diff --git a/Dockerfile b/Dockerfile
index 64447f8b..d2e9faeb 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,14 +1,23 @@
 # Copyright (c) nexB Inc. and others. All rights reserved.
 # SPDX-License-Identifier: Apache-2.0
-FROM --platform=linux/amd64 python:3.11
+FROM --platform=linux/amd64 python:3.12-slim
-WORKDIR /app
+LABEL org.opencontainers.image.source="https://github.com/nexB/purldb"
+LABEL org.opencontainers.image.description="PurlDB"
+LABEL org.opencontainers.image.licenses="Apache-2.0"
-# Python settings: Force unbuffered stdout and stderr (i.e. they are flushed to terminal immediately)
+ENV APP_NAME purldb
+ENV APP_USER app
+ENV APP_DIR /opt/$APP_NAME
+ENV VENV_LOCATION /opt/$APP_NAME/venv
+
+# Force Python unbuffered stdout and stderr (they are flushed to terminal immediately)
 ENV PYTHONUNBUFFERED 1
-# Python settings: do not write pyc files
+# Do not write Python .pyc files
 ENV PYTHONDONTWRITEBYTECODE 1
+# Add the app dir in the Python path for entry points availability
+ENV PYTHONPATH $PYTHONPATH:$APP_DIR
 # OS requirements as per
 # https://scancode-toolkit.readthedocs.io/en/latest/getting-started/install.html
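Review bot: The new ENV instructions use the legacy space-separated form (`ENV APP_NAME purldb`, `ENV APP_USER app`, `ENV APP_DIR /opt/$APP_NAME`, `ENV VENV_LOCATION /opt/$APP_NAME/venv`, `ENV PYTHONPATH $PYTHONPATH:$APP_DIR`), which BuildKit's LegacyKeyValueFormat check flags; write them as `ENV APP_NAME=purldb` and so on. `ENV PYTHONPATH $PYTHONPATH:$APP_DIR` expands to `:/opt/purldb` when the base image leaves PYTHONPATH unset, which the official python images do not appear to set, leaving an empty leading entry; `ENV PYTHONPATH=$APP_DIR` avoids that. `FROM --platform=linux/amd64 python:3.12-slim` is tag-pinned only; a digest pin would make rebuilds reproducible and the hard-coded platform could instead come from the automatic platform args.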
@@ -33,9 +42,31 @@ RUN apt-get update \
 && apt-get clean \
 && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
+# Create the APP_USER group and user
+RUN addgroup --system $APP_USER \
+ && adduser --system --group --home=$APP_DIR $APP_USER \
+ && chown $APP_USER:$APP_USER $APP_DIR
+
+# Create the /var/APP_NAME directory with proper permission for APP_USER
+RUN mkdir -p /var/$APP_NAME \
+ && chown $APP_USER:$APP_USER /var/$APP_NAME
+
+# Setup the work directory and the user as APP_USER for the remaining stages
+WORKDIR $APP_DIR
+USER $APP_USER
+
+# Create the virtualenv
+RUN python -m venv $VENV_LOCATION
+# Enable the virtualenv, similar effect as "source activate"
+ENV PATH $VENV_LOCATION/bin:$PATH
+
+# Create static/ and workspace/ directories
+RUN mkdir -p /var/$APP_NAME/static/ \
+ && mkdir -p /var/$APP_NAME/workspace/
+
 # Install the dependencies before the codebase COPY for proper Docker layer caching
-COPY setup.cfg setup.py requirements.txt /app/
-RUN pip install --no-cache-dir -c requirements.txt .
+COPY --chown=$APP_USER:$APP_USER setup.cfg setup.py $APP_DIR/
+RUN pip install --no-cache-dir .
-# Copy the codebase
-COPY . /app
+# Copy the codebase and set the proper permissions for the APP_USER
+COPY --chown=$APP_USER:$APP_USER . $APP_DIR
diff --git a/docker-compose.common.yml b/docker-compose.common.yml
index a887a6f6..a0256022 100644
--- a/docker-compose.common.yml
+++ b/docker-compose.common.yml
@@ -5,6 +5,8 @@ services:
 - docker_purldb.env
 volumes:
 - db_data:/var/lib/postgresql/data/
+ shm_size: "1gb"
+ restart: always
 redis:
 image: redis
@@ -15,7 +17,7 @@ services:
 web:
 build: .
- command: sh -c "
+ command: wait-for-it --strict --timeout=60 db:5432 -- sh -c "
 python manage_purldb.py migrate &&
 python manage_purldb.py collectstatic --no-input --verbosity 0 --clear &&
 gunicorn purldb_project.wsgi:application --bind :8000 --timeout 600 --workers 8"
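Review bot: `RUN pip install --no-cache-dir .` drops the `-c requirements.txt` constraint that the removed line applied, so unless setup.cfg pins exact versions, the dependency set is resolved fresh on every build and the image is no longer reproducible or limited to the reviewed, pinned versions. If the constraints file is still maintained in the repository, copy it with setup.cfg and keep `RUN pip install --no-cache-dir -c requirements.txt .`. `adduser --system --group --home=$APP_DIR $APP_USER` assigns a dynamic system UID and `USER $APP_USER` switches by name; a fixed UID, e.g. `adduser --system --group --uid 10001 --home=$APP_DIR $APP_USER` with `USER 10001`, lets runtimes that enforce a non-root policy verify it numerically. The `RUN apt-get update` instruction whose tail opens this hunk starts outside the hunk.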
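Review bot: The new `command: wait-for-it --strict --timeout=60 db:5432 -- sh -c "` requires a `wait-for-it` executable on the PATH inside the web image, and nothing in the Dockerfile hunks of this diff installs it; the apt-get package list is outside the shown hunks, so confirm it is added there (Debian ships it as the `wait-for-it` package), otherwise the web service fails at start with a command-not-found. A one-line comment above the `command:` key naming where `wait-for-it` comes from would save the next reader the same search.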
@@ -24,9 +26,10 @@ services:
 expose:
 - 8000
 volumes:
+ - .env:/opt/purldb/.env
 - /etc/purldb/:/etc/purldb/
- - static:/var/purldb/static/
 - temp_data:/tmp/minecode/
+ - static:/var/purldb/static/
 depends_on:
 - db
@@ -36,6 +39,7 @@ services:
 env_file:
 - docker_purldb.env
 volumes:
+ - .env:/opt/purldb/.env
 - /etc/purldb/:/etc/purldb/
 profiles:
 - priority_queue
@@ -49,6 +53,7 @@ services:
 env_file:
 - docker_purldb.env
 volumes:
+ - .env:/opt/purldb/.env
 - /etc/purldb/:/etc/purldb/
 depends_on:
 - redis
@@ -61,6 +66,7 @@ services:
 env_file:
 - docker_purldb.env
 volumes:
+ - .env:/opt/purldb/.env
 - /etc/purldb/:/etc/purldb/
 - temp_data:/tmp/minecode/
 depends_on:
diff --git a/docker-compose.yml b/docker-compose.yml
index 01bfbed3..58066d55 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -12,9 +12,11 @@ services:
 - "traefik.http.routers.web.entrypoints=web"
 volumes:
 - ./etc/nginx/conf.d/:/etc/nginx/conf.d/
+ - /var/www/html:/var/www/html
 - static:/var/purldb/static/
 depends_on:
 - web
+ restart: always
 traefik:
 image: "traefik:v2.10"
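Review bot: The new `- .env:/opt/purldb/.env` bind mount (here and in the hunks at -36, -49 and -61) is read-write by default although the services only need to read the settings file; `- .env:/opt/purldb/.env:ro` keeps a misbehaving or compromised container from rewriting the host file that every other service also loads. With this short syntax, a `.env` that is missing on the host at `docker compose up` is created as an empty directory and mounted in place of the file, so presumably the app then starts without its settings — either document that the file must exist or switch to the long `type: bind` form, which by default does not create a missing source path. The `static` / `temp_data` reordering is cosmetic.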
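Review bot: `- /var/www/html:/var/www/html` gives the nginx container read-write access to a host directory; if it only serves content from it, as the neighbouring `static` volume suggests, mount it `- /var/www/html:/var/www/html:ro` so the public-facing web server cannot write to the host. As with the other new short-syntax bind mounts, a missing `/var/www/html` on the host is silently created as an empty directory rather than reported. The purpose of this directory is not visible in the diff, so a one-line comment above the mount would help the next operator.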