diff --git a/Makefile b/Makefile
index e6db5d5..11420ab 100644
--- a/Makefile
+++ b/Makefile
@@ -66,6 +66,6 @@ test-integration:
 upload-coverage:
 $(eval CI_ENV := $(shell curl -s https://codecov.io/env | bash))
- docker run ${CI_ENV} -v ${CURDIR}:/test -w /test/rootfs ${IMAGE}.test codecov --required
+ docker run ${CI_ENV} -v ${CURDIR}:/test -w /test/rootfs ${IMAGE}.test /test/rootfs/bin/upload-coverage
 .PHONY: check-kubectl check-docker build docker-build docker-build-test deploy clean commit-hook full-clean test test-style test-unit test-functional test-integration upload-coverage
diff --git a/rootfs/Dockerfile b/rootfs/Dockerfile
index d7754b4..44945d5 100644
--- a/rootfs/Dockerfile
+++ b/rootfs/Dockerfile
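Review bot: In the Makefile hunk, the `upload-coverage` recipe still builds `CI_ENV` from `curl -s https://codecov.io/env | bash`, so every coverage upload runs an unverified remote script on the CI host before the container starts; this commit leaves that line unchanged as context. Since the upload now goes through a repository-owned script, the variable list could be kept in the repository too, for example as a checked-in list of `-e VAR` flags, instead of being fetched at run time. If the fetch stays, `curl -fsS` at least makes an HTTP error fail rather than feeding an error page to bash. `${CI_ENV}` is also expanded unquoted into the `docker run` line, so whatever that script prints becomes docker arguments.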
@@ -1,44 +1,58 @@
-FROM node:16-alpine3.14 as build-app
+FROM docker.io/drycc/base:bullseye as build-app
 ADD web /app
 WORKDIR /app
-RUN yarn install \
+ENV NODE_VERSION="16.14.0"
+
+RUN install-stack node $NODE_VERSION && . init-stack \
+ && npm install --global yarn \
+ && yarn install \
 && yarn build
-FROM docker.io/library/python:3.9-alpine
+FROM docker.io/drycc/base:bullseye
+
+RUN adduser --system \
+ --shell /bin/bash \
+ --disabled-password \
+ --home /app \
+ --group \
+ drycc
+ENV PYTHON_VERSION="3.10.2"
 COPY requirements.txt /app/requirements.txt
-RUN apk add --update --virtual .build-deps \
- postgresql-dev \
- gcc \
- libffi-dev \
- musl-dev \
- openldap-dev \
- openssl-dev \
- cargo \
- rust \
- && ln /usr/lib/libldap.so /usr/lib/libldap_r.so \
+RUN buildDeps='gcc rustc cargo libffi-dev musl-dev libldap2-dev libsasl2-dev'; \
+ install-packages $buildDeps \
+ && install-stack python $PYTHON_VERSION && . init-stack \
 && python3 -m venv /app/.venv \
 && source /app/.venv/bin/activate \
 && pip3 install --disable-pip-version-check --no-cache-dir -r /app/requirements.txt \
- && find /app/.venv /usr/local -type f -executable ! -path '*/cryptography*' -exec scanelf --needed --nobanner --format '%n#p' '{}' ';' \
- | tr ',' '\n' \
- | sort -u \
- | awk 'system("[[ -e /app/.venv/lib/" $1 " || -e /usr/local/lib/" $1 " ]]") == 0 { next } { print "so:" $1 }' \
- | xargs -rt apk add --no-cache --virtual .python-rundeps \
- && apk add --update --virtual .passport-rundeps \
- ca-certificates \
- su-exec \
- bash \
- shadow \
- && apk del .build-deps
+ # cleanup
+ && scanelp /app/.venv/lib > runtime.txt \
+ && apt-get purge -y --auto-remove $buildDeps \
+ && install-packages $(< runtime.txt) \
+ && apt-get autoremove -y \
+ && apt-get clean -y \
+ && rm -rf \
+ /usr/share/doc \
+ /usr/share/man \
+ /usr/share/info \
+ /usr/share/locale \
+ /var/lib/apt/lists/* \
+ /var/log/* \
+ /var/cache/debconf/* \
+ /etc/systemd \
+ /lib/lsb \
+ /lib/udev \
+ /usr/lib/`echo $(uname -m)`-linux-gnu/gconv/IBM* \
+ /usr/lib/`echo $(uname -m)`-linux-gnu/gconv/EBC* \
+ && mkdir -p /usr/share/man/man{1..8}
 COPY . /app
 COPY --from=build-app /app/dist /app/web/dist
-ENV PATH /app/.venv/bin:/app/bin:$PATH
+USER drycc
 WORKDIR /app
-CMD ["/app/bin/boot"]
+CMD ["PATH=/app/.venv/bin:\$PATH", "/app/bin/boot"]
 EXPOSE 8000
diff --git a/rootfs/Dockerfile.test b/rootfs/Dockerfile.test
index 2ac84c4..b38568e 100644
--- a/rootfs/Dockerfile.test
+++ b/rootfs/Dockerfile.test
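Review bot: In rootfs/Dockerfile, the new `CMD ["PATH=/app/.venv/bin:\$PATH", "/app/bin/boot"]` at the end of the runtime stage will not set PATH. Exec form does no shell processing, so the first array element is taken as the program to run; `\$` is also not a valid JSON escape, so Docker most likely falls back to treating the whole bracketed text as a shell-form string. Unless the base image's ENTRYPOINT (not visible here) handles these arguments, the container would fail to start. This same commit makes `rootfs/bin/boot` source `/app/.venv/bin/activate` itself, so the line can stay `CMD ["/app/bin/boot"]`, as rootfs/Dockerfile.test does. With `ENV PATH` removed, `/app/bin` is also no longer on PATH for `docker exec` sessions or helper scripts, so confirm nothing still relies on it.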
@@ -1,49 +1,48 @@
-FROM docker.io/library/python:3.9-alpine
+FROM docker.io/drycc/base:bullseye
 COPY requirements.txt /app/requirements.txt
 COPY dev_requirements.txt /app/dev_requirements.txt
-ENV PGDATA /var/lib/postgresql/12
+ENV PGDATA="/var/lib/postgresql/data" \
+ PYTHON_VERSION="3.10.2" \
+ POSTGRES_VERSION="14.2" \
+ GOSU_VERSION="1.14"
-ENV PATH="/app/.venv/bin:${PATH}"
-
-RUN echo https://dl-cdn.alpinelinux.org/alpine/edge/testing >>/etc/apk/repositories \
- && apk add --update --virtual .build-deps \
- postgresql-dev \
- gcc \
- libffi-dev \
- musl-dev \
- openldap-dev \
- openssl-dev \
- cargo \
- rust \
- && ln /usr/lib/libldap.so /usr/lib/libldap_r.so \
+RUN buildDeps='gcc rustc cargo libffi-dev musl-dev libldap2-dev libsasl2-dev'; \
+ install-packages ldap-utils mercurial ca-certificates openssl git $buildDeps \
+ && install-stack python $PYTHON_VERSION \
+ && install-stack postgresql $POSTGRES_VERSION \
+ && install-stack gosu $GOSU_VERSION && . init-stack \
 && python3 -m venv /app/.venv \
 && source /app/.venv/bin/activate \
 && pip3 install --disable-pip-version-check --no-cache-dir -r /app/requirements.txt \
 && pip3 install --disable-pip-version-check --no-cache-dir -r /app/dev_requirements.txt \
- && find /app/.venv /usr/local -type f -executable ! -path '*/cryptography*' -exec scanelf --needed --nobanner --format '%n#p' '{}' ';' \
- | tr ',' '\n' \
- | sort -u \
- | awk 'system("[[ -e /app/.venv/lib/" $1 " || -e /usr/local/lib/" $1 " ]]") == 0 { next } { print "so:" $1 }' \
- | xargs -rt apk add --no-cache --virtual .python-rundeps \
- && apk add --update --virtual .passport-rundeps \
- git \
- mercurial \
- ca-certificates \
- su-exec \
- bash \
- shadow \
- postgresql \
- openssl \
+ # cleanup
+ && scanelp /app/.venv/lib > runtime.txt \
+ && apt-get purge -y --auto-remove $buildDeps \
+ && install-packages $(< runtime.txt) \
+ && apt-get autoremove -y \
+ && apt-get clean -y \
+ && rm -rf \
+ /usr/share/doc \
+ /usr/share/man \
+ /usr/share/info \
+ /usr/share/locale \
+ /var/lib/apt/lists/* \
+ /var/log/* \
+ /var/cache/debconf/* \
+ /etc/systemd \
+ /lib/lsb \
+ /lib/udev \
+ /usr/lib/`echo $(uname -m)`-linux-gnu/gconv/IBM* \
+ /usr/lib/`echo $(uname -m)`-linux-gnu/gconv/EBC* \
+ && mkdir -p /usr/share/man/man{1..8} \
 && mkdir -p /run/postgresql $PGDATA \
+ && groupadd postgres && useradd -g postgres postgres \
 && chown -R postgres:postgres /run/postgresql $PGDATA \
- && apk del .build-deps \
- && su-exec postgres initdb -D $PGDATA
+ && gosu postgres initdb -D $PGDATA
 COPY . /app
-
-ENV PATH /app/.venv/bin:/app/bin:$PATH
 WORKDIR /app
 CMD ["/app/bin/boot"]
 EXPOSE 8000
diff --git a/rootfs/bin/boot b/rootfs/bin/boot
index 4a54261..d138bde 100755
--- a/rootfs/bin/boot
+++ b/rootfs/bin/boot
@@ -5,7 +5,8 @@
 # fail hard and fast even on pipelines
 set -eo pipefail
-
+# shellcheck disable=SC1091
+source /app/.venv/bin/activate
 # set debug based on envvar
 [[ $DRYCC_DEBUG == "true" ]] && set -x
diff --git a/rootfs/bin/test-style b/rootfs/bin/test-style
index 7e0c730..9feaaac 100755
--- a/rootfs/bin/test-style
+++ b/rootfs/bin/test-style
@@ -5,5 +5,6 @@
 # fail hard and fast even on pipelines
 set -eou pipefail
-
+# shellcheck disable=SC1091
+source /app/.venv/bin/activate
 flake8 --show-source
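Review bot: In rootfs/Dockerfile.test, the rewritten RUN depends on bash-only syntax (`source /app/.venv/bin/activate`, `$(< runtime.txt)` and `man{1..8}`) while no `SHELL` instruction appears in the hunk, so the build works only if `/bin/sh` in `drycc/base:bullseye` is bash, which the diff does not show. Declaring `SHELL ["/bin/bash", "-o", "pipefail", "-c"]` before the RUN would make that requirement explicit instead of inherited from the base image. The same RUN pattern is added to rootfs/Dockerfile. `scanelp /app/.venv/lib > runtime.txt` also writes into the current directory and the file is never removed, so it stays in the image; adding `runtime.txt` to the `rm -rf` list would drop it.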
diff --git a/rootfs/bin/test-unit b/rootfs/bin/test-unit
index 8ab0a9d..b9e327c 100755
--- a/rootfs/bin/test-unit
+++ b/rootfs/bin/test-unit
@@ -5,13 +5,15 @@
 # fail hard and fast even on pipelines
 set -eou pipefail
+# shellcheck disable=SC1091
+source /app/.venv/bin/activate
 function creating_rsa_key() {
 mkdir -p /var/run/secrets/drycc/passport/ \
 && openssl genrsa -out /var/run/secrets/drycc/passport/oidc-rsa-private-key 4096
 }
-su-exec postgres pg_ctl -D "$PGDATA" start
+gosu postgres pg_ctl -D "$PGDATA" start && ln -s /tmp/.s.PGSQL.5432 /var/run/postgresql/.s.PGSQL.5432
 creating_rsa_key
 python3 manage.py check
 coverage run manage.py test --settings=api.settings.testing --noinput api
diff --git a/rootfs/bin/upload-coverage b/rootfs/bin/upload-coverage
new file mode 100755
index 0000000..ac72863
--- /dev/null
+++ b/rootfs/bin/upload-coverage
@@ -0,0 +1,11 @@
+#!/usr/bin/env bash
+#
+# This script is designed to be run inside the container
+#
+
+# fail hard and fast even on pipelines
+set -eou pipefail
+# shellcheck disable=SC1091
+source /app/.venv/bin/activate
+
+codecov --required
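Review bot: In rootfs/bin/test-unit, the added `ln -s /tmp/.s.PGSQL.5432 /var/run/postgresql/.s.PGSQL.5432` fails when the link already exists, and because it is the last command of the `&&` list under `set -e`, that aborts the script on a second run in the same container. Using `ln -sf` makes the step repeatable: `gosu postgres pg_ctl -D "$PGDATA" start && ln -sf /tmp/.s.PGSQL.5432 /var/run/postgresql/.s.PGSQL.5432`. A one-line comment on why the socket is linked from /tmp would also help; presumably the installed PostgreSQL uses /tmp as its socket directory while clients look in /var/run/postgresql, but the hunk does not say.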