Merge pull request #869 from DSD-DBS/support-non-root-base

build: Add support for non-root base images
DSD-DBS · Jul 26, 2023 · 815d829 · 815d829
2 parents b18ff75 + 8d90236
commit 815d829
Show file tree

Hide file tree

Showing 5 changed files with 54 additions and 19 deletions.
diff --git a/backend/Dockerfile b/backend/Dockerfile
@@ -1,40 +1,53 @@
 # SPDX-FileCopyrightText: Copyright DB Netz AG and the capella-collab-manager contributors
 # SPDX-License-Identifier: Apache-2.0
 
-ARG BASE_IMAGE=python:3.11-bookworm
+ARG BASE_IMAGE=debian:bookworm-slim
 FROM $BASE_IMAGE
 
 SHELL ["/bin/bash", "-euo", "pipefail", "-c"]
 ENV SHELL=/bin/bash
 
+USER root
+
 RUN apt-get update && \
     apt-get upgrade --yes && \
     apt-get install --yes \
     ca-certificates \
     unzip \
     libpq-dev \
     curl \
+    python3 \
+    python3-pip \
+    python3-venv \
+    gnupg \
+    git-lfs \
     && rm -rf /var/lib/apt/lists/*
 
+ARG KUBECTL_APT_REMOTE=https://apt.kubernetes.io/
+
 # Install kubectl if not available in base image
 # kubectl is needed for the list files endpoint
-RUN kubectl_installed="yes"; dpkg -s kubectl || kubectl_installed="no"; \
-    if [[ "$kubectl_installed" == "no" ]]; \
-    then \
-    mkdir -p /etc/apt/keyrings; \
-    curl -fsSLo /etc/apt/keyrings/kubernetes-archive-keyring.gpg https://dl.k8s.io/apt/doc/apt-key.gpg; \
-    echo "deb [signed-by=/etc/apt/keyrings/kubernetes-archive-keyring.gpg] https://apt.kubernetes.io/ kubernetes-xenial main" | tee /etc/apt/sources.list.d/kubernetes.list; \
-    apt-get update && apt-get install -y kubectl && rm -rf /var/lib/apt/lists/*; \
-    fi
+RUN mkdir -p /etc/apt/keyrings && \
+    curl -fsSL https://packages.cloud.google.com/apt/doc/apt-key.gpg | gpg --dearmor -o /etc/apt/keyrings/kubernetes-archive-keyring.gpg && \
+    echo "deb [signed-by=/etc/apt/keyrings/kubernetes-archive-keyring.gpg] $KUBECTL_APT_REMOTE kubernetes-xenial main" | tee /etc/apt/sources.list.d/kubernetes.list && \
+    apt-get update && apt-get install -y kubectl && rm -rf /var/lib/apt/lists/*
 
 EXPOSE 8000
 COPY . /tmp/backend
 COPY .git_archival.txt /tmp/.git_archival.txt
 COPY startup.sh /opt/.startup.sh
 
+# Activate venv
+RUN ln -s $(which python3.11) /usr/bin/python && \
+    ln -sf $(which python3.11) /usr/bin/python3 && \
+    python -m venv /opt/.venv
+ENV _OLD_VIRTUAL_PATH="$PATH"
+ENV VIRTUAL_ENV=/opt/.venv
+ENV PATH="$VIRTUAL_ENV/bin:$PATH"
+
 WORKDIR /tmp/backend
 RUN --mount=type=cache,id=capella-collaboration-backend-dependencies,target=/root/.cache/pip,sharing=locked \
-    pip install ".[psycopg2]"
+    pip install .
 
