Making changes to the audit service to use the new base image. (#40)

Improvements Update to use new Amazon Linux base image and use the same structure as our other python services. Utilizing "gen3" user instead of "root" for more secure containers Moving to Poetry to manage our virtual environments Multi-stage Docker builds for smaller images Move to Gunicorn --------- Co-authored-by: Jawad Qureshi <[email protected]>
uc-cdis · Nov 18, 2024 · a42522a · a42522a
1 parent 1a506d8
commit a42522a
Show file tree

Hide file tree

Showing 4 changed files with 49 additions and 14 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -1,17 +1,38 @@
-FROM quay.io/cdis/python:python3.9-buster-2.0.0 as base
+ARG AZLINUX_BASE_VERSION=master
 
-FROM base as builder
-RUN pip install --upgrade pip poetry
-RUN apt-get update \
-    && apt-get install -y --no-install-recommends \
-    build-essential gcc make musl-dev libffi-dev libssl-dev git curl
-COPY . /src/
-WORKDIR /src
-RUN python -m venv /env && . /env/bin/activate && poetry install -vv --no-interaction
+# Base stage with python-build-base
+FROM quay.io/cdis/python-nginx-al:${AZLINUX_BASE_VERSION} AS base
 
+ENV appname=audit
+
+COPY --chown=gen3:gen3 /src/${appname} /${appname}
+
+WORKDIR /${appname}
+
+# Builder stage
+FROM base AS builder
+
+USER gen3
+
+COPY poetry.lock pyproject.toml /${appname}/
+
+RUN poetry install -vv --no-interaction --without dev
+
+COPY --chown=gen3:gen3 . /${appname}
+COPY --chown=gen3:gen3 ./deployment/wsgi/wsgi.py /${appname}/wsgi.py
+
+# Run poetry again so this app itself gets installed too
+RUN poetry install -vv --no-interaction --without dev
+
+ENV  PATH="$(poetry env info --path)/bin:$PATH"
+
+# Final stage
 FROM base
-RUN apt-get install curl
-COPY --from=builder /env /env
-COPY --from=builder /src /src
-WORKDIR /src
-CMD ["/env/bin/gunicorn", "audit.asgi:app", "-b", "0.0.0.0:80", "-k", "uvicorn.workers.UvicornWorker"]
+
+COPY --from=builder /${appname} /${appname}
+
+# Switch to non-root user 'gen3' for the serving process
+
+USER gen3
+
+CMD ["/bin/bash", "-c", "/${appname}/dockerrun.bash"]
diff --git a/deployment/wsgi/gunicorn.conf.py b/deployment/wsgi/gunicorn.conf.py
@@ -0,0 +1,7 @@
+wsgi_app = "deployment.wsgi.wsgi:app"
+bind = "0.0.0.0:8000"
+workers = 1
+user = "gen3"
+group = "gen3"
+timeout = 300
+worker_class = "uvicorn.workers.UvicornWorker"
diff --git a/deployment/wsgi/wsgi.py b/deployment/wsgi/wsgi.py
@@ -0,0 +1,3 @@
+from audit.app import app_init
+
+app = app_init()
diff --git a/dockerrun.bash b/dockerrun.bash
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+nginx
+poetry run gunicorn -c "/audit/deployment/wsgi/gunicorn.conf.py" audit.asgi:app
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,3 @@
		from audit.app import app_init

		app = app_init()