From 8fccb53f2350f26041fa5aa3595622f8ac52b7f2 Mon Sep 17 00:00:00 2001
From: eli
Date: Thu, 12 Dec 2024 11:14:05 -0800
Subject: [PATCH] check if test flaky
---
 Dockerfile | 137 +++++++++++++++++++++++++++++------------------------
 1 file changed, 75 insertions(+), 62 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 4691412a..edc22afb 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,136 +1,148 @@ # OPA BUILD STAGE ----------------------------------- -# Build OPA from source or download precompiled binary +# build opa from source or download precompiled binary # --------------------------------------------------- FROM golang:bullseye AS opa_build COPY custom* /custom COPY factdb* /factdb -# Build OPA binary if custom_opa.tar.gz is provided RUN if [ -f /custom/custom_opa.tar.gz ]; \ then \ cd /custom && \ tar xzf custom_opa.tar.gz && \ go build -ldflags="-extldflags=-static" -o /opa && \ - rm -rf /custom; \ + rm -rf /custom ; \ else \ case $(uname -m) in \ - x86_64) curl -L -o /opa https://openpolicyagent.org/downloads/latest/opa_linux_amd64_static ;; \ - aarch64) curl -L -o /opa https://openpolicyagent.org/downloads/latest/opa_linux_arm64_static ;; \ - *) echo "Unknown architecture." && exit 1 ;; \ - esac; \ + x86_64) \ + curl -L -o /opa https://openpolicyagent.org/downloads/latest/opa_linux_amd64_static ; \ + ;; \ + aarch64) \ + curl -L -o /opa https://openpolicyagent.org/downloads/latest/opa_linux_arm64_static ; \ + ;; \ + *) \ + echo "Unknown architecture." ; \ + exit 1 ; \ + ;; \ + esac ; \ fi -# Build or copy factdb binary RUN if [ -f /factdb/factdb.tar.gz ]; \ then \ cd /factdb && \ tar xzf factdb.tar.gz && \ go build -ldflags="-extldflags=-static" -o /bin/factdb ./cmd/factstore_server && \ - rm -rf /factdb; \ + rm -rf /factdb ; \ else \ case $(uname -m) in \ x86_64) \ if [ -f /factdb/factstore_server-linux-amd64 ]; then \ cp /factdb/factstore_server-linux-amd64 /bin/factdb; \ else \ - echo "factstore_server-linux-amd64 not found."; \ + echo "factstore_server-linux-amd64 not found." 
; \ if [ "$ALLOW_MISSING_FACTSTORE" = "false" ]; then \ - echo "Missing Factstore is not allowed, exiting..."; \ - exit 1; \ + echo "Missing Factstore is not allowed, exiting..."; exit 1; \ else \ echo "Missing Factstore is allowed, continuing..."; \ - touch /bin/factdb; \ - fi; \ + touch /bin/factdb ; \ + fi \ fi \ ;; \ aarch64) \ if [ -f /factdb/factstore_server-linux-arm64 ]; then \ cp /factdb/factstore_server-linux-arm64 /bin/factdb; \ else \ - echo "factstore_server-linux-arm64 not found."; \ + echo "factstore_server-linux-arm64 not found." ; \ if [ "$ALLOW_MISSING_FACTSTORE" = "false" ]; then \ - echo "Missing Factstore is not allowed, exiting..."; \ - exit 1; \ + echo "Missing Factstore is not allowed, exiting..."; exit 1; \ else \ echo "Missing Factstore is allowed, continuing..."; \ - touch /bin/factdb; \ - fi; \ + touch /bin/factdb ; \ + fi \ fi \ ;; \ *) \ - echo "Unknown architecture."; \ - exit 1; \ + echo "Unknown architecture." ; \ + exit 1 ; \ ;; \ - esac; \ + esac ; \ fi + # MAIN IMAGE ---------------------------------------- -# Main image setup (optimized) +# most of the time only this image should be built # --------------------------------------------------- FROM python:3.10-alpine WORKDIR /app -# Create necessary user and group in a single step -RUN addgroup -S permit -g 1001 && \ - adduser -S -s /bin/bash -u 1000 -G permit -h /home/permit permit +RUN addgroup -S permit -g 1001 +RUN adduser -S -s /bin/bash -u 1000 -G permit -h /home/permit permit -# Create backup directory with permissions -RUN mkdir -p /app/backup && chmod 777 /app/backup +# create backup directory +RUN mkdir -p /app/backup && chmod -R 777 /app/backup -# Install necessary libraries in a single RUN command +# install linux libraries necessary to compile some python packages RUN apk update && \ apk add --no-cache bash build-base libffi-dev libressl-dev musl-dev zlib-dev gcompat -# Copy OPA and factdb binaries from the build stage +# Copy custom opa binary +RUN mkdir /app/bin 
+RUN chown -R permit:permit /app/bin COPY --from=opa_build --chmod=755 /opa /app/bin/opa -COPY --from=opa_build --chmod=755 /bin/factdb /app/bin/factdb - -# Environment variables for OPA and FactDB ENV OPAL_INLINE_OPA_EXEC_PATH="/app/bin/opa" + +COPY --from=opa_build --chmod=755 /bin/factdb /app/bin/factdb ENV PDP_FACTDB_BINARY_PATH="/app/bin/factdb" -# Copy required scripts -COPY scripts /scripts +# bash is needed for ./start/sh script +COPY scripts ./ -# Set permissions and ownership for the application -RUN mkdir -p /config && chown -R permit:permit /config -RUN chmod +x /scripts/wait-for-it.sh && \ - chmod +x /scripts/start.sh +RUN mkdir -p /config +RUN chown -R permit:permit /config -# Ensure the `permit` user has the correct permissions for home directory and binaries -RUN chown -R permit:permit /home/permit /app /usr/local/bin /scripts +# copy wait-for-it (use only for development! e.g: docker compose) +COPY scripts/wait-for-it.sh /usr/wait-for-it.sh +RUN chmod +x /usr/wait-for-it.sh -# Switch to permit user +# copy startup script +COPY ./scripts/start.sh ./start.sh +RUN chmod +x ./start.sh + +RUN chown -R permit:permit /home/permit +RUN chown -R permit:permit /usr/ USER permit -# Copy Kong routes and Gunicorn config +# copy Kong route-to-resource translation table COPY kong_routes.json /config/kong_routes.json -COPY ./scripts/gunicorn_conf.py ./gunicorn_conf.py -USER root +# copy gunicorn_config +COPY ./scripts/gunicorn_conf.py ./gunicorn_conf.py -# Install python dependencies in one command to optimize layer size +# install python dependencies COPY ./requirements.txt ./requirements.txt -RUN pip install -r requirements.txt && \ - python -m pip uninstall -y pip setuptools && \ - rm -r /usr/local/lib/python3.10/ensurepip - -USER permit +RUN pip install -r requirements.txt +RUN python -m pip uninstall -y pip setuptools +RUN rm -r /usr/local/lib/python3.10/ensurepip -# Copy the application code -COPY ./horizon /app/horizon +# copy app code +COPY ./horizon 
./horizon -# Version file for the application +# copy version file COPY ./permit_pdp_version /app/permit_pdp_version -# Set the PATH to ensure the local binary paths are used -ENV PATH="/app/bin:/home/permit/.local/bin:$PATH" +# Make sure scripts in .local are usable: +ENV PATH="/:/app/bin:/home/permit/.local/bin:$PATH" +# uvicorn config ------------------------------------ + +# WARNING: do not change the number of workers on the opal client! +# only one worker is currently supported for the client. -# Uvicorn configuration +# number of uvicorn workers ENV UVICORN_NUM_WORKERS=1 +# uvicorn asgi app ENV UVICORN_ASGI_APP="horizon.main:app" +# uvicorn port ENV UVICORN_PORT=7000 # opal configuration -------------------------------- @@ -153,9 +165,10 @@ ENV PDP_FACTDB_BINARY_PATH="/app/bin/factdb" # This is a default PUBLIC (not secret) key, # and it is here as a safety measure on purpose. ENV OPAL_AUTH_PUBLIC_KEY="ssh-rsa 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" -# 7000 sidecar port -# 8181 opa port -EXPOSE 7000 8181 +# expose sidecar port +EXPOSE 7000 +# expose opa directly +EXPOSE 8181 -# Run the application using the startup script -CMD ["/scripts/start.sh"] +# run gunicorn +CMD ["/app/start.sh"] \ No newline at end of file
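Review bot: Dropping the `;` after the inner `fi` in both factstore branches of the second RUN (`touch /bin/factdb ; \` followed by `+ fi \` and the context ` fi \`) leaves `fi fi` once the Dockerfile continuations are joined, which `sh -c` rejects as a syntax error before either the x86_64 or aarch64 case runs, so the build stage fails regardless of whether the tarball is present; restore `fi; \` on the inner `fi` in both branches. Separately, the new `RUN chown -R permit:permit /usr/` gives the runtime user ownership of the entire /usr tree, including the Python interpreter and system binaries, so any compromise of the service process can rewrite them; the removed line limited this to `/usr/local/bin`, and it appears the widening only exists so that `pip install` can run after `USER permit`, which the old ordering avoided by installing as root first and then switching user. The unpinned `curl -L -o /opa https://openpolicyagent.org/downloads/latest/...` calls save whatever the server returns without `-f` or any checksum, so a transient fetch error becomes a non-executable /opa at runtime; at minimum use `curl -fL` and pin a release version rather than `latest`. Adding `/` to the front of `ENV PATH="/:/app/bin:..."` also makes any file dropped in the image root shadow system commands and should be dropped unless something actually lives there.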