Update root Dockerfile to bookworm

Bookworm does not allow distro pip to install anything in the system tree (/usr). See PEP 668 and https://pythonspeed.com/articles/externally-managed-environment-pep-668/ More importantly: install python stuff into a virtualenv, mirroring how it is done in production. See https://pythonspeed.com/articles/activate-virtualenv-dockerfile/ The howto above doesn't use sudo. We do, so note the extra fun in the shell scripts. (Sudo does not by default preserve the caller's path.)
hmpf · Nov 21, 2023 · 1778df2 · 1778df2
1 parent d0f3a5b
commit 1778df2
Show file tree

Hide file tree

Showing 5 changed files with 27 additions and 20 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -22,20 +22,19 @@
 # be world-readable!
 #
 #
-FROM debian:bullseye
+FROM python:3.11-slim-bookworm
 
 #### Prepare the OS base setup ###
 
 ENV DEBIAN_FRONTEND noninteractive
 
-RUN echo 'deb-src http://deb.debian.org/debian bullseye main' >> /etc/apt/sources.list.d/srcpkg.list && \
-    echo 'deb-src http://security.debian.org/debian-security bullseye-security main' >> /etc/apt/sources.list.d/srcpkg.list
 RUN apt-get update && \
     apt-get -y --no-install-recommends install \
             locales \
-            python3-dbg gdb \
-            sudo python3-dev python3-pip python3-virtualenv build-essential supervisor \
-	    debian-keyring debian-archive-keyring ca-certificates
+#             python3-dbg gdb \
+#             cython3 python3-psycopg2 python3-twisted \
+#             python3-dev python3-pip python3-build python3-virtualenv \
+            debian-keyring debian-archive-keyring ca-certificates
 
 ARG TIMEZONE=Europe/Oslo
 ARG LOCALE=en_US.UTF-8
@@ -49,6 +48,8 @@ RUN echo "${TIMEZONE}" > /etc/timezone && cp /usr/share/zoneinfo/${TIMEZONE} /et
 
 RUN apt-get update \
     && apt-get -y --no-install-recommends install \
+       build-essential \
+       supervisor \
        git-core \
        libsnmp40 \
        cron \
@@ -70,10 +71,18 @@ RUN apt-get update \
        iputils-ping \
        snmp
 
+ENV VIRTUAL_ENV=/opt/venv
+RUN python3 -m venv $VIRTUAL_ENV
+ENV PATH="$VIRTUAL_ENV/bin:$PATH"
+
 RUN adduser --system --group --no-create-home --home=/source --shell=/bin/bash nav
+RUN mkdir -p /source && echo "export PATH=$PATH" >> /source/.bashrc
+
+RUN pip install --upgrade 'setuptools>=61' wheel && \
+    pip install --upgrade pip pip-tools build
 
-RUN pip3 install --upgrade 'setuptools>=61' wheel && \
-    pip3 install --upgrade 'pip<=23.1.0' pip-tools build
+ARG CUSTOM_PIP=ipython
+RUN pip install ${CUSTOM_PIP}
 
 #################################################################################
 ### COPYing the requirements file to pip-install Python requirements may bust ###
@@ -87,13 +96,10 @@ COPY requirements/ /requirements
 COPY requirements.txt /
 COPY tests/requirements.txt /test-requirements.txt
 COPY doc/requirements.txt /doc-requirements.txt
-# Since we used pip3 to install pip globally, pip should now be for Python 3
+
 RUN pip-compile --resolver=backtracking --output-file /requirements.txt.lock /requirements.txt /test-requirements.txt /doc-requirements.txt
 RUN pip install -r /requirements.txt.lock
 
-ARG CUSTOM_PIP=ipython
-RUN pip install ${CUSTOM_PIP}
-
 COPY tools/docker/full-nav-restore.sh /usr/local/sbin/full-nav-restore.sh
 
 # Set up for mounting live source code from git repo at /source

diff --git a/requirements/base.txt b/requirements/base.txt
@@ -2,11 +2,11 @@
 # Dockerfile
 
 asciitree==0.3.3  # optional, for naventity
-psycopg2==2.8.4  # requires libpq to build
+psycopg2  # requires libpq to build
 IPy==1.01
 pyaml
 
-twisted>=20.0.0,<21
+twisted>=20.0.0
 
 
 networkx==2.6.3

diff --git a/tools/docker/build.sh b/tools/docker/build.sh
@@ -8,9 +8,10 @@ if [[ ! -f "/source/setup.py" ]]; then
 fi
 
 cd /source
-sudo -u nav python3 -m build
+
+sudo -u nav env PATH=$PATH python3 -m build
 pip install -e .
-sudo -u nav python3 setup.py build_sass
+sudo -u nav env PATH=$PATH python3 setup.py build_sass
 
 if [[ ! -f "/etc/nav/nav.conf" ]]; then
     echo "Copying initial NAV config files into this container"

diff --git a/tools/docker/doc-watch.sh b/tools/docker/doc-watch.sh
@@ -3,11 +3,11 @@
 #
 cd /source
 # Build once first
-sudo -u nav python3 -m build  # ensure build data and .eggs aren't stored as root
+sudo -u nav env PATH=$PATH python3 -m build  # ensure build data and .eggs aren't stored as root
 pip install -e .
-sudo -u nav sphinx-build doc/ doc/_build
+sudo -u nav env PATH=$PATH sphinx-build doc/ doc/_build
 # Then re-build on any changes to the doc directory
 while inotifywait -e modify -e move -e create -e delete -r --exclude \# /source/doc /source/NOTES.rst
 do
-  sudo -u nav sphinx-build doc/ doc/_build
+  sudo -u nav env PATH=$PATH sphinx-build doc/ doc/_build
 done
diff --git a/tools/docker/syncdb.sh b/tools/docker/syncdb.sh
@@ -2,4 +2,4 @@
 cd /source
 export PGHOST=postgres PGUSER=postgres
 psql -l -t | grep -q '^ *nav' || navsyncdb -c
-sudo -u nav navsyncdb -o
+sudo -u nav env PATH=$PATH navsyncdb -o