
+  && apt-get clean -y \
+  && rm -rf \
+        /usr/share/doc \
+        /usr/share/man \
+        /usr/share/info \
+        /usr/share/locale \
+        /var/lib/apt/lists/* \
+        /var/log/* \
+        /var/cache/debconf/* \
+        /etc/systemd \
+        /lib/lsb \
+        /lib/udev \
+        /usr/lib/`echo $(uname -m)`-linux-gnu/gconv/IBM* \
+        /usr/lib/`echo $(uname -m)`-linux-gnu/gconv/EBC* \
+  && mkdir -p /usr/share/man/man{1..8} \
   && mkdir -p /run/postgresql $PGDATA \
+  && groupadd postgres && useradd -g postgres postgres \
   && chown -R postgres:postgres /run/postgresql $PGDATA \
-  && apk del .build-deps \
-  && su-exec postgres initdb -D $PGDATA
+  && gosu postgres initdb -D $PGDATA
 
 COPY . /app
-
-ENV PATH /app/.venv/bin:/app/bin:$PATH
 WORKDIR /app
 CMD ["/app/bin/boot"]
 EXPOSE 8000

rootfs/bin/boot

@@ -5,7 +5,8 @@
 
 # fail hard and fast even on pipelines
 set -eo pipefail
-
+# shellcheck disable=SC1091
+source /app/.venv/bin/activate
 # set debug based on envvar
 [[ $DRYCC_DEBUG == "true" ]] && set -x
 

rootfs/bin/test-style

@@ -5,5 +5,6 @@
 
 # fail hard and fast even on pipelines
 set -eou pipefail
-
+# shellcheck disable=SC1091
+source /app/.venv/bin/activate
 flake8 --show-source

rootfs/bin/test-unit

@@ -5,13 +5,15 @@
 
 # fail hard and fast even on pipelines
 set -eou pipefail
+# shellcheck disable=SC1091
+source /app/.venv/bin/activate
 
 function creating_rsa_key() {
     mkdir -p /var/run/secrets/drycc/passport/ \
       && openssl genrsa -out /var/run/secrets/drycc/passport/oidc-rsa-private-key 4096
 }
 
-su-exec postgres pg_ctl -D "$PGDATA" start
+gosu postgres pg_ctl -D "$PGDATA" start && ln -s /tmp/.s.PGSQL.5432 /var/run/postgresql/.s.PGSQL.5432
 creating_rsa_key
 python3 manage.py check
 coverage run manage.py test --settings=api.settings.testing --noinput api

rootfs/bin/upload-coverage

@@ -0,0 +1,11 @@
+#!/usr/bin/env bash
+#
+# This script is designed to be run inside the container
+#
+
+# fail hard and fast even on pipelines
+set -eou pipefail
+# shellcheck disable=SC1091
+source /app/.venv/bin/activate
+
+codecov --required