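# Build stage: prepares /app (virtualenv, Poetry, sources and the production
# dependencies). The api, worker and beat stages copy /app from this stage.
# NOTE(review): python:3.8-buster is a mutable tag; pin it by digest
# (python:3.8-buster@sha256:<digest>) if builds must be reproducible.
FROM python:3.8-buster AS build

WORKDIR /app

ENV VIRTUAL_ENV=/app/.venv \
    POETRY_HOME=/app/.poetry
# Kept as its own instruction: values set inside one ENV instruction are not
# visible to the expansions of that same instruction.
ENV PATH=$POETRY_HOME/bin:$VIRTUAL_ENV/bin:$PATH

# Prometheus requires this envar name for multiprocess, and it has to be an absolute path.
ENV prometheus_multiproc_dir=/app/.prometheus/multiproc

COPY entrypoint.sh entrypoint.sh

RUN mkdir -p "$prometheus_multiproc_dir" \
    && python3 -m venv "$VIRTUAL_ENV"

# CI requirement to run poetry install.
# NOTE(review): both are predefined build args; declaring them explicitly makes
# their values show up in the image history, so the proxy URL passed by CI
# should not embed credentials.
ARG HTTP_PROXY
ARG HTTPS_PROXY

# Without pipefail the pipeline's exit status is python's alone, so a failed or
# truncated download would not fail the build. The default /bin/sh of this base
# image does not offer the option, hence bash for the remaining RUN steps.
SHELL ["/bin/bash", "-o", "pipefail", "-c"]

# Pinned to poetry:1.0.5.
# The full commit hash in the URL pins the installer script. -f makes curl exit
# non-zero on an HTTP error instead of handing the error page to python.
# NOTE(review): the script is executed without a checksum comparison, and
# whether the Poetry release it downloads is itself fixed to 1.0.5 is not
# visible here; confirm, and pass an explicit version to the installer if not.
RUN curl -fsSL https://raw.githubusercontent.com/python-poetry/poetry/754dbf80dc022b89974288cff10b40ab2f1c2697/get-poetry.py | python \
    && poetry config virtualenvs.in-project true

COPY poetry.lock pyproject.toml ./

# The common submodule.
COPY common common

# The microservice to build.
ARG SERVICE_DIR
COPY $SERVICE_DIR $SERVICE_DIR

# NOTE: to perform security scans, generate requirements.txt.
# requirements.txt is written to /app and therefore travels into every runtime
# stage together with the rest of /app.
RUN poetry install \
        --no-dev \
        --no-root \
    && poetry export -f requirements.txt > requirements.txt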
################################
# Api
################################
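# Runtime image for the API service: the slim base plus /app from the build stage.
# NOTE(review): python:3.8-slim-buster is a mutable tag; pin it by digest
# (python:3.8-slim-buster@sha256:<digest>) if builds must be reproducible.
FROM python:3.8-slim-buster AS api

WORKDIR /app

ENV PYTHONPATH=/app \
    VIRTUAL_ENV=/app/.venv \
    POETRY_HOME=/app/.poetry
# Kept as its own instruction: values set inside one ENV instruction are not
# visible to the expansions of that same instruction.
ENV PATH=$POETRY_HOME/bin:$VIRTUAL_ENV/bin:$PATH

# Prometheus requires this envar name for multiprocess, and it has to be an absolute path.
ENV prometheus_multiproc_dir=/app/.prometheus/multiproc

# Copies the whole build tree: virtualenv, Poetry installation, sources,
# entrypoint.sh and the exported requirements.txt.
COPY --from=build /app /app

# Openshift requires the user group to be root.
# NOTE(review): g+rwx is applied to the entire tree, so the code and the
# virtualenv are writable by the runtime user and by any UID in group root.
# Which paths actually need to be writable at runtime is not visible here;
# narrow the chmod to those if they can be enumerated.
RUN useradd \
        --no-log-init \
        --home /app \
        --shell /bin/bash \
        immuni \
    && chown \
        --recursive \
        immuni:root \
        /app \
    && chmod -R g+rwx /app

# NOTE(review): USER is given by name; a runtime that has to verify a non-root
# user from the image metadata needs a numeric UID (fixed via useradd --uid).
USER immuni

# API_PORT has no default: the build argument must be supplied for this stage,
# otherwise EXPOSE receives an empty port.
ARG API_PORT
ENV API_PORT=$API_PORT
EXPOSE $API_PORT/tcp

# Build info for monitoring purposes, exposed to the running application.
ARG GIT_BRANCH
ARG GIT_SHA
ARG GIT_TAG
ARG BUILD_DATE
ENV GIT_BRANCH=$GIT_BRANCH
ENV GIT_SHA=$GIT_SHA
ENV GIT_TAG=$GIT_TAG
ENV BUILD_DATE=$BUILD_DATE

# Relative path, resolved against WORKDIR /app.
ENTRYPOINT ["./entrypoint.sh", "api"]
CMD []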
################################
# Worker
################################
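# Runtime image for the worker: the slim base plus /app from the build stage.
# NOTE(review): python:3.8-slim-buster is a mutable tag; pin it by digest
# (python:3.8-slim-buster@sha256:<digest>) if builds must be reproducible.
FROM python:3.8-slim-buster AS worker

WORKDIR /app

ENV PYTHONPATH=/app \
    VIRTUAL_ENV=/app/.venv \
    POETRY_HOME=/app/.poetry
# Kept as its own instruction: values set inside one ENV instruction are not
# visible to the expansions of that same instruction.
ENV PATH=$POETRY_HOME/bin:$VIRTUAL_ENV/bin:$PATH

# Prometheus requires this envar name for multiprocess, and it has to be an absolute path.
ENV prometheus_multiproc_dir=/app/.prometheus/multiproc

# Copies the whole build tree: virtualenv, Poetry installation, sources,
# entrypoint.sh and the exported requirements.txt.
COPY --from=build /app /app

# Openshift requires the user group to be root.
# NOTE(review): g+rwx is applied to the entire tree, so the code and the
# virtualenv are writable by the runtime user and by any UID in group root.
# Which paths actually need to be writable at runtime is not visible here;
# narrow the chmod to those if they can be enumerated.
RUN useradd \
        --no-log-init \
        --home /app \
        --shell /bin/bash \
        immuni \
    && chown \
        --recursive \
        immuni:root \
        /app \
    && chmod -R g+rwx /app

# NOTE(review): USER is given by name; a runtime that has to verify a non-root
# user from the image metadata needs a numeric UID (fixed via useradd --uid).
USER immuni

# Build info for monitoring purposes, exposed to the running application.
ARG GIT_BRANCH
ARG GIT_SHA
ARG GIT_TAG
ARG BUILD_DATE
ENV GIT_BRANCH=$GIT_BRANCH
ENV GIT_SHA=$GIT_SHA
ENV GIT_TAG=$GIT_TAG
ENV BUILD_DATE=$BUILD_DATE

# Relative path, resolved against WORKDIR /app.
ENTRYPOINT ["./entrypoint.sh", "worker"]
CMD []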
################################
# Beat
################################
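# Runtime image for the beat scheduler: the slim base, /app from the build
# stage, and procps for the container healthcheck.
# NOTE(review): python:3.8-slim-buster is a mutable tag; pin it by digest
# (python:3.8-slim-buster@sha256:<digest>) if builds must be reproducible.
FROM python:3.8-slim-buster AS beat

ENV PYTHONPATH=/app \
    VIRTUAL_ENV=/app/.venv \
    POETRY_HOME=/app/.poetry
# Kept as its own instruction: values set inside one ENV instruction are not
# visible to the expansions of that same instruction.
ENV PATH=$POETRY_HOME/bin:$VIRTUAL_ENV/bin:$PATH

# Prometheus requires this envar name for multiprocess, and it has to be an absolute path.
ENV prometheus_multiproc_dir=/app/.prometheus/multiproc

WORKDIR /app

# Copies the whole build tree: virtualenv, Poetry installation, sources,
# entrypoint.sh and the exported requirements.txt.
COPY --from=build /app /app

# Running after the copy to avoid caching of this layer in case of code changes.
# The proxy is a CI requirement to run apt.
# procps is needed to perform the healthcheck on the beat container.
# HTTP_PROXY is not declared with ARG in this stage; it resolves as one of
# Docker's predefined proxy build args.
# proxy.conf and the apt lists are removed in the same layer, so the CI proxy
# address and the package index are not shipped in the image. Only procps
# itself is installed (no recommended extras).
RUN echo "Acquire::http::Proxy \"$HTTP_PROXY\";" > /etc/apt/apt.conf.d/proxy.conf \
    && apt-get update \
    && apt-get install -y --no-install-recommends procps \
    && rm -rf /var/lib/apt/lists/* \
    && rm -f /etc/apt/apt.conf.d/proxy.conf

# Openshift requires the user group to be root.
# NOTE(review): g+rwx is applied to the entire tree, so the code and the
# virtualenv are writable by the runtime user and by any UID in group root.
# Which paths actually need to be writable at runtime is not visible here;
# narrow the chmod to those if they can be enumerated.
RUN useradd \
        --no-log-init \
        --home /app \
        --shell /bin/bash \
        immuni \
    && chown \
        --recursive \
        immuni:root \
        /app \
    && chmod -R g+rwx /app

# NOTE(review): USER is given by name; a runtime that has to verify a non-root
# user from the image metadata needs a numeric UID (fixed via useradd --uid).
USER immuni

# Build info for monitoring purposes, exposed to the running application.
ARG GIT_BRANCH
ARG GIT_SHA
ARG GIT_TAG
ARG BUILD_DATE
ENV GIT_BRANCH=$GIT_BRANCH
ENV GIT_SHA=$GIT_SHA
ENV GIT_TAG=$GIT_TAG
ENV BUILD_DATE=$BUILD_DATE

# Relative path, resolved against WORKDIR /app.
ENTRYPOINT ["./entrypoint.sh", "beat"]
CMD []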