feat(al2): Updated dockerfile to use new al2 base image (#59)

### Improvements - Update to use new Amazon Linux base image and use the same structure as our other python services. - Utilizing "gen3" user instead of "root" for more secure containers - Moving to Poetry to manage our virtual environments - Multi-stage Docker builds for smaller images - Move to Gunicorn --------- Co-authored-by: Edward Malinowski <edwardmalinowski@Eds-MacBook-Pro.attlocal.net> Co-authored-by: EliseCastle23 <109446148+EliseCastle23@users.noreply.github.com> Co-authored-by: Maribelle Hannah Gomez <maribellehgomez@gmail.com>
uc-cdis · Nov 18, 2024 · 105b710 · 105b710
1 parent ebbb2ec
commit 105b710
Show file tree

Hide file tree

Showing 4 changed files with 48 additions and 12 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -1,17 +1,39 @@
-FROM quay.io/cdis/python:python3.9-buster-2.0.0 AS base
+ARG AZLINUX_BASE_VERSION=master
 
+FROM quay.io/cdis/python-nginx-al:feat_python-nginx AS base
+
+ENV appname=requestor
+
+WORKDIR /${appname}
+
+RUN chown -R gen3:gen3 /${appname}
+
+# Builder stage
 FROM base AS builder
-RUN pip install --upgrade pip poetry
-RUN apt-get update \
-    && apt-get install -y --no-install-recommends \
-    build-essential gcc make musl-dev libffi-dev libssl-dev git curl
 
-COPY . /src/
-WORKDIR /src
-RUN python -m venv /env && . /env/bin/activate && pip install --upgrade pip && poetry install --no-dev --no-interaction
+USER gen3
+
+COPY poetry.lock pyproject.toml alembic.ini README.md /${appname}/
+
+RUN poetry install -vv --without dev --no-interaction
 
+COPY --chown=gen3:gen3 ./src /${appname}
+COPY --chown=gen3:gen3 ./migrations /${appname}/migrations
+COPY --chown=gen3:gen3 ./deployment/wsgi/wsgi.py /${appname}/deployment/wsgi/wsgi.py
+COPY --chown=gen3:gen3 ./deployment/wsgi/gunicorn.conf.py /${appname}/deployment/wsgi/gunicorn.conf.py
+COPY --chown=gen3:gen3 ./dockerrun.bash /${appname}/dockerrun.bash
+
+# Run poetry again so this app itself gets installed too
+RUN poetry install --no-interaction --without dev
+
+# Final stage
 FROM base
-COPY --from=builder /env /env
-COPY --from=builder /src /src
-WORKDIR /src
-CMD ["/env/bin/gunicorn", "requestor.asgi:app", "-b", "0.0.0.0:80", "-k", "uvicorn.workers.UvicornWorker"]
+
+COPY --from=builder /${appname} /${appname}
+
+# Switch to non-root user 'gen3' for the serving process
+USER gen3
+
+WORKDIR /${appname}
+
+CMD ["/bin/bash", "-c", "/requestor/dockerrun.bash"]
diff --git a/deployment/wsgi/gunicorn.conf.py b/deployment/wsgi/gunicorn.conf.py
@@ -0,0 +1,7 @@
+wsgi_app = "deployment.wsgi.wsgi:application"
+bind = "0.0.0.0:8000"
+workers = 1
+user = "gen3"
+group = "gen3"
+timeout = 300
+worker_class = "uvicorn.workers.UvicornWorker"
diff --git a/deployment/wsgi/wsgi.py b/deployment/wsgi/wsgi.py
@@ -0,0 +1,3 @@
+from requestor.app import app_init
+
+application = app_init()
diff --git a/dockerrun.bash b/dockerrun.bash
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+nginx
+poetry run gunicorn -c "/requestor/deployment/wsgi/gunicorn.conf.py" requestor.asgi:app