-
Notifications
You must be signed in to change notification settings - Fork 1
/
Dockerfile.slim
202 lines (182 loc) · 9.2 KB
/
Dockerfile.slim
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
# syntax=docker/dockerfile:1
# The syntax statement above is to make use of buildkit's build mounts for caching
# NOTE:
# This Dockerfile is used to build the `slim` tags for the `phylum-ci` images. It differs
# from the primary Dockerfile in that it does not install the required tools needed for
# lockfile generation: https://docs.phylum.io/cli/lockfile_generation (with the exception
# of the `pip` tool). The image created from this Dockerfile is significantly smaller and
# will allow the integrations relying on it to complete faster. It is useful for those
# instances where *no* manifest files are present and/or *only* lockfiles are used.
##########################################################################################
# This Dockerfile makes use of BuildKit mode, which needs to be enabled client side first:
#
# $ export DOCKER_BUILDKIT=1
#
# This Dockerfile can be used to build the project's package within the image it creates.
# To do so, simply build the image WITHOUT any build args specified (e.g., `--build-arg`):
#
# $ docker build --tag phylum-ci .
#
# This Dockerfile can also be used in CI, as part of the release pipeline.
# The goal there is to ensure that the exact Python package that was built and
# released is the one that is installed while creating this image. Prerequisites are:
#
# * The package has already been built (e.g., `poetry build -vvv`)
# * There is exactly one wheel available to reference by glob expression
#
# To make use of this feature, build the image WITH build args specified:
#
# $ export PKG_SRC=dist/phylum-*.whl
# $ export PKG_NAME=phylum-*.whl
# $ docker build --tag phylum-ci --build-arg PKG_SRC --build-arg PKG_NAME .
#
# Another build arg is exposed to optionally specify the Phylum CLI version to install:
#
# $ docker build --tag phylum-ci --build-arg CLI_VER=v4.8.0 .
#
# The PHYLUM_API_URI build arg is exposed to optionally specify the URI of a Phylum API
# instance to use:
#
# $ export PHYLUM_API_URI=https://api.staging.phylum.io
# $ docker build --tag phylum-ci --build-arg PHYLUM_API_URI .
#
# Another build arg is exposed to optionally specify a GitHub Personal Access Token (PAT):
#
# $ docker build --tag phylum-ci --build-arg GITHUB_TOKEN .
#
# Providing a build argument like this (without a value) works when there is already an
# environment variable defined with the same name. Providing a GitHub PAT is useful to
# make authenticated requests and therefore increase the API rate limit.
#
# To make use of BuildKit's inline layer caching feature, add the `BUILDKIT_INLINE_CACHE`
# build argument to any instance of building an image. Then, that image can be used
# locally or remotely (if it was pushed to a repository) to warm the build cache by using
# the `--cache-from` argument:
#
# $ docker build --tag phylumio/phylum-ci:cache --build-arg BUILDKIT_INLINE_CACHE=1 .
# $ docker push phylumio/phylum-ci:cache && docker image rm phylumio/phylum-ci:cache
# $ docker build --tag phylumio/phylum-ci:faster --cache-from phylumio/phylum-ci:cache .
#
# There is no ENTRYPOINT in this Dockerfile by design. That way, it is possible to provide
# unquoted extra parameters to run arbitrary commands in the context of the container:
#
# $ docker run --rm phylumio/phylum-ci:latest ls -alh /
#
# However, there may be cases where an entrypoint is needed. One is provided and placed in
# a directory that will be included in the final layer and also known to be part of the
# $PATH. To make use of it, add the `--entrypoint` option to a docker run command,
# specifying the `entrypoint.sh` script, providing extra parameters as a *quoted* string:
#
# $ docker run --rm --entrypoint entrypoint.sh phylumio/phylum-ci:latest "ls -alh /"
#
# Images built from this Dockerfile can be tested for basic functionality:
#
# $ docker build --tag phylum-ci .
# $ scripts/docker_tests.sh --image phylum-ci --slim
##########################################################################################
FROM python:3.12-slim-bookworm AS builder
# PKG_SRC is the path to a built distribution/wheel and PKG_NAME is the name of the built
# distribution/wheel. Both can optionally be specified in glob form. When not defined,
# the values will default to the root of the package (i.e., `pyproject.toml` path).
ARG PKG_SRC
ARG PKG_NAME
ENV APP_PATH="/app"
ENV POETRY_VENV="${APP_PATH}/.venv"
ENV POETRY_PATH="${POETRY_VENV}/bin/poetry"
ENV PHYLUM_VENV="/opt/venv"
ENV PHYLUM_VENV_PIP="${PHYLUM_VENV}/bin/pip"
ENV PIP_NO_COMPILE=1
ENV PIP_DISABLE_PIP_VERSION_CHECK=1
ENV POETRY_VERSION="1.8.4"
WORKDIR ${APP_PATH}
RUN set -eux; \
python -m venv ${PHYLUM_VENV}; \
${PHYLUM_VENV_PIP} install --no-cache-dir --upgrade pip setuptools
RUN set -eux; \
python -m venv ${POETRY_VENV}; \
${POETRY_VENV}/bin/pip install --no-cache-dir --upgrade pip setuptools; \
${POETRY_VENV}/bin/pip install --no-cache-dir poetry==${POETRY_VERSION} poetry-plugin-export
