Update dockerfile/compose

And entrypoint

Author: pythoninthegrass

Dockerfile

@@ -1,12 +1,12 @@
 # SOURCES
-# https://github.com/alexdmoss/distroless-python
-# https://gitlab.com/n.ragav/python-images/-/tree/master/distroless
+# https://denisbrogg.hashnode.dev/efficient-python-docker-image-from-any-poetry-project
+# https://binx.io/2022/06/13/poetry-docker/
+# https://github.com/python-poetry/poetry/discussions/1879#discussioncomment-216865
 
 # full semver just for python base image
-ARG PYTHON_VERSION=3.10.8
+ARG PYTHON_VERSION=3.10.9
 
-# several optimisations in python-slim images already, benefit from these
-FROM python:${PYTHON_VERSION}-slim-bullseye AS builder-image
+FROM python:${PYTHON_VERSION}-slim-bullseye AS builder
 
 # avoid stuck build due to user prompt
 ARG DEBIAN_FRONTEND=noninteractive
@@ -15,155 +15,85 @@ ARG DEBIAN_FRONTEND=noninteractive
 RUN apt -qq update \
     && apt -qq install \
     --no-install-recommends -y \
-    autoconf \
-    automake \
-    build-essential \
-    ca-certificates \
     curl \
     gcc \
-    libbz2-dev \
-    libffi7 \
-    libffi-dev \
-    liblzma-dev \
-    libncurses-dev \
     libpq-dev \
-    libreadline-dev \
-    libsqlite3-dev \
-    libssl-dev \
-    libtool \
-    libxslt-dev \
-    libyaml-dev \
-    locales \
-    lzma \
-    sqlite3 \
-    unixodbc-dev \
-    zlib1g \
+    python3-dev \
     && rm -rf /var/lib/apt/lists/*
 
-# Set locale
-RUN locale-gen en_US.UTF-8
-ENV LANG=en_US.UTF-8
-ENV LANGUAGE=en_US:en
-ENV LC_ALL=en_US.UTF-8
+# pip env vars
+ENV PIP_NO_CACHE_DIR=off
+ENV PIP_DISABLE_PIP_VERSION_CHECK=on
+ENV PIP_DEFAULT_TIMEOUT=100
 
-# TODO: debug heroku var interpolation (intermediate containers per ENV??)
-# setup standard non-root user for use downstream
-ENV USERNAME=appuser
-ENV USER_GROUP=${USERNAME}
-ENV HOME=/home/${USERNAME}
-
-RUN groupadd ${USERNAME}
-RUN useradd -m ${USERNAME} -g ${USERNAME}
-
-# setup user environment
-ENV PATH="$HOME/.local/bin:$PATH"
-
-WORKDIR /home/${USERNAME}
-USER ${USERNAME}
+# poetry env vars
+ENV POETRY_HOME="/opt/poetry"
+ENV POETRY_VERSION=1.3.2
+ENV POETRY_VIRTUALENVS_IN_PROJECT=true
+ENV POETRY_NO_INTERACTION=1
 
-# poetry for use elsewhere as builder image
-RUN pip install --user --upgrade pip \
-    && pip install --user --no-cache-dir --upgrade virtualenv poetry
+# path
+ENV VENV="/opt/venv"
+ENV PATH="$POETRY_HOME/bin:$VENV/bin:$PATH"
 
-COPY --chown=${USERNAME} pyproject.toml poetry.lock ./
-RUN poetry config virtualenvs.in-project true \
-    && poetry config virtualenvs.options.always-copy true \
-    && poetry install
+WORKDIR /app
+COPY . .
 
-# # QA
-# CMD ["/bin/bash"]
+RUN python -m venv $VENV \
+    && . "${VENV}/bin/activate" \
+    && python -m pip install "poetry==${POETRY_VERSION}" \
+    && poetry install --no-ansi --no-root --without dev
 
