test(4.6.0-non-alpine): image for testing

.dockerignore

@@ -0,0 +1 @@
+Dockerfile

Dockerfile

@@ -1,14 +1,167 @@
 # To run: docker run -d -v /path/to/fence-config.yaml:/var/www/fence/fence-config.yaml --name=fence -p 80:80 fence
 # To check running container: docker exec -it fence /bin/bash
 
-FROM quay.io/cdis/python-nginx:pybase3-1.0.0
+FROM python:3.6-stretch
+
+ENV NGINX_VERSION 1.15.8-1~stretch
+ENV NJS_VERSION   1.15.8.0.2.7-1~stretch
+
+RUN set -x \
+	&& apt-get update \
+	&& apt-get install --no-install-recommends --no-install-suggests -y gnupg1 apt-transport-https ca-certificates \
+	&& \
+	NGINX_GPGKEY=573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62; \
+	found=''; \
+	for server in \
+		ha.pool.sks-keyservers.net \
+		hkp://keyserver.ubuntu.com:80 \
+		hkp://p80.pool.sks-keyservers.net:80 \
+		pgp.mit.edu \
+	; do \
+		echo "Fetching GPG key $NGINX_GPGKEY from $server"; \
+		apt-key adv --no-tty --keyserver "$server" --keyserver-options timeout=10 --recv-keys "$NGINX_GPGKEY" && found=yes && break; \
+	done; \
+	test -z "$found" && echo >&2 "error: failed to fetch GPG key $NGINX_GPGKEY" && exit 1; \
+	apt-get remove --purge --auto-remove -y gnupg1 && rm -rf /var/lib/apt/lists/* \
+	&& dpkgArch="$(dpkg --print-architecture)" \
+	&& nginxPackages=" \
+		nginx=${NGINX_VERSION} \
+		nginx-module-xslt=${NGINX_VERSION} \
+		nginx-module-geoip=${NGINX_VERSION} \
+		nginx-module-image-filter=${NGINX_VERSION} \
+		nginx-module-njs=${NJS_VERSION} \
+	" \
+	&& case "$dpkgArch" in \
+		amd64|i386) \
+# arches officialy built by upstream
+			echo "deb https://nginx.org/packages/mainline/debian/ stretch nginx" >> /etc/apt/sources.list.d/nginx.list \
+			&& apt-get update \
+			;; \
+		*) \
+# we're on an architecture upstream doesn't officially build for
+# let's build binaries from the published source packages
+			echo "deb-src https://nginx.org/packages/mainline/debian/ stretch nginx" >> /etc/apt/sources.list.d/nginx.list \
+			\
+# new directory for storing sources and .deb files
+			&& tempDir="$(mktemp -d)" \
+			&& chmod 777 "$tempDir" \
+# (777 to ensure APT's "_apt" user can access it too)
+			\
+# save list of currently-installed packages so build dependencies can be cleanly removed later
+			&& savedAptMark="$(apt-mark showmanual)" \
+			\
+# build .deb files from upstream's source packages (which are verified by apt-get)
+			&& apt-get update \
+			&& apt-get build-dep -y $nginxPackages \
+			&& ( \
+				cd "$tempDir" \
+				&& DEB_BUILD_OPTIONS="nocheck parallel=$(nproc)" \
+					apt-get source --compile $nginxPackages \
+			) \
+# we don't remove APT lists here because they get re-downloaded and removed later
+			\
+# reset apt-mark's "manual" list so that "purge --auto-remove" will remove all build dependencies
+# (which is done after we install the built packages so we don't have to redownload any overlapping dependencies)
+			&& apt-mark showmanual | xargs apt-mark auto > /dev/null \
+			&& { [ -z "$savedAptMark" ] || apt-mark manual $savedAptMark; } \
+			\
+# create a temporary local APT repo to install from (so that dependency resolution can be handled by APT, as it should be)
