Upgrade from Alpine 3.14 to 3.19

Dockerfile

@@ -4,19 +4,11 @@ ARG NGINX_LISTEN_OPTS
 # DESCRIPTION:      Image with seed platform and dependencies running in development mode
 # TO_BUILD_AND_RUN: docker compose build && docker compose up
 
-FROM node:20-alpine3.16 AS node
-
-FROM alpine:3.14
+FROM node:22-alpine3.19
 
 ARG NGINX_LISTEN_OPTS
 
-COPY --from=node /usr/lib /usr/lib
-COPY --from=node /usr/local/lib /usr/local/lib
-COPY --from=node /usr/local/include /usr/local/include
-COPY --from=node /usr/local/bin /usr/local/bin
-
 RUN apk add --no-cache \
-        python3-dev \
         postgresql-dev \
         coreutils \
         alpine-sdk \
@@ -33,44 +25,63 @@ RUN apk add --no-cache \
         openssl-dev \
         geos-dev \
         gdal \
+        gdal-dev \
         gcc \
         musl-dev \
         cargo \
-        tzdata && \
-    ln -sf /usr/bin/python3 /usr/bin/python && \
-    python -m ensurepip && \
-    rm -r /usr/lib/python*/ensurepip && \
-    ln -sf /usr/bin/pip3 /usr/bin/pip && \
-    pip install --upgrade pip setuptools && \
-    pip install supervisor==4.2.5 && \
+        tzdata \
+        bzip2-dev \
+        readline-dev \
+        sqlite-dev \
+        ncurses-dev \
+        xz-dev \
+        zlib-dev \
+        libxml2-dev && \
     mkdir -p /var/log/supervisord && \
-    rm -r /root/.cache && \
-    addgroup -g 1000 uwsgi && \
-    adduser -G uwsgi -H -u 1000 -S uwsgi && \
     mkdir -p /run/nginx
 
 ## Note on some of the commands above:
-##   - create the uwsgi user and group to have id of 1000
-##   - copy over python3 as python
-##   - pip install --upgrade pip overwrites the pip so it is no longer a symlink
 ##   - coreutils is required due to an issue with our wait-for-it.sch script:
 ##     https://github.com/vishnubob/wait-for-it/issues/71
 
+# Install pyenv and Python globally
+ENV PYTHON_VERSION=3.9.22
+ENV PYENV_ROOT="/opt/pyenv"
+ENV PATH="$PYENV_ROOT/bin:$PYENV_ROOT/shims:$PATH"
+
+RUN git clone https://github.com/pyenv/pyenv.git $PYENV_ROOT && \
+    $PYENV_ROOT/bin/pyenv install $PYTHON_VERSION && \
+    $PYENV_ROOT/bin/pyenv global $PYTHON_VERSION && \
+    ln -sf $PYENV_ROOT/shims/python /usr/local/bin/python && \
+    ln -sf $PYENV_ROOT/shims/python3 /usr/local/bin/python3 && \
+    ln -sf $PYENV_ROOT/shims/pip /usr/local/bin/pip && \
+    ln -sf $PYENV_ROOT/shims/pip3 /usr/local/bin/pip3
+
+# Make sure non-root users inherit pyenv paths
+ENV PYENV_ROOT="/opt/pyenv"
+ENV PATH="$PYENV_ROOT/bin:$PYENV_ROOT/shims:$PATH"
+
+# Install pip
+RUN bash -c "python3 -m ensurepip --upgrade && python3 -m pip install --upgrade pip setuptools && \
+    pip install supervisor==4.2.5"
+
 ### Install python requirements
 WORKDIR /seed
 COPY ./requirements.txt /seed/requirements.txt
 COPY ./requirements/*.txt /seed/requirements/
 RUN pip uninstall -y enum34
 RUN pip install -r requirements/aws.txt
 
-### Install JavaScript requirements - do this first because they take awhile
+### Install JavaScript requirements - do this first because they take a while
 ### and the dependencies will probably change slower than python packages.
 ### README.md stops the no readme warning
 COPY ./package.json /seed/package.json
+COPY ./package-lock.json /seed/package-lock.json
 COPY ./vendors/package.json /seed/vendors/package.json
+COPY ./vendors/package-lock.json /seed/vendors/package-lock.json
 COPY ./README.md /seed/README.md
 # unsafe-perm allows the package.json postinstall script to run with the elevated permissions
-RUN npm install --unsafe-perm
+RUN npm install --omit=dev --unsafe-perm
 
 ### Copy over the remaining part of the SEED application and some helpers
 WORKDIR /seed
@@ -106,4 +117,4 @@ ENTRYPOINT ["seed-entrypoint"]
 
 EXPOSE 80
 
-CMD ["supervisord"]
+CMD ["supervisord", "-c", "/etc/supervisor/supervisord.conf"]

Dockerfile-dev

@@ -1,14 +1,6 @@
-FROM node:20-alpine3.16 AS node
-
-FROM alpine:3.14
-
-COPY --from=node /usr/lib /usr/lib
-COPY --from=node /usr/local/lib /usr/local/lib
-COPY --from=node /usr/local/include /usr/local/include
-COPY --from=node /usr/local/bin /usr/local/bin
+FROM node:22-alpine3.19
 
