From e5ceae31e25587c8069bf72eb8f8f0f20c02dae6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jiri=20Dan=C4=9Bk?=
Date: Wed, 24 Jul 2024 13:07:15 +0200
Subject: [PATCH 01/13] feat(Dockerfiles): switch from s2i python images to plain ubi/cs9 ones

The main benefit is size and cve exposure, as the python images come with packages we don't use; python and pip is enough for us. Additionally, using plain ubi makes things more explicit.
---
 base/ubi9-python-3.11/Dockerfile | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/base/ubi9-python-3.11/Dockerfile b/base/ubi9-python-3.11/Dockerfile
index e6f327a52..a44387fbf 100644
--- a/base/ubi9-python-3.11/Dockerfile
+++ b/base/ubi9-python-3.11/Dockerfile
@@ -1,4 +1,15 @@
-FROM registry.access.redhat.com/ubi9/python-311:latest
+FROM registry.access.redhat.com/ubi9/ubi:latest
+
+# perform the setup that python s2i image used to do for us
+# but this way it uses a lot less disk space (hundreds of megabytes less)
+ENV VIRTUAL_ENV="/opt/app-root"
+ENV PATH="${VIRTUAL_ENV}/bin:${PATH}"
+RUN useradd --uid 1001 --gid 0 --create-home --base-dir / --home-dir /opt/app-root/src \
+    --comment "Default Application User" --shell /bin/bash default && \
+    dnf install -y python311-pip && dnf clean all && rm -rf /var/cache/yum/* && \
+    python3.11 -m venv "${VIRTUAL_ENV}"
+
+USER 1001
 
 ARG SOURCE_CODE=base/ubi9-python-3.11
 
@@ -20,7 +31,7 @@ RUN pip install --no-cache-dir -U "micropipenv[toml]"
 
 # Install Python dependencies from Pipfile.lock file
 COPY ${SOURCE_CODE}/Pipfile.lock ./
-RUN echo "Installing softwares and packages" && micropipenv install && rm -f ./Pipfile.lock
+RUN echo "Installing software and packages" && micropipenv install && rm -f ./Pipfile.lock
 
 # OS Packages needs to be installed as root
 USER root

From 7e638193ad08ea1f1927b49ce411625760566d3c Mon Sep 17 00:00:00 2001
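Review bot: `FROM registry.access.redhat.com/ubi9/ubi:latest` carries the floating tag over from the replaced line, so two builds of this Dockerfile can resolve to different base images and the CVE-exposure gain the commit message describes cannot be reproduced or audited against a fixed input. Pinning to a versioned tag plus digest, `FROM registry.access.redhat.com/ubi9/ubi:<version>@sha256:<digest>` (values taken from the registry at pin time), keeps the build reproducible and lets the scanner report apply to the image that was actually shipped. The same point applies to `COPY --from=quay.io/sclorg/s2i-core-c9s:latest` introduced in patch 04 and extended in patch 07, which pulls executables from an unpinned third-party image into `/usr/bin/` of the final image, and to `FROM quay.io/centos/centos:stream9` in patch 10; I am not repeating it at those hunks. `dnf install -y python311-pip` is likewise unpinned, which is tolerable for a rolling notebook image but deserves a one-line comment saying the interpreter version follows the base image's repositories.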
From: =?UTF-8?q?Jiri=20Dan=C4=9Bk?=
Date: Wed, 24 Jul 2024 13:12:30 +0200
Subject: [PATCH 02/13] fixup, setup venv running as 1001

---
 base/ubi9-python-3.11/Dockerfile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/base/ubi9-python-3.11/Dockerfile b/base/ubi9-python-3.11/Dockerfile
index a44387fbf..00b99e55a 100644
--- a/base/ubi9-python-3.11/Dockerfile
+++ b/base/ubi9-python-3.11/Dockerfile
@@ -10,6 +10,7 @@ RUN useradd --uid 1001 --gid 0 --create-home --base-dir / --home-dir /opt/app-ro
     python3.11 -m venv "${VIRTUAL_ENV}"
 
 USER 1001
+RUN python3.8 -m venv "${VIRTUAL_ENV}"
 
 ARG SOURCE_CODE=base/ubi9-python-3.11
 
From 487905c1e18d85ae61c18bddf4f341811dd2b32e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jiri=20Dan=C4=9Bk?=
Date: Wed, 24 Jul 2024 13:23:59 +0200
Subject: [PATCH 03/13] fixup, mkdir home directory first

---
 base/ubi9-python-3.11/Dockerfile | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/base/ubi9-python-3.11/Dockerfile b/base/ubi9-python-3.11/Dockerfile
index 00b99e55a..7f9a3df97 100644
--- a/base/ubi9-python-3.11/Dockerfile
+++ b/base/ubi9-python-3.11/Dockerfile
@@ -4,7 +4,8 @@ FROM registry.access.redhat.com/ubi9/ubi:latest
 # but this way it uses a lot less disk space (hundreds of megabytes less)
 ENV VIRTUAL_ENV="/opt/app-root"
 ENV PATH="${VIRTUAL_ENV}/bin:${PATH}"
-RUN useradd --uid 1001 --gid 0 --create-home --base-dir / --home-dir /opt/app-root/src \
+RUN mkdir --parents --mode 0771 "${VIRTUAL_ENV}/src" && chown --recursive 1001:0 ${VIRTUAL_ENV} && \
+    useradd --uid 1001 --gid 0 --home-dir "${VIRTUAL_ENV}/src" \
     --comment "Default Application User" --shell /bin/bash default && \
     dnf install -y python311-pip && dnf clean all && rm -rf /var/cache/yum/* && \
     python3.11 -m venv "${VIRTUAL_ENV}"
From 4f8370cb9b3487bab7af1407aa27a1934e71532a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jiri=20Dan=C4=9Bk?=
Date: Wed, 24 Jul 2024 13:35:09 +0200
Subject: [PATCH 04/13] fixup, fetch fix-permissions script

---
 base/ubi9-python-3.11/Dockerfile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/base/ubi9-python-3.11/Dockerfile b/base/ubi9-python-3.11/Dockerfile
index 7f9a3df97..8fe7dea82 100644
--- a/base/ubi9-python-3.11/Dockerfile
+++ b/base/ubi9-python-3.11/Dockerfile
@@ -8,10 +8,10 @@ RUN mkdir --parents --mode 0771 "${VIRTUAL_ENV}/src" && chown --recursive 1001:0
     useradd --uid 1001 --gid 0 --home-dir "${VIRTUAL_ENV}/src" \
     --comment "Default Application User" --shell /bin/bash default && \
     dnf install -y python311-pip && dnf clean all && rm -rf /var/cache/yum/* && \
-    python3.11 -m venv "${VIRTUAL_ENV}"
+COPY --from=quay.io/sclorg/s2i-core-c9s:latest /usr/bin/fix-permissions /usr/bin/fix-permissions
 
 USER 1001
-RUN python3.8 -m venv "${VIRTUAL_ENV}"
+RUN python3.11 -m venv "${VIRTUAL_ENV}"
 
 ARG SOURCE_CODE=base/ubi9-python-3.11
 
From e8bc0c3abab9fa3944f80c3e1475594642c47030 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jiri=20Dan=C4=9Bk?=
Date: Wed, 24 Jul 2024 13:46:53 +0200
Subject: [PATCH 05/13] fixup, set APP_ROOT env variable

---
 base/ubi9-python-3.11/Dockerfile | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/base/ubi9-python-3.11/Dockerfile b/base/ubi9-python-3.11/Dockerfile
index 8fe7dea82..781a1d18b 100644
--- a/base/ubi9-python-3.11/Dockerfile
+++ b/base/ubi9-python-3.11/Dockerfile
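Review bot: Deleting the `python3.11 -m venv` line leaves `dnf install ... && rm -rf /var/cache/yum/* && \` as the last line of the RUN, and the trailing backslash makes the Dockerfile parser continue that instruction onto the `COPY --from=...` line, so the shell receives `COPY` as a command and the build fails instead of copying `fix-permissions` at all. Patch 11 ("fixup extra slash") later removes the `&& \`; folding that one-line fix into this commit keeps every step of the series buildable, which matters if the history is bisected. The enclosing RUN starts before the hunk, so the full command is not visible here.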
@@ -2,10 +2,11 @@ FROM registry.access.redhat.com/ubi9/ubi:latest
 
 # perform the setup that python s2i image used to do for us
 # but this way it uses a lot less disk space (hundreds of megabytes less)
-ENV VIRTUAL_ENV="/opt/app-root"
+ENV APP_ROOT="/opt/app-root"
+ENV VIRTUAL_ENV="${APP_ROOT}"
 ENV PATH="${VIRTUAL_ENV}/bin:${PATH}"
-RUN mkdir --parents --mode 0771 "${VIRTUAL_ENV}/src" && chown --recursive 1001:0 ${VIRTUAL_ENV} && \
-    useradd --uid 1001 --gid 0 --home-dir "${VIRTUAL_ENV}/src" \
+RUN mkdir --parents --mode 0771 "${APP_ROOT}/src" && chown --recursive 1001:0 ${APP_ROOT} && \
+    useradd --uid 1001 --gid 0 --no-create-home --home-dir "${APP_ROOT}/src" \
     --comment "Default Application User" --shell /bin/bash default && \
     dnf install -y python311-pip && dnf clean all && rm -rf /var/cache/yum/* && \
 COPY --from=quay.io/sclorg/s2i-core-c9s:latest /usr/bin/fix-permissions /usr/bin/fix-permissions
From e86437f822984cd58a6b1a9eb5727ce8d3f22190 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jiri=20Dan=C4=9Bk?=
Date: Wed, 24 Jul 2024 13:59:05 +0200
Subject: [PATCH 06/13] fixup, set more s2i env variables

---
 base/ubi9-python-3.11/Dockerfile | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/base/ubi9-python-3.11/Dockerfile b/base/ubi9-python-3.11/Dockerfile
index 781a1d18b..ce0f342f5 100644
--- a/base/ubi9-python-3.11/Dockerfile
+++ b/base/ubi9-python-3.11/Dockerfile
@@ -5,14 +5,16 @@ FROM registry.access.redhat.com/ubi9/ubi:latest
 ENV APP_ROOT="/opt/app-root"
 ENV VIRTUAL_ENV="${APP_ROOT}"
 ENV PATH="${VIRTUAL_ENV}/bin:${PATH}"
-RUN mkdir --parents --mode 0771 "${APP_ROOT}/src" && chown --recursive 1001:0 ${APP_ROOT} && \
+ENV PYTHON_VERSION=3.11
+ENV PIP_NO_CACHE_DIR=off
+RUN mkdir --parents "${APP_ROOT}/src" && chmod --recursive 0771 ${APP_ROOT} && chown --recursive 1001:0 ${APP_ROOT} && \
     useradd --uid 1001 --gid 0 --no-create-home --home-dir "${APP_ROOT}/src" \
     --comment "Default Application User" --shell /bin/bash default && \
     dnf install -y python311-pip && dnf clean all && rm -rf /var/cache/yum/* && \
 COPY --from=quay.io/sclorg/s2i-core-c9s:latest /usr/bin/fix-permissions /usr/bin/fix-permissions
 
 USER 1001
-RUN python3.11 -m venv "${VIRTUAL_ENV}"
+RUN python${PYTHON_VERSION} -m venv "${VIRTUAL_ENV}"
 
 ARG SOURCE_CODE=base/ubi9-python-3.11
 
@@ -52,7 +54,7 @@ RUN curl -L https://mirror.openshift.com/pub/openshift-v4/$(uname -m)/clients/oc
     rm -f /tmp/openshift-client-linux.tar.gz
 
 # Fix permissions to support pip in Openshift environments
-RUN chmod -R g+w /opt/app-root/lib/python3.11/site-packages && \
+RUN chmod -R g+w /opt/app-root/lib/python${PYTHON_VERSION}/site-packages && \
     fix-permissions /opt/app-root -P
 
 WORKDIR /opt/app-root/src
From 0068c6481235a55c618e9e4969131fff45a79212 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jiri=20Dan=C4=9Bk?=
Date: Wed, 24 Jul 2024 15:18:09 +0200
Subject: [PATCH 07/13] fixup, copy in /usr/bin/rpm-file-permissions from s2i

---
 base/ubi9-python-3.11/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/base/ubi9-python-3.11/Dockerfile b/base/ubi9-python-3.11/Dockerfile
index ce0f342f5..3a38ef59b 100644
--- a/base/ubi9-python-3.11/Dockerfile
+++ b/base/ubi9-python-3.11/Dockerfile
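Review bot: `ENV PIP_NO_CACHE_DIR=off` reads as though it re-enables pip's cache, but pip treats any recognised boolean string in this variable, `off` included, as a request to disable the cache (the lenient parsing exists precisely for this s2i convention), so the line does what the surrounding `--no-cache-dir` usage intends and is easy for a later reader to "correct" into the opposite. A comment on that line, `# any value here, even "off", disables pip's cache; kept for s2i compatibility`, removes the ambiguity. On the new RUN line, `chmod --recursive 0771 ${APP_ROOT}` and `chown --recursive 1001:0 ${APP_ROOT}` leave the variable unquoted while the `mkdir` argument on the same line is quoted; harmless for this fixed path, but `"${APP_ROOT}"` in all three places keeps the line consistent.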
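Review bot: `chmod -R g+w /opt/app-root/lib/python${PYTHON_VERSION}/site-packages` parameterises the interpreter version but still hardcodes `/opt/app-root`, which this same commit now exposes as `${APP_ROOT}` in the first hunk; `chmod -R g+w "${APP_ROOT}/lib/python${PYTHON_VERSION}/site-packages" && \` followed by `fix-permissions "${APP_ROOT}" -P` keeps the two halves of the file from drifting if the root ever moves. Whether this RUN executes as root or as 1001 is not visible in the hunk (the last USER before it lies outside), which is worth confirming since fix-permissions is the copied-in binary from the s2i image.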
@@ -11,7 +11,7 @@ RUN mkdir --parents "${APP_ROOT}/src" && chmod --recursive 0771 ${APP_ROOT} && c
     useradd --uid 1001 --gid 0 --no-create-home --home-dir "${APP_ROOT}/src" \
     --comment "Default Application User" --shell /bin/bash default && \
     dnf install -y python311-pip && dnf clean all && rm -rf /var/cache/yum/* && \
-COPY --from=quay.io/sclorg/s2i-core-c9s:latest /usr/bin/fix-permissions /usr/bin/fix-permissions
+COPY --from=quay.io/sclorg/s2i-core-c9s:latest /usr/bin/fix-permissions /usr/bin/rpm-file-permissions /usr/bin/
 
 USER 1001
 RUN python${PYTHON_VERSION} -m venv "${VIRTUAL_ENV}"
From f7eccada239c8f5ac184f464478843f56458b92d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jiri=20Dan=C4=9Bk?=
Date: Wed, 24 Jul 2024 15:30:59 +0200
Subject: [PATCH 08/13] fixup, vscode extensions get installed into HOME

---
 base/ubi9-python-3.11/Dockerfile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/base/ubi9-python-3.11/Dockerfile b/base/ubi9-python-3.11/Dockerfile
index 3a38ef59b..4b9ed7f24 100644
--- a/base/ubi9-python-3.11/Dockerfile
+++ b/base/ubi9-python-3.11/Dockerfile
@@ -3,6 +3,7 @@ FROM registry.access.redhat.com/ubi9/ubi:latest
 # perform the setup that python s2i image used to do for us
 # but this way it uses a lot less disk space (hundreds of megabytes less)
 ENV APP_ROOT="/opt/app-root"
+ENV HOME="${APP_ROOT}"
 ENV VIRTUAL_ENV="${APP_ROOT}"
 ENV PATH="${VIRTUAL_ENV}/bin:${PATH}"
 ENV PYTHON_VERSION=3.11
From 99da98b1c72bd4bc4e29b4495698ca713a6dba28 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jiri=20Dan=C4=9Bk?=
Date: Wed, 24 Jul 2024 15:38:27 +0200
Subject: [PATCH 09/13] fixup, set the HOME env variable correctly this time

---
 base/ubi9-python-3.11/Dockerfile | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/base/ubi9-python-3.11/Dockerfile b/base/ubi9-python-3.11/Dockerfile
index 4b9ed7f24..c375a1a56 100644
--- a/base/ubi9-python-3.11/Dockerfile
+++ b/base/ubi9-python-3.11/Dockerfile
@@ -3,13 +3,13 @@ FROM registry.access.redhat.com/ubi9/ubi:latest
 # perform the setup that python s2i image used to do for us
 # but this way it uses a lot less disk space (hundreds of megabytes less)
 ENV APP_ROOT="/opt/app-root"
-ENV HOME="${APP_ROOT}"
+ENV HOME="${APP_ROOT}/src"
 ENV VIRTUAL_ENV="${APP_ROOT}"
 ENV PATH="${VIRTUAL_ENV}/bin:${PATH}"
 ENV PYTHON_VERSION=3.11
 ENV PIP_NO_CACHE_DIR=off
-RUN mkdir --parents "${APP_ROOT}/src" && chmod --recursive 0771 ${APP_ROOT} && chown --recursive 1001:0 ${APP_ROOT} && \
-    useradd --uid 1001 --gid 0 --no-create-home --home-dir "${APP_ROOT}/src" \
+RUN mkdir --parents "${HOME}" && chmod --recursive 0771 ${APP_ROOT} && chown --recursive 1001:0 ${APP_ROOT} && \
+    useradd --uid 1001 --gid 0 --no-create-home --home-dir "${HOME}" \
     --comment "Default Application User" --shell /bin/bash default && \
     dnf install -y python311-pip && dnf clean all && rm -rf /var/cache/yum/* && \
 COPY --from=quay.io/sclorg/s2i-core-c9s:latest /usr/bin/fix-permissions /usr/bin/rpm-file-permissions /usr/bin/
From 10f72a9d2a493ff7e1865095f97eb33c38de5e33 Mon Sep 17 00:00:00 2001
From: Jiri Danek
Date: Fri, 4 Oct 2024 09:31:52 +0200
Subject: [PATCH 10/13] fixups for python 3.11 when it got added

---
 base/c9s-python-3.11/Dockerfile  | 19 ++++++++++++++++++-
 base/ubi9-python-3.11/Dockerfile |  2 +-
 2 files changed, 19 insertions(+), 2 deletions(-)

diff --git a/base/c9s-python-3.11/Dockerfile b/base/c9s-python-3.11/Dockerfile
index 05a9363bd..976b9fd3c 100644
--- a/base/c9s-python-3.11/Dockerfile
+++ b/base/c9s-python-3.11/Dockerfile
@@ -1,4 +1,21 @@
-FROM quay.io/sclorg/python-311-c9s:c9s
+FROM quay.io/centos/centos:stream9
+
+# perform the setup that python image used to do for us
+# but this way it uses a lot less disk space (hundreds of megabytes less)
+ENV APP_ROOT="/opt/app-root"
+ENV HOME="${APP_ROOT}/src"
+ENV VIRTUAL_ENV="${APP_ROOT}"
+ENV PATH="${VIRTUAL_ENV}/bin:${PATH}"
+ENV PYTHON_VERSION=3.11
+ENV PIP_NO_CACHE_DIR=off
+RUN mkdir --parents "${HOME}" && chmod --recursive 0771 ${APP_ROOT} && chown --recursive 1001:0 ${APP_ROOT} && \
+    useradd --uid 1001 --gid 0 --no-create-home --home-dir "${HOME}" \
+    --comment "Default Application User" --shell /bin/bash default && \
+    dnf install -y python${PYTHON_VERSION}-pip && dnf clean all && rm -rf /var/cache/yum/*
+COPY --from=quay.io/sclorg/s2i-core-c9s:latest /usr/bin/fix-permissions /usr/bin/rpm-file-permissions /usr/bin/
+
+USER 1001
+RUN python${PYTHON_VERSION} -m venv "${VIRTUAL_ENV}"
 
 ARG SOURCE_CODE=base/c9s-python-3.11
 
diff --git a/base/ubi9-python-3.11/Dockerfile b/base/ubi9-python-3.11/Dockerfile
index c375a1a56..fa77c597d 100644
--- a/base/ubi9-python-3.11/Dockerfile
+++ b/base/ubi9-python-3.11/Dockerfile
@@ -11,7 +11,7 @@ ENV PIP_NO_CACHE_DIR=off
 RUN mkdir --parents "${HOME}" && chmod --recursive 0771 ${APP_ROOT} && chown --recursive 1001:0 ${APP_ROOT} && \
     useradd --uid 1001 --gid 0 --no-create-home --home-dir "${HOME}" \
     --comment "Default Application User" --shell /bin/bash default && \
-    dnf install -y python311-pip && dnf clean all && rm -rf /var/cache/yum/* && \
+    dnf install -y python${PYTHON_VERSION}-pip && dnf clean all && rm -rf /var/cache/yum/* && \
 COPY --from=quay.io/sclorg/s2i-core-c9s:latest /usr/bin/fix-permissions /usr/bin/rpm-file-permissions /usr/bin/
 
 USER 1001
From 8f19ff876ba655184ad7fd2bf5008d2c8f5afd2a Mon Sep 17 00:00:00 2001
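Review bot: The eighteen-line preamble added to base/c9s-python-3.11/Dockerfile is a near-verbatim copy of the one in base/ubi9-python-3.11/Dockerfile, and the two already diverge in this very commit: the c9s RUN correctly ends at `rm -rf /var/cache/yum/*` while the ubi9 copy in the second hunk still ends with `&& \` and swallows the following COPY (patch 11 fixes only that file), and the header comment says "python image" here but "python s2i image" there. Since both files must be edited in lock-step for every change to the user, venv or `fix-permissions` setup, a comment at the top of each, `# keep this bootstrap block in sync with base/<other>-python-3.11/Dockerfile`, gives the next editor the cue; a shared stage or build arg would be the longer-term fix. `chmod --recursive 0771 ${APP_ROOT}` and `chown --recursive 1001:0 ${APP_ROOT}` also leave the variable unquoted, as in the ubi9 file, and would read more consistently as `"${APP_ROOT}"`.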
From: Jiri Danek
Date: Fri, 4 Oct 2024 09:48:31 +0200
Subject: [PATCH 11/13] fixup extra slash

---
 base/ubi9-python-3.11/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/base/ubi9-python-3.11/Dockerfile b/base/ubi9-python-3.11/Dockerfile
index fa77c597d..b02cf38f4 100644
--- a/base/ubi9-python-3.11/Dockerfile
+++ b/base/ubi9-python-3.11/Dockerfile
@@ -11,7 +11,7 @@ ENV PIP_NO_CACHE_DIR=off
 RUN mkdir --parents "${HOME}" && chmod --recursive 0771 ${APP_ROOT} && chown --recursive 1001:0 ${APP_ROOT} && \
     useradd --uid 1001 --gid 0 --no-create-home --home-dir "${HOME}" \
     --comment "Default Application User" --shell /bin/bash default && \
-    dnf install -y python${PYTHON_VERSION}-pip && dnf clean all && rm -rf /var/cache/yum/* && \
+    dnf install -y python${PYTHON_VERSION}-pip && dnf clean all && rm -rf /var/cache/yum/*
 COPY --from=quay.io/sclorg/s2i-core-c9s:latest /usr/bin/fix-permissions /usr/bin/rpm-file-permissions /usr/bin/
 
 USER 1001
From 6386ef1ca75789ded18236c162e251008df1503d Mon Sep 17 00:00:00 2001
From: Jiri Danek
Date: Fri, 4 Oct 2024 09:58:32 +0200
Subject: [PATCH 12/13] fixup install extra packages on c9s py.11 (that we already have on py3.9)

---
 base/c9s-python-3.11/Dockerfile | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/base/c9s-python-3.11/Dockerfile b/base/c9s-python-3.11/Dockerfile
index 976b9fd3c..ead683375 100644
--- a/base/c9s-python-3.11/Dockerfile
+++ b/base/c9s-python-3.11/Dockerfile
@@ -41,7 +41,11 @@ COPY ${SOURCE_CODE}/Pipfile.lock ./
 USER root
 
 # Install usefull OS packages
-RUN dnf install -y mesa-libGL && dnf clean all && rm -rf /var/cache/yum
+RUN dnf install -y \
+    mesa-libGL \
+    patch \
+    wget \
+    && dnf clean all && rm -rf /var/cache/yum
 
 # Other apps and tools installed as default user
 USER 1001
From db683dd927008e0d15cdf8ab2996d9c168444e12 Mon Sep 17 00:00:00 2001
From: Jiri Danek
Date: Fri, 4 Oct 2024 09:59:10 +0200
Subject: [PATCH 13/13] fixup install extra packages on ubi9 py.11 (that we already have on py3.9)

---
 base/ubi9-python-3.11/Dockerfile | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/base/ubi9-python-3.11/Dockerfile b/base/ubi9-python-3.11/Dockerfile
index b02cf38f4..e45cf0f57 100644
--- a/base/ubi9-python-3.11/Dockerfile
+++ b/base/ubi9-python-3.11/Dockerfile
@@ -43,7 +43,11 @@ RUN echo "Installing software and packages" && micropipenv install && rm -f ./Pi
 USER root
 
 # Install usefull OS packages
-RUN dnf install -y mesa-libGL && dnf clean all && rm -rf /var/cache/yum
+RUN dnf install -y \
+    mesa-libGL \
+    patch \
+    wget \
+    && dnf clean all && rm -rf /var/cache/yum
 
 # Other apps and tools installed as default user
 USER 1001