Merge pull request #56 from cisagov/improvement/project_updates
Update Docker image configuration
Showing
7 changed files
with
360 additions
and
205 deletions.
@@ -1,64 +1,96 @@ | ||
ARG PY_VERSION=3.10.5 | ||
|
||
FROM python:${PY_VERSION}-bullseye AS compile-stage | ||
# We use an Alpine base image in the compile-stage because of the build | ||
# requirements for some of the Python requirements. When the python3-dev | ||
# package is installed it will also install the python3 package which leaves us | ||
# with two Python installations if we use a Python Docker image. Instead we use | ||
# Alpine's python3 package here to create the virtual environment we will use | ||
# in the Python Docker image we use for the build-stage. The tag of the Python | ||
# Docker image matches the version of the python3 package available on Alpine | ||
# for consistency. | ||
FROM alpine:3.17 AS compile-stage | ||
|
||
# For a list of pre-defined annotation keys and value types see: | ||
# https://github.com/opencontainers/image-spec/blob/master/annotations.md | ||
# Note: Additional labels are added by the build workflow. | ||
LABEL org.opencontainers.image.authors="[email protected]" | ||
LABEL org.opencontainers.image.vendor="Cybersecurity and Infrastructure Security Agency" | ||
|
||
RUN apt-get update \ | ||
&& apt-get install -y --allow-downgrades --no-install-recommends \ | ||
libxml2-dev=2.9.10+dfsg-6.7+deb11u2 \ | ||
libxslt1-dev=1.1.34-4 | ||
# Unprivileged user information necessary for the Python virtual environment | ||
ARG CISA_USER="cisa" | ||
ENV CISA_HOME="/home/${CISA_USER}" | ||
ENV VIRTUAL_ENV="${CISA_HOME}/.venv" | ||
|
||
ENV PY_VENV=/.venv | ||
# Versions of the Python packages installed directly | ||
ENV PYTHON_PIP_VERSION=23.0.1 | ||
ENV PYTHON_PIPENV_VERSION=2023.2.18 | ||
ENV PYTHON_SETUPTOOLS_VERSION=67.4.0 | ||
ENV PYTHON_WHEEL_VERSION=0.38.4 | ||
|
||
# Manually set up the virtual environment | ||
RUN python -m venv --system-site-packages ${PY_VENV} | ||
ENV PATH="${PY_VENV}/bin:$PATH" | ||
RUN apk --no-cache add \ | ||
gcc=12.2.1_git20220924-r4 \ | ||
libc-dev=0.7.2-r3 \ | ||
libxml2-dev=2.10.3-r1 \ | ||
libxslt-dev=1.1.37-r1 \ | ||
py3-pip=22.3.1-r1 \ | ||
py3-setuptools=65.6.0-r0 \ | ||
py3-wheel=0.38.4-r0 \ | ||
python3-dev=3.10.10-r0 \ | ||
python3=3.10.10-r0 | ||
|
||
# Install core Python dependencies | ||
RUN python -m pip install --no-cache-dir \ | ||
pip==22.1.2 \ | ||
pipenv==2022.6.7 \ | ||
setuptools==62.4.0 \ | ||
wheel==0.37.1 | ||
# Install pipenv to manage installing the Python dependencies into a created | ||
# Python virtual environment. This is done separately from the virtual | ||
# environment so that pipenv and its dependencies are not installed in the | ||
# Python virtual environment used in the final image. | ||
RUN python3 -m pip install --no-cache-dir --upgrade pipenv==${PYTHON_PIPENV_VERSION} \ | ||
# Manually create Python virtual environment for the final image | ||
&& python3 -m venv ${VIRTUAL_ENV} \ | ||
# Ensure the core Python packages are installed in the virtual environment | ||
&& ${VIRTUAL_ENV}/bin/python3 -m pip install --no-cache-dir --upgrade \ | ||
pip==${PYTHON_PIP_VERSION} \ | ||
setuptools==${PYTHON_SETUPTOOLS_VERSION} \ | ||
wheel==${PYTHON_WHEEL_VERSION} | ||
|
||
# Install vdp_scanner.py requirements | ||
COPY src/Pipfile Pipfile | ||
COPY src/Pipfile.lock Pipfile.lock | ||
# PIPENV_VENV_IN_PROJECT=1 directs pipenv to use the current directory for venvs | ||
RUN PIPENV_VENV_IN_PROJECT=1 pipenv sync | ||
WORKDIR /tmp | ||
COPY src/Pipfile src/Pipfile.lock ./ | ||
# pipenv will install packages into the virtual environment specified in the | ||
# VIRTUAL_ENV environment variable if it is set. | ||
RUN pipenv sync --clear --verbose | ||
|
||
# We only need pipenv to set up the environment, so we remove it from the venv | ||
# as a last step. | ||
RUN python -m pip uninstall --yes pipenv | ||
# The version of Python used here should match the version of the Alpine | ||
# python3 package installed in the compile-stage. | ||
FROM python:3.10.10-alpine3.17 AS build-stage | ||
|
||
FROM python:${PY_VERSION}-slim-bullseye AS build-stage | ||
# Unprivileged user information | ||
ARG CISA_UID=2048 | ||
ARG CISA_GID=${CISA_UID} | ||
ARG CISA_USER="cisa" | ||
ENV CISA_GROUP=${CISA_USER} | ||
ENV CISA_HOME="/home/${CISA_USER}" | ||
ENV VIRTUAL_ENV="${CISA_HOME}/.venv" | ||
|
||
RUN apt-get update \ | ||
&& apt-get install -y --allow-downgrades --no-install-recommends \ | ||
ca-certificates=20210119 \ | ||
chromium=102.0.5005.115-1~deb11u1 \ | ||
chromium-common=102.0.5005.115-1~deb11u1 \ | ||
libxml2-dev=2.9.10+dfsg-6.7+deb11u2 \ | ||
libxslt1-dev=1.1.34-4 \ | ||
&& apt-get clean \ | ||
&& rm -rf /var/lib/apt/lists/* | ||
RUN apk --no-cache add \ | ||
ca-certificates=20220614-r4 \ | ||
chromium=110.0.5481.177-r0 \ | ||
libxml2=2.10.3-r1 \ | ||
libxslt=1.1.37-r1 | ||
|
||
ENV PY_VENV=/.venv | ||
COPY --from=compile-stage ${PY_VENV} ${PY_VENV} | ||
ENV PATH="${PY_VENV}/bin:$PATH" | ||
# Create unprivileged user | ||
RUN addgroup --system --gid ${CISA_GID} ${CISA_GROUP} \ | ||
&& adduser --system --uid ${CISA_UID} --ingroup ${CISA_GROUP} ${CISA_USER} | ||
|
||
ENV TASK_HOME="/task" | ||
# Copy in the Python venv we created in the compile stage and re-symlink | ||
# python3 in the venv to the Python binary in this image | ||
COPY --from=compile-stage --chown=${CISA_USER}:${CISA_GROUP} ${VIRTUAL_ENV} ${VIRTUAL_ENV}/ | ||
RUN ln -sf "$(command -v python3)" "${VIRTUAL_ENV}"/bin/python3 | ||
ENV PATH="${VIRTUAL_ENV}/bin:$PATH" | ||
|
||
WORKDIR ${TASK_HOME} | ||
WORKDIR ${CISA_HOME} | ||
RUN mkdir host_mount | ||
|
||
COPY src/version.txt version.txt | ||
COPY src/vdp_scanner.py vdp_scanner.py | ||
# Copy in the necessary files | ||
COPY --chown=${CISA_USER}:${CISA_GROUP} src/version.txt src/vdp_scanner.py ./ | ||
|
||
ENTRYPOINT ["python", "vdp_scanner.py"] | ||
# Prepare to run | ||
USER ${CISA_USER}:${CISA_GROUP} | ||
ENTRYPOINT ["python3", "vdp_scanner.py"] | ||
CMD ["github"] |
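Review bot: Now that the stage ends with `USER ${CISA_USER}:${CISA_GROUP}`, the `host_mount` directory created by `RUN mkdir host_mount` under `${CISA_HOME}` is still made as root, so the scanner process no longer has write access to it unless a bind mount replaces it at run time; before this commit the process ran as root and the ownership did not matter. If the directory is only ever a mount point this is harmless, but if `vdp_scanner.py` writes there when no mount is supplied the run will fail with a permission error, and I cannot tell which from this page. Handing the directory to the unprivileged user keeps the least-privilege setup consistent: `RUN mkdir host_mount && chown "${CISA_USER}:${CISA_GROUP}" host_mount`. A one-line comment above that instruction stating what `host_mount` is for would also help, since neither the old nor the new side explains it.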
|
@@ -10,4 +10,4 @@ requests = "*" | |
urllib3 = "*" | ||
|
||
[requires] | ||
python_version = "3.10.5" | ||
python_full_version = "3.10.10" |