...
###
# This Dockerfile builds the base image for the builder container. See
# the main Dockerfile for more information about what the builder
# container is and how code in this repo is built.
#
# Originally this base was built as part of the builder container's
# bootstrap process. We discovered that minor network interruptions
# would break these steps, and such interruptions were common on our
# cloud CI system. We decided to separate out these steps so that any
# one of them is much less likely to be the cause of a network-related
# failure, i.e. a flake.
#
# See the comment before the build_builder_base() function in builder.sh
# to see when and how often this base image is built and pushed.
##

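########################################
# Third-party code
########################################

# NOTE(review): the base is a third-party (non-official) image referenced
# by tag only. Tags are mutable, so a re-pushed tag changes what every
# later layer is built on without any change to this file. Pin the digest
# once it has been resolved from the registry, e.g.
#   FROM docker.io/frolvlad/alpine-glibc:alpine-3.17_glibc-2.34@sha256:<DIGEST-PLACEHOLDER>
FROM docker.io/frolvlad/alpine-glibc:alpine-3.17_glibc-2.34

# All later build steps run relative to /buildroot.
WORKDIR /buildroot

# Standard system directories first; the Go toolchain and the build
# root's own bin directory are appended last, so they cannot shadow
# system binaries.
ENV PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/go/bin:/buildroot/bin
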
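# For the most part, you should not pin specific versions in this
# `apk` command; it will always choose the latest version shipped by
# the pinned version of Alpine. This will automatically pull in any
# patches, but not breaking changes.
#
# Because of how we cache the base image
# (`docker/base-python.docker.gen`), it'll keep selected versions
# around for a week. If there's a security patch that we want to pull
# in without waiting a week for the cache to roll over, instead of
# fussing with pinning a specific package version, simply make an
# inconsequential change that changes the file's checksum (such as
# bumping this comment):
#
# forced-bumps: 0
#
# The exception to this is that we pin 'python3' and 'py3-pip' because
# the 'pip-tools' version below will also need to change if those
# versions change. And even then, don't get more precise with the
# version number than we need to ensure that the pip-tools version
# agrees.
#
# Packages are listed alphabetically, one per line, so that additions
# and removals show up as single-line diffs.
#
# NOTE(review): the last step sets the setuid bit on the docker CLI, so
# every user inside a container built from this image runs `docker`
# with the privileges of the binary's owner (presumably root -- confirm).
# When the host's Docker socket is mounted, that is equivalent to root
# on the host. `sudo` is installed too. Treat images derived from this
# base as build-only, keep them away from untrusted workloads, and
# review the sudoers configuration in the derived image.
RUN apk --no-cache add \
      bash \
      cargo \
      curl \
      cython \
      docker-cli \
      gcc \
      git \
      iptables \
      jq \
      libcap \
      libcap-dev \
      libffi-dev \
      make \
      musl-dev \
      ncurses \
      openssl-dev \
      patchelf \
      py3-pip=~22.3 \
      python3=~3.10 \
      python3-dev \
      rsync \
      rust \
      sudo \
      yaml-dev \
    && chmod u+s "$(command -v docker)"
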
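# Consult
# https://github.com/jazzband/pip-tools/#versions-and-compatibility to
# select a pip-tools version that corresponds to the 'py3-pip' and
# 'python3' versions above.
# Pinning build version due to missing license info from pip show in newer versions
#
# --no-cache-dir keeps pip's download cache out of the image layer.
# NOTE(review): the versions are pinned but the artifacts are not
# hash-checked; a requirements file installed with --require-hashes
# would also pin the transitive dependencies.
RUN pip3 install --no-cache-dir pip-tools==6.12.1 build==0.9.0
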
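# Install the Go toolchain under /usr/local (the tarball unpacks to
# /usr/local/go, whose bin directory is on PATH).
#
# The tarball is saved to a file instead of being piped into tar: in a
# pipeline the exit status is tar's alone, so a curl error would not be
# checked directly. --proto '=https' keeps redirects from leaving HTTPS.
# The tarball is removed in the same layer so it does not stay in the image.
#
# NOTE(review): the download is not integrity-checked. Go publishes a
# SHA-256 for every release archive; add a check before extraction, e.g.
#   echo "<GO_TARBALL_SHA256-PLACEHOLDER>  /tmp/go.tar.gz" | sha256sum -c -
RUN curl --fail --proto '=https' -L -o /tmp/go.tar.gz https://dl.google.com/go/go1.20.3.linux-amd64.tar.gz \
    && tar -C /usr/local -xzf /tmp/go.tar.gz \
    && rm -f /tmp/go.tar.gz
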
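# The YAML parser is... special. To get the C version, we need to install Cython and libyaml, then
# build it locally -- just using pip won't work.
#
# Download, build, and install PyYAML.
#
# --fail makes curl exit non-zero on an HTTP error instead of saving the
# error page as the archive. The source tree is deleted in the same
# layer so that it does not remain in the image.
#
# NOTE(review): the source archive is fetched by tag and not
# integrity-checked; a tag can be moved upstream. Record the expected
# SHA-256 and verify it before unpacking, e.g.
#   echo "<PYYAML_TARBALL_SHA256-PLACEHOLDER>  pyyaml-5.4.1.1.tar.gz" | sha256sum -c -
RUN mkdir /tmp/pyyaml && \
    cd /tmp/pyyaml && \
    curl --fail --proto '=https' -L -o pyyaml-5.4.1.1.tar.gz https://github.com/yaml/pyyaml/archive/refs/tags/5.4.1.1.tar.gz && \
    tar xzf pyyaml-5.4.1.1.tar.gz && \
    cd pyyaml-5.4.1.1 && \
    python3 setup.py --with-libyaml install && \
    cd / && \
    rm -rf /tmp/pyyaml
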
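# orjson is also special. The wheels on PyPI rely on glibc, so we
# need to use cargo/rustc/patchelf to build a musl-compatible version.
#
# --no-cache-dir keeps pip's download cache out of the image layer.
# NOTE(review): a source build presumably pulls its build dependencies
# at image-build time; only the orjson version itself is pinned here,
# and nothing is hash-checked -- confirm whether that is acceptable.
RUN pip3 install --no-cache-dir orjson==3.6.6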