From b6b0b7c27b9c1e12f321dc16b89acbf90c00af19 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Fri, 2 Feb 2024 05:10:50 -0500 Subject: [PATCH 01/30] Use the full identifier for source Docker images This helps ensure that when a Docker image is built the expacted source image is used regardless of what repository is configured as the default on the host system. It also makes our Dockerfiles more seamlessly convertible to using the GitHub Container Registry or any other Open Container Initiative (OCI) compatible registry. --- Dockerfile | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index fc7b5c2..e4a610d 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,6 +1,8 @@ ARG VERSION=unspecified -FROM python:3.12.0-alpine +# Official Docker images are in the form library/ while non-official +# images are in the form /. +FROM docker.io/library/python:3.12.0-alpine ARG VERSION From 3b7a9ccdf02878c1d68c2fa8a26db02df0ba3b8c Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Tue, 20 Feb 2024 10:02:56 -0500 Subject: [PATCH 02/30] Install cisagov/skeleton-python-library directly Instead of downloading the source archive, extracting it, and then installing it with pip we instead just let pip directly install the package. --- Dockerfile | 7 +------ 1 file changed, 1 insertion(+), 6 deletions(-) diff --git a/Dockerfile b/Dockerfile index 9c939b7..7492a54 100644 --- a/Dockerfile +++ b/Dockerfile 
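Review bot: `FROM docker.io/library/python:3.12.0-alpine` is still a mutable tag, so the fully qualified name fixes which registry is consulted but not which image content is pulled; a retagged upstream image would be accepted silently. Pinning by digest as well, `FROM docker.io/library/python:3.12.0-alpine@sha256:<digest>`, makes the base reproducible and turns a base-image update into a deliberate, reviewable change. The digest has to be read from the registry at update time, so this is best paired with a dependency-update tool that rewrites the line.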
@@ -79,12 +79,7 @@ WORKDIR ${CISA_HOME} # cache. This results in a smaller final image, at the cost of # slightly longer install times. ### -RUN wget --output-document sourcecode.tgz \ - https://github.com/cisagov/skeleton-python-library/archive/v${VERSION}.tar.gz \ - && tar --extract --gzip --file sourcecode.tgz --strip-components=1 \ - && pip3 install --no-cache-dir --requirement requirements.txt \ - && ln -snf /run/secrets/quote.txt src/example/data/secret.txt \ - && rm sourcecode.tgz +RUN pip3 install --no-cache-dir https://github.com/cisagov/skeleton-python-library/archive/v${VERSION}.tar.gz ### # Prepare to run From db1970697171c6e530b8328f79071b022c14c848 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Tue, 13 Feb 2024 05:05:50 -0500 Subject: [PATCH 03/30] Use a specific version of Alpine Linux Use the full tag that includes the Alpine Linux version to ensure the pulled image is always the same. --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index e4a610d..9c939b7 100644 --- a/Dockerfile +++ b/Dockerfile @@ -2,7 +2,7 @@ ARG VERSION=unspecified # Official Docker images are in the form library/ while non-official # images are in the form /. -FROM docker.io/library/python:3.12.0-alpine +FROM docker.io/library/python:3.12.0-alpine3.18 ARG VERSION From 9e6eef290a6dc61f0cb95357383770c635dec4c3 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Tue, 20 Feb 2024 10:05:26 -0500 Subject: [PATCH 04/30] Remove unused OS package dependencies Since we are now installing cisagov/skeleton-python-library directly with pip we no longer need these OS packages. --- Dockerfile | 13 ------------- 1 file changed, 13 deletions(-) diff --git a/Dockerfile b/Dockerfile index 7492a54..ce1aa88 100644 --- a/Dockerfile +++ b/Dockerfile 
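Review bot: `RUN pip3 install --no-cache-dir https://github.com/cisagov/skeleton-python-library/archive/v${VERSION}.tar.gz` installs a remote archive with no integrity check: the `v${VERSION}` git tag can be moved, and GitHub archive tarballs are generated on request and have changed checksum in the past, so neither the content nor its hash is guaranteed stable between builds. Referencing an immutable commit in the URL (`archive/<commit-sha>.tar.gz`) or installing from a hash-pinned requirements file with `--require-hashes` would make the build fail if the artifact changes instead of trusting whatever the URL serves. The removed `ln -snf /run/secrets/quote.txt ...` line also silently drops the runtime secret wiring; if that is intentional, a one-line comment in the Dockerfile saying the Compose secret is no longer consumed would save the next reader a search.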
@@ -45,19 +45,6 @@ RUN apk --update --no-cache --quiet upgrade RUN addgroup --system --gid ${CISA_GID} ${CISA_GROUP} \ && adduser --system --uid ${CISA_UID} --ingroup ${CISA_GROUP} ${CISA_USER} -### -# Dependencies -# -# Note that we use apk --no-cache to avoid writing to a local cache. -# This results in a smaller final image, at the cost of slightly -# longer install times. -### -ENV DEPS \ - ca-certificates \ - openssl \ - py-pip -RUN apk --no-cache --quiet add ${DEPS} - ### # Make sure pip, setuptools, and wheel are the latest versions # From c516e44a361bdb3ddf285203bfe487e2c9f94ef6 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Tue, 20 Feb 2024 13:16:14 -0500 Subject: [PATCH 05/30] Remove package upgrading We should not blindly upgrade all pre-installed packages. This can create inconsistent build results due to changes in installed versions. --- Dockerfile | 9 --------- 1 file changed, 9 deletions(-) diff --git a/Dockerfile b/Dockerfile index ce1aa88..296d03d 100644 --- a/Dockerfile +++ b/Dockerfile @@ -30,15 +30,6 @@ ARG CISA_USER="cisa" ENV CISA_GROUP=${CISA_USER} ENV CISA_HOME="/home/${CISA_USER}" -### -# Upgrade the system -# -# Note that we use apk --no-cache to avoid writing to a local cache. -# This results in a smaller final image, at the cost of slightly -# longer install times. -### -RUN apk --update --no-cache --quiet upgrade - ### # Create unprivileged user ### From 460eeec5f3861847966f525d6388adbfed8fc49d Mon Sep 17 00:00:00 2001 
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Tue, 20 Feb 2024 10:11:44 -0500 Subject: [PATCH 06/30] Change the secret message being checks in tests Now that we are not overwriting the internal Python package file the text we look for must match what is output by default. The Docker Compose secret configuration is left in place to continue to serve as an example and to be leveraged for a future update to cisagov/skeleton-python-library that can provide similar functionality to what was removed in this project. --- tests/container_test.py | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/tests/container_test.py b/tests/container_test.py index cf18333..6451766 100644 --- a/tests/container_test.py +++ b/tests/container_test.py @@ -10,9 +10,7 @@ ENV_VAR = "ECHO_MESSAGE" ENV_VAR_VAL = "Hello World from docker compose!" READY_MESSAGE = "This is a debug message" -SECRET_QUOTE = ( - "There are no secrets better kept than the secrets everybody guesses." # nosec -) +SECRET_QUOTE = "Three may keep a secret, if two of them are dead." # nosec RELEASE_TAG = os.getenv("RELEASE_TAG") VERSION_FILE = "src/version.txt" From 001e85e96753b00cfc4909e691ee29930b834787 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Tue, 20 Feb 2024 13:21:51 -0500 Subject: [PATCH 07/30] Pin Python packages directly installed Pin the versions of the pip, setuptools, and wheel packages that are installed. --- Dockerfile | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/Dockerfile b/Dockerfile index 296d03d..7ba2012 100644 --- a/Dockerfile +++ b/Dockerfile @@ -30,6 +30,11 @@ ARG CISA_USER="cisa" ENV CISA_GROUP=${CISA_USER} ENV CISA_HOME="/home/${CISA_USER}" +# Versions of the Python packages installed directly +ENV PYTHON_PIP_VERSION=24.0 +ENV PYTHON_SETUPTOOLS_VERSION=69.1.0 +ENV PYTHON_WHEEL_VERSION=0.42.0 + ### # Create unprivileged user ### 
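Review bot: `ENV PYTHON_PIP_VERSION=24.0` and the two lines after it bake build-time-only values into the runtime environment of the image, where nothing reads them; `ARG` is the instruction meant for values consumed only by `RUN` during the build, e.g. `ARG PYTHON_PIP_VERSION=24.0`. Exact version pins are the right direction, but a pin alone does not protect against a replaced wheel on the index; a hash-pinned requirements file with `--require-hashes` would close that gap for these three packages. If they deliberately stay as `ENV` so they can be inspected in the running container, a short comment saying so would justify the choice.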
@@ -37,16 +42,16 @@ RUN addgroup --system --gid ${CISA_GID} ${CISA_GROUP} \ && adduser --system --uid ${CISA_UID} --ingroup ${CISA_GROUP} ${CISA_USER} ### -# Make sure pip, setuptools, and wheel are the latest versions +# Make sure the specified versions of pip, setuptools, and wheel are installed # # Note that we use pip3 --no-cache-dir to avoid writing to a local # cache. This results in a smaller final image, at the cost of # slightly longer install times. ### RUN pip3 install --no-cache-dir --upgrade \ - pip \ - setuptools \ - wheel + pip==${PYTHON_PIP_VERSION} \ + setuptools==${PYTHON_SETUPTOOLS_VERSION} \ + wheel==${PYTHON_WHEEL_VERSION} WORKDIR ${CISA_HOME} From 48fa1a5c61a0ef05db5bc352b68bd3d8cdcd2c94 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Mon, 26 Feb 2024 17:02:05 -0500 Subject: [PATCH 08/30] Prefer calling pip as a module Instead of relying on `pip3` being on the PATH we instead call the module through the Python executable. This ensures that the `pip` being used is in the same environment as the `python3` being used. --- Dockerfile | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/Dockerfile b/Dockerfile index ca97b41..b07e712 100644 --- a/Dockerfile +++ b/Dockerfile @@ -44,11 +44,11 @@ RUN addgroup --system --gid ${CISA_GID} ${CISA_GROUP} \ ### # Make sure the specified versions of pip, setuptools, and wheel are installed # -# Note that we use pip3 --no-cache-dir to avoid writing to a local +# Note that we use the --no-cache-dir flag to avoid writing to a local # cache. This results in a smaller final image, at the cost of # slightly longer install times. ### -RUN pip3 install --no-cache-dir --upgrade \ +RUN python3 -m pip install --no-cache-dir --upgrade \ pip==${PYTHON_PIP_VERSION} \ setuptools==${PYTHON_SETUPTOOLS_VERSION} \ wheel==${PYTHON_WHEEL_VERSION} 
@@ -56,11 +56,11 @@ RUN pip3 install --no-cache-dir --upgrade \ ### # Install Python dependencies # -# Note that we use pip3 --no-cache-dir to avoid writing to a local +# Note that we use the --no-cache-dir flag to avoid writing to a local # cache. This results in a smaller final image, at the cost of # slightly longer install times. ### -RUN pip3 install --no-cache-dir https://github.com/cisagov/skeleton-python-library/archive/v${VERSION}.tar.gz +RUN python3 -m pip install --no-cache-dir https://github.com/cisagov/skeleton-python-library/archive/v${VERSION}.tar.gz ### # Prepare to run From e6f5798b9bdbe140aab760f0cedee7ee01324907 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Fri, 23 Feb 2024 13:14:34 -0500 Subject: [PATCH 09/30] Move WORKDIR instruction We can move this instruction to the end of the Dockerfile now that we are no longer working with files in the Docker container when building. --- Dockerfile | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index 7ba2012..ca97b41 100644 --- a/Dockerfile +++ b/Dockerfile @@ -53,8 +53,6 @@ RUN pip3 install --no-cache-dir --upgrade \ setuptools==${PYTHON_SETUPTOOLS_VERSION} \ wheel==${PYTHON_WHEEL_VERSION} -WORKDIR ${CISA_HOME} - ### # Install Python dependencies # @@ -68,6 +66,7 @@ RUN pip3 install --no-cache-dir https://github.com/cisagov/skeleton-python-libra # Prepare to run ### ENV ECHO_MESSAGE="Hello World from Dockerfile" +WORKDIR ${CISA_HOME} USER ${CISA_USER}:${CISA_GROUP} EXPOSE 8080/TCP VOLUME ["/var/log"] From 95d4a7a6f49a61216547f9f49c363f847bf99107 Mon Sep 17 00:00:00 2001 
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Mon, 26 Feb 2024 17:13:30 -0500 Subject: [PATCH 10/30] Use a Python virtual environment in the Docker image Using a virtual environment is a Python best practice. We also consolidate all of the Python dependency installation steps into a single RUN instruction. This ensures that Python setup is cached in one layer and mirrors the logical organization of this being a single step. --- Dockerfile | 28 ++++++++++++++++++---------- 1 file changed, 18 insertions(+), 10 deletions(-) diff --git a/Dockerfile b/Dockerfile index b07e712..7416591 100644 --- a/Dockerfile +++ b/Dockerfile @@ -29,6 +29,7 @@ ARG CISA_GID=${CISA_UID} ARG CISA_USER="cisa" ENV CISA_GROUP=${CISA_USER} ENV CISA_HOME="/home/${CISA_USER}" +ENV VIRTUAL_ENV="${CISA_HOME}/.venv" # Versions of the Python packages installed directly ENV PYTHON_PIP_VERSION=24.0 
@@ -42,25 +43,32 @@ RUN addgroup --system --gid ${CISA_GID} ${CISA_GROUP} \ && adduser --system --uid ${CISA_UID} --ingroup ${CISA_GROUP} ${CISA_USER} ### -# Make sure the specified versions of pip, setuptools, and wheel are installed +# Set up a Python virtual environment (venv); install the specified versions of pip, +# setuptools, and wheel into it; and then install the Python dependencies for +# the application. # # Note that we use the --no-cache-dir flag to avoid writing to a local # cache. This results in a smaller final image, at the cost of # slightly longer install times. ### -RUN python3 -m pip install --no-cache-dir --upgrade \ - pip==${PYTHON_PIP_VERSION} \ - setuptools==${PYTHON_SETUPTOOLS_VERSION} \ - wheel==${PYTHON_WHEEL_VERSION} +RUN python3 -m venv ${VIRTUAL_ENV} \ + && ${VIRTUAL_ENV}/bin/python3 -m pip install --no-cache-dir --upgrade \ + pip==${PYTHON_PIP_VERSION} \ + setuptools==${PYTHON_SETUPTOOLS_VERSION} \ + wheel==${PYTHON_WHEEL_VERSION} \ + && ${VIRTUAL_ENV}/bin/python3 -m pip install --no-cache-dir --upgrade \ + https://github.com/cisagov/skeleton-python-library/archive/v${VERSION}.tar.gz ### -# Install Python dependencies +# Sym-link the Python binary in the venv to the system-wide Python and add the venv to +# the PATH. # -# Note that we use the --no-cache-dir flag to avoid writing to a local -# cache. This results in a smaller final image, at the cost of -# slightly longer install times. +# Note that we sym-link the Python binary in the venv to the system-wide Python so that +# any calls to `python3` will use our virtual environment. We are using short flags +# because the ln binary in Alpine Linux does not support long flags. ### -RUN python3 -m pip install --no-cache-dir https://github.com/cisagov/skeleton-python-library/archive/v${VERSION}.tar.gz +RUN ln -sf "$(command -v python3)" "${VIRTUAL_ENV}"/bin/python3 +ENV PATH="${VIRTUAL_ENV}/bin:$PATH" ### # Prepare to run 
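Review bot: `RUN ln -sf "$(command -v python3)" "${VIRTUAL_ENV}"/bin/python3` only works because `command -v python3` resolves to the system interpreter, which is true solely because `ENV PATH="${VIRTUAL_ENV}/bin:$PATH"` comes after it; if the two lines are ever reordered, the venv's `python3` is re-linked to itself and every later `python3` call fails on a circular symlink. The comment should state that constraint, e.g. `# Must run before the venv is prepended to PATH, otherwise command -v resolves to the venv's own python3 and the link becomes circular.` As far as I can tell `python3 -m venv` already creates `bin/python3` as a symlink to the creating interpreter, so this line normalizes that link rather than redirecting `python3` calls; the redirection comes from the PATH change, and the comment would be clearer if it said so.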
From 79a4adf8a55a81c8360b1a49c55ea5fd91ebdc49 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Tue, 27 Feb 2024 18:12:50 -0500 Subject: [PATCH 11/30] Add a pipenv configuration This configuration includes a Pipfile configuration file and the generated Pipfile.lock file that pins to specific versions for the Python dependencies for this project. This will help us ensure repeatable builds. The pipenv package is added as a developmental requirement to support these files. --- requirements-dev.txt | 1 + src/Pipfile | 13 +++++++++++++ src/Pipfile.lock | 38 ++++++++++++++++++++++++++++++++++++++ 3 files changed, 52 insertions(+) create mode 100644 src/Pipfile create mode 100644 src/Pipfile.lock diff --git a/requirements-dev.txt b/requirements-dev.txt index de5eb3b..d7a04ed 100644 --- a/requirements-dev.txt +++ b/requirements-dev.txt @@ -1,3 +1,4 @@ --requirement requirements-test.txt ipython +pipenv semver>=3 diff --git a/src/Pipfile b/src/Pipfile new file mode 100644 index 0000000..56f2fc9 --- /dev/null +++ b/src/Pipfile @@ -0,0 +1,13 @@ +[[source]] +url = "https://pypi.org/simple" +verify_ssl = true +name = "pypi" + +# List any Python dependencies for the image here +[packages] +# This should match the version of the image +example = {file = "https://github.com/cisagov/skeleton-python-library/archive/v0.0.1.tar.gz"} + +# This version should match the version of Python in the image +[requires] +python_full_version = "3.12.0" diff --git a/src/Pipfile.lock b/src/Pipfile.lock new file mode 100644 index 0000000..d39d053 --- /dev/null +++ b/src/Pipfile.lock 
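Review bot: `example = {file = "https://github.com/cisagov/skeleton-python-library/archive/v0.0.1.tar.gz"}` pins to a git tag, which is mutable, and because it is a URL dependency the generated `Pipfile.lock` records no hash for it (the `example` entry carries only `file`), so `pipenv install --deploy` cannot detect a changed archive the way it can for `docopt` and `setuptools`. Referencing an immutable commit in the URL (`archive/<commit-sha>.tar.gz`) or a git dependency pinned to a commit would restore the integrity guarantee the lockfile is meant to provide. The `# This should match the version of the image` comment could also name the file that holds the project version so the two do not drift unnoticed.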
@@ -0,0 +1,38 @@ +{ + "_meta": { + "hash": { + "sha256": "654452851fea1eb2c8811649e5efe8873c8ff51f5c14dd27a4a8ebb5b15a27c4" + }, + "pipfile-spec": 6, + "requires": { + "python_full_version": "3.12.0" + }, + "sources": [ + { + "name": "pypi", + "url": "https://pypi.org/simple", + "verify_ssl": true + } + ] + }, + "default": { + "docopt": { + "hashes": [ + "sha256:49b3a825280bd66b3aa83585ef59c4a8c82f2c8a522dbe754a8bc8d08c85c491" + ], + "version": "==0.6.2" + }, + "example": { + "file": "https://github.com/cisagov/skeleton-python-library/archive/v0.0.1.tar.gz" + }, + "setuptools": { + "hashes": [ + "sha256:02fa291a0471b3a18b2b2481ed902af520c69e8ae0919c13da936542754b4c56", + "sha256:5c0806c7d9af348e6dd3777b4f4dbb42c7ad85b190104837488eab9a7c945cf8" + ], + "markers": "python_version >= '3.8'", + "version": "==69.1.1" + } + }, + "develop": {} +} From d3895efb85ba686d8d4bfac0bbf6f0a674aeb145 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Mon, 26 Feb 2024 22:16:54 -0500 Subject: [PATCH 12/30] Explain `ln` options being used Since we cannot use long options on Alpine Linux we should explain what the short options we are using do. I also changed the order of options so that they are in alphabetical order. Co-authored-by: Shane Frasier --- Dockerfile | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index 7416591..1aae8db 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -65,9 +65,10 @@ RUN python3 -m venv ${VIRTUAL_ENV} \ # # Note that we sym-link the Python binary in the venv to the system-wide Python so that # any calls to `python3` will use our virtual environment. We are using short flags -# because the ln binary in Alpine Linux does not support long flags. +# because the ln binary in Alpine Linux does not support long flags. The -f instructs +# ln to remove the existing file and the -s instructs ln to create a symbolic link. ### -RUN ln -sf "$(command -v python3)" "${VIRTUAL_ENV}"/bin/python3 +RUN ln -fs "$(command -v python3)" "${VIRTUAL_ENV}"/bin/python3 ENV PATH="${VIRTUAL_ENV}/bin:$PATH" ### From 6b869bb2ee9ec0423008973746a498305787d23a Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Tue, 27 Feb 2024 19:01:45 -0500 Subject: [PATCH 13/30] Install Python dependencies using pipenv Now that we have a pipenv configuration we will use it to install the Python dependencies for the image. The `build` workflow is updated to no longer pass the VERSION build argument in line with this change. --- .github/workflows/build.yml | 4 ---- Dockerfile | 34 +++++++++++++++++++++++----------- README.md | 2 -- 3 files changed, 23 insertions(+), 17 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index f643b86..612806d 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -348,8 +348,6 @@ jobs: id: docker_build uses: docker/build-push-action@v6 with: - build-args: | - VERSION=${{ needs.prepare.outputs.source_version }} cache-from: type=local,src=${{ env.BUILDX_CACHE_DIR }} cache-to: type=local,dest=${{ env.BUILDX_CACHE_DIR }} context: . @@ -516,8 +514,6 @@ jobs: id: docker_build uses: docker/build-push-action@v6 with: - build-args: | - VERSION=${{ needs.prepare.outputs.source_version }} cache-from: type=local,src=${{ env.BUILDX_CACHE_DIR }} cache-to: type=local,dest=${{ env.BUILDX_CACHE_DIR }} context: . 
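Review bot: The reworded comment still says the symlink is what makes `python3` calls use the virtual environment, but the `ENV PATH="${VIRTUAL_ENV}/bin:$PATH"` line below it is what does that; `ln -fs` only re-points the venv's existing `bin/python3` link at the system interpreter found by `command -v`. Suggest `# Re-link the venv's python3 at the system interpreter; the venv itself is selected by prepending it to PATH below.` The comment should also note that this line must stay above the PATH change, since with the venv first on PATH `command -v python3` would resolve to the very link being replaced.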
diff --git a/Dockerfile b/Dockerfile index 1aae8db..c36ae46 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,11 +1,7 @@ -ARG VERSION=unspecified - # Official Docker images are in the form library/ while non-official # images are in the form /. FROM docker.io/library/python:3.12.0-alpine3.18 -ARG VERSION - ### # For a list of pre-defined annotation keys and value types see: # https://github.com/opencontainers/image-spec/blob/master/annotations.md @@ -33,6 +29,7 @@ ENV VIRTUAL_ENV="${CISA_HOME}/.venv" # Versions of the Python packages installed directly ENV PYTHON_PIP_VERSION=24.0 +ENV PYTHON_PIPENV_VERSION=2023.12.1 ENV PYTHON_SETUPTOOLS_VERSION=69.1.0 ENV PYTHON_WHEEL_VERSION=0.42.0 
@@ -43,21 +40,36 @@ RUN addgroup --system --gid ${CISA_GID} ${CISA_GROUP} \ && adduser --system --uid ${CISA_UID} --ingroup ${CISA_GROUP} ${CISA_USER} ### -# Set up a Python virtual environment (venv); install the specified versions of pip, -# setuptools, and wheel into it; and then install the Python dependencies for -# the application. +# Install the specified version of pipenv; set up a Python virtual environment (venv); +# and install the specified versions of pip, setuptools, and wheel into the venv. # # Note that we use the --no-cache-dir flag to avoid writing to a local # cache. This results in a smaller final image, at the cost of # slightly longer install times. ### -RUN python3 -m venv ${VIRTUAL_ENV} \ +RUN python3 -m pip install --no-cache-dir --upgrade pipenv==${PYTHON_PIPENV_VERSION} \ + # Manueally create the virtual environment + && python3 -m venv ${VIRTUAL_ENV} \ + # Ensure the core Python packages are installed in the virtual environment && ${VIRTUAL_ENV}/bin/python3 -m pip install --no-cache-dir --upgrade \ pip==${PYTHON_PIP_VERSION} \ setuptools==${PYTHON_SETUPTOOLS_VERSION} \ - wheel==${PYTHON_WHEEL_VERSION} \ - && ${VIRTUAL_ENV}/bin/python3 -m pip install --no-cache-dir --upgrade \ - https://github.com/cisagov/skeleton-python-library/archive/v${VERSION}.tar.gz + wheel==${PYTHON_WHEEL_VERSION} + +### +# Check the Pipfile configuration and then install the Python dependencies into +# the virtual environment. +# +# Note that pipenv will install into a virtual environment if the VIRTUAL_ENV +# environment variable is set. We are using short flags because the rm binary +# in Alpine Linux does not support long flags. The -f instructs rm to remove +# files without prompting. +### +WORKDIR /tmp +COPY src/Pipfile src/Pipfile.lock ./ +RUN pipenv check --verbose \ + && pipenv install --clear --deploy --extra-pip-args "--no-cache-dir" --verbose \ + && rm -f Pipfile* ### # Sym-link the Python binary in the venv to the system-wide Python and add the venv to 
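Review bot: `RUN pipenv check --verbose && pipenv install --clear --deploy ...` makes the image build depend on an external advisory feed: as far as I know `pipenv check` in this release delegates to safety, which fetches its vulnerability database at run time, so the same Dockerfile and lockfile can build today and fail tomorrow, and the step fails outright in network-restricted build environments. Gating on a vulnerability scan is a good control, but it is usually better placed as a separate CI step with an explicit policy; if it stays here, a comment should say the step needs network access and that a new advisory is meant to break the build. Separately, `--deploy` verifies the lock hash and per-package hashes, but the `example` URL dependency has no hash in `Pipfile.lock`, so that package is installed unverified regardless of the flag.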
diff --git a/README.md b/README.md index 57f8c30..8d926e4 100644 --- a/README.md +++ b/README.md @@ -196,7 +196,6 @@ Build the image locally using this git repository as the [build context](https:/ ```console docker build \ - --build-arg VERSION=0.0.1 \ --tag cisagov/example:0.0.1 \ https://github.com/cisagov/example.git#develop ``` @@ -227,7 +226,6 @@ Docker: docker buildx build \ --file Dockerfile-x \ --platform linux/amd64 \ - --build-arg VERSION=0.0.1 \ --output type=docker \ --tag cisagov/example:0.0.1 . ``` From 5cbb75beff797cc24c469cb24941d2541473923b Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Tue, 27 Feb 2024 19:09:29 -0500 Subject: [PATCH 14/30] Use a multi-stage Docker build Switch to using a multi-stage build in the Dockerfile. This reduces image size since pipenv and its dependencices are not needed in the final image. It also ensures that the system Python environment is unmodified. --- Dockerfile | 71 +++++++++++++++++++++++++++++++----------------------- 1 file changed, 41 insertions(+), 30 deletions(-) diff --git a/Dockerfile b/Dockerfile index c36ae46..ca0742e 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -1,29 +1,11 @@ # Official Docker images are in the form library/ while non-official # images are in the form /. -FROM docker.io/library/python:3.12.0-alpine3.18 +FROM docker.io/library/python:3.12.0-alpine3.18 as compile-stage ### -# For a list of pre-defined annotation keys and value types see: -# https://github.com/opencontainers/image-spec/blob/master/annotations.md -# -# Note: Additional labels are added by the build workflow. -### -# github@cisa.dhs.gov is a very generic email distribution, and it is -# unlikely that anyone on that distribution is familiar with the -# particulars of your repository. It is therefore *strongly* -# suggested that you use an email address here that is specific to the -# person or group that maintains this repository; for example: -# LABEL org.opencontainers.image.authors="vm-fusion-dev-group@trio.dhs.gov" -LABEL org.opencontainers.image.authors="github@cisa.dhs.gov" -LABEL org.opencontainers.image.vendor="Cybersecurity and Infrastructure Security Agency" - -### -# Unprivileged user setup variables +# Unprivileged user variables ### -ARG CISA_UID=421 -ARG CISA_GID=${CISA_UID} ARG CISA_USER="cisa" -ENV CISA_GROUP=${CISA_USER} ENV CISA_HOME="/home/${CISA_USER}" ENV VIRTUAL_ENV="${CISA_HOME}/.venv" @@ -33,12 +15,6 @@ ENV PYTHON_PIPENV_VERSION=2023.12.1 ENV PYTHON_SETUPTOOLS_VERSION=69.1.0 ENV PYTHON_WHEEL_VERSION=0.42.0 -### -# Create unprivileged user -### -RUN addgroup --system --gid ${CISA_GID} ${CISA_GROUP} \ - && adduser --system --uid ${CISA_UID} --ingroup ${CISA_GROUP} ${CISA_USER} - ### # Install the specified version of pipenv; set up a Python virtual environment (venv); # and install the specified versions of pip, setuptools, and wheel into the venv. 
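Review bot: `FROM docker.io/library/python:3.12.0-alpine3.18 as compile-stage` mixes keyword case: every other instruction in the file is uppercase, and BuildKit's `FromAsCasing` check warns when `FROM` and `as` differ. Use `AS compile-stage` (and the same for the second stage). Both stages pull the same base image tag, and the venv built in the first stage is only valid in the second if the interpreters match, so declaring it once, `ARG BASE_IMAGE=docker.io/library/python:3.12.0-alpine3.18` before the first `FROM` and `FROM ${BASE_IMAGE} AS compile-stage`, would make it impossible for the two lines to drift apart on a future bump.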
@@ -68,18 +44,53 @@ RUN python3 -m pip install --no-cache-dir --upgrade pipenv==${PYTHON_PIPENV_VERS WORKDIR /tmp COPY src/Pipfile src/Pipfile.lock ./ RUN pipenv check --verbose \ - && pipenv install --clear --deploy --extra-pip-args "--no-cache-dir" --verbose \ - && rm -f Pipfile* + && pipenv install --clear --deploy --extra-pip-args "--no-cache-dir" --verbose + +# Official Docker images are in the form library/ while non-official +# images are in the form /. +FROM docker.io/library/python:3.12.0-alpine3.18 as build-stage + +### +# For a list of pre-defined annotation keys and value types see: +# https://github.com/opencontainers/image-spec/blob/master/annotations.md +# +# Note: Additional labels are added by the build workflow. +### +# github@cisa.dhs.gov is a very generic email distribution, and it is +# unlikely that anyone on that distribution is familiar with the +# particulars of your repository. It is therefore *strongly* +# suggested that you use an email address here that is specific to the +# person or group that maintains this repository; for example: +# LABEL org.opencontainers.image.authors="vm-fusion-dev-group@trio.dhs.gov" +LABEL org.opencontainers.image.authors="github@cisa.dhs.gov" +LABEL org.opencontainers.image.vendor="Cybersecurity and Infrastructure Security Agency" + +### +# Unprivileged user setup variables +### +ARG CISA_UID=421 +ARG CISA_GID=${CISA_UID} +ARG CISA_USER="cisa" +ENV CISA_GROUP=${CISA_USER} +ENV CISA_HOME="/home/${CISA_USER}" +ENV VIRTUAL_ENV="${CISA_HOME}/.venv" + +### +# Create unprivileged user +### +RUN addgroup --system --gid ${CISA_GID} ${CISA_GROUP} \ + && adduser --system --uid ${CISA_UID} --ingroup ${CISA_GROUP} ${CISA_USER} ### -# Sym-link the Python binary in the venv to the system-wide Python and add the venv to -# the PATH. +# Copy in the Python virtual environment created in compile-stage, Sym-link the +# Python binary in the venv to the system-wide Python and add the venv to the PATH. 
# # Note that we sym-link the Python binary in the venv to the system-wide Python so that # any calls to `python3` will use our virtual environment. We are using short flags # because the ln binary in Alpine Linux does not support long flags. The -f instructs # ln to remove the existing file and the -s instructs ln to create a symbolic link. ### +COPY --from=compile-stage --chown=${CISA_USER}:${CISA_GROUP} ${VIRTUAL_ENV} ${VIRTUAL_ENV} RUN ln -fs "$(command -v python3)" "${VIRTUAL_ENV}"/bin/python3 ENV PATH="${VIRTUAL_ENV}/bin:$PATH" From 5dca6d92e268ce2cf1e75efae4e04703d9ec35b4 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Tue, 27 Feb 2024 19:13:33 -0500 Subject: [PATCH 15/30] Install core Python packages into the system Python environment Install the core Python packages (pip, setuptools, and wheel) into the system Python environment before installing pipenv. This keeps things consistent with our usual approach to Python environments. --- Dockerfile | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/Dockerfile b/Dockerfile index ca0742e..96a5126 100644 --- a/Dockerfile +++ b/Dockerfile 
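Review bot: `COPY --from=compile-stage --chown=${CISA_USER}:${CISA_GROUP} ${VIRTUAL_ENV} ${VIRTUAL_ENV}` hands ownership of the interpreter's site-packages to the account the container later runs as (the `USER` switch is outside this hunk), so a compromised process can rewrite the application's own code and persist for the life of that container. Nothing shown here needs the venv to be writable at runtime; dropping `--chown` leaves it root-owned and world-readable, which the runtime user can still execute, and is the least-privilege default. Because `${VIRTUAL_ENV}` lives under `${CISA_HOME}`, a directory the user owns, placing the venv outside the home directory (for example `/opt/venv`) would tighten this further. If something does write into the venv at runtime, a comment naming it would justify keeping the chown.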
@@ -16,14 +16,21 @@ ENV PYTHON_SETUPTOOLS_VERSION=69.1.0 ENV PYTHON_WHEEL_VERSION=0.42.0 ### -# Install the specified version of pipenv; set up a Python virtual environment (venv); -# and install the specified versions of pip, setuptools, and wheel into the venv. +# Install the specified versions of pip, setuptools, and wheel into the system +# Python environment; install the specified version of pipenv into the system Python +# environment; set up a Python virtual environment (venv); and install the specified +# versions of pip, setuptools, and wheel into the venv. # # Note that we use the --no-cache-dir flag to avoid writing to a local # cache. This results in a smaller final image, at the cost of # slightly longer install times. ### -RUN python3 -m pip install --no-cache-dir --upgrade pipenv==${PYTHON_PIPENV_VERSION} \ +RUN python3 -m pip install --no-cache-dir --upgrade \ + pip==${PYTHON_PIP_VERSION} \ + setuptools==${PYTHON_SETUPTOOLS_VERSION} \ + wheel==${PYTHON_WHEEL_VERSION} \ + && python3 -m pip install --no-cache-dir --upgrade \ + pipenv==${PYTHON_PIPENV_VERSION} \ # Manueally create the virtual environment && python3 -m venv ${VIRTUAL_ENV} \ # Ensure the core Python packages are installed in the virtual environment From 79d8de9ae144f57326b4b6a620a55545328e8a38 Mon Sep 17 00:00:00 2001 From: Nick <50747025+mcdonnnj@users.noreply.github.com> Date: Wed, 28 Feb 2024 12:04:09 -0500 Subject: [PATCH 16/30] Fix outdated comment in the Dockerfile The comment references a command that is no longer being run. Co-authored-by: Shane Frasier --- Dockerfile | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/Dockerfile b/Dockerfile index 96a5126..38cf0a4 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -44,9 +44,7 @@ RUN python3 -m pip install --no-cache-dir --upgrade \ # the virtual environment. # # Note that pipenv will install into a virtual environment if the VIRTUAL_ENV -# environment variable is set. We are using short flags because the rm binary -# in Alpine Linux does not support long flags. The -f instructs rm to remove -# files without prompting. +# environment variable is set. ### WORKDIR /tmp COPY src/Pipfile src/Pipfile.lock ./ From 440ba709fe36c8a86d9880995b46a56f6741229d Mon Sep 17 00:00:00 2001 From: Nick <50747025+mcdonnnj@users.noreply.github.com> Date: Wed, 28 Feb 2024 12:04:51 -0500 Subject: [PATCH 17/30] Fix typo in Dockerfile comment Co-authored-by: dav3r --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 38cf0a4..6a00b36 100644 --- a/Dockerfile +++ b/Dockerfile @@ -31,7 +31,7 @@ RUN python3 -m pip install --no-cache-dir --upgrade \ wheel==${PYTHON_WHEEL_VERSION} \ && python3 -m pip install --no-cache-dir --upgrade \ pipenv==${PYTHON_PIPENV_VERSION} \ - # Manueally create the virtual environment + # Manually create the virtual environment && python3 -m venv ${VIRTUAL_ENV} \ # Ensure the core Python packages are installed in the virtual environment && ${VIRTUAL_ENV}/bin/python3 -m pip install --no-cache-dir --upgrade \ From 78f4f78b2047cd29c5edac51fe0fd218ceb296cb Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Thu, 29 Feb 2024 13:17:59 -0500 Subject: [PATCH 18/30] Update image tag information in the README Change the tags used in the table to match the version of the project. Previously "1.2.3" was used as an example version but there is no reason not to use the real version of the image. --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 8d926e4..7ff4648 100644 --- a/README.md +++ b/README.md 
@@ -139,9 +139,9 @@ containerize. It is recommended that most users use a version tag (e.g. | Image:tag | Description | |-----------|-------------| -|`cisagov/example:1.2.3`| An exact release version. | -|`cisagov/example:1.2`| The most recent release matching the major and minor version numbers. | -|`cisagov/example:1`| The most recent release matching the major version number. | +|`cisagov/example:0.0.1`| An exact release version. | +|`cisagov/example:0.0`| The most recent release matching the major and minor version numbers. | +|`cisagov/example:0`| The most recent release matching the major version number. | |`cisagov/example:edge` | The most recent image built from a merge into the `develop` branch of this repository. | |`cisagov/example:nightly` | A nightly build of the `develop` branch of this repository. | |`cisagov/example:latest`| The most recent release image pushed to a container registry. Pulling an image using the `:latest` tag [should be avoided.](https://vsupalov.com/docker-latest-tag/) | From 1774267011a35e29623648a9fa631e499c3fd36f Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Thu, 29 Feb 2024 15:15:07 -0500 Subject: [PATCH 19/30] Add instructions for managing Python dependencies --- README.md | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) diff --git a/README.md b/README.md index 7ff4648..a74bba4 100644 --- a/README.md +++ b/README.md 
@@ -130,6 +130,35 @@ environment variables. See the 1. Recreate and run the container by following the [previous instructions](#running-with-docker). +## Updating Python dependencies ## + +This image uses [Pipenv] to manage Python dependencies using a [Pipfile](https://github.com/pypa/pipfile). +Both updating dependencies and changing the [Pipenv] configuration in `src/Pipfile` +will result in a modified `src/Pipfile.lock` file that should be committed to the +repository. + +> [!WARNING] +> The `src/Pipfile.lock` as generated will fail `pre-commit` checks due to JSON formatting. + +### Updating dependencies ### + +If you want to update existing dependencies you would run the following command +in the `src/` subdirectory: + +```console +pipenv lock +``` + +### Modifying dependencies ### + +If you want to add or remove dependencies you would update the `src/Pipfile` file +and then update dependencies as you would above. + +> [!NOTE] +> You should only specify packages that are explicitly needed for your Docker +> configuration. Allow [Pipenv] to manage the dependencies of the specified +> packages. + ## Image tags ## The images of this container are tagged with [semantic @@ -254,3 +283,5 @@ dedication](https://creativecommons.org/publicdomain/zero/1.0/). All contributions to this project will be released under the CC0 dedication. By submitting a pull request, you are agreeing to comply with this waiver of copyright interest. + +[Pipenv]: https://pypi.org/project/pipenv/ From af716cc3d2f9dd7bcf4181856f8666cab7188cf2 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Wed, 28 Feb 2024 14:20:07 -0500 Subject: [PATCH 20/30] Bump setuptools from 69.1.0 to 69.1.1 --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 6a00b36..4af43cc 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -12,7 +12,7 @@ ENV VIRTUAL_ENV="${CISA_HOME}/.venv" # Versions of the Python packages installed directly ENV PYTHON_PIP_VERSION=24.0 ENV PYTHON_PIPENV_VERSION=2023.12.1 -ENV PYTHON_SETUPTOOLS_VERSION=69.1.0 +ENV PYTHON_SETUPTOOLS_VERSION=69.1.1 ENV PYTHON_WHEEL_VERSION=0.42.0 ### From a65ebdc8b38221690b006cea5b07d086c40a8539 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Wed, 28 Feb 2024 14:21:44 -0500 Subject: [PATCH 21/30] Bump Python from 3.12.0 to 3.12.2 --- Dockerfile | 4 ++-- src/Pipfile | 2 +- src/Pipfile.lock | 4 ++-- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/Dockerfile b/Dockerfile index 4af43cc..e78325e 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,6 +1,6 @@ # Official Docker images are in the form library/ while non-official # images are in the form /. -FROM docker.io/library/python:3.12.0-alpine3.18 as compile-stage +FROM docker.io/library/python:3.12.2-alpine3.18 as compile-stage ### # Unprivileged user variables @@ -53,7 +53,7 @@ RUN pipenv check --verbose \ # Official Docker images are in the form library/ while non-official # images are in the form /. -FROM docker.io/library/python:3.12.0-alpine3.18 as build-stage +FROM docker.io/library/python:3.12.2-alpine3.18 as build-stage ### # For a list of pre-defined annotation keys and value types see: diff --git a/src/Pipfile b/src/Pipfile index 56f2fc9..4df9a57 100644 --- a/src/Pipfile +++ b/src/Pipfile @@ -10,4 +10,4 @@ example = {file = "https://github.com/cisagov/skeleton-python-library/archive/v0 # This version should match the version of Python in the image [requires] -python_full_version = "3.12.0" +python_full_version = "3.12.2" diff --git a/src/Pipfile.lock b/src/Pipfile.lock index d39d053..95333e6 100644 --- a/src/Pipfile.lock +++ b/src/Pipfile.lock 
@@ -1,11 +1,11 @@ { "_meta": { "hash": { - "sha256": "654452851fea1eb2c8811649e5efe8873c8ff51f5c14dd27a4a8ebb5b15a27c4" + "sha256": "18956d92f029b8a57000e268dee96409725be2949018c193cedd3d1e9744d878" }, "pipfile-spec": 6, "requires": { - "python_full_version": "3.12.0" + "python_full_version": "3.12.2" }, "sources": [ { From 5d52367dc42d929a86546f1ae52ee339c86faf43 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Wed, 28 Feb 2024 14:22:25 -0500 Subject: [PATCH 22/30] Bump Alpine Linux from 3.18 to 3.19 --- Dockerfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index e78325e..836dbf7 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,6 +1,6 @@ # Official Docker images are in the form library/ while non-official # images are in the form /. -FROM docker.io/library/python:3.12.2-alpine3.18 as compile-stage +FROM docker.io/library/python:3.12.2-alpine3.19 as compile-stage ### # Unprivileged user variables @@ -53,7 +53,7 @@ RUN pipenv check --verbose \ # Official Docker images are in the form library/ while non-official # images are in the form /. -FROM docker.io/library/python:3.12.2-alpine3.18 as build-stage +FROM docker.io/library/python:3.12.2-alpine3.19 as build-stage ### # For a list of pre-defined annotation keys and value types see: From 56afca0d991c05010d22981ba424e631fd88cb12 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Wed, 28 Feb 2024 14:27:43 -0500 Subject: [PATCH 23/30] Bump cisagov/skeleton-python-library from 0.0.1 to 0.2.0 Update the Dockerfile and testing to accommodate changes in the new version. --- Dockerfile | 2 +- src/Pipfile | 2 +- src/Pipfile.lock | 19 +++++++++++++++++-- tests/container_test.py | 2 ++ 4 files changed, 21 insertions(+), 4 deletions(-) diff --git a/Dockerfile b/Dockerfile index 836dbf7..c40e756 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -108,4 +108,4 @@ USER ${CISA_USER}:${CISA_GROUP} EXPOSE 8080/TCP VOLUME ["/var/log"] ENTRYPOINT ["example"] -CMD ["--log-level", "DEBUG"] +CMD ["--log-level", "DEBUG", "8", "2"] diff --git a/src/Pipfile b/src/Pipfile index 4df9a57..6480562 100644 --- a/src/Pipfile +++ b/src/Pipfile @@ -6,7 +6,7 @@ name = "pypi" # List any Python dependencies for the image here [packages] # This should match the version of the image -example = {file = "https://github.com/cisagov/skeleton-python-library/archive/v0.0.1.tar.gz"} +example = {file = "https://github.com/cisagov/skeleton-python-library/archive/v0.2.0.tar.gz"} # This version should match the version of Python in the image [requires] diff --git a/src/Pipfile.lock b/src/Pipfile.lock index 95333e6..6afbec3 100644 --- a/src/Pipfile.lock +++ b/src/Pipfile.lock @@ -1,7 +1,7 @@ { "_meta": { "hash": { - "sha256": "18956d92f029b8a57000e268dee96409725be2949018c193cedd3d1e9744d878" + "sha256": "ad65a437d348bca066601e0d05a14c0ee23e38b59d8d8e71558cb17c57259f6b" }, "pipfile-spec": 6, "requires": { @@ -16,6 +16,14 @@ ] }, "default": { + "contextlib2": { + "hashes": [ + "sha256:3fbdb64466afd23abaf6c977627b75b6139a5a3e8ce38405c5b413aed7a0471f", + "sha256:ab1e2bfe1d01d968e1b7e8d9023bc51ef3509bba217bb730cee3827e1ee82869" + ], + "markers": "python_version >= '3.6'", + "version": "==21.6.0" + }, "docopt": { "hashes": [ "sha256:49b3a825280bd66b3aa83585ef59c4a8c82f2c8a522dbe754a8bc8d08c85c491" @@ -23,7 +31,14 @@ "version": "==0.6.2" }, "example": { - "file": "https://github.com/cisagov/skeleton-python-library/archive/v0.0.1.tar.gz" + "file": "https://github.com/cisagov/skeleton-python-library/archive/v0.2.0.tar.gz" + }, + "schema": { + "hashes": [ + "sha256:f06717112c61895cabc4707752b88716e8420a8819d71404501e114f91043197", + "sha256:f3ffdeeada09ec34bf40d7d79996d9f7175db93b7a5065de0faa7f41083c1e6c" + ], + "version": "==0.7.5" }, "setuptools": { "hashes": [ 
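Review bot: The two new positional defaults in `CMD ["--log-level", "DEBUG", "8", "2"]` are not explained anywhere in the Dockerfile; the test expectation `8 / 2 == 4.000000` added in the same patch suggests they are the operands the `example` entrypoint divides, but a reader of the Dockerfile alone cannot tell. A comment above the line would remove the guesswork, e.g. `# Default arguments: log level, then the two operands the example divides (8 / 2)`. It is also worth noting in that comment that `DEBUG` remains the shipped default log level, since anyone deriving a production image from this skeleton will want to override it at run time.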
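Review bot: The bumped `example` pin in `src/Pipfile` is still a plain GitHub archive URL (`archive/v0.2.0.tar.gz`), and the matching `src/Pipfile.lock` entry in this patch carries only `"file"` with no `"hashes"`, unlike `docopt`, `schema` and `setuptools`, so pipenv has nothing to verify the tarball against and a moved `v0.2.0` tag or a regenerated archive would install silently. Pinning to a commit rather than a tag (`archive/<full commit sha>.tar.gz`) removes the moving-target problem, and if your pipenv release can record hashes for file sources, regenerating the lock with that enabled would let `pipenv install --deploy` reject a changed archive; a `git = …`/`ref = …` source would also work but would need `git` available in the compile stage. The comment `# This should match the version of the image` could say explicitly that this pin is not hash-verified.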
diff --git a/tests/container_test.py b/tests/container_test.py index 6451766..bddee4b 100644 --- a/tests/container_test.py +++ b/tests/container_test.py @@ -10,6 +10,7 @@ ENV_VAR = "ECHO_MESSAGE" ENV_VAR_VAL = "Hello World from docker compose!" READY_MESSAGE = "This is a debug message" +DIVISION_MESSAGE = "8 / 2 == 4.000000" SECRET_QUOTE = "Three may keep a secret, if two of them are dead." # nosec RELEASE_TAG = os.getenv("RELEASE_TAG") VERSION_FILE = "src/version.txt" @@ -52,6 +53,7 @@ def test_output(dockerc, main_container): # make sure container exited if running test isolated dockerc.wait(main_container.id) log_output = main_container.logs() + assert DIVISION_MESSAGE in log_output, "Division message not found in log output." assert SECRET_QUOTE in log_output, "Secret not found in log output." From ae0d4a886c28645fec794e30ee0c7c57eeffd46b Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Mon, 4 Mar 2024 16:23:04 -0500 Subject: [PATCH 24/30] Bump version from 0.0.1 to 0.2.0 --- README.md | 18 +++++++++--------- src/version.txt | 2 +- 2 files changed, 10 insertions(+), 10 deletions(-) diff --git a/README.md b/README.md index a74bba4..306552f 100644 --- a/README.md +++ b/README.md @@ -24,7 +24,7 @@ appropriate for Docker containers and the major languages that we use. To run the `cisagov/example` image via Docker: ```console -docker run cisagov/example:0.0.1 +docker run cisagov/example:0.2.0 ``` ### Running with Docker Compose ### @@ -37,7 +37,7 @@ docker run cisagov/example:0.0.1 services: example: - image: cisagov/example:0.0.1 + image: cisagov/example:0.2.0 volumes: - type: bind source: @@ -82,7 +82,7 @@ environment variables. See the services: example: - image: cisagov/example:0.0.1 + image: cisagov/example:0.2.0 volumes: - type: bind source: 
@@ -125,7 +125,7 @@ environment variables. See the 1. Pull the new image: ```console - docker pull cisagov/example:0.0.1 + docker pull cisagov/example:0.2.0 ``` 1. Recreate and run the container by following the [previous instructions](#running-with-docker). @@ -164,12 +164,12 @@ and then update dependencies as you would above. The images of this container are tagged with [semantic versions](https://semver.org) of the underlying example project that they containerize. It is recommended that most users use a version tag (e.g. -`:0.0.1`). +`:0.2.0`). | Image:tag | Description | |-----------|-------------| -|`cisagov/example:0.0.1`| An exact release version. | -|`cisagov/example:0.0`| The most recent release matching the major and minor version numbers. | +|`cisagov/example:0.2.0`| An exact release version. | +|`cisagov/example:0.2`| The most recent release matching the major and minor version numbers. | |`cisagov/example:0`| The most recent release matching the major version number. | |`cisagov/example:edge` | The most recent image built from a merge into the `develop` branch of this repository. | |`cisagov/example:nightly` | A nightly build of the `develop` branch of this repository. | @@ -225,7 +225,7 @@ Build the image locally using this git repository as the [build context](https:/ ```console docker build \ - --tag cisagov/example:0.0.1 \ + --tag cisagov/example:0.2.0 \ https://github.com/cisagov/example.git#develop ``` @@ -256,7 +256,7 @@ Docker: --file Dockerfile-x \ --platform linux/amd64 \ --output type=docker \ - --tag cisagov/example:0.0.1 . + --tag cisagov/example:0.2.0 . ``` ## New repositories from a skeleton ## diff --git a/src/version.txt b/src/version.txt index 8acdd82..0ea3a94 100644 --- a/src/version.txt +++ b/src/version.txt @@ -1 +1 @@ -0.0.1 +0.2.0 From 965da2cea1aebc7681459817c981c715449b43c0 Mon Sep 17 00:00:00 2001 
From: Nick <50747025+mcdonnnj@users.noreply.github.com> Date: Wed, 13 Mar 2024 17:17:44 -0400 Subject: [PATCH 25/30] Correct usage of the term "symlink" Co-authored-by: dav3r --- Dockerfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index c40e756..8dc0ad5 100644 --- a/Dockerfile +++ b/Dockerfile @@ -87,10 +87,10 @@ RUN addgroup --system --gid ${CISA_GID} ${CISA_GROUP} \ && adduser --system --uid ${CISA_UID} --ingroup ${CISA_GROUP} ${CISA_USER} ### -# Copy in the Python virtual environment created in compile-stage, Sym-link the +# Copy in the Python virtual environment created in compile-stage, symlink the # Python binary in the venv to the system-wide Python and add the venv to the PATH. # -# Note that we sym-link the Python binary in the venv to the system-wide Python so that +# Note that we symlink the Python binary in the venv to the system-wide Python so that # any calls to `python3` will use our virtual environment. We are using short flags # because the ln binary in Alpine Linux does not support long flags. The -f instructs # ln to remove the existing file and the -s instructs ln to create a symbolic link. From 570b7d5538da33d5379a4220a55cb4aa84757ad2 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Fri, 22 Nov 2024 19:16:35 -0500 Subject: [PATCH 26/30] Bump python from 3.12.2-alpine3.19 to 3.13.1-alpine3.20 The version of Python listed in the Pipfile is updated to match the new Docker image tag. --- Dockerfile | 4 ++-- src/Pipfile | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Dockerfile b/Dockerfile index 8dc0ad5..d234755 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -1,6 +1,6 @@ # Official Docker images are in the form library/ while non-official # images are in the form /. -FROM docker.io/library/python:3.12.2-alpine3.19 as compile-stage +FROM docker.io/library/python:3.13.1-alpine3.20 as compile-stage ### # Unprivileged user variables @@ -53,7 +53,7 @@ RUN pipenv check --verbose \ # Official Docker images are in the form library/ while non-official # images are in the form /. -FROM docker.io/library/python:3.12.2-alpine3.19 as build-stage +FROM docker.io/library/python:3.13.1-alpine3.20 as build-stage ### # For a list of pre-defined annotation keys and value types see: diff --git a/src/Pipfile b/src/Pipfile index 6480562..fdd19e6 100644 --- a/src/Pipfile +++ b/src/Pipfile @@ -10,4 +10,4 @@ example = {file = "https://github.com/cisagov/skeleton-python-library/archive/v0 # This version should match the version of Python in the image [requires] -python_full_version = "3.12.2" +python_full_version = "3.13.1" From b3c5df532bb8f7dac5119574ce9b50bf9e52f1e1 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Fri, 22 Nov 2024 19:20:40 -0500 Subject: [PATCH 27/30] Bump Python packages installed in the Dockerfile - pip from 24.0 to 24.3.1 - pipenv from 2023.12.1 to 2024.4.0 - setuptools from 69.1.1 to 75.6.0 - wheel from 0.42.0 to 0.45.1 --- Dockerfile | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/Dockerfile b/Dockerfile index d234755..444ee90 100644 --- a/Dockerfile +++ b/Dockerfile 
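Review bot: Both `FROM` lines are still pinned by tag only, so after this bump the build is reproducible only as long as Docker Hub never republishes `python:3.13.1-alpine3.20`; the tag should be paired with a digest, e.g. `FROM docker.io/library/python:3.13.1-alpine3.20@sha256:<digest> as compile-stage`, with the identical digest on the `build-stage` line so the virtual environment copied from `compile-stage` is built against the same runtime it is later run on. Dependabot can bump the digest alongside the tag. Separately, this commit changes `python_full_version` in `src/Pipfile` but the diffstat shows `src/Pipfile.lock` untouched, so until the lock is regenerated its `requires` and `_meta.hash` no longer agree with the Pipfile and pipenv will likely refuse or warn; a later patch in this series regenerates it, but the two are best landed together so every commit stays buildable.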
@@ -10,10 +10,10 @@ ENV CISA_HOME="/home/${CISA_USER}" ENV VIRTUAL_ENV="${CISA_HOME}/.venv" # Versions of the Python packages installed directly -ENV PYTHON_PIP_VERSION=24.0 -ENV PYTHON_PIPENV_VERSION=2023.12.1 -ENV PYTHON_SETUPTOOLS_VERSION=69.1.1 -ENV PYTHON_WHEEL_VERSION=0.42.0 +ENV PYTHON_PIP_VERSION=24.3.1 +ENV PYTHON_PIPENV_VERSION=2024.4.0 +ENV PYTHON_SETUPTOOLS_VERSION=75.6.0 +ENV PYTHON_WHEEL_VERSION=0.45.1 ### # Install the specified versions of pip, setuptools, and wheel into the system From c09b35263a6191aea522f9c67d770f54340156c1 Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Fri, 22 Nov 2024 19:25:00 -0500 Subject: [PATCH 28/30] Update Python virtual environment dependencies Update the dependencies installed in the Python virtual environment by running `pipenv lock` in the `src/` directory. --- src/Pipfile.lock | 26 +++++++++----------------- 1 file changed, 9 insertions(+), 17 deletions(-) diff --git a/src/Pipfile.lock b/src/Pipfile.lock index 6afbec3..408d508 100644 --- a/src/Pipfile.lock +++ b/src/Pipfile.lock @@ -1,11 +1,11 @@ { "_meta": { "hash": { - "sha256": "ad65a437d348bca066601e0d05a14c0ee23e38b59d8d8e71558cb17c57259f6b" + "sha256": "8a376df6f25cf8583d5da89da420c5e51660f33a081c1f85236643ef31601833" }, "pipfile-spec": 6, "requires": { - "python_full_version": "3.12.2" + "python_full_version": "3.13.1" }, "sources": [ { @@ -16,14 +16,6 @@ ] }, "default": { - "contextlib2": { - "hashes": [ - "sha256:3fbdb64466afd23abaf6c977627b75b6139a5a3e8ce38405c5b413aed7a0471f", - "sha256:ab1e2bfe1d01d968e1b7e8d9023bc51ef3509bba217bb730cee3827e1ee82869" - ], - "markers": "python_version >= '3.6'", - "version": "==21.6.0" - }, "docopt": { "hashes": [ "sha256:49b3a825280bd66b3aa83585ef59c4a8c82f2c8a522dbe754a8bc8d08c85c491" 
@@ -35,18 +27,18 @@ }, "schema": { "hashes": [ - "sha256:f06717112c61895cabc4707752b88716e8420a8819d71404501e114f91043197", - "sha256:f3ffdeeada09ec34bf40d7d79996d9f7175db93b7a5065de0faa7f41083c1e6c" + "sha256:5d976a5b50f36e74e2157b47097b60002bd4d42e65425fcc9c9befadb4255dde", + "sha256:7da553abd2958a19dc2547c388cde53398b39196175a9be59ea1caf5ab0a1807" ], - "version": "==0.7.5" + "version": "==0.7.7" }, "setuptools": { "hashes": [ - "sha256:02fa291a0471b3a18b2b2481ed902af520c69e8ae0919c13da936542754b4c56", - "sha256:5c0806c7d9af348e6dd3777b4f4dbb42c7ad85b190104837488eab9a7c945cf8" + "sha256:8199222558df7c86216af4f84c30e9b34a61d8ba19366cc914424cdbd28252f6", + "sha256:ce74b49e8f7110f9bf04883b730f4765b774ef3ef28f722cce7c273d253aaf7d" ], - "markers": "python_version >= '3.8'", - "version": "==69.1.1" + "markers": "python_version >= '3.9'", + "version": "==75.6.0" } }, "develop": {} From a1ece8f523bb39bb0c559d67c6ce2558357adaac Mon Sep 17 00:00:00 2001 From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Fri, 6 Dec 2024 04:32:58 -0500 Subject: [PATCH 29/30] Add a missing Oxford comma to a comment in the Dockerfile --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 444ee90..b69a3f8 100644 --- a/Dockerfile +++ b/Dockerfile @@ -88,7 +88,7 @@ RUN addgroup --system --gid ${CISA_GID} ${CISA_GROUP} \ ### # Copy in the Python virtual environment created in compile-stage, symlink the -# Python binary in the venv to the system-wide Python and add the venv to the PATH. +# Python binary in the venv to the system-wide Python, and add the venv to the PATH. # # Note that we symlink the Python binary in the venv to the system-wide Python so that # any calls to `python3` will use our virtual environment. We are using short flags From fd69f453785c6b660fd3c55b01112a9a7aa2a5b2 Mon Sep 17 00:00:00 2001 
From: Nicholas McDonnell <50747025+mcdonnnj@users.noreply.github.com> Date: Fri, 6 Dec 2024 10:26:13 -0500 Subject: [PATCH 30/30] Ensure FROM/AS keywords use the same casing This resolves the following warning from Docker when building the image: FromAsCasing: 'as' and 'FROM' keywords' casing do not match Co-authored-by: Shane Frasier --- Dockerfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index b69a3f8..ffcae61 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,6 +1,6 @@ # Official Docker images are in the form library/ while non-official # images are in the form /. -FROM docker.io/library/python:3.13.1-alpine3.20 as compile-stage +FROM docker.io/library/python:3.13.1-alpine3.20 AS compile-stage ### # Unprivileged user variables @@ -53,7 +53,7 @@ RUN pipenv check --verbose \ # Official Docker images are in the form library/ while non-official # images are in the form /. -FROM docker.io/library/python:3.13.1-alpine3.20 as build-stage +FROM docker.io/library/python:3.13.1-alpine3.20 AS build-stage ### # For a list of pre-defined annotation keys and value types see: