From ce0460d39a142205df05d887b9ca44f446e060ed Mon Sep 17 00:00:00 2001 From: Kim Gustyr Date: Tue, 2 Jul 2024 22:28:21 +0100 Subject: [PATCH 1/3] feat(build): wolfi-os based build --- Dockerfile | 35 +++++++++++++++++++++-------------- 1 file changed, 21 insertions(+), 14 deletions(-) diff --git a/Dockerfile b/Dockerfile index 55a2f71fcb83..268e3e195289 100644 --- a/Dockerfile +++ b/Dockerfile @@ -32,9 +32,9 @@ # * build-node [node] # * build-node-django [build-node] # * build-node-selfhosted [build-node] -# * build-python [python] +# * build-python [wolfi-base] # * build-python-private [build-python] -# * api-runtime [python:slim] +# * api-runtime [wolfi-base] # * api-runtime-private [api-runtime] # - Target (shippable) stages @@ -52,9 +52,7 @@ ARG NODE_VERSION=16 ARG PYTHON_VERSION=3.11 FROM node:${NODE_VERSION}-bookworm as node -FROM node:${NODE_VERSION}-bookworm-slim as node-slim -FROM python:${PYTHON_VERSION}-bookworm as python -FROM python:${PYTHON_VERSION}-slim-bookworm as python-slim +FROM cgr.dev/chainguard/wolfi-base:latest as wolfi-base # - Intermediary stages # * build-node @@ -82,9 +80,15 @@ FROM build-node as build-node-selfhosted RUN cd frontend && npm run bundle # * build-python -FROM python as build-python +FROM wolfi-base as build-python WORKDIR /build +ARG PYTHON_VERSION +RUN apk add build-base linux-headers curl git \ + python-${PYTHON_VERSION} \ + python-${PYTHON_VERSION}-dev \ + py${PYTHON_VERSION}-pip + COPY api/pyproject.toml api/poetry.lock api/Makefile ./ ENV POETRY_VIRTUALENVS_IN_PROJECT=true \ POETRY_VIRTUALENVS_OPTIONS_ALWAYS_COPY=true \ @@ -108,12 +112,12 @@ RUN --mount=type=secret,id=github_private_cloud_token \ make install-private-modules # * api-runtime -FROM python-slim as api-runtime +FROM wolfi-base as api-runtime -# Uninstall pip to reduce CVE-2018-20225 noise -# and make system Python available to venv entrypoints -RUN pip uninstall -y pip && mkdir -p /build/.venv/bin && \ - ln -s /usr/local/bin/python /build/.venv/bin/python +# Install Python and make it available to venv entrypoints +ARG PYTHON_VERSION +RUN apk add python-${PYTHON_VERSION} && \ + mkdir /build/ && ln -s /usr/local/ /build/.venv WORKDIR /app @@ -136,7 +140,7 @@ CMD ["migrate-and-serve"] FROM api-runtime as api-runtime-private # Install SAML binary dependency -RUN apt-get update && apt-get install -y xmlsec1 && rm -rf /var/lib/apt/lists/* +RUN apk add xmlsec # - Target (shippable) stages # * private-cloud-api [api-runtime-private, build-python-private] @@ -165,7 +169,7 @@ FROM api-runtime-private as saas-api # Install GnuPG and import private key RUN --mount=type=secret,id=sse_pgp_pkey \ - apt-get update && apt-get install -y gnupg && \ + apk add gnupg && \ gpg --import /run/secrets/sse_pgp_pkey && \ mv /root/.gnupg/ /app/ && \ chown -R nobody /app/.gnupg/ @@ -187,7 +191,10 @@ RUN python manage.py collectstatic --no-input USER nobody # * oss-frontend [build-node-selfhosted] -FROM node-slim AS oss-frontend +FROM wolfi-base AS oss-frontend + +ARG NODE_VERSION +RUN apk add node-${NODE_VERSION} USER node WORKDIR /srv/bt From c73086ffc6d19e3e6d2351200b95cb140ec29bd1 Mon Sep 17 00:00:00 2001 From: Kim Gustyr Date: Tue, 2 Jul 2024 22:35:37 +0100 Subject: [PATCH 2/3] fix frontend build --- Dockerfile | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/Dockerfile b/Dockerfile index 268e3e195289..03a816150b8a 100644 --- a/Dockerfile +++ b/Dockerfile @@ -194,12 +194,11 @@ USER nobody FROM wolfi-base AS oss-frontend ARG NODE_VERSION -RUN apk add node-${NODE_VERSION} +RUN apk add nodejs-${NODE_VERSION} -USER node WORKDIR /srv/bt -COPY --from=build-node-selfhosted --chown=node:node /build/frontend . +COPY --from=build-node-selfhosted /build/frontend/ /srv/bt/ ENV NODE_ENV=production @@ -208,8 +207,11 @@ RUN echo ${CI_COMMIT_SHA} > /srv/bt/CI_COMMIT_SHA COPY .release-please-manifest.json /srv/bt/.versions.json EXPOSE 8080 + CMD ["node", "./api/index.js"] +USER node + # * oss-unified [api-runtime, build-python, build-node-django] FROM api-runtime as oss-unified From 44c6d04d5ef71a3fc258275c6bbeded7e1f775a4 Mon Sep 17 00:00:00 2001 From: Kim Gustyr Date: Tue, 2 Jul 2024 22:43:23 +0100 Subject: [PATCH 3/3] fix shebang --- api/scripts/run-docker.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/api/scripts/run-docker.sh b/api/scripts/run-docker.sh index 7fa0ff47dda9..6f63ebbf5532 100755 --- a/api/scripts/run-docker.sh +++ b/api/scripts/run-docker.sh @@ -1,4 +1,4 @@ -#!/bin/bash +#!/bin/sh set -e # The script can take 2 optional arguments: