Dockerfile

FROM registry.access.redhat.com/ubi8/ubi-minimal

RUN curl -o /etc/yum.repos.d/postgresql.repo \
        https://copr.fedorainfracloud.org/coprs/g/insights/postgresql-16/repo/epel-8/group_insights-postgresql-16-epel-8.repo

RUN microdnf module disable -y postgresql || :
RUN microdnf install -y --setopt=install_weak_deps=0 --setopt=tsflags=nodocs \
    python311 python3.11-pip python3.11-devel libpq-devel gcc which shadow-utils diffutils systemd libicu git-core postgresql pg_repack && \
    microdnf clean all

# missing pg_config, gcc, python3-devel needed for psycopg on aarch64
RUN [ "$(uname -m)" == "aarch64" ] && \
    microdnf install -y --setopt=install_weak_deps=0 --setopt=tsflags=nodocs \
    gcc-c++ && \
    microdnf clean all || true

# for manager purposes
RUN mkdir -p /tmp/prometheus_multiproc
ENV prometheus_multiproc_dir=/tmp/prometheus_multiproc

# minimal schema required by application, used for waiting in services until DB migration is finished
ENV MINIMAL_SCHEMA=133

WORKDIR /engine

ADD pyproject.toml /engine/
ADD poetry.lock    /engine/

ENV LC_ALL=C.utf8
ENV LANG=C.utf8
RUN pip3.11 install --upgrade pip && \
    pip3.11 install --upgrade poetry~=1.5
RUN poetry export --only main -f requirements.txt --output requirements.txt && \
    pip3.11 install -r requirements.txt
RUN adduser --gid 0 -d /engine --no-create-home insights

# for manager purposes
RUN chown -R insights:0 /tmp/prometheus_multiproc && \
    chgrp -R 0 /tmp/prometheus_multiproc && \
    chmod -R g=u /tmp/prometheus_multiproc

# Baked-in content for FedRAMP
ARG STATIC_ASSETS=0
ARG GIT_TOKEN=""
RUN if [ "${STATIC_ASSETS}" == 1 ] ; then \
        curl -o /etc/pki/ca-trust/source/anchors/2022-IT-Root-CA.crt https://certs.corp.redhat.com/certs/2022-IT-Root-CA.pem && \
        update-ca-trust extract && \
        git clone https://gitlab.cee.redhat.com/vmaas/vmaas-assets.git /engine/vmaas_assets_git && \
        git clone https://gitlab.cee.redhat.com/insights-rules/insights-playbooks.git /engine/insights_playbooks_git && \
        git clone "https://$GIT_TOKEN@github.com/RedHatInsights/insights-content-vulnerability.git" /engine/insights_content_vulnerability_git && \
        # below is needed to avoid git 'detected dubious ownership' error when running as a rootless container...
        git config --system --add safe.directory /engine/vmaas_assets_git && \
        git config --system --add safe.directory /engine/insights_playbooks_git && \
        git config --system --add safe.directory /engine/insights_content_vulnerability_git && \
        echo "Cloned static assets" ; \
    fi

USER insights

EXPOSE 8000

ADD entrypoint.sh                          /engine/
ADD develfeatureflags.json                 /engine/
ADD manager.healthz.spec.yaml              /engine/
ADD manager.admin.spec.yaml                /engine/
ADD /database/upgrade/dbupgrade.sh         /engine/
ADD /database/schema/local_init_db.sh      /engine/
ADD /taskomatic/*.py                       /engine/taskomatic/
ADD /taskomatic/jobs/*.py                  /engine/taskomatic/jobs/
ADD /vmaas_sync/*.py                       /engine/vmaas_sync/
ADD /database/*.py                         /engine/database/
ADD /database/upgrade/*.py                 /engine/database/upgrade/
ADD /database/schema/*.sql                 /engine/database/schema/
ADD /database/schema/upgrade_scripts/*.sql /engine/database/schema/upgrade_scripts/
ADD /evaluator/*.py                        /engine/evaluator/
ADD /listener/*.py                         /engine/listener/
ADD manager.spec.yaml                      /engine/
ADD /common/*.py                           /engine/common/
ADD /manager/*.py                          /engine/manager/
ADD /notificator/*.py                      /engine/notificator/
ADD /exploit_sync/*py                      /engine/exploit_sync/
ADD /grouper/*.py                          /engine/grouper/
ADD /cluster/*.py                          /engine/cluster/