Configure Docker image for production

[thekaveman]

The current Docker image (via bin/start.sh) starts the Flask development server.

This has been fine as we've only been using the server for testing. As we move to deploy the server for Courtesy Cards, we'll want to run Flask using production best-practices.

See more at: Flask - Deploying to Production.

In general, we can follow a similar pattern as in benefits:

• nginx is the reverse proxy that accepts traffic coming into the container, and routes app traffic along
• gunicorn is the WSGI application server, receiving app traffic from nginx and forwarding to the app (Flask)
• bin/start.sh starts the production setup
• From within the devcontainer, the development setup is used

[thekaveman]

Idea for an approach to this... Thoughts @angela-tran @machikoyasuda @afeld?

Issue

We're going to end up with a Dockerfile here that has a lot of crossover with benefits, at least the commands for installing/configuring nginx and gunicorn:

FROM python:3.10

ENV PYTHONDONTWRITEBYTECODE=1 \
    PYTHONUNBUFFERED=1 \
    USER=calitp

    # create non-root $USER and home directory
RUN useradd --create-home --shell /bin/bash $USER && \
    # setup $USER permissions for nginx
    mkdir -p /var/cache/nginx && \
    chown -R $USER /var/cache/nginx && \
    mkdir -p /var/lib/nginx && \
    chown -R $USER /var/lib/nginx && \
    mkdir -p /var/log/nginx && \
    chown -R $USER /var/log/nginx && \
    touch /var/log/nginx/error.log && \
    chown $USER /var/log/nginx/error.log && \
    touch /var/run/nginx.pid && \
    chown -R $USER /var/run/nginx.pid && \
    # setup directories and permissions for app and gunicorn
    mkdir -p /home/$USER/app/config && \
    mkdir -p /home/$USER/app/run && \
    chown -R $USER /home/$USER && \
    # install server components
    apt-get update && \
    apt-get install -qq --no-install-recommends build-essential nginx

# enter app directory
WORKDIR /home/$USER/app

# switch to non-root $USER
USER $USER

# update PATH for local pip installs
ENV PATH "$PATH:/home/$USER/.local/bin"

# install python dependencies (gunicorn, etc.)
COPY requirements.txt requirements.txt
RUN pip install -r requirements.txt

# copy config files
COPY gunicorn.conf.py gunicorn.conf.py

# overwrite default nginx.conf
COPY nginx.conf /etc/nginx/nginx.conf

Proposal

Let's create another repository that builds and publishes a common base image for Python + gunicorn + nginx.

This would provide an image to reference like ghcr.io/cal-itp/<image>:<tag>. Both of eligibility-server and benefits could base their app images on this new image and simplify the common setup and configuration (and build times).

[thekaveman]

I've started working on this.

Repo here: https://github.com/cal-itp/docker-python-web

I have the eligibility_server working locally against that common image! Will push up a branch tonight/tomorrow.