Use multistage build for gateway #1506
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,37 +1,61 @@ | ||
| ARG MICRO_IMAGE_DIR=/ubi-micro-img | ||
|
|
||
| # BASE image using UBI 9 micro where the | ||
| # application and requirements will be installed | ||
| FROM registry.access.redhat.com/ubi9-micro:9.4-15 AS BASE | ||
|
|
||
| # BUILD image using UBI 9 where the dependencies that | ||
| # require installing with a package manager will be installed | ||
| FROM registry.access.redhat.com/ubi9:9.4-1214.1726694543 AS BUILD | ||
| ARG MICRO_IMAGE_DIR | ||
|
|
||
| # Copy the BASE image into the BUILD image | ||
| RUN mkdir ${MICRO_IMAGE_DIR} | ||
| COPY --from=BASE / ${MICRO_IMAGE_DIR} | ||
|
|
||
| # Install Python inside the BASE image | ||
| # hadolint ignore=DL3041 | ||
| RUN dnf install --installroot ${MICRO_IMAGE_DIR} --nodocs -y \ | ||
| python3.11-3.11.7 \ | ||
| python3.11-devel-3.11.7 \ | ||
| libstdc++ &&\ | ||
| dnf upgrade --installroot ${MICRO_IMAGE_DIR} --nodocs -y && \ | ||
| dnf clean all --installroot ${MICRO_IMAGE_DIR} | ||
|
|
||
| # APP image from `scratch` which will be the final image | ||
| # and remaining application requirements will be installed | ||
| FROM scratch AS APP | ||
| ARG MICRO_IMAGE_DIR | ||
| # hadolint ignore=DL3045 | ||
| COPY --from=BUILD ${MICRO_IMAGE_DIR}/ . | ||
|
|
||
| # create symlinks for python | ||
| RUN ln -s /usr/bin/python3.11 /usr/bin/python | ||
|
|
||
| # Create project dir | ||
| WORKDIR /usr/src/app | ||
|
|
||
| # set environment variables | ||
| ENV PYTHONDONTWRITEBYTECODE 1 | ||
Tansito marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| ENV PYTHONUNBUFFERED 1 | ||
|
|
||
| COPY gateway/requirements.txt . | ||
| # Install pip | ||
| RUN python3.11 -m ensurepip --upgrade | ||
| # Install dependencies and update then uninstall pip (not needed in final image) | ||
| RUN python3.11 -m pip install -r requirements.txt --no-cache-dir --upgrade && \ | ||
| cp -r -n /usr/local/lib64/python3.11/site-packages/symengine /usr/local/lib/python3.11/site-packages &&\ | ||
| cp -r -n /usr/local/lib/python3.11/site-packages/symengine /usr/local/lib64/python3.11/site-packages &&\ | ||
| python3.11 -m pip uninstall -y pip | ||
|
|
||
| COPY gateway . | ||
| RUN chown -R 1000:100 /usr/src/app &&\ | ||
| mkdir /usr/src/app/media && chown 1000:100 /usr/src/app/media | ||
|
|
||
|
There was a problem hiding this comment. Is the setuptools unnecessary after all or is the right version in ubi9-micro:9.4-15? There was a problem hiding this comment. I was assuming that the scratch image doesn't have setuptools so it shouldn't need to be updated. but maybe it will be? There was a problem hiding this comment. I'm not sure. Scan will tell us :-) There was a problem hiding this comment. all hail general scan 😆 |
||
| RUN sed -i 's/\r$//g' /usr/src/app/entrypoint.sh &&\ | ||
| chmod +x /usr/src/app/entrypoint.sh | ||
|
|
||
| EXPOSE 8000 | ||
| USER 1000:100 | ||
| # run entrypoint.sh | ||
| ENTRYPOINT ["/usr/src/app/entrypoint.sh"] | ||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I wonder why this APP image is necessary. What is the difference between copying back the ${MICRO_IMAGE_DIR}/ into the BASE image and the APP image?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The BASE image still has things like a package manager and a shell that the gateway really doesn't need, whereas scratch / APP is empty except for what we explicitly add to it. So that does two things: (a) it reduces the number of components that we have to manage for CVEs, and (b) it reduces the threat vectors for that particular container.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I may be wrong but I read
copies everything in the BASE to ${MICRO_IMAGE_DIR} directory and
copies everything in the BASE + additional pieces to the APP
So everything in the BASE is copied to APP. Where am I misunderstanding?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You could be right... I'm just copying from what another team already did and didn't look too closely at what they were doing, I just assumed it worked since it had already gone through review.