From a03b4e0c751de0ece1de5d8676706201f29be089 Mon Sep 17 00:00:00 2001
From: Paul Fitzpatrick
Date: Sun, 17 Nov 2024 19:03:07 -0500
Subject: [PATCH] use debian bookworm in docker container
This returns to an upgrade first attempted in: https://github.com/gristlabs/grist-core/pull/1255 That upgrade ran into sandbox trouble, which eventually proved to be a small change in the layout of directories in bookworm relative to buster (`/lib64` became a symlink).
---
 Dockerfile | 17 ++++++++++-------
 sandbox/gvisor/run.py | 10 ++++++++--
 2 files changed, 18 insertions(+), 9 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index eebd53e6c0..bd36b84ac5 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -10,7 +10,7 @@ FROM scratch AS ext
 ## Javascript build stage
 ################################################################################
-FROM node:18-buster AS builder
+FROM node:22-bookworm AS builder
 # Install all node dependencies.
 WORKDIR /grist
@@ -46,7 +46,7 @@ RUN \
 ################################################################################
 # Fetch python3.11
-FROM python:3.11-slim-buster AS collector-py3
+FROM python:3.11-slim-bookworm AS collector-py3
 ADD sandbox/requirements3.txt requirements3.txt
 RUN \
 pip3 install -r requirements3.txt
@@ -66,8 +66,8 @@ RUN \
 apt install -y --no-install-recommends python2 python-pip python-setuptools \
 build-essential libxml2-dev libxslt-dev python-dev zlib1g-dev && \
 pip2 install wheel && \
- pip2 install -r requirements.txt
-
+ pip2 install -r requirements.txt && \
+ find /usr/lib -iname "libffi.so.6*" -exec cp {} /usr/local/lib \;
 ################################################################################
 ## Sandbox collection stage
@@ -76,8 +76,11 @@ RUN \
 # Fetch gvisor-based sandbox. Note, to enable it to run within default
 # unprivileged docker, layers of protection that require privilege have
 # been stripped away, see https://github.com/google/gvisor/issues/4371
-# The sandbox binary is built on buster, but remains compatible with recent
-# Debian.
+# The standalone sandbox binary is built on buster, but remains compatible
+# with recent Debian.
+# If you'd like to use unmodified gvisor, you should be able to just drop
+# in the standard runsc binary and run the container with any extra permissions
+# it needs.
 FROM docker.io/gristlabs/gvisor-unprivileged:buster AS sandbox
 ################################################################################
@@ -85,7 +88,7 @@ FROM docker.io/gristlabs/gvisor-unprivileged:buster AS sandbox
 ################################################################################
 # Now, start preparing final image.
-FROM node:18-buster-slim
+FROM node:22-bookworm-slim
 # Install libexpat1, libsqlite3-0 for python3 library binary dependencies.
 # Install pgrep for managing gvisor processes.
diff --git a/sandbox/gvisor/run.py b/sandbox/gvisor/run.py
index 61a6b91637..bdf18c46d4 100755
--- a/sandbox/gvisor/run.py
+++ b/sandbox/gvisor/run.py
@@ -132,7 +132,7 @@
 ]
 # Helper for preparing a mount.
-def preserve(*locations, short_failure=False):
+def preserve(*locations, short_failure=False, skip_symlink=False):
 for location in locations:
 # Check the requested directory is visible on the host, and that there hasn't been a
 # muddle. For Grist, this could happen if a parent directory of a temporary import
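Review bot: The added comment tells readers to run the container "with any extra permissions it needs" when dropping in unmodified runsc, but does not say which, so the path of least resistance is to grant the container blanket privilege, which undoes the isolation this sandbox stage exists to provide. Suggest naming the specific capabilities or device access unmodified runsc requires, or pointing at upstream gvisor documentation for them, e.g. `# (grant only the specific capabilities/devices runsc asks for; avoid --privileged)`. The `FROM docker.io/gristlabs/gvisor-unprivileged:buster` line below is unchanged context and still selects a mutable tag rather than a digest.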
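Review bot: The new `skip_symlink` keyword on `preserve` is undocumented; the only description of the helper is the one-line `# Helper for preparing a mount.` above it, and neither `short_failure` nor `skip_symlink` says what it changes. Suggest replacing that comment with a docstring stating that each location must exist on the host, that `short_failure` selects the shorter error message when it does not, and that `skip_symlink` leaves a symlinked location out of the mount list instead of bind-mounting it. The body of `preserve` continues past the end of this hunk.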
@@ -142,6 +142,12 @@ def preserve(*locations, short_failure=False):
 raise Exception('cannot find: ' + location)
 raise Exception('cannot find: ' + location + ' ' +
 '(if tmp path, make sure TMPDIR when running grist and GRIST_TMP line up)')
+ if os.path.islink(location) and skip_symlink:
+ # Do not attempt to include symlink directories, they are not supported
+ # and will cause obscure failures. In Grist's docker image, they show
+ # up only via pairs like /lib64 and /usr/lib64, where we actually only
+ # need whichever is "real".
+ return
 mounts.append({
 "destination": location,
 "source": location,
@@ -162,7 +168,7 @@ def preserve(*locations, short_failure=False):
 preserve("/usr/local/lib")
 if os.path.exists('/lib64'):
- preserve("/lib64")
+ preserve("/lib64", skip_symlink=True)
 if os.path.exists('/usr/lib64'):
 preserve("/usr/lib64")
 preserve("/usr/lib")
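Review bot: The `return` added inside the `for location in locations:` loop exits `preserve` entirely on the first symlinked location, so any locations passed after it in the same call are silently never mounted; skipping only that one location needs `continue` in its place. The sole caller that sets `skip_symlink=True` passes a single path today, so the bug is latent, but the variadic signature invites multi-path calls where it would drop mounts without any error. It would also help diagnosis to emit a short message when a location is skipped rather than skipping silently. `preserve` starts before this hunk.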
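Review bot: `skip_symlink=True` is applied only to `/lib64`, while the sibling call `preserve("/usr/lib64")` two lines below still bind-mounts unconditionally, so an image in which `/usr/lib64` is the symlink (or both are) would hit the same obscure failure this commit fixes. Since the new comment in `preserve` describes the two paths as a pair of which only the "real" one is needed, the calls should be symmetric: `preserve("/usr/lib64", skip_symlink=True)`. If both were symlinks nothing would be mounted at all, which deserves a check or a diagnostic rather than a silent skip; the surrounding mount setup continues outside this hunk.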