chore(dockerfile): use drycc/base image

Author: lijianguo

Makefile

@@ -66,6 +66,6 @@ test-integration:
 
 upload-coverage:
 	$(eval CI_ENV := $(shell curl -s https://codecov.io/env | bash))
-	docker run ${CI_ENV} -v ${CURDIR}:/test -w /test/rootfs ${IMAGE}.test codecov --required
+	docker run --rm ${CI_ENV} -v ${CURDIR}:/test -w /test/rootfs ${IMAGE}.test /test/rootfs/bin/upload-coverage
 
 .PHONY: check-kubectl check-docker build docker-build docker-build-test deploy clean commit-hook full-clean test test-style test-unit test-functional test-integration upload-coverage

rootfs/Dockerfile

@@ -1,34 +1,45 @@
-FROM docker.io/library/python:3.9-alpine
+FROM docker.io/drycc/base:bullseye
 
+RUN adduser --system \
+	--shell /bin/bash \
+	--disabled-password \
+	--home /app \
+	--group \
+	drycc
+
+ENV PYTHON_VERSION="3.10.2"
 COPY requirements.txt /app/requirements.txt
 
-RUN apk add --update --virtual .build-deps \
-    gcc \
-    rust \
-    cargo \
-    postgresql-dev \
-    libffi-dev \
-    musl-dev \
-    openssl-dev \
+RUN buildDeps='gcc libffi-dev libpq-dev rustc cargo'; \
+    install-packages $buildDeps \
+  && install-stack python $PYTHON_VERSION && . init-stack \
   && python3 -m venv /app/.venv \
   && source /app/.venv/bin/activate \
   && pip3 install --disable-pip-version-check --no-cache-dir -r /app/requirements.txt \
-  && find /app/.venv /usr/local -type f -executable ! -path '*/cryptography*' -exec scanelf --needed --nobanner --format '%n#p' '{}' ';' \
-    | tr ',' '\n' \
-    | sort -u \
-    | awk 'system("[[ -e /app/.venv/lib/" $1 " || -e /usr/local/lib/" $1 " ]]") == 0 { next } { print "so:" $1 }' \
-    | xargs -rt apk add --no-cache --virtual .python-rundeps \
-  && apk add --update --virtual .controller-rundeps \
-    ca-certificates \
-    su-exec \
-    bash \
-    shadow \
-  && apk del .build-deps
+  # cleanup
+  && scanelp /app/.venv/lib > runtime.txt \
+  && apt-get purge -y --auto-remove $buildDeps \
+  && install-packages $(< runtime.txt) \
+  && apt-get autoremove -y \
+  && apt-get clean -y \
+  && rm -rf \
+        /usr/share/doc \
+        /usr/share/man \
+        /usr/share/info \
+        /usr/share/locale \
+        /var/lib/apt/lists/* \
+        /var/log/* \
+        /var/cache/debconf/* \
+        /etc/systemd \
+        /lib/lsb \
+        /lib/udev \
+        /usr/lib/`echo $(uname -m)`-linux-gnu/gconv/IBM* \
+        /usr/lib/`echo $(uname -m)`-linux-gnu/gconv/EBC* \
+  && mkdir -p /usr/share/man/man{1..8}
 
 COPY . /app
 
-
-ENV PATH /app/.venv/bin:/app/bin:$PATH
+USER drycc
 WORKDIR /app
-CMD ["/app/bin/boot"]
+CMD ["PATH=/app/.venv/bin:\$PATH", "/app/bin/boot"]
 EXPOSE 8000

rootfs/Dockerfile.test

@@ -1,48 +1,52 @@
-FROM docker.io/library/python:3.9-alpine
+FROM docker.io/drycc/base:bullseye
 
 COPY requirements.txt /app/requirements.txt
 COPY dev_requirements.txt /app/dev_requirements.txt
 
-ENV PGDATA /var/lib/postgresql/12
+ENV PGDATA="/opt/drycc/postgresql/data" \
+  PYTHON_VERSION="3.10.2" \
+  REDIS_VERSION="6.2.6" \
+  RABBITMQ_VERSION="3.9.13" \
+  POSTGRES_VERSION="14.2" \
+  GOSU_VERSION="1.14"
 
