Add Docker image build #17
Conversation
Dockerfile
Outdated
| @@ -0,0 +1,21 @@ | |||
| FROM python:3.11 | |||
There was a problem hiding this comment.
I suggest using a slim base image, it has the same glibc-based environment, but includes less irrelevant tools out-of-the-box (~160mb vs 1gb).
| FROM python:3.11 | |
| FROM python:3.11-slim |
Also, is there a reason why we don't use Python v3.12, given that the CI runs tests for it?
Dockerfile
Outdated
|
|
||
| ENV RUN_MIGRATION=false | ||
|
|
||
| RUN apt-get install |
| @@ -0,0 +1,16 @@ | |||
| cd web | |||
There was a problem hiding this comment.
This script won't abort when commands fail and with unbound (a.k.a. undefined) variables (as with the typo below). However, given that some operating systems' sh shells seem to not support set -o pipefail yes, even though it should be supported everywhere, I suggest using bash instead.
Also, add a shebang, to avoid confusion about which shell to run this file with.
| cd web | |
| #!/bin/bash | |
| set -eu -o pipefail | |
| cd web |
entrypoint.sh
Outdated
| cd web | ||
|
|
||
| # Run migration only if explicitly set via ENV | ||
| if [ "$RUN_MIGRATION" != "false" ]; then |
There was a problem hiding this comment.
If we want to make this case opt-in, why not check for "$RUN_MIGRATION" = "true"?
entrypoint.sh
Outdated
| ./manage.py migrate | ||
| fi | ||
|
|
||
| if [ "$ASSING_LOCATIONS" != "false" ]; then |
There was a problem hiding this comment.
| if [ "$ASSING_LOCATIONS" != "false" ]; then | |
| if [ "$ASSIGN_LOCATIONS" != "false" ]; then |
entrypoint.sh
Outdated
| fi | ||
|
|
||
| # don't create an admin interface per default | ||
| #./manage.py createsuperuser |
There was a problem hiding this comment.
Should we put this behind an opt-in env var as well?
Dockerfile
Outdated
|
|
||
| RUN apt-get install | ||
| RUN apt-get update && apt-get install -y \ | ||
| libpq-dev libgdal-dev libproj-dev libgeos-dev \ |
There was a problem hiding this comment.
According to apt, this installs 824mb worth of packages. Even with --no-install-recommends, it is still 641mb.
Are these dependencies build dependencies (in contrast to runtime dependencies)? Then I suggest adding a build step and copying the build output only.
| #./manage.py createsuperuser | ||
|
|
||
| # start the server | ||
| ./manage.py $@ |
There was a problem hiding this comment.
You might want to use exec here.
[…] If we call
prog1 -> prog2 -> prog3 -> prog4etc. and never go back, then make each call an exec. It saves resources (not much, admittedly, unless repeated) and makes shutdown simplier.
There was a problem hiding this comment.
After entrypoint.sh is run, the container CMD should be executed. IMHO exec would prevent this(?)
There was a problem hiding this comment.
I think we have a misunderstanding here. I referred to the exec Bash built-in. How would it prevent running the command specified in CMD?
Dockerfile
Outdated
|
|
||
| RUN apt-get install | ||
| RUN apt-get update && apt-get install -y \ | ||
| libpq-dev libgdal-dev libproj-dev libgeos-dev \ |
There was a problem hiding this comment.
| libpq-dev libgdal-dev libproj-dev libgeos-dev \ | |
| git \ | |
| libpq-dev libgdal-dev libproj-dev libgeos-dev \ |
i.e. * switch to prebuilt gdal image * multistaged docker build * allow superuser creation via flag * use bash for script execution * set -euo pipefial for entrypoint.sh
| @@ -0,0 +1,34 @@ | |||
| FROM ghcr.io/osgeo/gdal:alpine-small-3.9.2 AS builder | |||
There was a problem hiding this comment.
This is not a "floating tag", but hard-codes as specific set of libraries, which means that we won't get security patches "automatically" with a rebuild. We should make sure that there is a tool like Mend Renovate (bot) that notifies about updates to this image.
| file: Dockerfile | ||
| push: true | ||
| tags: | | ||
| ghcr.io/${{ steps.lower-repo.outputs.lowercase }}:latest,ghcr.io/${{ steps.lower-repo.outputs.lowercase }}:${{ steps.version.outputs.builddate }} |
There was a problem hiding this comment.
This will create an image named parkendd/parkapi2, where as ParkAPI v3 images are named parkendd/park-api-v3. Do we want to align the v2 naming scheme with the v3 one?
There was a problem hiding this comment.
As the CI is configured right now, the image will not have (meaningful) OCI annotations, except the (deprecated) plain maintainer label in Dockerfile.
I suggest adding helpful OCI annotations like org.opencontainers.image.source (to find the underlying Git repo) or org.opencontainers.image.licenses (to quickly find out ParkAPI2's license(s)), either
- via the
docker/metadata-action, which will do it automatically (preferred, as they will be much more thorough); or - by hard-coding some of them via
DockerfileLABELs, e.g. likepostgis-gtfs-importerdoes it; or - both of the above methods.
|
|
||
| - name: lowercase repo name | ||
| id: lower-repo | ||
| uses: ASzc/change-string-case-action@v6 |
There was a problem hiding this comment.
It seems like relying on this unpinned "random" third-party dependency is not necessary because there are various built-in utilities to lower-case a string.
| uses: ASzc/change-string-case-action@v6 | |
| run: | | |
| echo "lowercase=$(echo -n '${{ github.repository }}' | tr '[:upper:]' '[:lower:]')" >> $GITHUB_OUTPUT |
|
|
||
| cd web | ||
| if [ "$RUN_MIGRATION" -eq "1" ]; then | ||
| echo "RUN MIGRATION is TRUE" |
There was a problem hiding this comment.
[nitpick]
You might want to log this to stderr.
| echo "RUN MIGRATION is TRUE" | |
| >&2 echo "RUN MIGRATION is TRUE" |
| #./manage.py createsuperuser | ||
|
|
||
| # start the server | ||
| ./manage.py $@ |
There was a problem hiding this comment.
I think we have a misunderstanding here. I referred to the exec Bash built-in. How would it prevent running the command specified in CMD?
| fi | ||
|
|
||
| # start the server | ||
| ./manage.py $@ |
There was a problem hiding this comment.
Just using $@ verbatim has unintended consequences!
bash -c 'python3 -c "import sys;print(sys.argv[2:])" -- $@' -- foo 'bar baz' --hello --world
# ['foo', 'bar', 'baz', '--hello', '--world']
bash -c 'python3 -c "import sys;print(sys.argv[2:])" -- "$@"' -- foo 'bar baz' --hello --world
# ['foo', 'bar baz', '--hello', '--world']
This PR adds a Dockerfile and an action to build a docker image for the master branches.