Merge pull request #1 from DIRACGrid/ci-and-server

Add server-base image and CI

.github/dependabot.yml

@@ -0,0 +1,7 @@
+version: 2
+updates:
+  # Maintain dependencies for GitHub Actions
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"

.github/workflows/main.yml

@@ -0,0 +1,38 @@
+name: images
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    timeout-minutes:  30
+    strategy:
+      fail-fast: false
+      matrix:
+        image-name: ["server-base", "secret-generation"]
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+      - name: Login to GitHub container registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: Build and push
+        uses: docker/build-push-action@v5
+        with:
+          context: ${{ matrix.image-name }}
+          push: ${{ github.event_name == 'push' && github.repository == 'DIRACGrid/container-images' && github.ref_name == 'main' }}
+          tags: ghcr.io/diracgrid/diracx/${{ matrix.image-name }}:latest
+          platforms: linux/amd64,linux/arm64

README.md

@@ -7,3 +7,7 @@ This repository contains the recipes and CI for building the base images used by
 ### secret-generation
 
 This image is used by the [helm chart](https://github.com/DIRACGrid/diracx-charts) to run batch jobs within the cluster that automatically generate kubernetes secrets.
+
+### server-base
+
+This image is used as the base of the diracx service image.

server-base/Dockerfile

@@ -0,0 +1,19 @@
+FROM registry.cern.ch/docker.io/mambaorg/micromamba
+
+# Copying in ENTRYPOINT script and environment specification
+COPY --chown=$MAMBA_USER:$MAMBA_USER environment.yml entrypoint.sh /
+RUN chmod 755 /entrypoint.sh
+
+RUN micromamba install --yes --file /environment.yml --name=base && \
+    micromamba clean --all --yes --force-pkgs-dirs
+
+ARG MAMBA_DOCKERFILE_ACTIVATE=1
+
+# In many clusters the container is ran as a random uid for security reasons.
+# If we mark the conda directory as group 0 and give it group write permissions
+# then we're still able to manage the environment from inside the container.
+USER 0
+RUN chown -R $MAMBA_USER:0 /opt/conda && chmod -R g=u /opt/conda
+USER $MAMBA_USER
+
+ENTRYPOINT [ "/entrypoint.sh" ]

server-base/entrypoint.sh

@@ -0,0 +1,12 @@
+#!/bin/bash
+set -e
+
+# TODO: This is a workaround until this is released
+# https://github.com/DaanDeMeyer/reproc/pull/103
+# or that this is merged
+# https://github.com/conda-forge/reproc-feedstock/pull/10
+ulimit -n 8192
+
+eval "$(micromamba shell hook --shell=posix)"
+micromamba activate base
+exec "$@"

server-base/environment.yml

@@ -0,0 +1,49 @@
+name: diracx
+channels:
+  - diracgrid
+  - conda-forge
+  - nodefaults
+dependencies:
+  - authlib
+  - aiohttp
+  - aiomysql
+  - aiosqlite
+  - azure-core
+  - cachetools
+  ########
+  # Building the docker image on some system may fail
+  # as long as this bug is still present
+  # https://github.com/DaanDeMeyer/reproc/pull/103
+  # or that this is merged
+  # https://github.com/conda-forge/reproc-feedstock/pull/10
+  # If it does, we need to comment out `dirac-grid` here
+  # and install it via pip
+  - dirac-grid
+  - m2crypto >=0.38.0
+  - python-gfal2
+  - importlib_resources
+  #######
+  - email-validator
+  - fastapi
+  - git
+  - gitpython
+  - httpx
+  - isodate
+  - opensearch-py
+  - pydantic =1.10.10
+  - pyjwt
+  - python
+  - coverage
+  - python-dotenv
+  - python-jose
+  - python-multipart
+  - pyyaml
+  - requests
+  - rich
+  - sqlalchemy
+  - typer
+  - uvicorn
+  - aiobotocore
+  - botocore
+  - git
+  - pip