-ENV PATH="/app/.venv/bin:${PATH}"
-
-RUN echo https://dl-cdn.alpinelinux.org/alpine/edge/testing >>/etc/apk/repositories \
-  && apk add --update --virtual .build-deps \
-    gcc \
-    rust \
-    cargo \
-    postgresql-dev \
-    libffi-dev \
-    musl-dev \
-    openssl-dev \
+RUN buildDeps='gcc rustc cargo  libffi-dev musl-dev openssl'; \
+  install-packages mercurial ca-certificates git $buildDeps \
+  && install-stack python $PYTHON_VERSION \
+  && install-stack redis $REDIS_VERSION \
+  && install-stack rabbitmq $RABBITMQ_VERSION \
+  && install-stack postgresql $POSTGRES_VERSION \
+  && install-stack gosu $GOSU_VERSION && . init-stack \
   && python3 -m venv /app/.venv \
   && source /app/.venv/bin/activate \
   && pip3 install --disable-pip-version-check --no-cache-dir -r /app/requirements.txt \
   && pip3 install --disable-pip-version-check --no-cache-dir -r /app/dev_requirements.txt \
-  && find /app/.venv /usr/local -type f -executable ! -path '*/cryptography*' -exec scanelf --needed --nobanner --format '%n#p' '{}' ';' \
-    | tr ',' '\n' \
-    | sort -u \
-    | awk 'system("[[ -e /app/.venv/lib/" $1 " || -e /usr/local/lib/" $1 " ]]") == 0 { next } { print "so:" $1 }' \
-    | xargs -rt apk add --no-cache --virtual .python-rundeps \
-  && apk add --update --virtual .controller-rundeps \
-    git \
-    mercurial \
-    ca-certificates \
-    su-exec \
-    bash \
-    shadow \
-    postgresql \
-    redis \
-    rabbitmq-server \
+  # cleanup
+  && scanelp /app/.venv/lib > runtime.txt \
+  && apt-get purge -y --auto-remove $buildDeps \
+  && install-packages $(< runtime.txt) \
+  && apt-get autoremove -y \
+  && apt-get clean -y \
+  && rm -rf \
+        /usr/share/doc \
+        /usr/share/man \
+        /usr/share/info \
+        /usr/share/locale \
+        /var/lib/apt/lists/* \
+        /var/log/* \
+        /var/cache/debconf/* \
+        /etc/systemd \
+        /lib/lsb \
+        /lib/udev \
+        /usr/lib/`echo $(uname -m)`-linux-gnu/gconv/IBM* \
+        /usr/lib/`echo $(uname -m)`-linux-gnu/gconv/EBC* \
+  && mkdir -p /usr/share/man/man{1..8} \
   && mkdir -p /run/postgresql $PGDATA \
+  && groupadd postgres && useradd -g postgres postgres \
   && chown -R postgres:postgres /run/postgresql $PGDATA \
-  && apk del .build-deps \
-  && su-exec postgres initdb -D $PGDATA
+  && gosu postgres initdb -D $PGDATA
 
 COPY . /app
-
-ENV PATH /app/.venv/bin:/app/bin:$PATH
 WORKDIR /app
 CMD ["/app/bin/boot"]
 EXPOSE 8000

rootfs/bin/test-style

@@ -5,5 +5,6 @@
 
 # fail hard and fast even on pipelines
 set -eou pipefail
-
+# shellcheck disable=SC1091
+source /app/.venv/bin/activate
 flake8 --show-source

rootfs/bin/test-unit

@@ -5,6 +5,8 @@
 
 # fail hard and fast even on pipelines
 set -eou pipefail
+# shellcheck disable=SC1091
+source /app/.venv/bin/activate
 
 function start_redis() {
     cd /tmp
@@ -18,7 +20,7 @@ function start_rabbitmq() {
     cd -
 }
 
-su-exec postgres pg_ctl -D "$PGDATA" start
+gosu postgres pg_ctl -D "$PGDATA" start && ln -s /tmp/.s.PGSQL.5432 /var/run/postgresql/.s.PGSQL.5432
 start_redis
 start_rabbitmq
 python3 manage.py check

rootfs/bin/upload-coverage

@@ -0,0 +1,11 @@
+#!/usr/bin/env bash
+#
+# This script is designed to be run inside the container
+#
+
+# fail hard and fast even on pipelines
+set -eou pipefail
+# shellcheck disable=SC1091
+source /app/.venv/bin/activate
+
+codecov --required