-
Notifications
You must be signed in to change notification settings - Fork 1
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
add python3 basecontainer for use with https://github.com/SURFscz/SBS
- Loading branch information
1 parent
7df2143
commit 8d53998
Showing
3 changed files
with
139 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,50 @@ | ||
| --- | ||
| name: Build the Python3 container | ||
|
|
||
| on: | ||
| push: | ||
| paths: | ||
| - "python3/**" | ||
| - ".github/workflows/build-python3.yaml" | ||
| schedule: | ||
| - cron: '0 7 * * *' | ||
| workflow_dispatch: | ||
|
|
||
| jobs: | ||
| build-push-python3: | ||
| runs-on: "ubuntu-22.04" | ||
| permissions: | ||
| packages: write | ||
| steps: | ||
| - name: Checkout | ||
| uses: actions/checkout@v4 | ||
|
|
||
| - name: Set up QEMU | ||
| uses: docker/setup-qemu-action@v3 | ||
| with: | ||
| platforms: "linux/amd64,linux/arm64" | ||
| # The latest version will lead to segmentation fault. | ||
| image: "tonistiigi/binfmt:qemu-v7.0.0-28" | ||
|
|
||
| - name: Set up Docker Buildx | ||
| uses: docker/setup-buildx-action@v3 | ||
|
|
||
| - name: Login to GitHub Container Registry | ||
| uses: docker/login-action@v3 | ||
| with: | ||
| registry: ghcr.io | ||
| username: ${{ github.repository_owner }} | ||
| password: ${{ secrets.GITHUB_TOKEN }} | ||
|
|
||
| - name: Build and push | ||
| uses: docker/build-push-action@v6 | ||
| with: | ||
| context: "./python3" | ||
| platforms: "linux/amd64,linux/arm64" | ||
| # only push the latest tag on the main branch | ||
| push: "${{ github.ref == 'refs/heads/main' }}" | ||
| tags: | | ||
| ghcr.io/openconext/openconext-basecontainers/python3:latest | ||
| ghcr.io/openconext/openconext-basecontainers/python3:${{ github.sha }} | ||
| cache-from: type=gha | ||
| cache-to: type=gha |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,35 @@ | ||
| FROM docker.io/library/python:3.11-slim-bookworm | ||
|
|
||
| # Do an initial clean up and general upgrade of the distribution | ||
| ENV DEBIAN_FRONTEND=noninteractive | ||
| RUN \ | ||
| apt-get update && \ | ||
| apt-get -y dist-upgrade && \ | ||
| apt-get -y install \ | ||
| build-essential \ | ||
| bzip2 \ | ||
| curl \ | ||
| default-libmysqlclient-dev \ | ||
| git \ | ||
| libxmlsec1-dev \ | ||
| pkgconf \ | ||
| python3-dev \ | ||
| util-linux \ | ||
| xz-utils \ | ||
| && \ | ||
| apt-get -y autoremove && \ | ||
| rm -rf /var/lib/apt/lists/* /var/cache/apt/* | ||
|
|
||
| # if specified, drop privileges to this uid and gid | ||
| ARG RUNAS_UID | ||
| ARG RUNAS_GID | ||
|
|
||
| # Copy the startup script | ||
| RUN mkdir /container-init /container-init-post | ||
| COPY --chmod=0755 ./bin/entrypoint.sh /entrypoint.sh | ||
|
|
||
| # Set the default workdir | ||
| WORKDIR /opt | ||
|
|
||
| ENTRYPOINT ["/entrypoint.sh"] | ||
| CMD ["python3"] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,54 @@ | ||
| #!/usr/bin/env bash | ||
| set -e | ||
|
|
||
| # handle privilege dropping | ||
| if [ $UID -ne 0 ] | ||
| then | ||
| echo "This container need to run as root" | ||
| echo "Use USER/GROUP environment variables to specify the uid/gid to run as" | ||
|
|
||
| exit 1 | ||
| fi | ||
|
|
||
| # run custom scripts before dropping privileges | ||
| echo "Running custom scripts in /container-init as root" | ||
| if [ -d "/container-init" ] | ||
| then | ||
| # run all scripts using run-parts | ||
| run-parts --verbose --regex '.*' "/container-init" | ||
| fi | ||
|
|
||
| # set up privilege dropping to user and group | ||
| PRIVDROP= | ||
| if [ -n "$RUNAS_UID" ] | ||
| then | ||
| if [ -n "$RUNAS_GID" ] | ||
| then | ||
| echo "Switching to user $RUNAS_UID and group $RUNAS_GID" | ||
| groupadd -g $RUNAS_GID openconext | ||
| useradd -M -u $RUNAS_UID -g $RUNAS_GID openconext | ||
| PRIVDROP="setpriv --reuid=openconext --regid=openconext --reset-env --clear-groups" | ||
| else | ||
| echo "Switching to user $RUNAS_UID" | ||
| useradd -M -u $RUNAS_UID openconext | ||
| PRIVDROP="setpriv --reuid=openconext --reset-env --clear-groups" | ||
| fi | ||
| echo "Dropping privileges to $($PRIVDROP id -u):$($PRIVDROP id -g)" | ||
|
|
||
| # run custom scripts after dropping privileges | ||
| echo "Running custom scripts in /container-init-post as $RUNAS_UID" | ||
| if [ -d "/container-init-post" ] | ||
| then | ||
| # run all scripts using run-parts | ||
| ${PRIVDROP} run-parts --verbose --regex '.*' "/container-init-post" | ||
| fi | ||
| else | ||
| echo "Warning: not dropping privileges" | ||
| if [ -d "/container-init-post" ] && ! find /container-init-post/ -maxdepth 0 -empty | ||
| then | ||
| echo "Warning: not running scripts in /container-init-post as no user is specified" | ||
| fi | ||
| fi | ||
|
|
||
| # Hand off to the CMD | ||
| exec ${PRIVDROP} "$@" |