Skip to content

Commit

Permalink
wip2
Browse files Browse the repository at this point in the history
  • Loading branch information
EliMoshkovich committed Dec 10, 2024
1 parent d84eab6 commit b853f6d
Showing 1 changed file with 73 additions and 151 deletions.
224 changes: 73 additions & 151 deletions Dockerfile
Original file line number Diff line number Diff line change
@@ -1,173 +1,95 @@
# OPA BUILD STAGE -----------------------------------
# Build opa from source or download precompiled binary
# ---------------------------------------------------
FROM golang:alpine AS opa_build

WORKDIR /build
RUN apk add --no-cache git curl tar

COPY custom* /custom
COPY factdb* /factdb

RUN apk add --no-cache curl
COPY custom* /custom/
COPY factdb* /factdb/

# Build or download OPA binary
RUN if [ -f /custom/custom_opa.tar.gz ]; then \
cd /custom && \
tar xzf custom_opa.tar.gz && \
CGO_ENABLED=0 go build -ldflags="-s -w -extldflags=-static" -o /opa && \
rm -rf /custom ; \
else \
case $(uname -m) in \
x86_64) \
curl -L -o /opa https://openpolicyagent.org/downloads/latest/opa_linux_amd64_static ; \
;; \
aarch64) \
curl -L -o /opa https://openpolicyagent.org/downloads/latest/opa_linux_arm64_static ; \
;; \
*) \
echo "Unknown architecture." ; \
exit 1 ; \
esac ; \
fi

cd /custom && \
tar xzf custom_opa.tar.gz && \
go build -ldflags="-extldflags=-static" -o /opa && \
rm -rf /custom; \
else \
ARCH=$(uname -m); \
case "$ARCH" in \
x86_64) curl -L -o /opa https://openpolicyagent.org/downloads/latest/opa_linux_amd64_static ;; \
aarch64) curl -L -o /opa https://openpolicyagent.org/downloads/latest/opa_linux_arm64_static ;; \
*) echo "Unknown architecture." && exit 1 ;; \
esac; \
fi

# Build or handle FactDB binary
RUN if [ -f /factdb/factdb.tar.gz ]; then \
cd /factdb && \
tar xzf factdb.tar.gz && \
go build -ldflags="-extldflags=-static" -o /bin/factdb ./cmd/factstore_server && \
rm -rf /factdb ; \
else \
case $(uname -m) in \
x86_64) \
if [ -f /factdb/factstore_server-linux-amd64 ]; then \
cp /factdb/factstore_server-linux-amd64 /bin/factdb; \
else \
echo "factstore_server-linux-amd64 not found." ; \
if [ "$ALLOW_MISSING_FACTSTORE" = "false" ]; then \
echo "Missing Factstore is not allowed, exiting..."; exit 1; \
else \
echo "Missing Factstore is allowed, continuing..."; \
touch /bin/factdb ; \
fi \
fi \
;; \
aarch64) \
if [ -f /factdb/factstore_server-linux-arm64 ]; then \
cp /factdb/factstore_server-linux-arm64 /bin/factdb; \
else \
echo "factstore_server-linux-arm64 not found." ; \
if [ "$ALLOW_MISSING_FACTSTORE" = "false" ]; then \
echo "Missing Factstore is not allowed, exiting..."; exit 1; \
else \
echo "Missing Factstore is allowed, continuing..."; \
touch /bin/factdb ; \
fi \
fi \
;; \
*) \
echo "Unknown architecture." ; \
exit 1 ; \
esac ; \
fi

cd /factdb && \
tar xzf factdb.tar.gz && \
go build -ldflags="-extldflags=-static" -o /bin/factdb ./cmd/factstore_server && \
rm -rf /factdb; \
else \
ARCH=$(uname -m); \
case "$ARCH" in \
x86_64) [ -f /factdb/factstore_server-linux-amd64 ] && cp /factdb/factstore_server-linux-amd64 /bin/factdb ;; \
aarch64) [ -f /factdb/factstore_server-linux-arm64 ] && cp /factdb/factstore_server-linux-arm64 /bin/factdb ;; \
*) echo "Unknown architecture." && exit 1 ;; \
esac; \
fi

# MAIN IMAGE ----------------------------------------
FROM python:3.10-alpine3.18
# Use Python slim or alpine for final image
# ---------------------------------------------------
FROM python:3.10-slim

WORKDIR /app

# Create user and group with minimal permissions
RUN addgroup -S permit -g 1001 && \
adduser -S -s /bin/sh -u 1000 -G permit -h /home/permit permit

# Install system dependencies for Python package compilation
RUN apk add --no-cache \
bash \
build-base \
python3-dev \
linux-headers \
libffi-dev \
openssl-dev \
libffi \
libressl \
zlib \
gcompat \
# Add additional dependencies for aiokafka
musl-dev \
gcc \
python3 \
py3-pip \
librdkafka-dev \
&& rm -rf /var/cache/apk/*

# Create necessary directories with correct permissions
RUN mkdir -p /app/backup /app/bin /config && \
chmod -R 777 /app/backup && \
chown -R permit:permit /app/bin /config

# Copy binaries from build stage
COPY --from=opa_build --chmod=755 /opa /app/bin/opa
COPY --from=opa_build --chmod=755 /factdb /app/bin/factdb

# Copy only essential scripts and configs
COPY --chmod=755 scripts/start.sh scripts/wait-for-it.sh /app/
COPY scripts/gunicorn_conf.py /app/
COPY kong_routes.json /config/
COPY permit_pdp_version /app/

