From 91aaad3ab9cd1e49b03ec0ed568230515332a202 Mon Sep 17 00:00:00 2001
From: Hanne Moa
Date: Thu, 9 Nov 2023 10:13:52 +0100
Subject: [PATCH 1/3] Update root Dockerfile to bookworm
Bookworm does not allow distro pip to install anything in the system tree (/usr). See PEP 668 and https://pythonspeed.com/articles/externally-managed-environment-pep-668/ More importantly: install python stuff into a virtualenv, mirroring how it is done in production. See https://pythonspeed.com/articles/activate-virtualenv-dockerfile/ The howto above doesn't use sudo. We do, so note the extra fun in the shell scripts. (Sudo does not by default preserve the caller's path.)
---
 Dockerfile | 24 ++++++++++++++----------
 tools/docker/build.sh | 5 +++--
 tools/docker/doc-watch.sh | 6 +++---
 tools/docker/syncdb.sh | 2 +-
 4 files changed, 21 insertions(+), 16 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index cf8d0fb79f..c04a5fc9b0 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -22,20 +22,18 @@
 # be world-readable!
 #
 #
-FROM --platform=linux/amd64 debian:bullseye
+FROM --platform=linux/amd64 python:3.11-slim-bookworm
 #### Prepare the OS base setup ###
 ENV DEBIAN_FRONTEND noninteractive
-RUN echo 'deb-src http://deb.debian.org/debian bullseye main' >> /etc/apt/sources.list.d/srcpkg.list && \
- echo 'deb-src http://security.debian.org/debian-security bullseye-security main' >> /etc/apt/sources.list.d/srcpkg.list
 RUN apt-get update && \
 apt-get -y --no-install-recommends install \
 locales \
 python3-dbg gdb \
 sudo python3-dev python3-pip python3-virtualenv build-essential supervisor \
- debian-keyring debian-archive-keyring ca-certificates curl gpg
+ debian-keyring debian-archive-keyring ca-certificates curl gpg
 ## Use deb.nodesource.com to fetch more modern versions of Node/NPM than Debian can provide
 RUN curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key | gpg --dearmor -o /usr/share/keyrings/nodesource.gpg && \
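Review bot: `python:3.11-slim-bookworm` already provides an interpreter under /usr/local, but the apt list kept under the new FROM still installs `python3-dev python3-pip python3-virtualenv python3-dbg`, which pulls Debian's separate /usr/bin/python3 into the image; presumably the venv created later in this patch is built from the /usr/local one (it comes first on PATH in the official image), so those headers, that pip and the dbg interpreter are dead weight, and the Debian pip is the one PEP 668 refuses anyway. I would drop those four packages (keeping `build-essential` for compiled wheels) or add a comment saying why both interpreters are wanted. The tag is floating; for a reproducible image pin it by digest, `FROM --platform=linux/amd64 python:3.11-slim-bookworm@sha256:<image-digest>`. The `RUN curl …` on the last line of this hunk continues past it.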
@@ -55,6 +53,8 @@ RUN echo "${TIMEZONE}" > /etc/timezone && cp /usr/share/zoneinfo/${TIMEZONE} /et
 RUN apt-get update \
 && apt-get -y --no-install-recommends install \
+ build-essential \
+ supervisor \
 git-core \
 libsnmp40 \
 cron \
@@ -76,10 +76,18 @@ RUN apt-get update \
 iputils-ping \
 snmp
+ENV VIRTUAL_ENV=/opt/venv
+RUN python3 -m venv $VIRTUAL_ENV
+ENV PATH="$VIRTUAL_ENV/bin:$PATH"
+
 RUN adduser --system --group --no-create-home --home=/source --shell=/bin/bash nav
+RUN mkdir -p /source && echo "export PATH=$PATH" >> /source/.bashrc
+
+RUN pip install --upgrade 'setuptools>=61' wheel && \
+ pip install --upgrade pip pip-tools build
-RUN pip3 install --upgrade 'setuptools>=61' wheel && \
- pip3 install --upgrade 'pip<=23.1.0' pip-tools build
+ARG CUSTOM_PIP=ipython
+RUN pip install ${CUSTOM_PIP}
 #################################################################################
 ### COPYing the requirements file to pip-install Python requirements may bust ###
@@ -94,13 +102,9 @@ COPY requirements.txt /
 COPY constraints.txt /
 COPY tests/requirements.txt /test-requirements.txt
 COPY doc/requirements.txt /doc-requirements.txt
-# Since we used pip3 to install pip globally, pip should now be for Python 3
 RUN pip-compile --resolver=backtracking --output-file /requirements.txt.lock -c /constraints.txt /requirements.txt /test-requirements.txt /doc-requirements.txt
 RUN pip install -r /requirements.txt.lock
-ARG CUSTOM_PIP=ipython
-RUN pip install ${CUSTOM_PIP}
-
 COPY tools/docker/full-nav-restore.sh /usr/local/sbin/full-nav-restore.sh
 # Set up for mounting live source code from git repo at /source
diff --git a/tools/docker/build.sh b/tools/docker/build.sh
index 41fa1e5f2f..136a84d2ff 100755
--- a/tools/docker/build.sh
+++ b/tools/docker/build.sh
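Review bot: `build-essential` and `supervisor` are already installed by the first apt-get list in the previous hunk (`sudo python3-dev python3-pip python3-virtualenv build-essential supervisor`), so adding them to this second list is a no-op for apt and leaves two places to maintain. If the intent is to move them out of the Python-specific list, drop them from the first one in the same commit; otherwise drop these two added lines. The RUN this hunk edits continues past it.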
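Review bot: `pip install --upgrade pip pip-tools build` drops the `'pip<=23.1.0'` pin the removed line carried, and `RUN pip install ${CUSTOM_PIP}` now runs before the lock file is applied, so each build pulls whatever pip, pip-tools, build and ipython are current that day and a resolver change in pip-tools can alter what the `pip-compile` in the next hunk locks. I would pin the tooling the way the old line did, `pip install --upgrade 'pip==<version>' 'pip-tools==<version>' 'build==<version>'`, and add `--no-cache-dir` so the wheel cache stays out of the layer. `RUN mkdir -p /source && echo "export PATH=$PATH" >> /source/.bashrc` also writes a root-owned file into the directory the later comment describes as the mount point for live source, so it is presumably hidden whenever the repo is mounted over /source — worth confirming against the compose setup, or putting the export in `/etc/bash.bashrc` where it survives the mount.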
@@ -8,9 +8,10 @@ if [[ ! -f "/source/setup.py" ]]; then
 fi
 cd /source
-sudo -u nav python3 -m build
+
+sudo -u nav env PATH=$PATH python3 -m build
 pip install -e .
-sudo -u nav python3 setup.py build_sass
+sudo -u nav env PATH=$PATH python3 setup.py build_sass
 if [[ ! -f "/etc/nav/nav.conf" ]]; then
 echo "Copying initial NAV config files into this container"
diff --git a/tools/docker/doc-watch.sh b/tools/docker/doc-watch.sh
index 371a85cab9..533daee98c 100755
--- a/tools/docker/doc-watch.sh
+++ b/tools/docker/doc-watch.sh
@@ -3,11 +3,11 @@
 #
 cd /source
 # Build once first
-sudo -u nav python3 -m build # ensure build data and .eggs aren't stored as root
+sudo -u nav env PATH=$PATH python3 -m build # ensure build data and .eggs aren't stored as root
 pip install -e .
-sudo -u nav sphinx-build doc/ build/sphinx/html/
+sudo -u nav env PATH=$PATH sphinx-build doc/ build/sphinx/html/
 # Then re-build on any changes to the doc directory
 while inotifywait -e modify -e move -e create -e delete -r --exclude \# /source/doc /source/NOTES.rst
 do
- sudo -u nav sphinx-build doc/ build/sphinx/html/
+ sudo -u nav env PATH=$PATH sphinx-build doc/ build/sphinx/html/
 done
diff --git a/tools/docker/syncdb.sh b/tools/docker/syncdb.sh
index 781ca67353..70dc9b2f77 100755
--- a/tools/docker/syncdb.sh
+++ b/tools/docker/syncdb.sh
@@ -2,4 +2,4 @@
 cd /source
 export PGHOST=postgres PGUSER=postgres
 psql -l -t | grep -q '^ *nav' || navsyncdb -c
-sudo -u nav navsyncdb -o
+sudo -u nav env PATH=$PATH navsyncdb -o
From 28574ef8e142189ffde8fb642238cc7d1d341e8a Mon Sep 17 00:00:00 2001
From: Hanne Moa
Date: Thu, 9 Nov 2023 14:38:44 +0100
Subject: [PATCH 2/3] Update graphite Dockerfile to bookworm
---
 tools/docker/graphite/Dockerfile | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/tools/docker/graphite/Dockerfile b/tools/docker/graphite/Dockerfile
index abc706eb95..3a24e029bf 100644
--- a/tools/docker/graphite/Dockerfile
+++ b/tools/docker/graphite/Dockerfile
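Review bot: `sudo -u nav env PATH=$PATH python3 -m build` leaves `$PATH` unquoted, so a PATH containing whitespace word-splits into extra arguments for env; the same form is used in the `doc-watch.sh` and `syncdb.sh` hunks below. Re-exporting the caller's whole PATH past sudo also undoes exactly what sudoers' `secure_path` is there for, when all these scripts need is the venv: naming the binary is narrower and needs no PATH at all, e.g. `sudo -u nav /opt/venv/bin/python3 -m build` (and `/opt/venv/bin/sphinx-build`, `/opt/venv/bin/navsyncdb` in the other two scripts, assuming `pip install -e .` puts the nav entry points into the venv), /opt/venv being the VIRTUAL_ENV the Dockerfile in this patch creates. If env stays, at least quote it: `env PATH="$PATH"`. The `if` whose `fi` opens this hunk starts before it.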
@@ -1,13 +1,9 @@
-FROM debian:buster
+FROM debian:bookworm
 #### Prepare the OS base setup ###
 ENV DEBIAN_FRONTEND noninteractive
-RUN echo 'deb-src http://deb.debian.org/debian buster main' >> /etc/apt/sources.list.d/srcpkg.list && \
- echo 'deb-src http://security.debian.org/debian-security buster/updates main' >> /etc/apt/sources.list.d/srcpkg.list && \
- echo 'deb-src http://deb.debian.org/debian buster-updates main' >> /etc/apt/sources.list.d/srcpkg.list
-
 RUN apt-get update && \
 apt-get -y --no-install-recommends install \
 locales \
From 8101a8bd1074ba53b4e1670e4a59afac608a72c9 Mon Sep 17 00:00:00 2001
From: Hanne Moa
Date: Thu, 9 Nov 2023 14:46:33 +0100
Subject: [PATCH 3/3] Update forward Dockerfile to bookworm
---
 tools/forward/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/forward/Dockerfile b/tools/forward/Dockerfile
index dc02f9586b..f06f91067d 100644
--- a/tools/forward/Dockerfile
+++ b/tools/forward/Dockerfile
@@ -1,4 +1,4 @@
-FROM debian:bullseye
+FROM debian:bookworm
 RUN apt-get update && apt-get install -y openssh-server socat sudo tini
 RUN echo '%adm ALL=NOPASSWD: /usr/bin/socat' > /etc/sudoers.d/socat
 RUN chmod 0440 /etc/sudoers.d/socat
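Review bot: `FROM debian:bookworm` puts this image under the same PEP 668 externally-managed rule the first patch's message describes, so any `pip`/`pip3 install` into /usr further down this Dockerfile will be refused unless it goes through a venv or `--break-system-packages`; the rest of the file is outside the hunk, so I cannot tell whether it does, but it deserves a check before the bump lands. The tag is also floating; `FROM debian:bookworm@sha256:<image-digest>` would pin it. The `RUN apt-get update` at the end of the hunk continues past it.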