centralcloud/oncall-engine
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
oncall-engine/engine/Dockerfile
Joey Orlando 65dd0a7d20
upgrade Docker base image from python:3.12.3-alpine3.18 to python:3.12.3-alpine3.20 (#4879) 
# What this PR does

Fixes [many
CVEs](https://ops.grafana-ops.net/a/grafana-vulnerabilityobs-app/sources/9/version/5561?var-package=&var-cve=CVE-2023-42363&var-riskLevel=$__all)
currently present in our `latest` tagged Docker image:

**Before**
<img width="1250" alt="Screenshot 2024-08-20 at 16 33 14"
src="https://github.com/user-attachments/assets/8215cefe-0a4c-44a8-a817-47d5d9633ceb">

**After**
<img width="1245" alt="Screenshot 2024-08-20 at 16 30 09"
src="https://github.com/user-attachments/assets/2ddc9246-edbc-4801-8dc4-cdc962786ef8">

## Checklist

- [ ] Unit, integration, and e2e (if applicable) tests updated
- [x] Documentation added (or `pr:no public docs` PR label added if not
required)
- [x] Added the relevant release notes label (see labels prefixed w/
`release:`). These labels dictate how your PR will
    show up in the autogenerated release notes.
2024-08-20 20:44:18 +00:00

81 lines
3.3 KiB
Docker
Raw Blame History

FROM python:3.12.3-alpine3.20 AS base
ARG TARGETPLATFORM
# Create a group and user to run an app
ENV APP_USER=appuser
RUN addgroup --system --gid 2000 ${APP_USER} && \
adduser --system --uid 1000 --ingroup ${APP_USER} ${APP_USER}
RUN apk add bash \
python3-dev \
build-base \
linux-headers \
pcre-dev \
mariadb-connector-c-dev \
libffi-dev \
git \
postgresql-dev
WORKDIR /etc/app
COPY ./requirements.txt ./
COPY ./grpcio-1.64.1-cp312-cp312-linux_aarch64.whl ./
# grpcio is not available for arm64 on pypi, so we need to install it from a local wheel
# this can be removed once https://github.com/grpc/grpc/issues/34998 is resolved
RUN if [ "$TARGETPLATFORM" = "linux/arm64" ]; then \
pip install grpcio-1.64.1-cp312-cp312-linux_aarch64.whl \
&& rm grpcio-1.64.1-cp312-cp312-linux_aarch64.whl; \
fi
RUN pip install uv setuptools
# TODO: figure out how to get this to work.. see comment in .github/workflows/e2e-tests.yml
# https://stackoverflow.com/a/71846527
# RUN --mount=type=cache,target=/root/.cache/pip,from=pip_cache pip install -r requirements.txt
RUN uv pip install --system -r requirements.txt
# we intentionally have two COPY commands, this is to have the requirements.txt in a separate build step
# which only invalidates when the requirements.txt actually changes. This avoids having to unneccasrily reinstall deps (which is time-consuming)
# https://stackoverflow.com/questions/34398632/docker-how-to-run-pip-requirements-txt-only-if-there-was-a-change/34399661#34399661
COPY ./ ./
# Collect static files
RUN DJANGO_SETTINGS_MODULE=settings.prod_without_db DATABASE_TYPE=sqlite3 DATABASE_NAME=/var/lib/oncall/oncall.db SECRET_KEY="ThEmUsTSecretKEYforBUILDstage123" SILK_PROFILER_ENABLED="True" python manage.py collectstatic --no-input
# Change permissions for the app folder, as previous commands run as root
RUN chown -R ${APP_USER}:${APP_USER} /etc/app
# Create SQLite database and set permissions
RUN mkdir -p /var/lib/oncall
RUN DATABASE_TYPE=sqlite3 DATABASE_NAME=/var/lib/oncall/oncall.db python manage.py create_sqlite_db
RUN chown -R ${APP_USER}:${APP_USER} /var/lib/oncall
# This is required for silk profilers to sync between uwsgi workers
RUN mkdir -p /tmp/silk_profiles;
RUN chown -R ${APP_USER}:${APP_USER} /tmp/silk_profiles
# This is required for prometheus_client to sync between uwsgi workers
RUN mkdir -p /tmp/prometheus_django_metrics;
RUN chown -R ${APP_USER}:${APP_USER} /tmp/prometheus_django_metrics
ENV prometheus_multiproc_dir "/tmp/prometheus_django_metrics"
FROM base AS dev
RUN apk add sqlite mysql-client postgresql-client
# TODO: figure out how to get this to work.. see comment in .github/workflows/e2e-tests.yml
# https://stackoverflow.com/a/71846527
# RUN --mount=type=cache,target=/root/.cache/pip,from=pip_cache pip install -r requirements-dev.txt
RUN uv pip install --system -r requirements-dev.txt
FROM dev AS dev-enterprise
# TODO: figure out how to get this to work.. see comment in .github/workflows/e2e-tests.yml
# https://stackoverflow.com/a/71846527
# RUN --mount=type=cache,target=/root/.cache/pip,from=pip_cache pip install -r requirements-enterprise-docker.txt
RUN uv pip install --system -r requirements-enterprise-docker.txt
FROM base AS prod
# Change to a non-root user (number is required by Kubernetes runAsNonRoot check)
USER 1000
CMD [ "uwsgi", "--ini", "uwsgi.ini" ]
Reference in a new issue View git blame Copy permalink