# Install Python dependencies with comprehensive approach
COPY requirements.txt /app/
RUN pip install --upgrade pip && \
pip install --no-cache-dir \
wheel \
setuptools \
# Add kafka-python as an alternative to aiokafka if needed
kafka-python && \
# Try multiple installation strategies for aiokafka
pip install --no-cache-dir \
--use-deprecated=legacy-resolver \
--no-use-pep517 \
--no-build-isolation \
-r requirements.txt || \
VERBOSE=1 pip install --no-cache-dir \
--use-deprecated=legacy-resolver \
--no-use-pep517 \
--no-build-isolation \
-v -r requirements.txt || \
# If still failing, try to install specific dependencies first
(pip install --no-cache-dir cython && \
pip install --no-cache-dir aiokafka) && \
pip cache purge && \
find /usr/local \
\( -type d -a -name test -o -name tests \) \
-o \( -type f -a -name '*.pyc' -o -name '*.pyo' \) \
-exec rm -rf '{}' + && \
rm -f requirements.txt

# Copy application code
COPY horizon /app/horizon
# Add dependencies
RUN apt-get update && apt-get install -y --no-install-recommends \
build-essential libffi-dev libssl-dev && \
apt-get clean && rm -rf /var/lib/apt/lists/*

# Add a non-root user
RUN groupadd -g 1001 permit && \
useradd -m -u 1000 -g permit permit && \
mkdir -p /app/backup && \
chmod -R 777 /app/backup

# Copy OPA and FactDB binaries
COPY --from=opa_build /opa /app/bin/opa
COPY --from=opa_build /bin/factdb /app/bin/factdb
RUN chmod +x /app/bin/opa /app/bin/factdb

# Set environment variables
ENV PATH="/:/app/bin:/home/permit/.local/bin:$PATH" \
UVICORN_NUM_WORKERS=1 \
UVICORN_ASGI_APP="horizon.main:app" \
UVICORN_PORT=7000 \
OPAL_SERVER_URL="https://opal.permit.io" \
OPAL_LOG_DIAGNOSE="false" \
OPAL_LOG_TRACEBACK="false" \
OPAL_LOG_MODULE_EXCLUDE_LIST="[]" \
OPAL_INLINE_OPA_ENABLED="true" \
OPAL_INLINE_OPA_LOG_FORMAT="http" \
PDP_CONTROL_PLANE="https://api.permit.io" \
PDP_API_KEY="MUST BE DEFINED" \
PDP_REMOTE_CONFIG_ENDPOINT="/v2/pdps/me/config" \
PDP_REMOTE_STATE_ENDPOINT="/v2/pdps/me/state" \
PDP_VERSION_FILE_PATH="/app/permit_pdp_version" \
PDP_FACTDB_BINARY_PATH="/app/bin/factdb" \
OPAL_INLINE_OPA_EXEC_PATH="/app/bin/opa" \
OPAL_AUTH_PUBLIC_KEY="ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDe2iQ+/E01P2W5/EZwD5NpRiSQ8/r/k18pFnym+vWCSNMWpd9UVpgOUWfA9CAX4oEo5G6RfVVId/epPH/qVSL87uh5PakkLZ3E+PWVnYtbzuFPs/lHZ9HhSqNtOQ3WcPDTcY/ST2jyib2z0sURYDMInSc1jnYKqPQ6YuREdoaNdPHwaTFN1tEKhQ1GyyhL5EDK97qU1ejvcYjpGm+EeE2sjauHYn2iVXa2UA9fC+FAKUwKqNcwRTf3VBLQTE6EHGWbxVzXv1Feo8lPZgL7Yu/UPgp7ivCZhZCROGDdagAfK9sveYjkKiWCLNUSpado/E5Vb+/1EVdAYj6fCzk45AdQzA9vwZefP0sVg7EuZ8VQvlz7cU9m+XYIeWqduN4Qodu87rtBYtSEAsru/8YDCXBDWlLJfuZb0p/klbte3TayKnQNSWD+tNYSJHrtA/3ZewP+tGDmtgLeB38NLy1xEsgd31v6ISOSCTHNS8ku9yWQXttv0/xRnuITr8a3TCLuqtUrNOhCx+nKLmYF2cyjYeQjOWWpn/Z6VkZvOa35jhG1ETI8IwE+t5zXqrf2s505mh18LwA1DhC8L/wHk8ZG7bnUe56QwxEo32myUBN8nHdu7XmPCVP8MWQNLh406QRAysishWhXVs/+0PbgfBJ/FxKP8BXW9zqzeIG+7b/yk8tRHQ=="
ENV OPAL_INLINE_OPA_EXEC_PATH="/app/bin/opa" \
PDP_FACTDB_BINARY_PATH="/app/bin/factdb"

# Copy scripts and make executable
COPY scripts/start.sh /app/start.sh
COPY scripts/wait-for-it.sh /usr/local/bin/wait-for-it.sh
RUN chmod +x /app/start.sh /usr/local/bin/wait-for-it.sh

# Copy remaining files
COPY kong_routes.json /config/kong_routes.json
COPY scripts/gunicorn_conf.py /app/gunicorn_conf.py
COPY requirements.txt /app/requirements.txt
COPY permit_pdp_version /app/permit_pdp_version
COPY horizon /app/horizon

# Install Python dependencies
RUN pip install --no-cache-dir -r /app/requirements.txt && \
pip uninstall -y pip setuptools && \
rm -rf /usr/local/lib/python3.10/ensurepip

# Set permissions for non-root user
RUN chown -R permit:permit /app /config /home/permit

# Switch to non-root user
USER permit

# Expose ports
EXPOSE 7000 8181

# Run startup script
# Run application
CMD ["/app/start.sh"]

0 comments on commit b853f6d

Please sign in to comment.