From fb3408806343c58c2e5bbb0e00570a2b3e697ab0 Mon Sep 17 00:00:00 2001
From: Hans Keeler
Date: Tue, 23 Jul 2019 13:14:05 -0400
Subject: [PATCH 01/12] Moves OS dependencies into Dockerfile This change was made to make it easier to run the build and test processes as alternate users, which is sometimes necessary to make the volumes permissions line up with the Docker host. Additionally, changes paths using `/`, which was causing permissions issues when running as non-root.
---
docker/drama-free-django/Dockerfile | 23 +++++++++++++++++++
docker/drama-free-django/_build.sh | 20 ++++------------
docker/drama-free-django/_test.sh | 11 ++++-----
docker/drama-free-django/docker-entrypoint.sh | 7 ++++++
4 files changed, 38 insertions(+), 23 deletions(-)
create mode 100644 docker/drama-free-django/Dockerfile
create mode 100755 docker/drama-free-django/docker-entrypoint.sh
diff --git a/docker/drama-free-django/Dockerfile b/docker/drama-free-django/Dockerfile
new file mode 100644
index 00000000000..6d53557c2fb
--- /dev/null
+++ b/docker/drama-free-django/Dockerfile
@@ -0,0 +1,23 @@
+FROM centos:7
+
+ENV SCL_PYTHON_VERSION python27
+
+ENV DFD_DIR /src/cfgov-refresh
+
+# Must be world writable since alternate uid:gid may be patched in at `docker run` time.
+RUN mkdir -p ${DFD_DIR} && chmod 777 ${DFD_DIR}
+WORKDIR ${DFD_DIR}
+
+# Install dependencies
+RUN yum install -y centos-release-scl && \
+ curl -sL https://rpm.nodesource.com/setup_10.x | bash - && \
+ curl -sL https://dl.yarnpkg.com/rpm/yarn.repo | tee /etc/yum.repos.d/yarn.repo && \
+ yum install -y ${SCL_PYTHON_VERSION} gcc git nodejs which yarn && \
+ echo "source scl_source enable ${SCL_PYTHON_VERSION}" > /etc/profile.d/scl_python.sh && \
+ source /etc/profile && \
+ pip install -U pip && \
+ pip install -U git+https://github.com/cfpb/drama-free-django.git
+
+COPY _build.sh _test.sh docker-entrypoint.sh ./
+
+ENTRYPOINT [ "./docker-entrypoint.sh"]
\ No newline at end of file
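Review bot: The dependency `RUN` step pipes `https://rpm.nodesource.com/setup_10.x` straight into `bash` as root and writes the fetched `yarn.repo` into `/etc/yum.repos.d/` with no integrity check, and `curl -sL` without `-f` passes an HTTP error body on to the shell or the repo directory instead of failing the build. Because this image builds the release artifact, whatever those endpoints serve at build time becomes part of the toolchain. At minimum use `curl -fsSL` for both fetches; better, commit the two repo definitions (with `gpgcheck=1` and the vendor key) next to the Dockerfile and `COPY` them in. The final `pip install -U git+https://github.com/cfpb/drama-free-django.git` also follows the default branch and should be pinned to a tag or commit, e.g. `...drama-free-django.git@<pinned-ref>`.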
diff --git a/docker/drama-free-django/_build.sh b/docker/drama-free-django/_build.sh index af57fa4d088..455d2f518b8 100755 --- a/docker/drama-free-django/_build.sh +++ b/docker/drama-free-django/_build.sh @@ -22,19 +22,6 @@ if [ ! -d "$cfgov_refresh_volume" ]; then exit 1 fi -# Install build requirements. -yum install -y centos-release-scl -yum install -y gcc git python27 - -source /opt/rh/python27/enable - -pip install -U pip -pip install -U git+https://github.com/cfpb/drama-free-django.git - -curl -sL https://rpm.nodesource.com/setup_10.x | bash - -curl -sL https://dl.yarnpkg.com/rpm/yarn.repo | tee /etc/yum.repos.d/yarn.repo -yum install -y nodejs yarn - # Run the frontend build. pushd "$cfgov_refresh_volume" ./frontend.sh production @@ -62,13 +49,14 @@ no-drama build "${build_args[@]}" echo "{}" > ./dfd_env.json # This is used by DFD to set Django's settings.STATIC_ROOT. -echo '{"static_out": "../../../static"}' > ./dfd_paths.json +# Q: Why do we need to override the default? +# echo '{"static_out": "../static"}' > ./dfd_paths.json no-drama release \ "./$build_artifact" \ ./dfd_env.json \ - "$artifact_release" \ - --paths ./dfd_paths.json + "$artifact_release" #\ + #--paths ./dfd_paths.json # Copy release artifact to source directory. cp "$release_artifact" "$cfgov_refresh_volume" diff --git a/docker/drama-free-django/_test.sh b/docker/drama-free-django/_test.sh index 133d8e817f5..139bbf7f057 100755 --- a/docker/drama-free-django/_test.sh +++ b/docker/drama-free-django/_test.sh @@ -8,6 +8,7 @@ set -x artifact_filename=cfgov_current_build.zip artifact_volume=/cfgov +dfd_test_dir=/tmp/dfd-test/release # Verify that the artifact volume has been mapped. if [ ! -d "$artifact_volume" ]; then 
@@ -16,15 +17,11 @@ if [ ! -d "$artifact_volume" ]; then exit 1 fi -# Install runtime requirements. -yum install -y centos-release-scl -yum install -y python27 - -source /opt/rh/python27/enable # Extract the artifact in /tmp. -cp "$artifact_volume/$artifact_filename" /tmp -cd /tmp +mkdir -p $dfd_test_dir +cp "$artifact_volume/$artifact_filename" $dfd_test_dir +cd $dfd_test_dir python "./$artifact_filename" cd current diff --git a/docker/drama-free-django/docker-entrypoint.sh b/docker/drama-free-django/docker-entrypoint.sh new file mode 100755 index 00000000000..d81332ae48d --- /dev/null +++ b/docker/drama-free-django/docker-entrypoint.sh @@ -0,0 +1,7 @@ +#!/bin/bash --login +# This entrypoint is used primarily as means of setting up a consistent +# shell environment no matter which user the process runs as. By using +# --login, it guarantees /etc/profile is always sourced, unlike the +# non-login, non-interactive shell you get by default with `docker run`. + +exec "$@" \ No newline at end of file From 8478002c154e60a9063d88cb34a4b47f541d5e6f Mon Sep 17 00:00:00 2001 From: Hans Keeler Date: Thu, 25 Jul 2019 18:13:31 -0400 Subject: [PATCH 02/12] Converts dfd scripts to use docker build, then run --- docker/drama-free-django/build.sh | 10 +++++++++- docker/drama-free-django/test.sh | 10 +++++++++- 2 files changed, 18 insertions(+), 2 deletions(-) diff --git a/docker/drama-free-django/build.sh b/docker/drama-free-django/build.sh index be981bd9f8b..cce3640eda7 100755 --- a/docker/drama-free-django/build.sh +++ b/docker/drama-free-django/build.sh @@ -1,3 +1,11 @@ #!/usr/bin/env bash -docker run -v `pwd`:/cfgov centos:6 /cfgov/docker/drama-free-django/_build.sh +set -e + +docker build -t cfgov-dfd-builder docker/drama-free-django + +docker run \ + --rm \ + -u $(id -u):$(id -g) \ + -v $(pwd):/cfgov \ + cfgov-dfd-builder ./_build.sh diff --git a/docker/drama-free-django/test.sh b/docker/drama-free-django/test.sh index 4f4c8a22595..1f3e7372387 100755 
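Review bot: The three added lines in `_test.sh` expand `$dfd_test_dir` unquoted while the neighbouring `"$artifact_volume/$artifact_filename"` is quoted; quote it consistently as `mkdir -p "$dfd_test_dir"`, `cp "$artifact_volume/$artifact_filename" "$dfd_test_dir"` and `cd "$dfd_test_dir"`. The directory is a fixed name under world-writable `/tmp`, so the script reuses whatever already exists at that path; in a fresh container that is harmless, but `mktemp -d` would remove the assumption. Whether a failed `cd` aborts the script depends on `set -e`, which is not visible in this hunk.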
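Review bot: In `build.sh`, `-v $(pwd):/cfgov` and `-u $(id -u):$(id -g)` are unquoted, so a checkout path containing spaces is word-split and Docker receives a different mount source and a stray word where the image name should be; write `-v "$(pwd)":/cfgov` and `-u "$(id -u):$(id -g)"`. The same lines appear in the `test.sh` hunk of this commit. The build context `docker/drama-free-django` is a relative path, so the script only works from the project root; a short comment such as `# Must be run from the project root (build context is a relative path).` above `docker build` would make that explicit.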
--- a/docker/drama-free-django/test.sh +++ b/docker/drama-free-django/test.sh @@ -1,3 +1,11 @@ #!/usr/bin/env bash -docker run -v `pwd`:/cfgov centos:6 /cfgov/docker/drama-free-django/_test.sh +set -e + +docker build -t cfgov-dfd-builder docker/drama-free-django + +docker run \ + --rm \ + -u $(id -u):$(id -g) \ + -v $(pwd):/cfgov:cached \ + cfgov-dfd-builder ./_test.sh From 270e1a62691d21d28cd86be281a6abab2a5641ca Mon Sep 17 00:00:00 2001 From: Hans Keeler Date: Fri, 26 Jul 2019 12:47:29 -0400 Subject: [PATCH 03/12] Revert back to centos:6 Docker image --- docker/drama-free-django/Dockerfile | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/docker/drama-free-django/Dockerfile b/docker/drama-free-django/Dockerfile index 6d53557c2fb..7311be7eed2 100644 --- a/docker/drama-free-django/Dockerfile +++ b/docker/drama-free-django/Dockerfile @@ -1,6 +1,7 @@ -FROM centos:7 +FROM centos:6 ENV SCL_PYTHON_VERSION python27 +ENV PIP_NO_CACHE_DIR true ENV DFD_DIR /src/cfgov-refresh @@ -20,4 +21,4 @@ RUN yum install -y centos-release-scl && \ COPY _build.sh _test.sh docker-entrypoint.sh ./ -ENTRYPOINT [ "./docker-entrypoint.sh"] \ No newline at end of file +ENTRYPOINT ["./docker-entrypoint.sh"] \ No newline at end of file From a9a63bbb4537dd340107d65672cc59ca6b969920 Mon Sep 17 00:00:00 2001 From: Hans Keeler Date: Fri, 26 Jul 2019 12:47:50 -0400 Subject: [PATCH 04/12] Revert to original `static_out` path --- docker/drama-free-django/_build.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docker/drama-free-django/_build.sh b/docker/drama-free-django/_build.sh index 455d2f518b8..83e7873bd22 100755 --- a/docker/drama-free-django/_build.sh +++ b/docker/drama-free-django/_build.sh 
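Review bot: `FROM centos:6` is a floating tag, so two builds of the same commit can start from different base layers, and the release artifact this image produces cannot be reproduced from the Dockerfile alone. Pin the digest alongside the tag, `FROM centos:6@sha256:<digest-of-the-vetted-image>`, and bump it deliberately. The added `ENV PIP_NO_CACHE_DIR true` uses the legacy space-separated form; `ENV PIP_NO_CACHE_DIR=true` is the current syntax and applies equally to the two neighbouring `ENV` lines.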
@@ -50,13 +50,13 @@ echo "{}" > ./dfd_env.json # This is used by DFD to set Django's settings.STATIC_ROOT. # Q: Why do we need to override the default? -# echo '{"static_out": "../static"}' > ./dfd_paths.json +echo '{"static_out": "../../../static"}' > ./dfd_paths.json no-drama release \ "./$build_artifact" \ ./dfd_env.json \ - "$artifact_release" #\ - #--paths ./dfd_paths.json + "$artifact_release" \ + --paths ./dfd_paths.json # Copy release artifact to source directory. cp "$release_artifact" "$cfgov_refresh_volume" From a6e09f583373c452f87924c027cab1257b6666b6 Mon Sep 17 00:00:00 2001 From: Hans Keeler Date: Fri, 26 Jul 2019 17:20:09 -0400 Subject: [PATCH 05/12] Override PIP_NO_CACHE_DIR on pip upgrade The version of pip that comes with SCL python27 has a bug that fails to process PIP_NO_CACHE_DIR correctly. Adding --no-cache-dir overrides the envvar, preventing the error. --- docker/drama-free-django/Dockerfile | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/docker/drama-free-django/Dockerfile b/docker/drama-free-django/Dockerfile index 7311be7eed2..2c8dbce1d94 100644 --- a/docker/drama-free-django/Dockerfile +++ b/docker/drama-free-django/Dockerfile @@ -1,6 +1,8 @@ FROM centos:6 ENV SCL_PYTHON_VERSION python27 + +# Disables pip cache, which reduces build time, and suppresses warnings when run a non-root. ENV PIP_NO_CACHE_DIR true ENV DFD_DIR /src/cfgov-refresh 
@@ -10,13 +12,15 @@ RUN mkdir -p ${DFD_DIR} && chmod 777 ${DFD_DIR} WORKDIR ${DFD_DIR} # Install dependencies +# NOTE: You MUST upgrade pip before using it further. The version packaged with SCL has issues +# with both setuptools and the PIP_NO_CACHE_DIR envvar (hence the --no-cache-dir override). RUN yum install -y centos-release-scl && \ curl -sL https://rpm.nodesource.com/setup_10.x | bash - && \ curl -sL https://dl.yarnpkg.com/rpm/yarn.repo | tee /etc/yum.repos.d/yarn.repo && \ yum install -y ${SCL_PYTHON_VERSION} gcc git nodejs which yarn && \ echo "source scl_source enable ${SCL_PYTHON_VERSION}" > /etc/profile.d/scl_python.sh && \ source /etc/profile && \ - pip install -U pip && \ + pip install --no-cache-dir -U pip && \ pip install -U git+https://github.com/cfpb/drama-free-django.git COPY _build.sh _test.sh docker-entrypoint.sh ./ From 7431fba8d7a301857e471b7e9fecdd5c6b8b50a2 Mon Sep 17 00:00:00 2001 From: Hans Keeler Date: Fri, 26 Jul 2019 17:31:03 -0400 Subject: [PATCH 06/12] Removes Mac-specific `cached` volume attribute --- docker/drama-free-django/test.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker/drama-free-django/test.sh b/docker/drama-free-django/test.sh index 1f3e7372387..1ccf54bb4c4 100755 --- a/docker/drama-free-django/test.sh +++ b/docker/drama-free-django/test.sh @@ -7,5 +7,5 @@ docker build -t cfgov-dfd-builder docker/drama-free-django docker run \ --rm \ -u $(id -u):$(id -g) \ - -v $(pwd):/cfgov:cached \ + -v $(pwd):/cfgov \ cfgov-dfd-builder ./_test.sh From 3cd92f023a53bfc05cbdbe85520673edd615564d Mon Sep 17 00:00:00 2001 From: Hans Keeler Date: Fri, 26 Jul 2019 17:41:13 -0400 Subject: [PATCH 07/12] Removes unneeded `which` package --- docker/drama-free-django/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker/drama-free-django/Dockerfile b/docker/drama-free-django/Dockerfile index 2c8dbce1d94..c3ae4b661ad 100644 --- a/docker/drama-free-django/Dockerfile 
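Review bot: `pip install --no-cache-dir -U pip` upgrades to whatever pip is newest at build time, so the image changes without any change to this file, and on the SCL Python 2.7 interpreter an unbounded upgrade can land on a pip release that no longer supports 2.7. Give it an explicit bound or exact version, for example `pip install --no-cache-dir -U 'pip<21'` (pip 21.0 dropped Python 2.7 support). The added NOTE comment is a good place to record which pip version the build was last verified with.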
+++ b/docker/drama-free-django/Dockerfile @@ -17,7 +17,7 @@ WORKDIR ${DFD_DIR} RUN yum install -y centos-release-scl && \ curl -sL https://rpm.nodesource.com/setup_10.x | bash - && \ curl -sL https://dl.yarnpkg.com/rpm/yarn.repo | tee /etc/yum.repos.d/yarn.repo && \ - yum install -y ${SCL_PYTHON_VERSION} gcc git nodejs which yarn && \ + yum install -y ${SCL_PYTHON_VERSION} gcc git nodejs yarn && \ echo "source scl_source enable ${SCL_PYTHON_VERSION}" > /etc/profile.d/scl_python.sh && \ source /etc/profile && \ pip install --no-cache-dir -U pip && \ From e936ae70256109e2bb0a4ad0bc465853903afbf8 Mon Sep 17 00:00:00 2001 From: Hans Keeler Date: Fri, 26 Jul 2019 17:48:27 -0400 Subject: [PATCH 08/12] Removes unneeded question comment --- docker/drama-free-django/_build.sh | 1 - 1 file changed, 1 deletion(-) diff --git a/docker/drama-free-django/_build.sh b/docker/drama-free-django/_build.sh index 83e7873bd22..f23305565bc 100755 --- a/docker/drama-free-django/_build.sh +++ b/docker/drama-free-django/_build.sh @@ -49,7 +49,6 @@ no-drama build "${build_args[@]}" echo "{}" > ./dfd_env.json # This is used by DFD to set Django's settings.STATIC_ROOT. -# Q: Why do we need to override the default? echo '{"static_out": "../../../static"}' > ./dfd_paths.json no-drama release \ From 44336338ccce5f62538e614498e5e82cc323b619 Mon Sep 17 00:00:00 2001 From: Hans Keeler Date: Fri, 26 Jul 2019 18:31:37 -0400 Subject: [PATCH 09/12] Add headings and "Notes" section to DFD README.md --- docker/drama-free-django/README.md | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/docker/drama-free-django/README.md b/docker/drama-free-django/README.md index b17dc002cdc..b504c632e54 100644 --- a/docker/drama-free-django/README.md +++ b/docker/drama-free-django/README.md @@ -1,3 +1,7 @@ +# Docker-based drama-free-django build and test tools + +## Build + Run the `build.sh` script from the project root: ```sh 
@@ -6,6 +10,8 @@ docker/drama-free-django/build.sh This will run a CentOS 6 container to generate a [drama-free-django](https://github.com/cfpb/drama-free-django) release artifact in the project root named `cfgov_current_build.zip`. +## Test + To run a basic test of the artifact: ```sh @@ -14,3 +20,13 @@ docker/drama-free-django/test.sh This will run a CentOS 6 container to validate the built artifact by extracting it and running Django [`collectstatic`](https://docs.djangoproject.com/en/1.11/ref/contrib/staticfiles/#collectstatic). + +## Notes + +1. When running the container as a user that exists on the host, but not in the container, you may notice a warning similar to: + + ``` + /usr/bin/id: cannot find name for user ID 502 + ``` + + This is not anything to worry about. It simply means the uid/gid don't match any users/groups setup in the container. From 44fef319a6bebea3dc7f033327a988c9b2825657 Mon Sep 17 00:00:00 2001 From: Hans Keeler Date: Fri, 26 Jul 2019 18:40:31 -0400 Subject: [PATCH 10/12] Add yarn cache warning to DFD Docker README --- docker/drama-free-django/README.md | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/docker/drama-free-django/README.md b/docker/drama-free-django/README.md index b504c632e54..bd30f4abdc1 100644 --- a/docker/drama-free-django/README.md +++ b/docker/drama-free-django/README.md 
@@ -23,10 +23,17 @@ This will run a CentOS 6 container to validate the built artifact by extracting ## Notes -1. When running the container as a user that exists on the host, but not in the container, you may notice a warning similar to: +1. When running the container as a user that exists on the host, but not in the container, you may notice a warnings similar to: ``` /usr/bin/id: cannot find name for user ID 502 ``` + ...and... + + ``` + warning Skipping preferred cache folder "/.cache/yarn" because it is not writable. + warning Selected the next writable cache folder in the list, will be "/tmp/.yarn-cache-501". + ``` + This is not anything to worry about. It simply means the uid/gid don't match any users/groups setup in the container. From 5b963b4476b5b1b34fb3d8da5a43248915272279 Mon Sep 17 00:00:00 2001 From: Hans Keeler Date: Sat, 27 Jul 2019 00:45:40 -0400 Subject: [PATCH 11/12] Fix yarn warnings by setting $HOME in Dockerfile --- docker/drama-free-django/Dockerfile | 7 ++++++- docker/drama-free-django/README.md | 9 +-------- 2 files changed, 7 insertions(+), 9 deletions(-) diff --git a/docker/drama-free-django/Dockerfile b/docker/drama-free-django/Dockerfile index c3ae4b661ad..e1dbf766081 100644 --- a/docker/drama-free-django/Dockerfile +++ b/docker/drama-free-django/Dockerfile @@ -11,6 +11,11 @@ ENV DFD_DIR /src/cfgov-refresh RUN mkdir -p ${DFD_DIR} && chmod 777 ${DFD_DIR} WORKDIR ${DFD_DIR} +# Sets a consistent $HOME no matter which user the container runs under. This prevents +# permissions issues caused by Docker's default `/` home directory. +ENV HOME /tmp/dfd-home +RUN mkdir -p ${HOME} && chmod 777 ${HOME} + # Install dependencies # NOTE: You MUST upgrade pip before using it further. The version packaged with SCL has issues # with both setuptools and the PIP_NO_CACHE_DIR envvar (hence the --no-cache-dir override). 
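Review bot: `chmod 777 ${HOME}` creates a world-writable directory without the sticky bit and makes it `$HOME` for every uid, while `docker-entrypoint.sh` starts `bash --login`, which reads per-user startup files from `$HOME` after `/etc/profile`. For a single-user throwaway container that is tolerable, but `chmod 1777 ${HOME}` gives `/tmp`-style semantics at no cost, and the same applies to the `chmod 777 ${DFD_DIR}` context line above. The comment on `ENV HOME /tmp/dfd-home` should also say that it overrides `HOME` for root, since `ENV` applies to every user of the image.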
@@ -25,4 +30,4 @@ RUN yum install -y centos-release-scl && \ COPY _build.sh _test.sh docker-entrypoint.sh ./ -ENTRYPOINT ["./docker-entrypoint.sh"] \ No newline at end of file +ENTRYPOINT ["./docker-entrypoint.sh"] diff --git a/docker/drama-free-django/README.md b/docker/drama-free-django/README.md index bd30f4abdc1..b504c632e54 100644 --- a/docker/drama-free-django/README.md +++ b/docker/drama-free-django/README.md @@ -23,17 +23,10 @@ This will run a CentOS 6 container to validate the built artifact by extracting ## Notes -1. When running the container as a user that exists on the host, but not in the container, you may notice a warnings similar to: +1. When running the container as a user that exists on the host, but not in the container, you may notice a warning similar to: ``` /usr/bin/id: cannot find name for user ID 502 ``` - ...and... - - ``` - warning Skipping preferred cache folder "/.cache/yarn" because it is not writable. - warning Selected the next writable cache folder in the list, will be "/tmp/.yarn-cache-501". - ``` - This is not anything to worry about. It simply means the uid/gid don't match any users/groups setup in the container. From 8bf713fce727a1c2aad52267afce124388975086 Mon Sep 17 00:00:00 2001 From: Hans Keeler Date: Mon, 29 Jul 2019 11:38:47 -0400 Subject: [PATCH 12/12] Fix typo in drama-free-django/Dockerfile Co-Authored-By: Andy Chosak --- docker/drama-free-django/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker/drama-free-django/Dockerfile b/docker/drama-free-django/Dockerfile index e1dbf766081..f5933749ce2 100644 --- a/docker/drama-free-django/Dockerfile +++ b/docker/drama-free-django/Dockerfile @@ -2,7 +2,7 @@ FROM centos:6 ENV SCL_PYTHON_VERSION python27 -# Disables pip cache, which reduces build time, and suppresses warnings when run a non-root. +# Disables pip cache, which reduces build time, and suppresses warnings when run as non-root. ENV PIP_NO_CACHE_DIR true ENV DFD_DIR /src/cfgov-refresh