Don't install poetry into the built image

Author: ChrisLovering

.pre-commit-config.yaml

@@ -5,6 +5,7 @@ repos:
  - id: check-merge-conflict
  - id: check-toml
  - id: check-yaml
+ args: [--unsafe] # Needed for << lines in docker-compose.yml
  - id: end-of-file-fixer
  - id: trailing-whitespace
  args: [--markdown-linebreak-ext=md]

Dockerfile

@@ -1,54 +1,23 @@
-FROM --platform=linux/amd64 python:3.9-slim as base
+FROM --platform=linux/amd64 python:3.11-slim as base
 
-# Set pip to have no saved cache
-ENV PIP_NO_CACHE_DIR=false \
- POETRY_VIRTUALENVS_IN_PROJECT=true \
- PYTHONUNBUFFERED=1 \
- PIP_DISABLE_PIP_VERSION_CHECK=on \
- POETRY_HOME="/opt/poetry" \
- INSTALL_DIR="/opt/dependencies" \
- APP_DIR="/app" \
- POETRY_NO_INTERACTION=1
-
-ENV PATH="$POETRY_HOME/bin:$INSTALL_DIR/.venv/bin:$PATH"
+# Define Git SHA build argument for sentry
+ARG git_sha="development"
+ENV GIT_SHA=$git_sha
 
 RUN groupadd -g 61000 codejam_management \
- && useradd -g 61000 -l -r -u 61000 codejam_management
-
-FROM base as builder
-RUN apt-get update \
- && apt-get -y upgrade \
- && apt-get install --no-install-recommends -y \
- curl \
- && apt-get clean && rm -rf /var/lib/apt/lists/*
-
-RUN curl -sSL https://install.python-poetry.org | python -
-
-WORKDIR $INSTALL_DIR
-COPY "pyproject.toml" "poetry.lock" ./
-RUN poetry install --no-dev
-
+ && useradd -g 61000 -l -r -u 61000 codejam_management
 
-FROM base as development
-
-# Create the working directory
-WORKDIR $APP_DIR
-COPY --from=builder $INSTALL_DIR $INSTALL_DIR
-
-# Copy the source code in last to optimize rebuilding the image
-COPY . .
+# Install project dependencies
+WORKDIR /app
+COPY main-requirements.txt ./
+RUN pip install -r main-requirements.txt
 
+EXPOSE 8000
 USER codejam_management
-# Run a single uvicorn worker
-# Multiple workers are managed by kubernetes, rather than something like gunicorn
-CMD ["sh", "-c", "alembic upgrade head && uvicorn api.main:app --host 0.0.0.0 --port 8000 --reload"]
-
+# Pull the uvicorn_extra build arg and ave it as an env var.
+# The CMD instruction is ran at execution time, so it also needs to be an env var, so that it is available at that time.
+ARG uvicorn_extras=""
+ENV uvicorn_extras=$uvicorn_extras
 
-FROM base as production
-COPY --from=builder $INSTALL_DIR $INSTALL_DIR
-WORKDIR $APP_DIR
-COPY . .
-RUN python -m compileall api/
-
-USER codejam_management
-CMD ["sh", "-c", "alembic upgrade head && uvicorn api.main:app --host 0.0.0.0 --port 8000"]
+ENTRYPOINT ["/bin/bash", "-c"]
+CMD ["alembic upgrade head && uvicorn api.main:app --host 0.0.0.0 --port 80 $uvicorn_extras"]

docker-compose.yml

@@ -1,34 +1,50 @@
-version: "3.7"
+x-logging: &logging
+ logging:
+ driver: "json-file"
+ options:
+ max-file: "5"
+ max-size: "10m"
+
+x-restart-policy: &restart_policy
+ restart: unless-stopped
+
+x-secure-containers: &secure_containers
+ privileged: false
+ read_only: true # Prod uses a read-only fs, override this locally if it helps with debugging
+ user: "65534" # Prod uses a non-root user, override this locally if it helps with debugging
 
 services:
- postgres:
- image: postgres:13-alpine
- ports:
- - "127.0.0.1:7777:5432"
- environment:
- POSTGRES_DB: codejam_management
- POSTGRES_PASSWORD: codejam_management
- POSTGRES_USER: codejam_management
- healthcheck:
- test: [ "CMD-SHELL", "pg_isready -U codejam_management" ]
- interval: 2s
- timeout: 1s
- retries: 5
- api:
- build:
- context: .
- dockerfile: Dockerfile
- target: development
- restart: always
- volumes:
- - ./alembic/versions:/app/alembic/versions
- - .:/app:ro
- depends_on:
- postgres:
- condition: service_healthy
- read_only: true # Prod uses a read-only fs, override this locally if it helps with debugging
- user: "1000" # Prod uses a non-root user, override this locally if it helps with debugging
- environment:
- DATABASE_URL: postgresql+asyncpg://codejam_management:codejam_management@postgres:5432/codejam_management
- ports:
- - 5000:8000
+ postgres:
+ << : *logging
+ << : *restart_policy
+ image: postgres:13-alpine
+ ports:
+ - "127.0.0.1:7777:5432"
+ environment:
+ POSTGRES_DB: codejam_management
+ POSTGRES_PASSWORD: codejam_management
+ POSTGRES_USER: codejam_management
+ healthcheck:
+ test: [ "CMD-SHELL", "pg_isready -U codejam_management" ]
+ interval: 2s
+ timeout: 1s
+ retries: 5
+
+ api:
+ << : *logging
+ << : *restart_policy
+ << : *secure_containers
+ build:
+ context: .
+ args:
+ - uvicorn_extras=--reload
+ volumes:
+ - ./alembic/versions:/app/alembic/versions
+ - .:/app:ro
+ depends_on:
+ postgres:
+ condition: service_healthy
+ environment:
+ DATABASE_URL: postgresql+asyncpg://codejam_management:codejam_management@postgres:5432/codejam_management
+ ports:
+ - 5000:8000