+			&& ls -lAFh "$tempDir" \
+			&& ( cd "$tempDir" && dpkg-scanpackages . > Packages ) \
+			&& grep '^Package: ' "$tempDir/Packages" \
+			&& echo "deb [ trusted=yes ] file://$tempDir ./" > /etc/apt/sources.list.d/temp.list \
+# work around the following APT issue by using "Acquire::GzipIndexes=false" (overriding "/etc/apt/apt.conf.d/docker-gzip-indexes")
+#   Could not open file /var/lib/apt/lists/partial/_tmp_tmp.ODWljpQfkE_._Packages - open (13: Permission denied)
+#   ...
+#   E: Failed to fetch store:/var/lib/apt/lists/partial/_tmp_tmp.ODWljpQfkE_._Packages  Could not open file /var/lib/apt/lists/partial/_tmp_tmp.ODWljpQfkE_._Packages - open (13: Permission denied)
+			&& apt-get -o Acquire::GzipIndexes=false update \
+			;; \
+	esac \
+	\
+	&& apt-get install --no-install-recommends --no-install-suggests -y \
+						$nginxPackages \
+						gettext-base \
+	&& rm -rf /var/lib/apt/lists/* /etc/apt/sources.list.d/nginx.list \
+	\
+# if we have leftovers from building, let's purge them (including extra, unnecessary build deps)
+	&& if [ -n "$tempDir" ]; then \
+		apt-get purge -y --auto-remove \
+		&& rm -rf "$tempDir" /etc/apt/sources.list.d/temp.list; \
+	fi
+
+COPY nginx.conf /etc/nginx/nginx.conf
+COPY uwsgi.conf /etc/nginx/sites-available/
+
+# Standard set up Nginx finished
+# forward request and error logs to docker log collector
+RUN ln -sf /dev/stdout /var/log/nginx/access.log \
+	&& ln -sf /dev/stderr /var/log/nginx/error.log
+EXPOSE 80
+
+
+# # Expose 443, in case of LTS / HTTPS
+EXPOSE 443
+
+# Install uWSGI
+# RUN pip install uwsgi
+RUN apt-get update \
+    && apt-get -y install uwsgi uwsgi-plugin-python3
+
+# Copy the base uWSGI ini file to enable default dynamic uwsgi process number
+COPY uwsgi.ini /etc/uwsgi/
+RUN ln -s /etc/nginx/sites-available/uwsgi.conf /etc/nginx/conf.d/uwsgi.conf
+
+# Install Supervisord
+RUN apt-get update && apt-get install -y supervisor \
+&& rm -rf /var/lib/apt/lists/*
+# Custom Supervisord config
+COPY supervisord.conf /etc/supervisor/conf.d/supervisord.conf
+
+# Which uWSGI .ini file should be used, to make it customizable
+ENV UWSGI_INI /app/uwsgi.ini
+
+# By default, run 2 processes
+ENV UWSGI_CHEAPER 2
+
+# By default, when on demand, run up to 16 processes
+ENV UWSGI_PROCESSES 16
+
+# By default, allow unlimited file sizes, modify it to limit the file sizes
+# To have a maximum of 1 MB (Nginx's default) change the line to:
+ENV NGINX_MAX_UPLOAD 1m
+ENV NGINX_MAX_UPLOAD 0
+
+# By default, Nginx will run a single worker process, setting it to auto
+# will create a worker for each CPU core
+ENV NGINX_WORKER_PROCESSES 1
+
+# By default, Nginx listens on port 80.
+# To modify this, change LISTEN_PORT environment variable.
+# (in a Dockerfile or with an option for `docker run`)
+ENV LISTEN_PORT 80
+
+# Copy the entrypoint that will generate Nginx additional configs
+COPY entrypoint.sh /entrypoint.sh
+RUN chmod +x /entrypoint.sh
+
+COPY dockerrun.sh /dockerrun.sh
+RUN chmod +x /dockerrun.sh
+
+ENTRYPOINT ["sh", "/entrypoint.sh"]
+
+# Add demo app
+COPY ./app /app
+WORKDIR /app
+
+# CMD ["/usr/bin/supervisord"]
+
 
