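# An untagged FROM floats to :latest on every rebuild; the ARG keeps that default
# but lets a build pin a reproducible base (e.g. --build-arg BASE_IMAGE=...:8.10
# or ...@sha256:<digest>) without editing the file.
ARG BASE_IMAGE=registry.access.redhat.com/ubi8/ubi-minimal:latest
FROM ${BASE_IMAGE}
# -f makes curl fail on an HTTP error instead of writing the error page out as
# the repo file (which would only surface later, as a confusing microdnf error).
RUN curl -fsSL -o /etc/yum.repos.d/postgresql.repo \
    https://copr.fedorainfracloud.org/coprs/g/insights/postgresql-16/repo/epel-8/group_insights-postgresql-16-epel-8.repo
# The copr repo replaces the ubi8 postgresql module stream; a failure here just
# means the module was not enabled to begin with, so it is ignored on purpose.
RUN microdnf module disable -y postgresql || :
# NOTE(review): gcc, python3.12-devel, libpq-devel (build-time) and systemd stay
# in the runtime image; a separate build stage would shrink the attack surface —
# confirm nothing at runtime depends on them before moving.
RUN microdnf install -y --setopt=install_weak_deps=0 --setopt=tsflags=nodocs \
    python312 python3.12-pip python3.12-devel libpq-devel gcc which shadow-utils diffutils systemd libicu git-core postgresql pg_repack && \
    microdnf clean all
# Building psycopg from source on aarch64 (presumably no prebuilt wheel) needs a
# C++ compiler on top of the gcc/pg_config/python3.12-devel installed above.
# An explicit branch replaces `a && b || true`, which also hid a failed install.
RUN if [ "$(uname -m)" = "aarch64" ]; then \
      microdnf install -y --setopt=install_weak_deps=0 --setopt=tsflags=nodocs \
        gcc-c++ && \
      microdnf clean all ; \
    fi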
# for manager purposes: scratch directory advertised to the app through
# prometheus_multiproc_dir (presumably read by the prometheus client's
# multiprocess mode)
RUN mkdir -p /tmp/prometheus_multiproc
# MINIMAL_SCHEMA: minimal DB schema version the application requires; services
# wait on it until the DB migration has finished
ENV prometheus_multiproc_dir=/tmp/prometheus_multiproc \
    MINIMAL_SCHEMA=133
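WORKDIR /engine
# Dependency manifests are plain files (COPY, not ADD) and are copied before the
# application code so the pip layers stay cached until the manifests change.
COPY pyproject.toml poetry.lock /engine/
ENV LC_ALL=C.utf8 \
    LANG=C.utf8
# --no-cache-dir keeps pip's download cache out of the image layer.
# NOTE(review): pip itself is upgraded unpinned and poetry only to ~=2.0, so
# the tooling in this layer is not reproducible across rebuilds.
RUN pip3.12 install --no-cache-dir --upgrade pip && \
    pip3.12 install --no-cache-dir --upgrade poetry~=2.0 poetry-plugin-export
# poetry export emits the lock-file hashes by default, so pip verifies every
# package it installs against poetry.lock — do not add --without-hashes.
RUN poetry export --only main -f requirements.txt --output requirements.txt && \
    pip3.12 install --no-cache-dir -r requirements.txt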
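# Runtime user: home /engine, primary group root (gid 0). Group 0 plus the g=u
# mode below is presumably the OpenShift-style pattern that keeps the directory
# writable when the platform runs the container under an arbitrary UID.
# NOTE(review): no fixed --uid, so the UID depends on adduser's allocation.
RUN adduser --gid 0 -d /engine --no-create-home insights
# for manager purposes: chown already sets the group to 0, so the former
# separate chgrp was redundant; g=u gives gid 0 the owner's permissions.
RUN chown -R insights:0 /tmp/prometheus_multiproc && \
    chmod -R g=u /tmp/prometheus_multiproc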
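# Baked-in content for FedRAMP
ARG STATIC_ASSETS=0
# GIT_TOKEN stays only as a fallback: a --build-arg value is recorded in
# `docker history` for every layer that references it. Prefer the secret mount
# in the RUN below (`--secret id=git_token,src=/path/to/token`; BuildKit or
# buildah), which is never written to a layer.
ARG GIT_TOKEN=""
# Runs as root (USER comes later), so the clones end up root-owned.
# NOTE(review): the corporate root CA added here stays in the runtime trust
# store; if it is only needed for the clones, do this in a build stage — confirm.
# The `remote set-url` scrubs the token out of .git/config, where git clone
# otherwise persists the full credentialed URL into the image.
# The safe.directory entries avoid git's 'detected dubious ownership' error when
# running as a rootless container.
RUN --mount=type=secret,id=git_token \
    if [ "${STATIC_ASSETS}" = 1 ] ; then \
      TOKEN="$(cat /run/secrets/git_token 2>/dev/null || printf '%s' "${GIT_TOKEN}")" && \
      curl -fsSL -o /etc/pki/ca-trust/source/anchors/2022-IT-Root-CA.crt https://certs.corp.redhat.com/certs/2022-IT-Root-CA.pem && \
      update-ca-trust extract && \
      git clone https://gitlab.cee.redhat.com/vmaas/vmaas-assets.git /engine/vmaas_assets_git && \
      git clone https://gitlab.cee.redhat.com/insights-rules/insights-playbooks.git /engine/insights_playbooks_git && \
      git clone "https://${TOKEN}@github.com/RedHatInsights/insights-content-vulnerability.git" /engine/insights_content_vulnerability_git && \
      git -C /engine/insights_content_vulnerability_git remote set-url origin https://github.com/RedHatInsights/insights-content-vulnerability.git && \
      git config --system --add safe.directory /engine/vmaas_assets_git && \
      git config --system --add safe.directory /engine/insights_playbooks_git && \
      git config --system --add safe.directory /engine/insights_content_vulnerability_git && \
      echo "Cloned static assets" ; \
    fi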
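# NOTE(review): USER is a name, not a numeric UID; Kubernetes `runAsNonRoot`
# rejects images with a non-numeric user unless runAsUser is set explicitly.
USER insights
# 8000 is an unprivileged port, so the app user can bind it without extra
# capabilities. EXPOSE is documentation only.
EXPOSE 8000
# Application files are plain files, so COPY rather than ADD (ADD would also
# auto-extract archives and fetch URLs). Copied after USER they remain
# root-owned and read-only for `insights`, which is what we want for code.
# NOTE(review): entrypoint.sh is shipped but no ENTRYPOINT/CMD is declared in
# this file — presumably supplied by the deployment; confirm.
COPY entrypoint.sh /engine/
COPY develfeatureflags.json /engine/
COPY manager.healthz.spec.yaml /engine/
COPY manager.admin.spec.yaml /engine/
COPY /database/upgrade/dbupgrade.sh /engine/
COPY /database/schema/local_init_db.sh /engine/
COPY /taskomatic/*.py /engine/taskomatic/
COPY /taskomatic/jobs/*.py /engine/taskomatic/jobs/
COPY /vmaas_sync/*.py /engine/vmaas_sync/
COPY /database/*.py /engine/database/
COPY /database/upgrade/*.py /engine/database/upgrade/
COPY /database/schema/*.sql /engine/database/schema/
COPY /database/schema/upgrade_scripts/*.sql /engine/database/schema/upgrade_scripts/
COPY /evaluator/*.py /engine/evaluator/
COPY /listener/*.py /engine/listener/
COPY manager.spec.yaml /engine/
COPY /common/*.py /engine/common/
COPY /manager/*.py /engine/manager/
COPY /notificator/*.py /engine/notificator/
COPY /exploit_sync/*py /engine/exploit_sync/
COPY /grouper/*.py /engine/grouper/
COPY /cluster/*.py /engine/cluster/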