From 2031c749a5fb29002048d4e1e1ee26e88c3deb41 Mon Sep 17 00:00:00 2001
From: Alexander VanTol
Date: Fri, 1 Nov 2024 14:29:13 -0500
Subject: [PATCH] feat(docker): update to use new base image
---
 Dockerfile | 87 +++++++++----------------------
 deployment/fence.conf | 19 -------
 deployment/nginx/nginx.conf | 44 ----------------
 deployment/wsgi/gunicorn.conf.py | 2 +-
 dockerrunshib.bash | 24 ---------
 keys/key/README.md | 1 -
 6 files changed, 26 insertions(+), 151 deletions(-)
 delete mode 100644 deployment/fence.conf
 delete mode 100644 deployment/nginx/nginx.conf
 delete mode 100755 dockerrunshib.bash
 delete mode 100644 keys/key/README.md
diff --git a/Dockerfile b/Dockerfile
index 49c248112..a2762ecce 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,86 +1,49 @@
-ARG AZLINUX_BASE_VERSION=master
+# To build: docker build -t fence:latest .
+# To run interactive:
+# docker run -v ~/.gen3/fence/fence-config.yaml:/var/www/fence/fence-config.yaml -v ./keys/:/fence/keys/ fence:latest
+# To check running container do: docker exec -it CONTAINER bash
-# Base stage with python-build-base
-FROM quay.io/cdis/python-build-base:${AZLINUX_BASE_VERSION} AS base
+ARG AZLINUX_BASE_VERSION=feat_python-nginx
+
+# ------ Base stage ------
+FROM quay.io/cdis/python-nginx-al:${AZLINUX_BASE_VERSION} AS base
 # Comment this in, and comment out the line above, if quay is down
-# FROM 707767160287.dkr.ecr.us-east-1.amazonaws.com/gen3/python-build-base:${AZLINUX_BASE_VERSION} as base
+# FROM 707767160287.dkr.ecr.us-east-1.amazonaws.com/gen3/python-nginx-al:${AZLINUX_BASE_VERSION} as base
 ENV appname=fence
-ENV POETRY_NO_INTERACTION=1 \
- POETRY_VIRTUALENVS_IN_PROJECT=1 \
- POETRY_VIRTUALENVS_CREATE=1
 WORKDIR /${appname}
-# create gen3 user
-# Create a group 'gen3' with GID 1000 and a user 'gen3' with UID 1000
-RUN groupadd -g 1000 gen3 && \
- useradd -m -s /bin/bash -u 1000 -g gen3 gen3 && \
- chown -R gen3:gen3 /$appname && \
- mkdir -p /var/www/$appname && \
- chown -R gen3:gen3 /var/www/$appname && \
- chown -R gen3:gen3 /venv
-
+RUN chown -R gen3:gen3 /${appname}
-# Builder stage
+# ------ Builder stage ------
 FROM base AS builder
-USER gen3
-
-
-RUN python -m venv /venv
-
-
+# Install just the deps without the code as it's own step to avoid redoing this on code changes
 COPY poetry.lock pyproject.toml /${appname}/
+RUN poetry install -vv --only main --no-interaction
-RUN pip install poetry && \
- poetry install -vv --only main --no-interaction
-
+# Move app files into working directory
 COPY --chown=gen3:gen3 . /$appname
 COPY --chown=gen3:gen3 ./deployment/wsgi/wsgi.py /$appname/wsgi.py
-# Run poetry again so this app itself gets installed too
-RUN poetry install --without dev --no-interaction
+# Do the install again incase the app itself needs install
+RUN poetry install -vv --only main --no-interaction
+
+ENV PATH="$(poetry env info --path)/bin:$PATH"
+# Setup version info
 RUN git config --global --add safe.directory /${appname} && COMMIT=`git rev-parse HEAD` && echo "COMMIT=\"${COMMIT}\"" > /$appname/version_data.py \
 && VERSION=`git describe --always --tags` && echo "VERSION=\"${VERSION}\"" >> /$appname/version_data.py
-# Final stage
-FROM base
-
-COPY --from=builder /venv /venv
-COPY --from=builder /$appname /$appname
-
 # install tar
-RUN yum install tar -y
+# RUN yum install tar -y
+# do we need to untar jwt-keys?
-# install nginx
-RUN yum install nginx -y
-
-RUN setcap 'cap_net_bind_service=+ep' /usr/sbin/nginx
-
-# chown nginx directories
-RUN chown -R gen3:gen3 /var/log/nginx
-
-# pipe nginx logs to stdout and stderr
-RUN ln -sf /dev/stdout /var/log/nginx/access.log && ln -sf /dev/stderr /var/log/nginx/error.log
-
-# create /var/lib/nginx/tmp/client_body to allow nginx to write to fence
-RUN mkdir -p /var/lib/nginx/tmp/client_body
-RUN chown -R gen3:gen3 /var/lib/nginx/
-
-# copy nginx config
-COPY ./deployment/nginx/nginx.conf /etc/nginx/nginx.conf
-
-
-# Switch to non-root user 'gen3' for the serving process
-USER gen3
-
-RUN source /venv/bin/activate
-
-ENV PYTHONUNBUFFERED=1 \
-PYTHONIOENCODING=UTF-8
+# ------ Final stage ------
+FROM base
+COPY --chown=gen3:gen3 --from=builder /$appname /$appname
-CMD ["/bin/bash", "-c", "/fence/dockerrun.bash"]
+CMD ["poetry", "run", "gunicorn", "-c", "deployment/wsgi/gunicorn.conf.py"]
diff --git a/deployment/fence.conf b/deployment/fence.conf
deleted file mode 100644
index 03c5d6812..000000000
--- a/deployment/fence.conf
+++ /dev/null
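Review bot: The final stage copies only `/$appname` from `builder`, but nothing in this hunk keeps poetry's virtualenv inside that directory — the old `POETRY_VIRTUALENVS_IN_PROJECT=1` ENV is removed — so unless the `python-nginx-al` base sets it, the environment that `poetry install` populated stays in the builder's cache and `CMD ["poetry", "run", "gunicorn", ...]` will start against a fresh, empty venv; re-adding that ENV in the base stage (or copying the venv explicitly) is needed. `ENV PATH="$(poetry env info --path)/bin:$PATH"` does not help: `ENV` expands only `$VAR`/`${VAR}`, so the `$(...)` is stored literally, and it is set in `builder`, which `FROM base` does not inherit. The final stage also drops the `USER gen3` the old one had; `COPY --chown` fixes file ownership, but the gunicorn master starts as whatever user the base image leaves active (root unless that image sets `USER`), with only the workers dropping to `gen3` through `user = "gen3"` in gunicorn.conf.py, so `USER gen3` belongs before `CMD`. With deployment/nginx/nginx.conf deleted and CMD starting only gunicorn, nothing in this patch starts nginx; if the base image is expected to supply the front end, the entrypoint that launches both should be referenced here rather than left implicit. `AZLINUX_BASE_VERSION=feat_python-nginx` is a branch tag and therefore mutable; pin a release tag or digest once that base is published.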
@@ -1,19 +0,0 @@
-
- WSGIDaemonProcess /fence processes=2 threads=4 python-path=/var/www/fence/:/fence/:/usr/bin/python
- WSGIScriptAlias / /var/www/fence/wsgi.py
- WSGIPassAuthorization On
-
- WSGIProcessGroup /fence
- WSGIApplicationGroup %{GLOBAL}
- Options +ExecCGI
- Order deny,allow
- Allow from all
-
- ErrorLog ${APACHE_LOG_DIR}/error.log
- LogLevel info
- LogFormat "%{X-Forwarded-For}i %l %{X-UserId}i %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" aws
- LogFormat "{\"gen3log\": \"apache2\", \"date_access\": \"%t\", \"user_id\": \"%{X-UserId}i\", \"request_id\": \"%{X-ReqId}i\", \"session_id\": \"%{X-SessionId}i\", \"visitor_id\": \"%{X-VisitorId}i\", \"network_client_ip\": \"%{X-Forwarded-For}i\", \"network_bytes_write\": \"%b\", \"http_response_time\": \"%T\", \"http_status_code\": \"%>s\", \"http_request\": \"%U\", \"http_verb\": \"%m\", \"http_referer\": \"%{Referer}i\", \"http_useragent\": \"%{User-agent}i\", \"message\": \"%r\"}" json
- SetEnvIf X-Forwarded-For "^..*" forwarded
- #CustomLog ${APACHE_LOG_DIR}/access.log combined env=!forwarded
- CustomLog ${APACHE_LOG_DIR}/access.log json
-
diff --git a/deployment/nginx/nginx.conf b/deployment/nginx/nginx.conf
deleted file mode 100644
index c64485a90..000000000
--- a/deployment/nginx/nginx.conf
+++ /dev/null
@@ -1,44 +0,0 @@
-user gen3;
-worker_processes auto;
-error_log /var/log/nginx/error.log notice;
-pid /var/lib/nginx/nginx.pid;
-
-# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
-include /usr/share/nginx/modules/*.conf;
-
-events {
- worker_connections 1024;
-}
-
-http {
- log_format main '$remote_addr - $remote_user [$time_local] "$request" '
- '$status $body_bytes_sent "$http_referer" '
- '"$http_user_agent" "$http_x_forwarded_for"';
-
- access_log /var/log/nginx/access.log main;
-
- sendfile on;
- tcp_nopush on;
- keepalive_timeout 65;
- types_hash_max_size 4096;
-
- include /etc/nginx/mime.types;
- default_type application/octet-stream;
-
- # Load modular configuration files from the /etc/nginx/conf.d directory.
- # See http://nginx.org/en/docs/ngx_core_module.html#include
- # for more information.
- include /etc/nginx/conf.d/*.conf;
-
- server {
-
- listen 80;
- server_name localhost;
-
- location / {
- proxy_pass http://127.0.0.1:8000;
- proxy_set_header Host $host;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- }
- }
-}
diff --git a/deployment/wsgi/gunicorn.conf.py b/deployment/wsgi/gunicorn.conf.py
index 1eaa94a1e..64092ba3d 100644
--- a/deployment/wsgi/gunicorn.conf.py
+++ b/deployment/wsgi/gunicorn.conf.py
@@ -1,6 +1,6 @@
 wsgi_app = "deployment.wsgi.wsgi:application"
 bind = "0.0.0.0:8000"
-workers = 4
+workers = 1
 preload_app = True
 user = "gen3"
 group = "gen3"
diff --git a/dockerrunshib.bash b/dockerrunshib.bash
deleted file mode 100755
index 1ad35e65b..000000000
--- a/dockerrunshib.bash
+++ /dev/null
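Review bot: `workers = 1` in deployment/wsgi/gunicorn.conf.py reduces the service to a single gunicorn worker, and neither the line nor the commit message says why. No `worker_class` is set in the visible lines, so that one worker (gunicorn's default sync class) handles requests one at a time, and with deployment/nginx/nginx.conf deleted in this same commit there is no longer a proxy in front of it buffering slow clients — a capacity and availability regression if the old value was intentional. A comment on the line recording the reason would help the next reader, or the count could be read from the environment so operators can raise it without an image rebuild, e.g. `workers = int(os.environ.get("GUNICORN_WORKERS", "1"))` with an `import os` at the top of the file, which keeps 1 as the default.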
@@ -1,24 +0,0 @@ -#!/bin/bash - -# -# Update certificate authority index - -# environment may have mounted more authorities -# -update-ca-certificates -# -# Kubernetes may mount jwt-keys as a tar ball -# -if [ -f /fence/jwt-keys.tar ]; then - ( - cd /fence - tar xvf jwt-keys.tar - if [ -d jwt-keys ]; then - mkdir -p keys - mv jwt-keys/* keys/ - fi - ) -fi -service shibd start -sed -i "s/ServerName SERVERNAME/ServerName https:\/\/$HOSTNAME/g" /etc/apache2/sites-available/fence.conf -rm -rf /var/run/apache2/apache2.pid -/usr/sbin/apache2ctl -D FOREGROUND diff --git a/keys/key/README.md b/keys/key/README.md deleted file mode 100644 index cdfd6f26e..000000000 --- a/keys/key/README.md +++ /dev/null @@ -1 +0,0 @@ -# Need this folder for permission reasons inside the container