...

Text file src/github.com/emissary-ingress/emissary/v3/docker/base-python/Dockerfile

Documentation: github.com/emissary-ingress/emissary/v3/docker/base-python

     1###
     2# This dockerfile builds the base image for the builder container. See
     3# the main Dockerfile for more information about what the builder
     4# container is and how code in this repo is built.
     5#
     6# Originally this base was built as part of the builder container's
     7# bootstrap process. We discovered that minor network interruptions
     8# would break these steps, and such interruptions were common on our
     9# cloud CI system. We decided to separate out these steps so that any
    10# one of them is much less likely to be the cause of a network-related
    11# failure, i.e. a flake.
    12#
    13# See the comment before the build_builder_base() function in builder.sh
    14# to see when and how often this base image is built and pushed.
    15##
    16
    17########################################
    18# Third-party code
    19########################################
    20
    21FROM docker.io/frolvlad/alpine-glibc:alpine-3.17_glibc-2.34
    22
    23WORKDIR /buildroot
    24
    25ENV PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/go/bin:/buildroot/bin
    26
    27# For the most-part, you should not pin specific versions in this
    28# `apk` command; it will always choose the latest version being
    29# shipped by pinned version of Alpine.  This will automatically pull
    30# in any patches, but not breaking changes.
    31#
    32# Because of how we cache the base image
    33# (`docker/base-python.docker.gen`), it'll keep selected versions
    34# around for a week.  If there's a security patch that we want to pull
    35# in without waiting a week for the cache to roll over, instead of
    36# fussing with pinning a specific package version, simply make an
    37# inconsequential change that changes the file's checksum (such as
    38# bumping this comment):
    39#
    40#   forced-bumps: 0
    41#
    42# The exception to this is that we pin 'python3' and 'py3-pip' because
    43# the 'pip-tools' version below will also need to change if those
    44# versions change.  And even then, don't get more precise with the
    45# version number than we need to ensure that the pip-tools version
    46# agrees.
    47RUN apk --no-cache add \
    48  bash \
    49  gcc \
    50  make \
    51  musl-dev \
    52  curl \
    53  cython \
    54  docker-cli \
    55  git \
    56  iptables \
    57  jq \
    58  libcap \
    59  libcap-dev \
    60  libffi-dev \
    61  ncurses \
    62  openssl-dev \
    63  py3-pip=~22.3 \
    64  python3=~3.10 \
    65  python3-dev \
    66  rust \
    67  cargo \
    68  patchelf \
    69  rsync \
    70  sudo \
    71  yaml-dev \
    72  && chmod u+s $(which docker)
    73
    74# Consult
    75# https://github.com/jazzband/pip-tools/#versions-and-compatibility to
    76# select a pip-tools version that corresponds to the 'py3-pip' and
    77# 'python3' versions above.
    78# Pinning build version due to missing license info from pip show in newer versions
    79RUN pip3 install pip-tools==6.12.1 build==0.9.0
    80
    81RUN curl --fail -L https://dl.google.com/go/go1.20.3.linux-amd64.tar.gz | tar -C /usr/local -xzf -
    82
    83# The YAML parser is... special. To get the C version, we need to install Cython and libyaml, then
    84# build it locally -- just using pip won't work.
    85#
    86# Download, build, and install PyYAML.
    87RUN mkdir /tmp/pyyaml && \
    88  cd /tmp/pyyaml && \
    89  curl -o pyyaml-5.4.1.1.tar.gz -L https://github.com/yaml/pyyaml/archive/refs/tags/5.4.1.1.tar.gz && \
    90  tar xzf pyyaml-5.4.1.1.tar.gz && \
    91  cd pyyaml-5.4.1.1 && \
    92  python3 setup.py --with-libyaml install
    93
    94# orjson is also special.  The wheels on PyPI rely on glibc, so we
    95# need to use cargo/rustc/patchelf to build a musl-compatible version.
    96RUN pip3 install orjson==3.6.6

View as plain text