 RUN mkdir -p /var/log/backend && \
     chmod -R 777 /var/log/backend

diff --git a/backend/pyproject.toml b/backend/pyproject.toml
@@ -66,9 +66,6 @@ dev = [
   "pytest-cov",
   "aioresponses"
 ]
-psycopg2 = [
-  "psycopg2", # Need when running in a Docker container with AArch64: https://github.com/psycopg/psycopg2/issues/1360
-]
 
 [project.entry-points."capellacollab.authentication.providers"]
 oauth = "capellacollab.core.authentication.provider.oauth"

diff --git a/ci-templates/gitlab/image-builder.yml b/ci-templates/gitlab/image-builder.yml
@@ -26,7 +26,8 @@ variables:
   GUACAMOLE_IMAGE_NAME: "capella/collab/guacamole"
   DOCKER_BUILD_ARGS: "--no-cache"
   DOCKER_BUILDKIT: "1"
-  BASE_IMAGE: "debian:bullseye"
+  BASE_IMAGE: "debian:bookworm"
+  KUBECTL_APT_REMOTE: "https://apt.kubernetes.io/"
 
 default:
   image: $DOCKER_REGISTRY/base
@@ -82,7 +83,11 @@ frontend:
     - mv ../environment.prod.ts frontend/src/environments
     - npm i undici
     - python frontend/fetch-version.py
-    - docker build ${DOCKER_BUILD_ARGS} -t ${IMAGE}:${DOCKER_TAG} --build-arg BASE_IMAGE=${BASE_IMAGE} frontend
+    - >
+      docker build ${DOCKER_BUILD_ARGS} \
+        -t ${IMAGE}:${DOCKER_TAG} \
+        --build-arg BASE_IMAGE=${BASE_IMAGE} \
+        frontend
     - *push
 
 backend:
@@ -95,7 +100,13 @@ backend:
     - IMAGE=${DOCKER_REGISTRY}/${BACKEND_IMAGE_NAME:?}
     - *docker
     - python backend/generate_git_archival.py
-    - docker build ${DOCKER_BUILD_ARGS} -t ${IMAGE}:${DOCKER_TAG} --build-arg BASE_IMAGE=${BASE_IMAGE} backend
+    - >
+      docker build \
+        ${DOCKER_BUILD_ARGS} \
+        -t ${IMAGE}:${DOCKER_TAG} \
+        --build-arg BASE_IMAGE=${BASE_IMAGE} \
+        --build-arg KUBECTL_APT_REMOTE="${KUBECTL_APT_REMOTE}" \
+        backend
     - *push
 
 docs:
@@ -107,7 +118,12 @@ docs:
     - *prepare
     - IMAGE=${DOCKER_REGISTRY}/${DOCS_IMAGE_NAME:?}
     - *docker
-    - docker build ${DOCKER_BUILD_ARGS} -t ${IMAGE}:${DOCKER_TAG} --build-arg BASE_IMAGE=${BASE_IMAGE} docs/user
+    - >
+      docker build \
+        ${DOCKER_BUILD_ARGS} \
+        -t ${IMAGE}:${DOCKER_TAG} \
+        --build-arg BASE_IMAGE=${BASE_IMAGE} \
+        docs/user
     - *push
 
 guacamole:
@@ -119,5 +135,10 @@ guacamole:
     - *prepare
     - IMAGE=${DOCKER_REGISTRY}/${GUACAMOLE_IMAGE_NAME:?}
     - *docker
-    - docker build ${DOCKER_BUILD_ARGS} -t ${IMAGE}:${DOCKER_TAG} --build-arg BASE_IMAGE=guacamole/guacamole guacamole
+    - >
+      docker build \
+        ${DOCKER_BUILD_ARGS} \
+        -t ${IMAGE}:${DOCKER_TAG} \
+        --build-arg BASE_IMAGE=guacamole/guacamole \
+        guacamole
     - *push
diff --git a/docs/user/Dockerfile b/docs/user/Dockerfile
@@ -1,9 +1,11 @@
 # SPDX-FileCopyrightText: Copyright DB Netz AG and the capella-collab-manager contributors
 # SPDX-License-Identifier: Apache-2.0
 
-ARG BASE_IMAGE=python:3.10
+ARG BASE_IMAGE=python:3.11-bookworm
 FROM $BASE_IMAGE as build
 
+USER root
+
 RUN pip install -U pip && \
     pip install mkdocs-material
 

diff --git a/frontend/Dockerfile b/frontend/Dockerfile
@@ -4,6 +4,8 @@
 ARG BASE_IMAGE=node:18
 FROM $BASE_IMAGE as build
 
+USER root
+
 ARG CONFIGURATION=production
 RUN npm install -g npm@latest