diff --git a/docker/Dockerfile.common b/docker/Dockerfile.common
index 32fbe031..c2c10d56 100644
--- a/docker/Dockerfile.common
+++ b/docker/Dockerfile.common
@@ -1,45 +1,36 @@
-ARG BASE_IMAGE=ubuntu:20.04
-FROM ${BASE_IMAGE}
+FROM cgr.dev/chainguard/wolfi-base AS base
-# Necessary to install tzdata. It will default to UTC.
+# Non-interactive for tzdata/etc.
 ENV DEBIAN_FRONTEND=noninteractive
 # Make sure we enable all GPU if we have one
 ENV NVIDIA_DRIVER_CAPABILITIES=all
-RUN apt-get update && \
- apt-get install -y \
+# Install needed system packages (Wolfi uses apk, not apt-get)
+RUN apk update && \
+ apk add --no-cache \
+ bash \
 wget \
 apache2 \
 apache2-dev \
- libapr1-dev \
 apache2-utils && \
- rm -rf /var/lib/apt/lists/*
-
-COPY --from=tianon/gosu /gosu /usr/local/bin/
-
-# Set up needed permissions and users
-# - User groups:
-# - trame-user: non-priviledge user for running and accessing data
-# => (optional) Provide runtime env TRAME_USER_DATA=/docker/path to query which user to map trame-user to
-# - docker: group to be remapped to docker host group to allow docker in docker.
-# - trame-user can perform docker operaction by allowing access to /var/run/docker.sock
-# - proxy-mapping: group for r/w on mapping file
-# - trame-user so the launcher can update the mapping file (w)
-# - www-data so that apache can read the file and handle the network routing (r)
-# - www-data: apache user
-# - added to proxy-mapping so it can read the mapping file for routing network
-# - added to trame-user so it can serve user data
-# - Magic numbers:
-# - 1000: Default first user
-# - 5001/5002: Large id to prevent conflict with existing host uid/gid
-RUN groupadd trame-user -g 1000 && \
- groupadd proxy-mapping -g 5001 && \
- groupadd docker -g 5002 && \
- useradd -u 1000 -g trame-user -G proxy-mapping -s /sbin/nologin trame-user && \
- usermod -a -G proxy-mapping www-data && \
- usermod -a -G trame-user www-data && \
- usermod -a -G docker trame-user && \
+ rm -rf /var/cache/apk/*
+
+# Copy gosu from Chainguard version or install it
+RUN apk add --no-cache gosu
+
+# Set up users and groups similar to Dockerfile.common
+RUN addgroup -g 1000 trame-user && \
+ addgroup -g 5001 proxy-mapping && \
+ addgroup -g 5002 docker && \
+ adduser -D -u 1000 -G trame-user trame-user && \
+ addgroup trame-user proxy-mapping && \
+ addgroup -S -g 82 www-data && \
+ # Create the www-data user with correct uid/gid before adding to supplementary groups
+ adduser -S -u 82 -G www-data www-data && \
+ addgroup www-data proxy-mapping && \
+ addgroup www-data trame-user && \
+ addgroup trame-user docker && \
 mkdir -p /opt/trame && \
 chown -R trame-user:trame-user /opt/trame && \
 mkdir -p /home/trame-user && \
@@ -50,26 +41,22 @@ RUN groupadd trame-user -g 1000 && \
 mkdir -p /deploy && \
 chown -R trame-user:trame-user /deploy
-# Copy the apache configuration file into place
+# Copy the apache configuration file into place (bring these files into build context or adjust path)
 COPY config/apache/001-trame.conf /etc/apache2/sites-available/001-trame.conf
 COPY config/apache/001-trame.tpl /opt/trame/apache.tpl
 COPY config/default-launcher.json /opt/trame/default-launcher.json
-# Configure the apache web server
-RUN a2enmod vhost_alias && \
- a2enmod proxy && \
- a2enmod proxy_http && \
- a2enmod proxy_wstunnel && \
- a2enmod rewrite && \
- a2enmod headers && \
- a2dissite 000-default.conf && \
- a2ensite 001-trame && \
- a2dismod autoindex -f
+# Ensure /etc/apache2/ports.conf exists with default Listen directive for apache2
+RUN if [ ! -f /etc/apache2/ports.conf ]; then \
+ echo "Listen 80" > /etc/apache2/ports.conf; \
+ fi
-# Copy the scripts into place
+# Note: Wolfi/Chainguard's apache2 does not have debian-style modules, use BuildKit to customize if needed
+
+# Copy scripts into place
 COPY scripts/* /opt/trame/
-# Open port 80 to the world outside the container
 EXPOSE 80
 ENTRYPOINT ["/opt/trame/entrypoint.sh"]
+
diff --git a/docker/Dockerfile.pip b/docker/Dockerfile.pip
index 6dbd8f7e..a51bb1d7 100644
--- a/docker/Dockerfile.pip
+++ b/docker/Dockerfile.pip
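Review bot: The new `adduser -D -u 1000 -G trame-user trame-user` drops the `-s /sbin/nologin` that the removed `useradd` line carried, so trame-user now gets busybox adduser's default shell (presumably /bin/sh) instead of a disabled one; `adduser -D -u 1000 -G trame-user -s /sbin/nologin trame-user` restores the non-interactive account, and gosu does not need a login shell to switch to it. `FROM cgr.dev/chainguard/wolfi-base` carries no tag or digest, so every build floats to whatever the registry currently serves; pin it, e.g. `FROM cgr.dev/chainguard/wolfi-base:latest@sha256:…`, so the base is reproducible and the package set can be reviewed. The retained `ENV DEBIAN_FRONTEND=noninteractive` has no effect under apk and its rewritten comment still attributes it to tzdata, so it should be removed or its comment should say it is a Debian leftover. The unconditional `addgroup -S -g 82 www-data` / `adduser -S -u 82` pair will fail the build rather than skip if Wolfi's apache2 package already ships that account, which is worth checking before this merges.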
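Review bot: The deleted `a2enmod`/`a2ensite`/`a2dismod autoindex -f` steps have no replacement in this hunk, only a comment deferring to BuildKit, so nothing here loads `001-trame.conf` out of `/etc/apache2/sites-available/` or the proxy, proxy_http, proxy_wstunnel, rewrite, headers and vhost_alias modules it relied on, and mod_autoindex is no longer explicitly disabled; on Wolfi's apache2, which I believe uses the Alpine-style `/etc/apache2/httpd.conf` layout (confirm), a file under sites-available is simply never read. The freshly written `/etc/apache2/ports.conf` is likewise not included by anything visible, so its `Listen 80` is probably inert as well. I would load the modules the old `a2enmod` list named, keep autoindex unloaded, include the vhost from the main config, and run `httpd -t` in the build so a missing module or directive fails at image build rather than at container start; paths below follow the Alpine layout and need verifying against the installed package.
```dockerfile
# … unchanged: COPY of 001-trame.conf / apache.tpl / default-launcher.json, ports.conf guard …

# Wolfi's apache2 has no a2enmod/a2ensite: load the modules 001-trame.conf relies on,
# keep mod_autoindex unloaded, and include the vhost explicitly.
# Paths assume the Alpine-style layout (ServerRoot-relative modules/); verify against the package.
RUN for m in vhost_alias proxy proxy_http proxy_wstunnel rewrite headers; do \
        echo "LoadModule ${m}_module modules/mod_${m}.so" >> /etc/apache2/httpd.conf; \
    done && \
    sed -i 's|^LoadModule autoindex_module|#LoadModule autoindex_module|' /etc/apache2/httpd.conf && \
    echo "Include /etc/apache2/sites-available/001-trame.conf" >> /etc/apache2/httpd.conf && \
    httpd -t
```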
@@ -1,32 +1,31 @@
 ARG BASE_IMAGE=trame-common
 FROM ${BASE_IMAGE}
-ARG PYTHON_VERSION=3.9
+ARG PYTHON_VERSION=3.13
-RUN apt-get update && \
- apt-get install -y \
- python${PYTHON_VERSION} \
- # python-distutils is required to install pip
- python${PYTHON_VERSION}-distutils \
- # python-is-python3 creates a symlink for python to python3
- python-is-python3 \
- # For creating virtual environments
- python${PYTHON_VERSION}-venv && \
- rm -rf /var/lib/apt/lists/*
+# Install Python and required dependencies (but do NOT install the system-provided pip to avoid vulnerable versions)
+RUN apk update && \
+ apk add --no-cache \
+ python-${PYTHON_VERSION} \
+ python-${PYTHON_VERSION}-dev \
+ py${PYTHON_VERSION}-virtualenv \
+ py3-wheel \
+ wget
-# Set python3 to python3.x (otherwise, it will be python3.8)
-RUN if [ "$PYTHON_VERSION" != "3" ] ; then update-alternatives --install /usr/bin/python3 python3 /usr/bin/python${PYTHON_VERSION} 1 ;fi
+# Create a symlink to set python3 to the desired python version, if not default
+RUN if [ "$PYTHON_VERSION" != "3" ]; then ln -sf /usr/bin/python${PYTHON_VERSION} /usr/bin/python3; fi
 # Never use a cache directory for pip, both here in this Dockerfile
 # and when we run the container.
 ENV PIP_NO_CACHE_DIR=1
-# Install and upgrade pip
-RUN wget -q -O- https://bootstrap.pypa.io/get-pip.py | python${PYTHON_VERSION} && \
- pip install -U pip
-
-# Install setup dependencies
-RUN pip install PyYAML wheel
+# Install pip safely, pinning to >=25.2 to avoid GHSA-4xh5-x5gv-qwph
+RUN python${PYTHON_VERSION} -m ensurepip --upgrade || true && \
+ wget -O /tmp/get-pip.py https://bootstrap.pypa.io/get-pip.py && \
+ python${PYTHON_VERSION} /tmp/get-pip.py --no-cache-dir --force-reinstall && \
+ pip install --no-cache-dir --upgrade 'pip>=25.2' && \
+ rm -f /tmp/get-pip.py && \
+ pip install --no-cache-dir PyYAML wheel
 # Copy the pip scripts into place
 COPY scripts/pip/* /opt/trame/
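Review bot: The `wget -O /tmp/get-pip.py https://bootstrap.pypa.io/get-pip.py` fetch has no checksum or version pin, so the build executes whatever that URL serves at the moment of the build even though the comment calls this the safe path; and because `ensurepip --upgrade` has already provided a pip and the later `pip install --upgrade 'pip>=25.2'` replaces whatever get-pip installed, the get-pip step is both unverified and redundant (the `--force-reinstall` and the `|| true` that swallows an ensurepip failure only add churn). `>=25.2` is a floor, not a pin, and as far as I recall GHSA-4xh5-x5gv-qwph was fixed in pip 25.3 rather than 25.2, so the stated intent would not be met; confirm the fixed release in the advisory and pin it exactly. I would reduce the block to `python${PYTHON_VERSION} -m ensurepip --upgrade && python${PYTHON_VERSION} -m pip install --no-cache-dir 'pip==25.3' && python${PYTHON_VERSION} -m pip install --no-cache-dir PyYAML==<pinned> wheel==<pinned>`, using `-m pip` throughout since ensurepip alone may not put a bare `pip` script on PATH; if Wolfi's python package turns out to lack ensurepip, install `py${PYTHON_VERSION}-pip` from apk or keep get-pip.py but verify a sha256 before running it. Separately, the removed `python-is-python3` has no replacement, so any script under `scripts/pip/*` (outside this hunk) that invokes `python` rather than `python3` will now fail.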