# Copy the bare minimum needed for specifying dependencies.
# This will enable better layer caching and faster builds when iterating locally.
# `--without-hashes` is used to ensure the `pip` cache mount is used for packages that
# would otherwise only match the sdist and therefore have to be built for every run.
# References:
# * https://pythonspeed.com/articles/pipenv-docker/
# * https://hub.docker.com/r/docker/dockerfile
COPY pyproject.toml poetry.lock ./
RUN ${POETRY_PATH} export --without-hashes --format requirements.txt --output requirements.txt
# Cache the pip installed dependencies for faster builds when iterating locally.
# NOTE: This `--mount` feature requires BUILDKIT to be used
RUN --mount=type=cache,id=pip,target=/root/.cache/pip \
set -eux; \
${PHYLUM_VENV_PIP} cache info; \
${PHYLUM_VENV_PIP} cache list; \
${PHYLUM_VENV_PIP} install -r requirements.txt
COPY "${PKG_SRC:-.}" .
RUN ${PHYLUM_VENV_PIP} install --no-cache-dir ${PKG_NAME:-.}
RUN find ${PHYLUM_VENV} -type f -name '*.pyc' -delete
# Place the ENTRYPOINT alternative script in a directory included
# in the final layer and also known to be part of the $PATH
COPY entrypoint.sh ${PHYLUM_VENV}/bin/
FROM python:3.12-slim-bookworm
# CLI_VER specifies the Phylum CLI version to install in the image.
# Values should be provided in a format acceptable to the `phylum-init` script.
# When not defined, the value will default to `latest`.
ARG CLI_VER
# PHYLUM_API_URI is an optional build argument that can be used to specify
# the URI of a Phylum API instance to use.
ARG PHYLUM_API_URI
# GITHUB_TOKEN is an optional build argument that can be used to provide a
# GitHub Personal Access Token (PAT) in order to make authenticated requests
# and therefore increase the API rate limit.
ARG GITHUB_TOKEN
LABEL maintainer="Phylum, Inc. <[email protected]>"
LABEL org.opencontainers.image.source="https://github.com/phylum-dev/phylum-ci"
ENV PHYLUM_VENV="/opt/venv"
ENV PATH=${PHYLUM_VENV}/bin:$PATH
ENV PYTHONDONTWRITEBYTECODE=1
# Some tools get installed and used based on a home directory. This can cause trouble
# when using a container started from this image with a UID:GID that does not map to
# a user/group account in the container. Examples include:
#
# * The installation directory is `/root` and the container user has no access
# * The tool relies on the existence of a $HOME directory, which may not be true
# * https://medium.com/redbubble/running-a-docker-container-as-a-non-root-user-7d2e00f8ee15
#
# The following tools are susceptible to this issue and therefore have been provided
# with explicit install/home directories that allow them to be globally accessible.
#
# Specify a common, globally accessible directory to use instead of $HOME
ENV INSTALL_DIR="/usr/local"
# Phylum, pip, and any other tool that supports the XDG spec
# Ref: https://specifications.freedesktop.org/basedir-spec/basedir-spec-latest.html
ENV XDG_DATA_HOME="${INSTALL_DIR}/share"
ENV XDG_CONFIG_HOME="${INSTALL_DIR}/.config"
ENV XDG_STATE_HOME="${INSTALL_DIR}/state"
ENV XDG_CACHE_HOME="${INSTALL_DIR}/.cache"
# Copy only Python packages to limit the image size. This includes the
# `phylum` package with it's `phylum-ci` and `phylum-init` entry points.
COPY --from=builder ${PHYLUM_VENV} ${PHYLUM_VENV}
RUN set -eux; \
# Install prerequisites
apt-get update; \
apt-get upgrade --yes; \
apt-get install --yes --no-install-recommends git git-lfs procps binutils; \
# Make ENTRYPOINT alternative script available
chmod +x "${PHYLUM_VENV}/bin/entrypoint.sh"; \
# Install Phylum CLI
phylum-init -vvv --phylum-release "${CLI_VER:-latest}" --global-install; \
strip "$(which phylum)"; \
# Create a git config file in a location accessible for $HOME-less users
# Ref: https://git-scm.com/docs/git-config#FILES
mkdir -vp "${XDG_CONFIG_HOME}/git" && touch "${XDG_CONFIG_HOME}/git/config"; \
# Ensure the XDG directories have permissions for non-root users
mkdir -vp "${XDG_DATA_HOME}" "${XDG_CONFIG_HOME}" "${XDG_STATE_HOME}" "${XDG_CACHE_HOME}"; \
chmod -vR 777 "${XDG_DATA_HOME}" "${XDG_CONFIG_HOME}" "${XDG_STATE_HOME}" "${XDG_CACHE_HOME}"; \
# Cleanup
apt-get remove --yes --auto-remove binutils; \
apt-get purge --yes --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \
rm -rf /var/lib/apt/lists/*; \
rm -rf /tmp/*; \
find / -type f -name '*.pyc' -delete;
CMD ["phylum-ci"]