use debian bookworm in docker container

This returns to an upgrade first attempted in: #1255 That upgrade ran into sandbox trouble, which eventually proved to be a small change in the layout of directories in bookworm relative to buster (`/lib64` became a symlink).
gristlabs · Nov 18, 2024 · a03b4e0 · a03b4e0
1 parent fcc1f34
commit a03b4e0
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 9 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -10,7 +10,7 @@ FROM scratch AS ext
 ## Javascript build stage
 ################################################################################
 
-FROM node:18-buster AS builder
+FROM node:22-bookworm AS builder
 
 # Install all node dependencies.
 WORKDIR /grist
@@ -46,7 +46,7 @@ RUN \
 ################################################################################
 
 # Fetch python3.11
-FROM python:3.11-slim-buster AS collector-py3
+FROM python:3.11-slim-bookworm AS collector-py3
 ADD sandbox/requirements3.txt requirements3.txt
 RUN \
   pip3 install -r requirements3.txt
@@ -66,8 +66,8 @@ RUN \
   apt install -y --no-install-recommends python2 python-pip python-setuptools \
   build-essential libxml2-dev libxslt-dev python-dev zlib1g-dev && \
   pip2 install wheel && \
-  pip2 install -r requirements.txt 
-
+  pip2 install -r requirements.txt && \
+  find /usr/lib -iname "libffi.so.6*" -exec cp {} /usr/local/lib \;
 
 ################################################################################
 ## Sandbox collection stage
@@ -76,16 +76,19 @@ RUN \
 # Fetch gvisor-based sandbox. Note, to enable it to run within default
 # unprivileged docker, layers of protection that require privilege have
 # been stripped away, see https://github.com/google/gvisor/issues/4371
-# The sandbox binary is built on buster, but remains compatible with recent
-# Debian.
+# The standalone sandbox binary is built on buster, but remains compatible
+# with recent Debian.
+# If you'd like to use unmodified gvisor, you should be able to just drop
+# in the standard runsc binary and run the container with any extra permissions
+# it needs.
 FROM docker.io/gristlabs/gvisor-unprivileged:buster AS sandbox
 
 ################################################################################
 ## Run-time stage
 ################################################################################
 
 # Now, start preparing final image.
-FROM node:18-buster-slim
+FROM node:22-bookworm-slim
 
 # Install libexpat1, libsqlite3-0 for python3 library binary dependencies.
 # Install pgrep for managing gvisor processes.

diff --git a/sandbox/gvisor/run.py b/sandbox/gvisor/run.py
@@ -132,7 +132,7 @@
   ]
 
 # Helper for preparing a mount.
-def preserve(*locations, short_failure=False):
+def preserve(*locations, short_failure=False, skip_symlink=False):
   for location in locations:
     # Check the requested directory is visible on the host, and that there hasn't been a
     # muddle.  For Grist, this could happen if a parent directory of a temporary import
@@ -142,6 +142,12 @@ def preserve(*locations, short_failure=False):
         raise Exception('cannot find: ' + location)
       raise Exception('cannot find: ' + location + ' ' +
                       '(if tmp path, make sure TMPDIR when running grist and GRIST_TMP line up)')
+    if os.path.islink(location) and skip_symlink:
+      # Do not attempt to include symlink directories, they are not supported
+      # and will cause obscure failures. In Grist's docker image, they show
+      # up only via pairs like /lib64 and /usr/lib64, where we actually only
+      # need whichever is "real".
+      return
     mounts.append({
       "destination": location,
       "source": location,
@@ -162,7 +168,7 @@ def preserve(*locations, short_failure=False):
 
 preserve("/usr/local/lib")
 if os.path.exists('/lib64'):
-  preserve("/lib64")
+  preserve("/lib64", skip_symlink=True)
 if os.path.exists('/usr/lib64'):
   preserve("/usr/lib64")
 preserve("/usr/lib")