-# build from distroless C or cc:debug, because lots of Python depends on C
-FROM gcr.io/distroless/cc AS distroless
-
-# arch: x86_64-linux-gnu / aarch64-linux-gnu
-ARG CHIPSET_ARCH=${CHIPSET_ARCH:-x86_64-linux-gnu}
-
-# required by lots of packages - e.g. six, numpy, asgi, wsgi, gunicorn
-# libz.so.1, libexpat.so.1, libbz2.so, libffi.so.7
-COPY --from=builder-image /etc/ld.so.cache /etc/
-
-# TODO: curl-specific libs (copying whole /lib and /usr/lib adds ~50MB to image)
-# libcurl.so.4, libnghttp2.so.14, libidn2.so.0, librtmp.so.1, libssh2.so.1, libpsl.so.5
-COPY --from=builder-image /lib/${CHIPSET_ARCH}/ /lib/${CHIPSET_ARCH}/
-COPY --from=builder-image /usr/lib/${CHIPSET_ARCH}/ /lib/${CHIPSET_ARCH}/
-
-# non-root user setup
-ARG USERNAME=appuser
-ARG PYTHON_VERSION=3.10
-ENV HOME=/home/${USERNAME}
-ENV VENV="${HOME}/.venv"
-
-# import useful bins from busybox image
-COPY --from=busybox:latest \
-    /bin/cat \
-    /bin/cut \
-    /bin/date  \
-    /bin/find \
-    /bin/ls \
-    /bin/rm \
-    /bin/sed \
-    /bin/sh \
-    /bin/uname \
-    /bin/vi \
-    /bin/which \
-    /bin/
-COPY --from=busybox:uclibc /bin/env /usr/bin/env
-COPY --from=builder-image /usr/bin/curl /bin/curl
+FROM python:${PYTHON_VERSION}-slim-bullseye AS runner
 
 # setup standard non-root user for use downstream
-ENV USERNAME=appuser
-ENV USER_GROUP=${USERNAME}
-ENV HOME=/home/${USERNAME}
-
-RUN echo "${USERNAME}:x:1000:${USERNAME}" >> /etc/group
-RUN echo "${USERNAME}:x:1001:" >> /etc/group
-RUN echo "${USERNAME}:x:1000:1001::${HOME}:" >> /etc/passwd
-
-# copy app and virtual environment
-COPY --chown=${USERNAME} . /app
-COPY --from=builder-image --chown=${USERNAME} "$VENV" "$VENV"
-COPY --from=builder-image /usr/local/lib/ /usr/local/lib/
-COPY --from=builder-image /usr/local/bin/python /usr/local/bin/python
-
-ENV PATH="/usr/local/bin:${HOME}/.local/bin:/bin:/usr/bin:${VENV}/bin:${VENV}/lib/python${PYTHON_VERSION}/site-packages:/usr/share/doc:$PATH"
-
-# remove dev bins (need sh to run `startup.sh`)
-RUN rm /bin/cat /bin/find /bin/ls /bin/rm /bin/vi /bin/which
-
-# # QA
-# CMD ["/bin/sh"]
-
-FROM distroless AS runner-image
-
-ARG PYTHON_VERSION=3.10
-ARG USERNAME=appuser
-ENV HOME=/home/${USERNAME}
-ENV VENV="${HOME}/.venv"
+ENV USER_NAME=appuser
+ENV USER_GROUP=appuser
+ENV HOME="/home/${USER_NAME}"
+ENV HOSTNAME="${HOST:-localhost}"
+ENV VENV="/opt/venv"
 
-ENV PATH="/usr/local/bin:${HOME}/.local/bin:/bin:/usr/bin:${VENV}/bin:${VENV}/lib/python${PYTHON_VERSION}/site-packages:/usr/share/doc:$PATH"
+ENV PATH="${VENV}/bin:${VENV}/lib/python${PYTHON_VERSION}/site-packages:/usr/local/bin:${HOME}/.local/bin:/bin:/usr/bin:/usr/share/doc:$PATH"
 
 # standardise on locale, don't generate .pyc, enable tracebacks on seg faults
 ENV LANG C.UTF-8
 ENV LC_ALL C.UTF-8
 ENV PYTHONDONTWRITEBYTECODE 1
 ENV PYTHONFAULTHANDLER 1
 
-# workers per core (https://github.com/tiangolo/uvicorn-gunicorn-fastapi-docker/blob/master/README.md#web_concurrency)
-ENV WEB_CONCURRENCY=1
+# workers per core
+# https://github.com/tiangolo/uvicorn-gunicorn-fastapi-docker/blob/master/README.md#web_concurrency
+ENV WEB_CONCURRENCY=2
 
-COPY --from=busybox:uclibc /bin/chown /bin/chown
-COPY --from=busybox:uclibc /bin/rm /bin/rm
+RUN groupadd ${USER_NAME} \
+    && useradd -m ${USER_NAME} -g ${USER_GROUP}
 