 RUN apk add --no-cache \
-        python3-dev \
         postgresql-dev \
         coreutils \
         alpine-sdk \
@@ -20,25 +12,51 @@ RUN apk add --no-cache \
         bash \
         bash-completion \
         nginx \
+        brotli \
+        nginx-mod-http-brotli \
         openssl-dev \
         geos-dev \
         gdal \
+        gdal-dev \
         gcc \
         musl-dev \
         cargo \
-        tzdata && \
-    ln -sf /usr/bin/python3 /usr/bin/python && \
-    python -m ensurepip && \
-    rm -r /usr/lib/python*/ensurepip && \
-    ln -sf /usr/bin/pip3 /usr/bin/pip && \
-    pip install --upgrade pip setuptools && \
-    pip install supervisor==4.2.5 && \
+        tzdata \
+        bzip2-dev \
+        readline-dev \
+        sqlite-dev \
+        ncurses-dev \
+        xz-dev \
+        zlib-dev \
+        libxml2-dev && \
     mkdir -p /var/log/supervisord && \
-    rm -r /root/.cache && \
-    addgroup -g 1000 uwsgi && \
-    adduser -G uwsgi -H -u 1000 -S uwsgi && \
     mkdir -p /run/nginx
 
+## Note on some of the commands above:
+##   - coreutils is required due to an issue with our wait-for-it.sch script:
+##     https://github.com/vishnubob/wait-for-it/issues/71
+
+# Install pyenv and Python globally
+ENV PYTHON_VERSION=3.9.22
+ENV PYENV_ROOT="/opt/pyenv"
+ENV PATH="$PYENV_ROOT/bin:$PYENV_ROOT/shims:$PATH"
+
+RUN git clone https://github.com/pyenv/pyenv.git $PYENV_ROOT && \
+    $PYENV_ROOT/bin/pyenv install $PYTHON_VERSION && \
+    $PYENV_ROOT/bin/pyenv global $PYTHON_VERSION && \
+    ln -sf $PYENV_ROOT/shims/python /usr/local/bin/python && \
+    ln -sf $PYENV_ROOT/shims/python3 /usr/local/bin/python3 && \
+    ln -sf $PYENV_ROOT/shims/pip /usr/local/bin/pip && \
+    ln -sf $PYENV_ROOT/shims/pip3 /usr/local/bin/pip3
+
+# Make sure non-root users inherit pyenv paths
+ENV PYENV_ROOT="/opt/pyenv"
+ENV PATH="$PYENV_ROOT/bin:$PYENV_ROOT/shims:$PATH"
+
+# Install pip
+RUN bash -c "python3 -m ensurepip --upgrade && python3 -m pip install --upgrade pip setuptools && \
+    pip install supervisor==4.2.5"
+
 ### Install python requirements
 WORKDIR /seed
 COPY ./requirements.txt /seed/requirements.txt
@@ -54,7 +72,9 @@ RUN pip install watchdog[watchmedo]
 ### and the dependencies will probably change slower than python packages.
 ### README.md stops the no readme warning
 COPY ./package.json /seed/package.json
+COPY ./package-lock.json /seed/package-lock.json
 COPY ./vendors/package.json /seed/vendors/package.json
+COPY ./vendors/package-lock.json /seed/vendors/package-lock.json
 COPY ./README.md /seed/README.md
 # unsafe-perm allows the package.json postinstall script to run with the elevated permissions
 RUN npm install --unsafe-perm

Dockerfile.ecs

@@ -4,29 +4,17 @@ ARG NGINX_LISTEN_OPTS
 # DESCRIPTION:      Image with seed platform and dependencies running in development mode
 # TO_BUILD_AND_RUN: docker compose build && docker compose up
 
-FROM node:20-alpine3.16 AS node
+FROM node:22-alpine3.19
 
 # Install necessary dependencies (curl and ca-certificates)
 RUN apk add --no-cache curl ca-certificates && \
 curl -fsSLk -o /usr/local/share/ca-certificates/nrel_root.crt https://raw.github.nrel.gov/TADA/nrel-certs/v20180329/certs/nrel_root.pem && \
 curl -fsSLk -o /usr/local/share/ca-certificates/nrel_xca1.crt https://raw.github.nrel.gov/TADA/nrel-certs/v20180329/certs/nrel_xca1.pem && \
 update-ca-certificates
 
