From cc25d805e5ceb1b8f36a3e847e25c57aee069eea Mon Sep 17 00:00:00 2001 From: Chris Burr Date: Wed, 25 Oct 2023 10:25:02 +0200 Subject: [PATCH] Add server-base image --- README.md | 4 +++ server-base/Dockerfile | 32 ++++++++++++++++++++ server-base/entrypoint.sh | 12 ++++++++ server-base/environment.yml | 59 +++++++++++++++++++++++++++++++++++++ 4 files changed, 107 insertions(+) create mode 100644 server-base/Dockerfile create mode 100644 server-base/entrypoint.sh create mode 100644 server-base/environment.yml diff --git a/README.md b/README.md index b0bc009..71d31db 100644 --- a/README.md +++ b/README.md @@ -7,3 +7,7 @@ This repository contains the recipes and CI for building the base images used by ### secret-generation This image is used by the [helm chart](https://github.com/DIRACGrid/diracx-charts) to run batch jobs within the cluster that automatically generate kubernetes secrets. + +### server-base + +This image is used as the base of the diracx service image. diff --git a/server-base/Dockerfile b/server-base/Dockerfile new file mode 100644 index 0000000..a7e6e4a --- /dev/null +++ b/server-base/Dockerfile 
@@ -0,0 +1,32 @@
+FROM registry.cern.ch/docker.io/mambaorg/micromamba
+EXPOSE 8000
+
+# Create empty directory for the various volume to be mounted
+# and assign them to mambauser
+# This is needed for the DIRAC integration test, as docker-compose
+# isn't playing well with permissions and volumes
+USER root
+RUN mkdir /cs_store /signing-key && chown $MAMBA_USER:$MAMBA_USER /cs_store /signing-key
+USER $MAMBA_USER
+
+WORKDIR /code
+
+COPY --chown=$MAMBA_USER:$MAMBA_USER . /code/diracx
+
+RUN micromamba install --yes --file diracx/environment.yml --name=base && micromamba clean --all --yes --force-pkgs-dirs
+
+ARG MAMBA_DOCKERFILE_ACTIVATE=1
+
+RUN pip install ./diracx git+https://github.com/DIRACGrid/DIRAC.git@integration
+# Copying in ENTRYPOINT script
+COPY --chown=$MAMBA_USER:$MAMBA_USER entrypoint.sh /
+RUN chmod 755 /entrypoint.sh
+
+# In many clusters the container is ran as a random uid for security reasons.
+# If we mark the conda directory as group 0 and give it group write permissions
+# then we're still able to manage the environment from inside the container.
+USER 0
+RUN chown -R $MAMBA_USER:0 /opt/conda && chmod -R g=u /opt/conda
+USER $MAMBA_USER
+
+ENTRYPOINT [ "/entrypoint.sh" ]
diff --git a/server-base/entrypoint.sh b/server-base/entrypoint.sh
new file mode 100644
index 0000000..4d57850
--- /dev/null
+++ b/server-base/entrypoint.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+set -e
+
+# TODO: This is a workaround until this is released
+# https://github.com/DaanDeMeyer/reproc/pull/103
+# or that this is merged
+# https://github.com/conda-forge/reproc-feedstock/pull/10
+ulimit -n 8192
+
+eval "$(micromamba shell hook --shell=posix)"
+micromamba activate base
+exec "$@"
diff --git a/server-base/environment.yml b/server-base/environment.yml
new file mode 100644
index 0000000..d9ffb97
--- /dev/null
+++ b/server-base/environment.yml
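Review bot: Both external inputs in server-base/Dockerfile are mutable references: the `FROM` line carries no tag or digest, so it resolves to whatever `latest` is at build time, and the `pip install` line pulls DIRAC from the `integration` ref, which looks like a moving branch. Two builds of the same commit can therefore produce different images, and a change pushed to either upstream reaches every service image built on this base without being reviewed here. Pin both, e.g. `FROM registry.cern.ch/docker.io/mambaorg/micromamba:PLACEHOLDER_TAG@sha256:PLACEHOLDER_DIGEST` and `git+https://github.com/DIRACGrid/DIRAC.git@PLACEHOLDER_COMMIT_SHA`, taking the values from the versions that were validated. The final `chown -R $MAMBA_USER:0 /opt/conda && chmod -R g=u /opt/conda` also leaves the interpreter and every installed package writable by any gid-0 process at run time, so the comment above it should state that this trades environment integrity for in-container environment management.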
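Review bot: In server-base/entrypoint.sh, `ulimit -n 8192` without `-S` or `-H` sets both the soft and the hard limit in bash, so the service started by `exec "$@"` cannot raise its file-descriptor limit again, and under `set -e` the container exits at this line when the inherited hard limit is already below 8192. If the reproc workaround only needs a lower soft limit, `ulimit -Sn 8192` would leave the hard limit intact. The TODO comment should also say that the line caps the limit for the service process itself and not only for micromamba, e.g. `# NOTE: this limit is inherited by the service started below`.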
@@ -0,0 +1,59 @@
+name: diracx-dev
+channels:
+ - diracgrid
+ - conda-forge
+ - nodefaults
+dependencies:
+ - authlib
+ - aiohttp
+ - aiomysql
+ - aiosqlite
+ - azure-core
+ - cachetools
+ ########
+ # Building the docker image on some system may fail
+ # as long as this bug is still present
+ # https://github.com/DaanDeMeyer/reproc/pull/103
+ # or that this is merged
+ # https://github.com/conda-forge/reproc-feedstock/pull/10
+ # If it does, we need to comment out `dirac-grid` here
+ # and install it via pip
+ - dirac-grid
+ - m2crypto >=0.38.0
+ - python-gfal2
+ - importlib_resources
+ #######
+ - email-validator
+ - fastapi
+ - git
+ - gitpython
+ - httpx
+ - isodate
+ - mypy
+ - opensearch-py
+ - pydantic =1.10.10
+ - pyjwt
+ - pytest
+ - pytest-asyncio
+ - pytest-cov
+ - pytest-httpx
+ - python
+ - python-dotenv
+ - python-jose
+ - python-multipart
+ - pyyaml
+ - requests
+ - rich
+ - sqlalchemy
+ - typer
+ - types-cachetools
+ - types-PyYAML
+ - types-requests
+ - uvicorn
+ - moto
+ - aiobotocore
+ - botocore
+ - git
+ - pip:
+ - types-aiobotocore[essential]
+ - boto3-stubs[essential]
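Review bot: Apart from `pydantic =1.10.10` and the lower bound on `m2crypto`, every entry in server-base/environment.yml is unpinned, including `python` and the two packages in the `pip:` section, so each rebuild resolves whatever the channels and PyPI serve that day and the image content cannot be reproduced or audited from this file. Committing a lock file generated from this environment (for example with conda-lock) and installing from it would fix the resolved set. The list also ships test and typing tooling (`pytest*`, `mypy`, `moto`, `types-*`, the `*-stubs` packages) in what the README calls the base of the service image; if the service does not need them at run time, moving them to a separate dev environment reduces what has to be patched. `git` is listed twice, and the file's `name: diracx-dev` is ignored because the Dockerfile installs with `--name=base`, which deserves a one-line comment.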