-
Notifications
You must be signed in to change notification settings - Fork 4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
devxp: Base the application container images off new Ruby base image. #19633
devxp: Base the application container images off new Ruby base image. #19633
Conversation
I'm still building a "final pass" of this multiarch image locally, I'll add a link to the GHCR result later this evening / in the morning (and regardless, it'll be there before I reasonably suspect anyone will have reviewed this). EDIT: Looks like I have other Dockerfiles to go bump anyway, so marking this as a draft after all. |
|
fe38bd5
to
0c0894f
Compare
Uffizzi Ephemeral Environment
|
This "rebases" our application images off of the new Ruby base image added in #19632, and fixes numerous problems and quirks with how the images were built along the way. Notably: - Issues where layers attempted to delete files in prior layers have been resolved (this caused build failures on some Docker filesystem drivers, notably overlay2). - Bundler is no longer allowed to deviate from or modify the lockfile (`BUNDLE_FROZEN` is now `true`). - `git(1)` is no longer required to live inside the container and `.git` is no longer required to be copied into the Docker build context, as these were only used to calculate `FOREM_BUILD_SHA`, which is now passed in as a Build Argument to the container build context. - The entire source tree is no longer `chmod` in one giant swing, which ran so long on my system (as just one example) that I gave up after 15-20 minutes and issued it a `SIGTERM`. Instead, `COPY --chown` is used more heavily and ensures the `APP_USER` will have access to the requisite files. This new container image appears to build successfully for `linux/arm64`, which refs (but does not complete) #19626. Currently, such builds aren't automated , and must be built on a developer workstation. For example: ```sh docker buildx build --platform linux/amd64,linux/arm64 -f Containerfile . -t ghcr.io/forem/forem:klardotsh-test --push --build-arg VCS_REF=$(git rev-parse --short HEAD) ``` In the meantime, the existing `linux/amd64`-only BuildKite scripts have been updated to allow this PR to merge as a separate unit, and CI refactors to enable the multiarch builds of `linux/arm64,linux/amd64` can come later when more time is available. This is one of several blockers on the path to getting #19603 merged. The next step in that chronology will be rebasing that work on top of this work, which *should* be, on the containerization side, as straightforward as bumping `Containerfile.base` to reference the new upstream image, rebuilding the base container, and then bumping the reference in `Containerfile`.
0c0894f
to
39cc4c1
Compare
Codecov ReportPatch coverage has no change and project coverage change:
Additional details and impacted files@@ Coverage Diff @@
## main #19633 +/- ##
==========================================
- Coverage 88.77% 88.71% -0.07%
==========================================
Files 1215 1215
Lines 27708 27708
Branches 2159 2159
==========================================
- Hits 24598 24581 -17
- Misses 2942 2959 +17
Partials 168 168
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM!
TIL never occured to me chmod
can be a slow operation.
RUN bundle config --local build.sassc --disable-march-tune-native && \ | ||
bundle config --delete without && \ | ||
bundle install --deployment --jobs 4 --retry 5 && \ | ||
BUNDLE_FROZEN=true bundle install --deployment --jobs 4 --retry 5 && \ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
not applicable on this PR but for development, wouldn't we do the install without --deployment
option?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
To do things like update Gemfile.lock
, yeah, you'd want to do a one-off container like docker-compose run --rm web bundle update rails
or whatever, skipping --deployment
to force the lockfile to update. I think that's what you're asking here?
@klardotsh do you still want to lookover from @andygeorge or do you feel OK with the feedback you've received? |
This LGTM 👍! Let me know if you run into anything. |
…#19633) This "rebases" our application images off of the new Ruby base image added in #19632, and fixes numerous problems and quirks with how the images were built along the way. Notably: - Issues where layers attempted to delete files in prior layers have been resolved (this caused build failures on some Docker filesystem drivers, notably overlay2). - Bundler is no longer allowed to deviate from or modify the lockfile (`BUNDLE_FROZEN` is now `true`). - `git(1)` is no longer required to live inside the container and `.git` is no longer required to be copied into the Docker build context, as these were only used to calculate `FOREM_BUILD_SHA`, which is now passed in as a Build Argument to the container build context. - The entire source tree is no longer `chmod` in one giant swing, which ran so long on my system (as just one example) that I gave up after 15-20 minutes and issued it a `SIGTERM`. Instead, `COPY --chown` is used more heavily and ensures the `APP_USER` will have access to the requisite files. This new container image appears to build successfully for `linux/arm64`, which refs (but does not complete) #19626. Currently, such builds aren't automated , and must be built on a developer workstation. For example: ```sh docker buildx build --platform linux/amd64,linux/arm64 -f Containerfile . -t ghcr.io/forem/forem:klardotsh-test --push --build-arg VCS_REF=$(git rev-parse --short HEAD) ``` In the meantime, the existing `linux/amd64`-only BuildKite scripts have been updated to allow this PR to merge as a separate unit, and CI refactors to enable the multiarch builds of `linux/arm64,linux/amd64` can come later when more time is available. This is one of several blockers on the path to getting #19603 merged. The next step in that chronology will be rebasing that work on top of this work, which *should* be, on the containerization side, as straightforward as bumping `Containerfile.base` to reference the new upstream image, rebuilding the base container, and then bumping the reference in `Containerfile`.
…o-comment-notifications * origin/main: Standalone "admin" page for each comment (#19644) devxp: Base the application container images off new Ruby base image. (#19633) devxp: Base the application container images off new Ruby base image. (#19633) Add index to billboard placement area (#19648) Follow-ups for suggested organizations follows during onboarding (#19619) Fix bug: Unable to unfollow topics (#19637) Remove unnecessary fragment cache (#19653) [ruby] Update carrierwave 2.2.3 → 2.2.4 (patch) (#19614) devxp: Replace forem/ruby image with open-source Debian-based analogue. (#19632) Remove API dependency on fetching tweets and shift to frontend (#19641)
This strictly depends on #19632 being merged first.
This "rebases" our application images off of the new Ruby base image added in #19632, and fixes numerous problems and quirks with how the images were built along the way. Notably:
Issues where layers attempted to delete files in prior layers have been resolved (this caused build failures on some Docker filesystem drivers, notably overlay2).
Bundler is no longer allowed to deviate from or modify the lockfile (
BUNDLE_FROZEN
is nowtrue
).git(1)
is no longer required to live inside the containerand, as these were only used to calculate.git
is no longer required to be copied into the Docker build contextFOREM_BUILD_SHA
, which is now passed in as a Build Argument to the container build context..git
is still copied into the build context for both image builds, it's just not necessary for the main app container build - I've left comments in the Uffizi Dockerfile to this end with a bit more color.The entire source tree is no longer
chmod
in one giant swing, which ran so long on my system (as just one example) that I gave up after 15-20 minutes and issued it aSIGTERM
. Instead,COPY --chown
is used more heavily and ensures theAPP_USER
will have access to the requisite files.This new container image appears to build successfully for
linux/arm64
, which refs (but does not complete) #19626. Currently, such builds aren't automated , and must be built on a developer workstation. For example:In the meantime, the existing
linux/amd64
-only BuildKite scripts have been updated to allow this PR to merge as a separate unit, and CI refactors to enable the multiarch builds oflinux/arm64,linux/amd64
can come later when more time is available.This is one of several blockers on the path to getting #19603 merged. The next step in that chronology will be rebasing that work on top of this work, which should be, on the containerization side, as straightforward as bumping
Containerfile.base
to reference the new upstream image, rebuilding the base container, and then bumping the reference inContainerfile
.