-FROM alpine:3.14 as build
-
 ARG NGINX_LISTEN_OPTS
 
-# Copy the installed SSL certs into this image
-COPY --from=node /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
-COPY --from=node /usr/share/ca-certificates /usr/share/ca-certificates
-COPY --from=node /usr/local/share/ca-certificates /usr/local/share/ca-certificates
-COPY --from=node /usr/lib /usr/lib
-COPY --from=node /usr/local/lib /usr/local/lib
-COPY --from=node /usr/local/include /usr/local/include
-COPY --from=node /usr/local/bin /usr/local/bin
-
 RUN apk add --no-cache \
-        python3-dev \
         postgresql-dev \
         coreutils \
         alpine-sdk \
@@ -43,29 +31,46 @@ RUN apk add --no-cache \
         openssl-dev \
         geos-dev \
         gdal \
+        gdal-dev \
         gcc \
         musl-dev \
         cargo \
-        tzdata && \
-    ln -sf /usr/bin/python3 /usr/bin/python && \
-    python -m ensurepip && \
-    rm -r /usr/lib/python*/ensurepip && \
-    ln -sf /usr/bin/pip3 /usr/bin/pip && \
-    pip install --upgrade pip setuptools && \
-    pip install supervisor==4.2.5 && \
+        tzdata \
+        bzip2-dev \
+        readline-dev \
+        sqlite-dev \
+        ncurses-dev \
+        xz-dev \
+        zlib-dev \
+        libxml2-dev && \
     mkdir -p /var/log/supervisord && \
-    rm -r /root/.cache && \
-    addgroup -g 1000 uwsgi && \
-    adduser -G uwsgi -H -u 1000 -S uwsgi && \
     mkdir -p /run/nginx
 
 ## Note on some of the commands above:
-##   - create the uwsgi user and group to have id of 1000
-##   - copy over python3 as python
-##   - pip install --upgrade pip overwrites the pip so it is no longer a symlink
 ##   - coreutils is required due to an issue with our wait-for-it.sch script:
 ##     https://github.com/vishnubob/wait-for-it/issues/71
 
+# Install pyenv and Python globally
+ENV PYTHON_VERSION=3.9.22
+ENV PYENV_ROOT="/opt/pyenv"
+ENV PATH="$PYENV_ROOT/bin:$PYENV_ROOT/shims:$PATH"
+
+RUN git clone https://github.com/pyenv/pyenv.git $PYENV_ROOT && \
+    $PYENV_ROOT/bin/pyenv install $PYTHON_VERSION && \
+    $PYENV_ROOT/bin/pyenv global $PYTHON_VERSION && \
+    ln -sf $PYENV_ROOT/shims/python /usr/local/bin/python && \
+    ln -sf $PYENV_ROOT/shims/python3 /usr/local/bin/python3 && \
+    ln -sf $PYENV_ROOT/shims/pip /usr/local/bin/pip && \
+    ln -sf $PYENV_ROOT/shims/pip3 /usr/local/bin/pip3
+
+# Make sure non-root users inherit pyenv paths
+ENV PYENV_ROOT="/opt/pyenv"
+ENV PATH="$PYENV_ROOT/bin:$PYENV_ROOT/shims:$PATH"
+
+# Install pip
+RUN bash -c "python3 -m ensurepip --upgrade && python3 -m pip install --upgrade pip setuptools && \
+    pip install supervisor==4.2.5"
+
 ### Install python requirements
 WORKDIR /seed
 COPY ./requirements.txt /seed/requirements.txt
@@ -77,10 +82,12 @@ RUN pip install -r requirements/aws.txt
 ### and the dependencies will probably change slower than python packages.
 ### README.md stops the no readme warning
 COPY ./package.json /seed/package.json
+COPY ./package-lock.json /seed/package-lock.json
 COPY ./vendors/package.json /seed/vendors/package.json
+COPY ./vendors/package-lock.json /seed/vendors/package-lock.json
 COPY ./README.md /seed/README.md
 # unsafe-perm allows the package.json postinstall script to run with the elevated permissions
-RUN npm install --unsafe-perm
+RUN npm install --omit=dev --unsafe-perm
 
 ### Copy over the remaining part of the SEED application and some helpers
 WORKDIR /seed
@@ -116,4 +123,4 @@ ENTRYPOINT ["seed-entrypoint"]
 
 EXPOSE 80
 
-CMD ["supervisord"]
+CMD ["supervisord", "-c", "/etc/supervisor/supervisord.conf"]

docker/seed-entrypoint.sh

@@ -8,6 +8,6 @@ mkdir -p /seed/media/uploads && chmod 777 /seed/media/uploads
 mkdir -p /seed/media/uploads/pm_imports && chmod 777 /seed/media/uploads/pm_imports
 
 # set the owner to uwsgi
-chown -R uwsgi /seed/collected_static
+chown -R 1000 /seed/collected_static
 
 exec "$@"

docker/start_uwsgi_docker.sh

@@ -34,12 +34,12 @@ rm -rf /seed/collected_static/CACHE
 ./manage.py compress --force
 
 # set the permissions in the /seed/collected_static folder
-chown -R uwsgi /seed/collected_static
+chown -R 1000 /seed/collected_static
 
 # Run any migrations before starting -- always for now
 ./manage.py migrate
 
 echo "Creating default user"
 ./manage.py create_default_user --username=$SEED_ADMIN_USER --password=$SEED_ADMIN_PASSWORD --organization=$SEED_ADMIN_ORG
 
-/usr/bin/uwsgi --ini /seed/docker/uwsgi.ini
+uwsgi --ini /seed/docker/uwsgi.ini