Making changes to the audit service to use the new base image.

Dockerfile

@@ -1,17 +1,38 @@
-FROM quay.io/cdis/python:python3.9-buster-2.0.0 as base
+ARG AZLINUX_BASE_VERSION=master
 
-FROM base as builder
-RUN pip install --upgrade pip poetry
-RUN apt-get update \
-    && apt-get install -y --no-install-recommends \
-    build-essential gcc make musl-dev libffi-dev libssl-dev git curl
-COPY . /src/
-WORKDIR /src
-RUN python -m venv /env && . /env/bin/activate && poetry install -vv --no-interaction
+# Base stage with python-build-base
+FROM quay.io/cdis/python-nginx-al:${AZLINUX_BASE_VERSION} AS base
 
+ENV appname=audit
+
+COPY --chown=gen3:gen3 /src/${appname} /${appname}
+
+WORKDIR /${appname}
+
+# Builder stage
+FROM base AS builder
+
+USER gen3
+
+COPY poetry.lock pyproject.toml /${appname}/
+
+RUN poetry install -vv --no-interaction --without dev
+
+COPY --chown=gen3:gen3 . /${appname}
+COPY --chown=gen3:gen3 ./deployment/wsgi/wsgi.py /${appname}/wsgi.py
+
+# Run poetry again so this app itself gets installed too
+RUN poetry install -vv --no-interaction --without dev
+
+ENV  PATH="$(poetry env info --path)/bin:$PATH"
+
+# Final stage
 FROM base
-RUN apt-get install curl
-COPY --from=builder /env /env
-COPY --from=builder /src /src
-WORKDIR /src
-CMD ["/env/bin/gunicorn", "audit.asgi:app", "-b", "0.0.0.0:80", "-k", "uvicorn.workers.UvicornWorker"]
+
+COPY --from=builder /${appname} /${appname}
+
+# Switch to non-root user 'gen3' for the serving process
+
+USER gen3
+
+CMD ["/bin/bash", "-c", "/${appname}/dockerrun.bash"]

deployment/wsgi/gunicorn.conf.py

@@ -0,0 +1,7 @@
+wsgi_app = "deployment.wsgi.wsgi:app"
+bind = "0.0.0.0:8000"
+workers = 1
+user = "gen3"
+group = "gen3"
+timeout = 300
+worker_class = "uvicorn.workers.UvicornWorker"

deployment/wsgi/wsgi.py

@@ -0,0 +1,3 @@
+from audit.app import app_init
+
+app = app_init()

dockerrun.bash

@@ -0,0 +1,4 @@
+#!/bin/bash
+
+nginx
+poetry run gunicorn -c "/audit/deployment/wsgi/gunicorn.conf.py" audit.asgi:app