Make backend image rootless
thomashbrnrd committed Aug 30, 2023
1 parent 18d91b3 commit 6b20767
Showing 7 changed files with 76 additions and 24 deletions.
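--- a/backend/.dockerignore
+++ b/backend/.dockerignore
@@ -0,0 +1,34 @@
+# Include any files or directories that you don't want to be copied to your
+# container here (e.g., local build artifacts, temporary files, etc.).
+#
+# For more help, visit the .dockerignore file reference guide at
+# https://docs.docker.com/engine/reference/builder/#dockerignore-file
+
+**/.DS_Store
+**/__pycache__
+**/.venv
+**/.classpath
+**/.dockerignore
+**/.env
+**/.git
+**/.gitignore
+**/.project
+**/.settings
+**/.toolstarget
+**/.vs
+**/.vscode
+**/*.*proj.user
+**/*.dbmdl
+**/*.jfm
+**/bin
+**/charts
+**/docker-compose*
+**/compose*
+**/Dockerfile*
+**/node_modules
+**/npm-debug.log
+**/obj
+**/secrets.dev.yaml
+**/values.dev.yaml
+LICENSE
+README.md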
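Review bot: The ignore list has no entry for `logs`, while the Dockerfile in this commit copies the whole build context with `COPY . .` and the compose file bind-mounts `./backend/logs`, so log files sitting in a developer or CI checkout of `backend/` would end up in the image layers. The list looks like a generic template (entries such as `**/.classpath`, `**/*.dbmdl` and `**/obj` are not Python-related), so I would add the project's own paths, starting with a `logs` line. If `cert/` can ever hold private keys and not only CA certificates, exclude those by pattern as well, since that directory is copied into `/etc/ssl/certs/`.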
47 changes: 34 additions & 13 deletions backend/Dockerfile
@@ -1,6 +1,19 @@
FROM python:3.9-slim-buster as base
FROM python:3.9-slim as base

WORKDIR /app

# Create a non-privileged user that the app will run under.
# See https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#user
ARG UID=10001
RUN adduser \
--disabled-password \
--gecos "" \
--home "/nonexistent" \
--shell "/sbin/nologin" \
--no-create-home \
--uid "${UID}" \
appuser

# certificates config
ARG CACERT_LOCATION
COPY ./cert/. /etc/ssl/certs/
Expand All @@ -13,32 +26,40 @@ RUN apt update && apt install -y \
gcc \
&& rm -rf /var/lib/apt/lists/*

# install python libraries (except torch)
COPY requirements/ requirements/
ENV PIP_CERT=$CACERT_LOCATION
RUN pip --default-timeout=300 install --upgrade pip \
&& pip --default-timeout=300 install --no-cache-dir -r requirements/common.txt \
&& rm -r /root/.cache

# Download dependencies as a separate step to take advantage of Docker's caching.
# Leverage a cache mount to /root/.cache/pip to speed up subsequent builds.
# Leverage a bind mount to requirements.txt to avoid having to copy them into
# into this layer.
RUN --mount=type=cache,target=/root/.cache/pip \
--mount=type=bind,source=requirements.txt,target=requirements.txt \
python -m pip install -r requirements.txt

ARG VERSION
ARG MODEL="EffB7_2023-03-06_08"
ENV SSL_CERT_FILE=$CACERT_LOCATION
RUN curl -o model.pth https://storage.gra.cloud.ovh.net/v1/AUTH_df731a99a3264215b973b3dee70a57af/basegun-public/models/${MODEL}/${MODEL}.pth
COPY src/ src/
COPY . .
RUN mkdir -p src/weights \
&& mv model.pth src/weights/model.pth \
&& echo '{"app": "'${VERSION}'", "model": "'${MODEL}'"}' > versions.json

# launch website
# Copy the source code into the container.
COPY . .

# Expose the port that the application listens on.
EXPOSE 8000

# Install pytorch
FROM base as dev
RUN pip --default-timeout=300 install --no-cache-dir -r requirements/dev.txt
RUN pip install torch==1.13.0 torchvision==0.14.0 --extra-index-url https://download.pytorch.org/whl/cpu
CMD ["uvicorn", "src.main:app", "--reload", "--host", "0.0.0.0", "--port", "5000"]

FROM base as test
RUN pip install -r requirements/dev.txt && pip install requests && rm -r /root/.cache
COPY tests/ tests/
CMD ["uvicorn", "src.main:app", "--host", "0.0.0.0", "--port", "5000"]
RUN pip install requests torch==1.13.0 torchvision==0.14.0 --extra-index-url https://download.pytorch.org/whl/cpu
CMD ["uvicorn", "src.main:app", "--reload", "--host", "0.0.0.0", "--port", "5000"]

FROM base as prod
RUN pip install --no-cache-dir -r requirements/prod.txt
RUN pip install torch==1.13.0+cpu torchvision==0.14.0+cpu --extra-index-url https://download.pytorch.org/whl/cpu
CMD ["uvicorn", "src.main:app", "--host", "0.0.0.0", "--port", "5000"]
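Review bot: No `USER` instruction appears in the visible Dockerfile hunks, so the `appuser` account created by the added `adduser` block is never selected by the image itself, and a plain `docker run` of any stage would still start the process as root. In this commit only `docker-compose-dev.yml` applies it (`user: appuser`); the Helm template gains just a `command:` line, so the pod's user depends on `.Values.backend.securityContext`, whose values are not shown here. I would add `USER appuser` after the last step that needs root, so the image is non-root by default and not only when the orchestrator asks for it. Because `COPY . .` leaves `/app` owned by root, anything the app writes there (for example under `PATH_LOGS=/app/logs`) also needs `COPY --chown=appuser` or a directory prepared for that user. Lines 20–25 of the new file fall between the two hunks and are not visible, so confirm none of this is already handled there.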
File renamed without changes.
3 changes: 0 additions & 3 deletions backend/requirements/dev.txt

This file was deleted.

3 changes: 0 additions & 3 deletions backend/requirements/prod.txt

This file was deleted.

12 changes: 7 additions & 5 deletions docker-compose-dev.yml
Expand Up @@ -11,6 +11,8 @@ services:
context: ./backend
target: ${BUILD_TARGET:-dev}
container_name: basegun-backend
command: uvicorn src.main:app --reload --host 0.0.0.0 --port 8000
user: appuser
environment:
- PATH_LOGS=/app/logs
- OS_USERNAME
Expand All @@ -25,11 +27,11 @@ services:
- REQUESTS_CA_BUNDLE=$CACERT_LOCATION
image: basegun-backend:${TAG:-2.0}-dev
ports:
- 5000:5000
- 8000:8000
volumes:
- $PWD/backend/src:/app/src
- $PWD/backend/tests:/app/tests
- $PWD/backend/logs:/app/logs
- ./backend/src:/app/src
- ./backend/tests:/app/tests
- ./backend/logs:/app/logs
- /app/src/weights

frontend:
Expand All @@ -48,5 +50,5 @@ services:
- 3000:5173
# - 4173:4173
volumes:
- $PWD/frontend/src:/app/src
- ./frontend/src:/app/src
- /app/node_modules
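Review bot: With `user: appuser` added to the backend service, the bind mount `./backend/logs:/app/logs` is now written by UID 10001 (the `ARG UID` default in the Dockerfile), and on a Linux host a directory owned by the developer's own account will normally not be writable for that UID. Unless the host directory is prepared with matching ownership, the app may fail when it opens files under `PATH_LOGS=/app/logs`, and the usual workaround is to drop the `user:` line or open up permissions, which undoes the point of the change. A comment above `user:` such as `# runs as UID 10001; ./backend/logs must be writable by that UID` would document the expected setup. The service definition starts above this hunk, so other settings that affect this are not visible here.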
1 change: 1 addition & 0 deletions infra/kube/helm/templates/deployment-backend.yaml
Expand Up @@ -33,6 +33,7 @@ spec:
{{- toYaml .Values.backend.securityContext | nindent 12 }}
image: "{{ .Values.backend.image.repository }}:{{ .Values.backend.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.backend.image.pullPolicy }}
command: ["uvicorn", "src.main:app", "--host", "0.0.0.0", "--port", "8000"]
envFrom:
- configMapRef:
name: {{ include "basegun.name" . }}-config
