Merge pull request #56 from cisagov/improvement/project_updates
Update Docker image configuration
mcdonnnj authored Mar 14, 2023
2 parents e5682ce + d453f35 commit 19df96b
Showing 7 changed files with 360 additions and 205 deletions.
2 changes: 2 additions & 0 deletions .github/workflows/build.yml
Expand Up @@ -29,6 +29,8 @@ env:
CURL_CACHE_DIR: ~/.cache/curl
IMAGE_NAME: cisagov/vdp-scanner
PIP_CACHE_DIR: ~/.cache/pip
# These are the only three platforms that Alpine Linux 3.17 offers the chromium
# package for at this time.
PLATFORMS: "linux/amd64,linux/arm/v7,linux/arm64"
PRE_COMMIT_CACHE_DIR: ~/.cache/pre-commit
RUN_TMATE: ${{ secrets.RUN_TMATE }}
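Review bot: the new comment justifies the PLATFORMS list by which platforms Alpine Linux 3.17 ships a chromium package for, which couples this line to the `alpine:3.17` and `python:3.10.10-alpine3.17` base images in the Dockerfile; say so in the comment (for example "keep in sync with the base image tags in Dockerfile") so that a base-image bump prompts a re-check of where chromium is actually available rather than leaving a stale platform list.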
116 changes: 74 additions & 42 deletions Dockerfile
@@ -1,64 +1,96 @@
ARG PY_VERSION=3.10.5

FROM python:${PY_VERSION}-bullseye AS compile-stage
# We use an Alpine base image in the compile-stage because of the build
# requirements for some of the Python requirements. When the python3-dev
# package is installed it will also install the python3 package which leaves us
# with two Python installations if we use a Python Docker image. Instead we use
# Alpine's python3 package here to create the virtual environment we will use
# in the Python Docker image we use for the build-stage. The tag of the Python
# Docker image matches the version of the python3 package available on Alpine
# for consistency.
FROM alpine:3.17 AS compile-stage

# For a list of pre-defined annotation keys and value types see:
# https://github.com/opencontainers/image-spec/blob/master/annotations.md
# Note: Additional labels are added by the build workflow.
LABEL org.opencontainers.image.authors="[email protected]"
LABEL org.opencontainers.image.vendor="Cybersecurity and Infrastructure Security Agency"

RUN apt-get update \
&& apt-get install -y --allow-downgrades --no-install-recommends \
libxml2-dev=2.9.10+dfsg-6.7+deb11u2 \
libxslt1-dev=1.1.34-4
# Unprivileged user information necessary for the Python virtual environment
ARG CISA_USER="cisa"
ENV CISA_HOME="/home/${CISA_USER}"
ENV VIRTUAL_ENV="${CISA_HOME}/.venv"

ENV PY_VENV=/.venv
# Versions of the Python packages installed directly
ENV PYTHON_PIP_VERSION=23.0.1
ENV PYTHON_PIPENV_VERSION=2023.2.18
ENV PYTHON_SETUPTOOLS_VERSION=67.4.0
ENV PYTHON_WHEEL_VERSION=0.38.4

# Manually set up the virtual environment
RUN python -m venv --system-site-packages ${PY_VENV}
ENV PATH="${PY_VENV}/bin:$PATH"
RUN apk --no-cache add \
gcc=12.2.1_git20220924-r4 \
libc-dev=0.7.2-r3 \
libxml2-dev=2.10.3-r1 \
libxslt-dev=1.1.37-r1 \
py3-pip=22.3.1-r1 \
py3-setuptools=65.6.0-r0 \
py3-wheel=0.38.4-r0 \
python3-dev=3.10.10-r0 \
python3=3.10.10-r0

# Install core Python dependencies
RUN python -m pip install --no-cache-dir \
pip==22.1.2 \
pipenv==2022.6.7 \
setuptools==62.4.0 \
wheel==0.37.1
# Install pipenv to manage installing the Python dependencies into a created
# Python virtual environment. This is done separately from the virtual
# environment so that pipenv and its dependencies are not installed in the
# Python virtual environment used in the final image.
RUN python3 -m pip install --no-cache-dir --upgrade pipenv==${PYTHON_PIPENV_VERSION} \
# Manually create Python virtual environment for the final image
&& python3 -m venv ${VIRTUAL_ENV} \
# Ensure the core Python packages are installed in the virtual environment
&& ${VIRTUAL_ENV}/bin/python3 -m pip install --no-cache-dir --upgrade \
pip==${PYTHON_PIP_VERSION} \
setuptools==${PYTHON_SETUPTOOLS_VERSION} \
wheel==${PYTHON_WHEEL_VERSION}

# Install vdp_scanner.py requirements
COPY src/Pipfile Pipfile
COPY src/Pipfile.lock Pipfile.lock
# PIPENV_VENV_IN_PROJECT=1 directs pipenv to use the current directory for venvs
RUN PIPENV_VENV_IN_PROJECT=1 pipenv sync
WORKDIR /tmp
COPY src/Pipfile src/Pipfile.lock ./
# pipenv will install packages into the virtual environment specified in the
# VIRTUAL_ENV environment variable if it is set.
RUN pipenv sync --clear --verbose

# We only need pipenv to set up the environment, so we remove it from the venv
# as a last step.
RUN python -m pip uninstall --yes pipenv
# The version of Python used here should match the version of the Alpine
# python3 package installed in the compile-stage.
FROM python:3.10.10-alpine3.17 AS build-stage

FROM python:${PY_VERSION}-slim-bullseye AS build-stage
# Unprivileged user information
ARG CISA_UID=2048
ARG CISA_GID=${CISA_UID}
ARG CISA_USER="cisa"
ENV CISA_GROUP=${CISA_USER}
ENV CISA_HOME="/home/${CISA_USER}"
ENV VIRTUAL_ENV="${CISA_HOME}/.venv"

RUN apt-get update \
&& apt-get install -y --allow-downgrades --no-install-recommends \
ca-certificates=20210119 \
chromium=102.0.5005.115-1~deb11u1 \
chromium-common=102.0.5005.115-1~deb11u1 \
libxml2-dev=2.9.10+dfsg-6.7+deb11u2 \
libxslt1-dev=1.1.34-4 \
&& apt-get clean \
&& rm -rf /var/lib/apt/lists/*
RUN apk --no-cache add \
ca-certificates=20220614-r4 \
chromium=110.0.5481.177-r0 \
libxml2=2.10.3-r1 \
libxslt=1.1.37-r1

ENV PY_VENV=/.venv
COPY --from=compile-stage ${PY_VENV} ${PY_VENV}
ENV PATH="${PY_VENV}/bin:$PATH"
# Create unprivileged user
RUN addgroup --system --gid ${CISA_GID} ${CISA_GROUP} \
&& adduser --system --uid ${CISA_UID} --ingroup ${CISA_GROUP} ${CISA_USER}

ENV TASK_HOME="/task"
# Copy in the Python venv we created in the compile stage and re-symlink
# python3 in the venv to the Python binary in this image
COPY --from=compile-stage --chown=${CISA_USER}:${CISA_GROUP} ${VIRTUAL_ENV} ${VIRTUAL_ENV}/
RUN ln -sf "$(command -v python3)" "${VIRTUAL_ENV}"/bin/python3
ENV PATH="${VIRTUAL_ENV}/bin:$PATH"

WORKDIR ${TASK_HOME}
WORKDIR ${CISA_HOME}
RUN mkdir host_mount

COPY src/version.txt version.txt
COPY src/vdp_scanner.py vdp_scanner.py
# Copy in the necessary files
COPY --chown=${CISA_USER}:${CISA_GROUP} src/version.txt src/vdp_scanner.py ./

ENTRYPOINT ["python", "vdp_scanner.py"]
# Prepare to run
USER ${CISA_USER}:${CISA_GROUP}
ENTRYPOINT ["python3", "vdp_scanner.py"]
CMD ["github"]
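Review bot: the Python version is now hard-coded in three places (`python3=3.10.10-r0` and `python3-dev=3.10.10-r0` in the compile-stage, the `python:3.10.10-alpine3.17` tag in the build-stage, and `python_full_version = "3.10.10"` in src/Pipfile) after the previous `ARG PY_VERSION` was dropped; since the comment above the build-stage FROM says the two stages must match, consider reinstating a single ARG for the version so they cannot drift. Two smaller points. `RUN ln -sf "$(command -v python3)" "${VIRTUAL_ENV}"/bin/python3` repairs only the `python3` link, while `venv` also creates `python` and `python3.10` links in the same directory that still resolve to the compile-stage interpreter path, which does not exist in this image; the ENTRYPOINT uses `python3` so the image runs, but anything in the venv that invokes plain `python` (console-script shebangs included) would fail, and re-linking those too is cheap. And `RUN mkdir host_mount` runs as root before `USER ${CISA_USER}:${CISA_GROUP}`, so the directory is root-owned inside the image; creating it with a `chown` to the unprivileged user keeps it writable when no volume is mounted over it.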
16 changes: 8 additions & 8 deletions README.md
Expand Up @@ -23,7 +23,7 @@ Python library. Then it will output CSVs with agency and domain level results.
To run the `cisagov/vdp-scanner` image via Docker:

```console
docker run cisagov/vdp-scanner:0.0.5
docker run cisagov/vdp-scanner:0.1.0
```

### Running with Docker Compose ###
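Review bot: the tag bump to `0.1.0` here needs a matching bump in `src/version.txt`, which the Dockerfile copies into the image but which is not shown in the rendered part of this diff; please confirm it was updated in the same change so the image tag and the version reported by the scanner agree.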
Expand All @@ -36,7 +36,7 @@ docker run cisagov/vdp-scanner:0.0.5

services:
vdp-scanner:
image: 'cisagov/vdp-scanner:0.0.5'
image: 'cisagov/vdp-scanner:0.1.0'
volumes:
- .:/task/host_mount
```
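Review bot: the volume target `/task/host_mount` on the unchanged line above is now stale: the Dockerfile in this commit replaces `WORKDIR ${TASK_HOME}` (`/task`) with `WORKDIR ${CISA_HOME}` (`/home/cisa`) and creates `host_mount` there, so a bind mount at `/task/host_mount` no longer lands in the scanner's working directory. This should read `- .:/home/cisa/host_mount`, or the README should document the new location explicitly.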
Expand Down Expand Up @@ -74,7 +74,7 @@ docker run cisagov/vdp-scanner:0.0.5
1. Pull the new image:

```console
docker pull cisagov/vdp-scanner:0.0.5
docker pull cisagov/vdp-scanner:0.1.0
```

1. Recreate and run the container by following the [previous instructions](#running-with-docker).
Expand All @@ -83,12 +83,12 @@ docker run cisagov/vdp-scanner:0.0.5

The images of this container are tagged with
[semantic versions](https://semver.org). It is recommended that most users use
a version tag (e.g. `:0.0.5`).
a version tag (e.g. `:0.1.0`).

| Image:tag | Description |
|-----------|-------------|
|`cisagov/vdp-scanner:0.0.5`| An exact release version. |
|`cisagov/vdp-scanner:0.0`| The most recent release matching the major and minor version numbers. |
|`cisagov/vdp-scanner:0.1.0`| An exact release version. |
|`cisagov/vdp-scanner:0.1`| The most recent release matching the major and minor version numbers. |
|`cisagov/vdp-scanner:0`| The most recent release matching the major version number. |
|`cisagov/vdp-scanner:edge` | The most recent image built from a merge into the `develop` branch of this repository. |
|`cisagov/vdp-scanner:nightly` | A nightly build of the `develop` branch of this repository. |
Expand Down Expand Up @@ -153,7 +153,7 @@ Build the image locally using this git repository as the [build context](https:/

```console
docker build \
--tag cisagov/vdp-scanner:0.0.5 \
--tag cisagov/vdp-scanner:0.1.0 \
https://github.com/cisagov/vdp-scanner-docker.git#develop
```

Expand Down Expand Up @@ -184,7 +184,7 @@ Docker:
--file Dockerfile-x \
--platform linux/amd64 \
--output type=docker \
--tag cisagov/vdp-scanner:0.0.5 .
--tag cisagov/vdp-scanner:0.1.0 .
```

## Contributing ##
2 changes: 1 addition & 1 deletion src/Pipfile
Expand Up @@ -10,4 +10,4 @@ requests = "*"
urllib3 = "*"

[requires]
python_version = "3.10.5"
python_full_version = "3.10.10"
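Review bot: switching from `python_version` to `python_full_version = "3.10.10"` makes `pipenv sync` refuse any interpreter other than exactly 3.10.10, which is what the compile-stage's `python3=3.10.10-r0` provides today; the next Alpine 3.17 python3 package update (a 3.10.x patch bump) will break the build until this value, the apk pins, and the `python:3.10.10-alpine3.17` tag are all changed together. Either tie them to one build ARG or add a comment here noting the coupling so the three are bumped as a unit.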