-RUN chown -R ${USERNAME}:${USERNAME} /app \
-    && chown -R ${USERNAME}:${USERNAME} ${VENV} \
-    && rm /bin/chown /bin/rm
+# avoid stuck build due to user prompt
+ARG DEBIAN_FRONTEND=noninteractive
+
+# install dependencies
+RUN apt -qq update \
+    && apt -qq install \
+    --no-install-recommends -y \
+    curl \
+    lsof \
+    && rm -rf /var/lib/apt/lists/*
 
 WORKDIR /app
+COPY --chown=${USER_NAME} . .
+COPY --from=builder --chown=${USER_NAME} "$VENV" "$VENV"
 
-USER ${USERNAME}
+# TODO: debug `find` calls that break on missing dirs
+# COPY ./harden /usr/sbin/harden
+# RUN /usr/sbin/harden
+
+USER ${USER_NAME}
+
+# listening port (not published)
+EXPOSE 3000
 
 # ENTRYPOINT ["python", "main.py"]
-# CMD ["gunicorn", "-c", "config/gunicorn.conf.py", "main:app"]
-# CMD ["/bin/sh", "startup.sh"]
-CMD ["/bin/sh"]
+ENTRYPOINT ["/bin/sh", "startup.sh"]
+# CMD ["5000"]
+# CMD ["gunicorn", "-c", "gunicorn.conf.py", "main:app"]
+# CMD ["/bin/bash"]

docker-compose.yml

@@ -3,15 +3,13 @@ version: "3.9"
 services:
   app:
     container_name: hello-cont
-    image: docker_python
-    tty: false               # false for `entrypoint` in Dockerfile
-    stdin_open: false        # false for `entrypoint` in Dockerfile
-    env_file:
-      - ./.env
-    volumes:
-      - .:/home/appuser/app
-    ports:
-      - 3000:3000
+    image: python:3.10.9-slim-bullseye
+    # tty: false               # false for `entrypoint` in Dockerfile
+    # stdin_open: false        # false for `entrypoint` in Dockerfile
     build:
       context: ./
       dockerfile: ./Dockerfile
+    volumes:
+    - .:/app
+    ports:
+    - ${PORT:-8000}:8000

startup.sh

@@ -1,8 +1,47 @@
 #!/usr/bin/env sh
 
-export VIRTUAL_ENV="/opt/venv"
-export PATH="${VIRTUAL_ENV}/bin:$HOME/.asdf/bin:$HOME/.asdf/shims:$PATH"
+# shellcheck disable=SC1091,SC2034,SC2086,SC2153,SC2236,SC3037,SC3045,SC2046
 
-# source .venv/bin/activate
+if [ "$(uname -s)" = "Darwin" ]; then
+	export VENV=".venv"
+else
+	export VENV="/opt/venv"
+fi
+export PATH="${VENV}/bin:$HOME/.asdf/bin:$HOME/.asdf/shims:$PATH"
 
-gunicorn -w 2 -k uvicorn.workers.UvicornWorker main:app -b 0.0.0.0:${PORT:-3000} --log-file -
+# . "${VENV}/bin/activate"
+
+# BASE_DIR="$(dirname "$(readlink -f "$0")")"
+# SRV_DIR="${BASE_DIR}/app/commerce"
+
+move_port() {
+	echo "Port $1 is in use, trying $PORT"
+	while [ ! -z "$(lsof -i :$PORT | grep LISTEN | awk '{print $2}')" ]; do
+		echo "Port $PORT is in use, trying $((PORT+1))"
+		PORT=$((PORT+1))
+	done
+	echo "Port $PORT is available. Using it instead of $1"
+}
+
+port_check() {
+	if [ -z "$1" ]; then
+		PORT=8000
+	elif [ "$1" -gt 0 ] 2>/dev/null; then
+		PORT="$1"
+	fi
+	[ -z "$(lsof -i :$PORT | grep LISTEN | awk '{print $2}')" ] || move_port "$PORT"
+}
+
+server() {
+	# gunicorn/uvicorn
+	gunicorn -w 2 -k uvicorn.workers.UvicornWorker main:app -b "0.0.0.0:${PORT}" --log-file -
+
+	# django
+	# python "${SRV_DIR}/manage.py" runserver
+}
+
+main() {
+	port_check "$@"
+	server
+}
+main "$@"