From 1778df278eb30974ec802885288c178c213c3257 Mon Sep 17 00:00:00 2001
From: Hanne Moa
Date: Thu, 9 Nov 2023 10:13:52 +0100
Subject: [PATCH] Update root Dockerfile to bookworm

Bookworm does not allow distro pip to install anything in the system tree (/usr). See PEP 668 and https://pythonspeed.com/articles/externally-managed-environment-pep-668/

More importantly: install python stuff into a virtualenv, mirroring how it is done in production. See https://pythonspeed.com/articles/activate-virtualenv-dockerfile/

The howto above doesn't use sudo. We do, so note the extra fun in the shell scripts. (Sudo does not by default preserve the caller's path.)
---
 Dockerfile | 30 ++++++++++++++++++------------
 requirements/base.txt | 4 ++--
 tools/docker/build.sh | 5 +++--
 tools/docker/doc-watch.sh | 6 +++---
 tools/docker/syncdb.sh | 2 +-
 5 files changed, 27 insertions(+), 20 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 2844de760e..5825f38752 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -22,20 +22,19 @@
 # be world-readable!
 #
 #
-FROM debian:bullseye
+FROM python:3.11-slim-bookworm
 
 #### Prepare the OS base setup ###
 
 ENV DEBIAN_FRONTEND noninteractive
 
-RUN echo 'deb-src http://deb.debian.org/debian bullseye main' >> /etc/apt/sources.list.d/srcpkg.list && \
-    echo 'deb-src http://security.debian.org/debian-security bullseye-security main' >> /etc/apt/sources.list.d/srcpkg.list
 RUN apt-get update && \
     apt-get -y --no-install-recommends install \
     locales \
-    python3-dbg gdb \
-    sudo python3-dev python3-pip python3-virtualenv build-essential supervisor \
-    debian-keyring debian-archive-keyring ca-certificates
+#    python3-dbg gdb \
+#    cython3 python3-psycopg2 python3-twisted \
+#    python3-dev python3-pip python3-build python3-virtualenv \
+    debian-keyring debian-archive-keyring ca-certificates
 
 ARG TIMEZONE=Europe/Oslo
 ARG LOCALE=en_US.UTF-8
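Review bot: The rewritten install list drops `sudo` (the removed `sudo python3-dev …` line is the only place it appeared, and the added lines merely comment packages out), yet build.sh, doc-watch.sh and syncdb.sh in this same commit still run `sudo -u nav …`; unless sudo is installed by the second apt-get list further down the Dockerfile (not in this hunk), those scripts will fail in the bookworm image, so either confirm that or add `    sudo \` to this list. The three `+#    …` lines inside a backslash-continued RUN are dead package names; if they are meant to record what moved into the venv, a single comment above the RUN such as `# Python tooling is installed into the venv below, not from apt` says it more clearly than commented-out arguments. `FROM python:3.11-slim-bookworm` floats with the tag; pinning by digest (`FROM python:3.11-slim-bookworm@sha256:<digest>`) keeps the base image reproducible. The RUN edited here is complete within the hunk, but the Dockerfile continues outside it.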
@@ -49,6 +48,8 @@ RUN echo "${TIMEZONE}" > /etc/timezone && cp /usr/share/zoneinfo/${TIMEZONE} /et
 
 RUN apt-get update \
     && apt-get -y --no-install-recommends install \
+    build-essential \
+    supervisor \
     git-core \
     libsnmp40 \
     cron \
@@ -70,10 +71,18 @@ RUN apt-get update \
     iputils-ping \
     snmp
 
+ENV VIRTUAL_ENV=/opt/venv
+RUN python3 -m venv $VIRTUAL_ENV
+ENV PATH="$VIRTUAL_ENV/bin:$PATH"
+
 RUN adduser --system --group --no-create-home --home=/source --shell=/bin/bash nav
+RUN mkdir -p /source && echo "export PATH=$PATH" >> /source/.bashrc
+
+RUN pip install --upgrade 'setuptools>=61' wheel && \
+    pip install --upgrade pip pip-tools build
 
-RUN pip3 install --upgrade 'setuptools>=61' wheel && \
-    pip3 install --upgrade 'pip<=23.1.0' pip-tools build
+ARG CUSTOM_PIP=ipython
+RUN pip install ${CUSTOM_PIP}
 
 #################################################################################
 ### COPYing the requirements file to pip-install Python requirements may bust ###
@@ -87,13 +96,10 @@ COPY requirements/ /requirements
 COPY requirements.txt /
 COPY tests/requirements.txt /test-requirements.txt
 COPY doc/requirements.txt /doc-requirements.txt
-# Since we used pip3 to install pip globally, pip should now be for Python 3
+
 RUN pip-compile --resolver=backtracking --output-file /requirements.txt.lock /requirements.txt /test-requirements.txt /doc-requirements.txt
 RUN pip install -r /requirements.txt.lock
 
-ARG CUSTOM_PIP=ipython
-RUN pip install ${CUSTOM_PIP}
-
 COPY tools/docker/full-nav-restore.sh /usr/local/sbin/full-nav-restore.sh
 
 # Set up for mounting live source code from git repo at /source
diff --git a/requirements/base.txt b/requirements/base.txt
index a5b1a93390..bebaf29307 100644
--- a/requirements/base.txt
+++ b/requirements/base.txt
@@ -2,11 +2,11 @@
 # Dockerfile
 asciitree==0.3.3 # optional, for naventity
-psycopg2==2.8.4 # requires libpq to build
+psycopg2 # requires libpq to build
 IPy==1.01
 pyaml
-twisted>=20.0.0,<21
+twisted>=20.0.0
 networkx==2.6.3
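Review bot: `RUN mkdir -p /source && echo "export PATH=$PATH" >> /source/.bashrc` writes a root-owned file into the directory that the later hunk's context describes as the mount point for live source code (`# Set up for mounting live source code from git repo at /source`); if /source is bind-mounted at runtime, that .bashrc is shadowed and the nav user's shell never sees the venv PATH, and since `mkdir` runs as root while the user was created with `--no-create-home`, the file is not nav's even when it is visible. Writing the export to a path that is not mounted over, e.g. `/etc/profile.d/venv.sh`, or relying on the `ENV PATH="$VIRTUAL_ENV/bin:$PATH"` already set here, avoids that. Moving `ARG CUSTOM_PIP` and its `RUN pip install ${CUSTOM_PIP}` ahead of the requirements block (this hunk adds it, the next hunk removes it from after `RUN pip install -r /requirements.txt.lock`) means a different `--build-arg CUSTOM_PIP` now invalidates the pip-compile and requirements layers; keeping the ARG after the requirements install, as before, preserves cache reuse. `pip install --upgrade pip pip-tools build` also drops the former `'pip<=23.1.0'` bound; if that pin existed for a reason it should be recorded in a comment, otherwise the unbounded upgrade makes rebuilds drift over time.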
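Review bot: Replacing `psycopg2==2.8.4` with bare `psycopg2` and removing the `<21` bound on `twisted>=20.0.0` takes away the only upper limits this hunk shows, so each image build resolves whatever is newest on PyPI at build time (the Dockerfile hunks generate the lock with pip-compile inside the image, and nothing in this patch commits it), and a major-version bump of either package lands silently. If the old pins were dropped only because they do not build on bookworm/Python 3.11, a bounded range such as `psycopg2>=2.9,<3` and `twisted>=20.0.0,<24` (sample bounds, adjust to what was tested) keeps builds reproducible while still allowing the newer releases. Unpinned psycopg2 on a slim base is also built from source, which needs `libpq-dev` and a compiler; build-essential is added in the Dockerfile, but libpq-dev is not visible anywhere in this patch, so confirm it is in the second apt-get list.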
diff --git a/tools/docker/build.sh b/tools/docker/build.sh
index 41fa1e5f2f..136a84d2ff 100755
--- a/tools/docker/build.sh
+++ b/tools/docker/build.sh
@@ -8,9 +8,10 @@ if [[ ! -f "/source/setup.py" ]]; then
 fi
 
 cd /source
-sudo -u nav python3 -m build
+
+sudo -u nav env PATH=$PATH python3 -m build
 pip install -e .
-sudo -u nav python3 setup.py build_sass
+sudo -u nav env PATH=$PATH python3 setup.py build_sass
 
 if [[ ! -f "/etc/nav/nav.conf" ]]; then
     echo "Copying initial NAV config files into this container"
diff --git a/tools/docker/doc-watch.sh b/tools/docker/doc-watch.sh
index e03b8b50f1..e18a275fef 100755
--- a/tools/docker/doc-watch.sh
+++ b/tools/docker/doc-watch.sh
@@ -3,11 +3,11 @@
 #
 cd /source
 # Build once first
-sudo -u nav python3 -m build # ensure build data and .eggs aren't stored as root
+sudo -u nav env PATH=$PATH python3 -m build # ensure build data and .eggs aren't stored as root
 pip install -e .
-sudo -u nav sphinx-build doc/ doc/_build
+sudo -u nav env PATH=$PATH sphinx-build doc/ doc/_build
 # Then re-build on any changes to the doc directory
 while inotifywait -e modify -e move -e create -e delete -r --exclude \# /source/doc /source/NOTES.rst
 do
-    sudo -u nav sphinx-build doc/ doc/_build
+    sudo -u nav env PATH=$PATH sphinx-build doc/ doc/_build
 done
diff --git a/tools/docker/syncdb.sh b/tools/docker/syncdb.sh
index 781ca67353..70dc9b2f77 100755
--- a/tools/docker/syncdb.sh
+++ b/tools/docker/syncdb.sh
@@ -2,4 +2,4 @@
 cd /source
 export PGHOST=postgres PGUSER=postgres
 psql -l -t | grep -q '^ *nav' || navsyncdb -c
-sudo -u nav navsyncdb -o
+sudo -u nav env PATH=$PATH navsyncdb -o
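Review bot: `sudo -u nav env PATH=$PATH python3 -m build` leaves `$PATH` unquoted (ShellCheck SC2086); `env PATH="$PATH"` is the safe form should the value ever contain spaces or glob characters, and the same applies to the `build_sass` line here and to every `env PATH=$PATH` line in the doc-watch.sh and syncdb.sh hunks. The wrapper is now repeated five times across three scripts with no explanation in the code itself; a one-line comment where it first appears, such as `# sudo resets PATH (secure_path), so hand the venv PATH to the child explicitly`, or a shared helper like `as_nav() { sudo -u nav env PATH="$PATH" "$@"; }` would keep the reason the commit message gives from being lost. `pip install -e .` on the following line still runs as root into the root-owned venv, which matches the Dockerfile but deserves a comment since the neighbouring commands deliberately drop to nav.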