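# syntax=docker/dockerfile:1
#
# Two-stage build. `builder` compiles librdkafka and installs this Python
# package into a venv; `runner` starts from a fresh base, copies in only the
# venv, librdkafka.so.1 and the two container scripts, and runs as the
# unprivileged `jaws` user.
#
# Build-time knobs (override with --build-arg):
#   BUILD_IMAGE / RUN_IMAGE  base images for the two stages. Pin by digest
#                            (image:tag@sha256:...) for reproducible builds;
#                            python 3.9 / alpine 3.18 are at or past end of
#                            life, so check support status and plan a bump.
#   VIRTUAL_ENV              venv path; must be the same in both stages because
#                            the venv's absolute paths are copied verbatim.
#   LIBRD_VER                librdkafka release tag built from source.
#   LIBRD_SHA256             optional sha256 of the librdkafka source tarball.
#                            When non-empty the download is verified; when empty
#                            the build only warns.
#   CUSTOM_CRT_URL           optional CA certificate added to the system trust
#                            store of BOTH stages (empty string disables). The
#                            default is plain http://, so the fetch itself is
#                            not authenticated; pin it with CUSTOM_CRT_SHA256.
#   CUSTOM_CRT_SHA256        optional sha256 of the fetched CA certificate.
#                            When non-empty the download is verified before it
#                            is trusted; when empty the build only warns.
ARG BUILD_IMAGE=python:3.9-alpine3.18
ARG RUN_IMAGE=python:3.9-alpine3.18
ARG VIRTUAL_ENV=/opt/venv
ARG LIBRD_VER=2.3.0
ARG LIBRD_SHA256=""
ARG CUSTOM_CRT_URL=http://pki.jlab.org/JLabCA.crt
ARG CUSTOM_CRT_SHA256=""
################## Stage 0
FROM ${BUILD_IMAGE} AS builder
ARG VIRTUAL_ENV
ARG LIBRD_VER
ARG LIBRD_SHA256
ARG CUSTOM_CRT_URL
ARG CUSTOM_CRT_SHA256
## Toolchain for librdkafka and for any C extensions pip has to compile on musl.
## Lives in this stage only; the runner copies artifacts, not packages.
## NOTE(review): `openssl` is the CLI, not the headers. librdkafka's SSL/SASL_SSL
## support needs openssl-dev at configure time — confirm the built library
## reports WITH_SSL if TLS brokers are used.
ARG BUILD_DEPS="bash g++ gcc libc-dev linux-headers make musl-dev openssl pkgconfig zlib-dev zstd-dev"
USER root
WORKDIR /build
## The JLab intercepting proxy still performs legacy (pre-RFC 5746) TLS
## renegotiation, which OpenSSL 3 refuses by default, so onsite builds fail
## without this. It weakens TLS for every OpenSSL consumer in this stage; that is
## tolerable only because nothing from this stage's /etc is copied to the runner.
## If openssl.cnf has no `providers = provider_sect` line (different base image)
## the sed is a silent no-op and the next fetch fails onsite — check there first.
RUN sed -i 's/providers = provider_sect/providers = provider_sect\n\
ssl_conf = ssl_sect\n\
\n\
[ssl_sect]\n\
system_default = system_default_sect\n\
\n\
[system_default_sect]\n\
Options = UnsafeLegacyRenegotiation/' /etc/ssl/openssl.cnf
## Install the site CA. The default URL is http://, so anyone on the network path
## could substitute a CA that this image — and everything built with it — would
## then trust. The sha256 check closes that hole whenever CUSTOM_CRT_SHA256 is set.
RUN if [ -z "${CUSTOM_CRT_URL}" ] ; then echo "No custom cert needed"; else \
      wget -O /usr/local/share/ca-certificates/customcert.crt "${CUSTOM_CRT_URL}" \
      && if [ -n "${CUSTOM_CRT_SHA256}" ]; then \
           echo "${CUSTOM_CRT_SHA256}  /usr/local/share/ca-certificates/customcert.crt" | sha256sum -c - ; \
         else echo "WARNING: CUSTOM_CRT_SHA256 unset, installing unverified CA certificate" >&2; fi \
      && update-ca-certificates \
    ; fi
## Build librdkafka from source. The tarball comes through the same proxy with
## the weakened TLS settings above, so verify it when LIBRD_SHA256 is given.
RUN apk add --no-cache $BUILD_DEPS \
    && wget "https://github.com/confluentinc/librdkafka/archive/refs/tags/v${LIBRD_VER}.tar.gz" \
    && if [ -n "${LIBRD_SHA256}" ]; then \
         echo "${LIBRD_SHA256}  v${LIBRD_VER}.tar.gz" | sha256sum -c - ; \
       else echo "WARNING: LIBRD_SHA256 unset, librdkafka tarball not verified" >&2; fi \
    && tar -xf "v${LIBRD_VER}.tar.gz" \
    && cd "librdkafka-${LIBRD_VER}" \
    && ./configure --prefix /usr \
    && make \
    && make install
ENV PATH="$VIRTUAL_ENV/bin:$PATH"
## Whole build context. Keep a .dockerignore so .git, local venvs and secret
## files never land in this layer (it is cached in the builder image).
COPY . /app
## `pip install .` re-uses a stale local build/ dir if one is in the context,
## so it is removed first to avoid contamination.
RUN cd /app \
    && python -m venv $VIRTUAL_ENV \
    && rm -rf build \
    && pip install --no-cache-dir .
################## Stage 1
FROM ${RUN_IMAGE} AS runner
ARG VIRTUAL_ENV
ARG LIBRD_VER
ARG CUSTOM_CRT_URL
ARG CUSTOM_CRT_SHA256
## `shadow` supplies useradd and is kept because the entrypoint script (not
## visible here) may rely on it; busybox adduser would otherwise suffice.
## NOTE(review): curl, git and bash enlarge the runtime attack surface —
## confirm the entrypoint/healthcheck scripts actually need each of them.
ARG RUN_DEPS="bash curl git shadow zstd-libs"
## Same proxy workaround as the builder, but confined to this one RUN: the
## stock openssl.cnf is saved first and restored at the end, so the final image
## does NOT ship with UnsafeLegacyRenegotiation enabled for the application's
## own TLS connections. The site CA, if installed, stays trusted. If the running
## service itself must traverse the legacy proxy, point OPENSSL_CONF at a
## dedicated config at runtime instead of baking the weakening into the image.
RUN cp /etc/ssl/openssl.cnf /etc/ssl/openssl.cnf.dist \
    && sed -i 's/providers = provider_sect/providers = provider_sect\n\
ssl_conf = ssl_sect\n\
\n\
[ssl_sect]\n\
system_default = system_default_sect\n\
\n\
[system_default_sect]\n\
Options = UnsafeLegacyRenegotiation/' /etc/ssl/openssl.cnf \
    && if [ -z "${CUSTOM_CRT_URL}" ] ; then echo "No custom cert needed"; else \
         wget -O /usr/local/share/ca-certificates/customcert.crt "${CUSTOM_CRT_URL}" \
         && if [ -n "${CUSTOM_CRT_SHA256}" ]; then \
              echo "${CUSTOM_CRT_SHA256}  /usr/local/share/ca-certificates/customcert.crt" | sha256sum -c - ; \
            else echo "WARNING: CUSTOM_CRT_SHA256 unset, installing unverified CA certificate" >&2; fi \
         && update-ca-certificates \
       ; fi \
    && apk add --no-cache $RUN_DEPS \
    && useradd jaws \
    && mkdir /home/jaws \
    && chown jaws:jaws /home/jaws \
    && mv /etc/ssl/openssl.cnf.dist /etc/ssl/openssl.cnf
COPY --from=builder $VIRTUAL_ENV $VIRTUAL_ENV
## Only the shared object the Python client loads; headers, static libs and
## the toolchain stay behind in the builder.
COPY --from=builder /usr/lib/librdkafka.so.1 /usr/lib
ENV TZ=UTC
ENV PATH="$VIRTUAL_ENV/bin:$PATH"
ENV PS1="\W \$ "
COPY --from=builder /app/container/app/container-entrypoint.sh /container-entrypoint.sh
COPY --from=builder /app/container/app/container-healthcheck.sh /container-healthcheck.sh
ENTRYPOINT ["/container-entrypoint.sh"]
## Drop privileges before the entrypoint runs; everything above needed root.
## NOTE(review): `useradd jaws` takes the next free UID. Runtimes that enforce
## runAsNonRoot by numeric UID, or volumes shared with the host, may need an
## explicit `useradd -u <uid>`.
USER jaws
## Exec form so the probe runs directly rather than via `sh -c`.
HEALTHCHECK --interval=30s --timeout=10s --start-period=30s --start-interval=5s --retries=5 \
    CMD ["/container-healthcheck.sh"]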