# This is a multi-stage build file: one stage builds the backend
# (dependencies), one builds the frontend stack, and a final production
# stage re-uses the assets from the build stages. This keeps the final
# production image minimal in size.
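# Global build argument: it must be declared before the first FROM so that it
# can be expanded in a FROM line.
# NOTE(review): the default is the mutable tag `latest`, so a build that does
# not pass --build-arg SDK_RELEASE=<tag> bundles whatever SDK image that tag
# points to at build time. Release pipelines should pass an explicit release
# tag so the SDK assets that end up in the image are reproducible and auditable.
ARG SDK_RELEASE=latest
FROM openformulieren/open-forms-sdk:${SDK_RELEASE} AS sdk-image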
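# Stage 1 - Backend build environment
# Includes compilers and build tooling to create the Python environment. The
# production stage copies only /usr/local/lib/python3.12 and the uwsgi/celery
# binaries out of this stage, so the toolchain itself is not shipped.
FROM python:3.12-slim-bookworm AS backend-build

RUN apt-get update && apt-get upgrade -y && apt-get install -y --no-install-recommends \
        pkg-config \
        build-essential \
        python3-dev \
        libpq-dev \
        shared-mime-info \
        # lxml/xmlsec deps
        zlib1g-dev \
        libxmlsec1-openssl \
        # weasyprint deps, see https://doc.courtbouillon.org/weasyprint/stable/first_steps.html#debian-11
        libpango-1.0-0 \
        libpangoft2-1.0-0 \
    && rm -rf /var/lib/apt/lists/*

WORKDIR /app

# Use uv to install dependencies. --no-cache-dir keeps pip's download cache
# out of the layer.
# NOTE(review): uv is installed unpinned (-U resolves the newest release), so
# the installer itself can change from one build to the next; pin it to a
# reviewed version (uv==<version>) for reproducible builds.
RUN pip install --no-cache-dir -U uv

COPY ./requirements /app/requirements
ARG TARGET_ENVIRONMENT=production
# NOTE(review): whether requirements/*.txt carry hashes is not visible from
# this file; if they do, adding --require-hashes makes the install fail on any
# unhashed or mismatching package.
RUN uv pip install --system -r requirements/${TARGET_ENVIRONMENT}.txt

# Apply patches of third party libraries. git is installed for the patch
# script (presumably it uses `git apply`; confirm in patches/apply.sh).
# NOTE(review): the patched site-packages tree is what the production stage
# copies, so ./patches is part of the trusted code base and changes to it
# deserve the same review as application code.
COPY ./patches /tmp/patches
RUN apt-get update && apt-get install -y --no-install-recommends \
        git \
    && rm -rf /var/lib/apt/lists/* \
    && /tmp/patches/apply.sh /usr/local/lib/python3.12/site-packages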
# Stage 2 - Install frontend deps and build assets
# Only the built statics and the fontawesome webfonts are copied out of this
# stage by the production stage.
FROM node:20-bookworm-slim AS frontend-build

WORKDIR /app

# Configuration/build files first (destinations are relative to WORKDIR /app),
# so the dependency layer below is reused while these files are unchanged.
COPY ./build ./build/
COPY ./*.json ./*.js ./

# Install WITH dev tooling: it is needed to run the build below.
RUN npm ci --legacy-peer-deps

# Application sources.
COPY ./src ./src

# Produce the frontend assets.
RUN npm run build
# Stage 3 - Build docker image suitable for production
FROM python:3.12-slim-bookworm

# Stage 3.1 - Set up the needed production dependencies
# Runtime OS packages, including all the dependencies for GeoDjango.
# NOTE(review): nano and procps look like operator conveniences rather than
# runtime dependencies as far as this file shows; dropping them would reduce
# the tooling available inside a running container. Confirm first that none of
# the start/liveness scripts rely on ps/pgrep.
RUN apt-get update && apt-get upgrade -y && apt-get install -y --no-install-recommends \
        gdal-bin \
        gettext \
        libmagic1 \
        libxmlsec1 \
        libxmlsec1-openssl \
        mime-support \
        nano \
        postgresql-client \
        procps \
        shared-mime-info \
        # weasyprint deps, see https://doc.courtbouillon.org/weasyprint/stable/first_steps.html#debian-11
        libpango-1.0-0 \
        libpangoft2-1.0-0 \
    && rm -rf /var/lib/apt/lists/*
WORKDIR /app

# Entrypoint and helper scripts are placed in /, outside /app. They are copied
# without --chown, so they stay root-owned and are not touched by the
# `chown -R maykin /app` further down: the runtime user cannot rewrite them.
COPY ./bin/docker_start.sh /start.sh
COPY \
    ./bin/celery_worker.sh \
    ./bin/celery_beat.sh \
    ./bin/celery_flower.sh \
    ./bin/dump_configuration.sh \
    ./bin/wait_for_db.sh \
    ./bin/setup_configuration.sh \
    /

# Directories the image provides under /app.
RUN mkdir \
        /app/bin \
        /app/log \
        /app/media \
        /app/private_media \
        /app/certifi_ca_bundle \
        /app/tmp

# Check/maintenance scripts, placed in /app/bin.
COPY \
    ./bin/check_celery_worker_liveness.py \
    ./bin/report_component_problems.py \
    ./bin/check_temporary_uploads.py \
    ./bin/check_api_groups_null.py \
    ./bin/fix_selectboxes_component_default_values.py \
    /app/bin/
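# copy backend build deps
COPY --from=backend-build /usr/local/lib/python3.12 /usr/local/lib/python3.12
COPY --from=backend-build /usr/local/bin/uwsgi /usr/local/bin/uwsgi
COPY --from=backend-build /usr/local/bin/celery /usr/local/bin/celery

# copy frontend build statics
COPY --from=frontend-build /app/src/openforms/static /app/src/openforms/static
COPY --from=frontend-build /app/node_modules/@fortawesome/fontawesome-free/webfonts /app/node_modules/@fortawesome/fontawesome-free/webfonts

# Include SDK files. Collectstatic produces both the versions with and without hash
# in the STATICFILES_ROOT
COPY --from=sdk-image /sdk /app/src/openforms/static/sdk

# copy source code
COPY ./src /app/src
COPY ./.sdk-release /app/.sdk-release

# Unprivileged runtime account with a fixed UID (1000) and no home directory.
RUN useradd -M -u 1000 maykin
# NOTE(review): this hands the whole of /app, including the source tree under
# /app/src, to the runtime user, so the application code is writable by the
# process that serves requests. Where the deployment allows it, run the
# container with a read-only root filesystem and only the volumes writable.
RUN chown -R maykin /app

# prevent writing to the container layer, which would degrade performance.
# This also serves as a hint for the intended volumes.
# Declared after the chown above on purpose: the legacy builder discards
# build-step changes made to a path once it has been declared a volume, which
# would leave these directories root-owned and unwritable for maykin.
VOLUME ["/app/log", "/app/media", "/app/private_media", "/app/certifi_ca_bundle"]

# drop privileges
USER maykin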
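# Build metadata passed in with --build-arg. One name per ARG instruction, so
# that no stray build argument called `ARG` is declared.
# SDK_RELEASE is redeclared here because a pre-FROM ARG is only visible in FROM
# lines.
ARG RELEASE
ARG SDK_RELEASE=latest
ARG COMMIT_HASH

# These values are persisted in the runtime environment of the container.
ENV GIT_SHA=${COMMIT_HASH}
ENV RELEASE=${RELEASE} SDK_RELEASE=${SDK_RELEASE}

ENV DJANGO_SETTINGS_MODULE=openforms.conf.docker

ARG EXTENSIONS=''
ENV OPEN_FORMS_EXTENSIONS=${EXTENSIONS}

# Build-time placeholder, presumably so that the manage.py commands below can
# load the Django settings (confirm against openforms.conf.docker). As an ARG
# it is not part of the runtime environment: the real SECRET_KEY has to be
# injected when the container starts. Never pass a real key with --build-arg,
# because build arguments are recorded in the image history.
ARG SECRET_KEY=dummy

LABEL org.label-schema.vcs-ref=$COMMIT_HASH \
      org.label-schema.vcs-url="https://github.com/open-formulieren/open-forms" \
      org.label-schema.version=$RELEASE \
      org.label-schema.name="Open Forms"

# Run collectstatic and compilemessages, so the result is already included in
# the image. Both run as the unprivileged user selected by the USER instruction
# earlier in this stage.
RUN python src/manage.py collectstatic --noinput \
    && python src/manage.py compilemessages

# Documentation only: the port still has to be published at run time.
EXPOSE 8000

# Exec form, so /start.sh is started directly rather than through `sh -c`.
CMD ["/start.sh"]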