 ENV appname=fence
 
-RUN apk update \
-    && apk add postgresql-libs postgresql-dev libffi-dev libressl-dev \
-    && apk add linux-headers musl-dev gcc \
-    && apk add curl bash git vim make
+# RUN apk update \
+#     && apk add postgresql-libs postgresql-dev libffi-dev libressl-dev \
+#     && apk add linux-headers musl-dev gcc \
+#     && apk add curl bash git vim make
 
 COPY . /$appname
 COPY ./deployment/uwsgi/uwsgi.ini /etc/uwsgi/uwsgi.ini
@@ -27,32 +180,41 @@ RUN mkdir -p /var/www/$appname \
     && chown nginx -R /var/www/.cache/Python-Eggs/ \
     && chown nginx /var/www/$appname
 
-RUN apk update && apk add openssh && apk add libmcrypt-dev
+RUN apt-get update \
+    && apt-get -y install mcrypt
+
+# RUN apk update && apk add openssh && apk add libmcrypt-dev
 
 #
 # libmhash is required by mcrypt - below - no apk package available
 #
-RUN (cd /tmp \
-  && wget -O mhash.tar.gz https://sourceforge.net/projects/mhash/files/mhash/0.9.9.9/mhash-0.9.9.9.tar.gz/download \
-  && tar xvfz mhash.tar.gz \
-  && cd mhash-0.9.9.9 \
-  && ./configure && make && make install \
-  && /bin/rm -rf /tmp/*)
+# RUN (cd /tmp \
+#   && wget -O mhash.tar.gz https://sourceforge.net/projects/mhash/files/mhash/0.9.9.9/mhash-0.9.9.9.tar.gz/download \
+#   && tar xvfz mhash.tar.gz \
+#   && cd mhash-0.9.9.9 \
+#   && ./configure && make && make install \
+#   && /bin/rm -rf /tmp/*)
 
 #
 # mcrypt is required to decrypt dbgap user files - see fence/sync/sync_users.py
 #
-RUN (cd /tmp \
-  && wget -O mcrypt.tar.gz https://sourceforge.net/projects/mcrypt/files/MCrypt/Production/mcrypt-2.6.4.tar.gz/download \
-  && tar xvfz mcrypt.tar.gz \
-  && cd mcrypt-2.6.4 \
-  && ./configure && make && make install \
-  && /bin/rm -rf /tmp/*)
+# RUN (cd /tmp \
+#   && wget -O mcrypt.tar.gz https://sourceforge.net/projects/mcrypt/files/MCrypt/Production/mcrypt-2.6.4.tar.gz/download \
+#   && tar xvfz mcrypt.tar.gz \
+#   && cd mcrypt-2.6.4 \
+#   && ./configure && make && make install \
+#   && /bin/rm -rf /tmp/*)
 EXPOSE 80
 
 RUN COMMIT=`git rev-parse HEAD` && echo "COMMIT=\"${COMMIT}\"" >$appname/version_data.py \
     && VERSION=`git describe --always --tags` && echo "VERSION=\"${VERSION}\"" >>$appname/version_data.py \
     && python setup.py develop
+
+RUN apt-get update \
+    && apt-get -y install python3-cffi
+
+RUN pip install pycrypto cffi psycopg2-binary
+# RUN pip uninstall -y cffi bcrypt && pip install cffi bcrypt pycrypto
 
 WORKDIR /var/www/$appname
 

app/main.py

@@ -0,0 +1,4 @@
+def application(env, start_response):
+    start_response('200 OK', [('Content-Type', 'text/html')])
+    return [b"Hello World from a default Nginx uWSGI Python 3.6 app in a\
+            Docker container (default)"]

app/uwsgi.ini

@@ -0,0 +1,2 @@
+[uwsgi]
+wsgi-file=/app/main.py

dockerrun.sh

@@ -0,0 +1,103 @@
+#!/bin/sh
+#
+# Note: base alpine Linux image may not include bash shell,
+#    and we probably want to move to that for service images,
+#    so just use bourn shell ...
+
+#
+# Update certificate authority index -
+# environment may have mounted more authorities
+# - ex: /usr/local/share/ca-certificates/cdis-ca.crt into system bundle       
+#
+
+GEN3_DEBUG="${GEN3_DEBUG:-False}"
+GEN3_DRYRUN="${GEN3_DRYRUN:-False}"
+GEN3_UWSGI_TIMEOUT="${GEN3_UWSGI_TIMEOUT:-45s}"
+
+run() {
+  if [ "$GEN3_DRYRUN" = True ]; then
+    echo "DRY RUN - not running: $@"
+  else
+    echo "Running $@"
+    "$@"
+  fi
+}
+
+help() {
+    cat - <<EOM
+Gen3 base (generic) launch script
+Use: 
+  dockkerrun.bash [--help] [--debug=False] [--uwsgiTimeout=45s] [--dryrun=False]
+EOM
+}
+
+
+while [ $# -gt 0 ]; do
+  arg="$1"
+  shift
+  key=""
+  value=""
+  key="$(echo "$arg" | sed -e 's/^-*//' | sed -e 's/=.*$//')"
+  value="$(echo "$arg" | sed -e 's/^.*=//')"
+
+  if [ "$value" = "$arg" ]; then # =value not given, so use default
+    value=""
+  fi
+  case "$key" in
+  debug)
+    GEN3_DEBUG="${value:-True}"
+    ;;
+  uwsgiTimeout)
+    GEN3_UWSGI_TIMEOUT="${value:-45s}"
+    ;;
+  dryrun)
+    GEN3_DRYRUN="${value:-True}"
+    ;;
+  help)
+    help
+    exit 0
+    ;;
+  *)
+    echo "ERROR: unknown argument $arg - bailing out"
+    exit 1
+    ;;
+  esac
+done
+
+cat - <<EOM
+Got configuration:
+GEN3_DEBUG=$GEN3_DEBUG
+GEN3_UWSGI_TIMEOUT=$GEN3_UWSGI_TIMEOUT
+GEN3_DRYRUN=$GEN3_DRYRUN
+EOM
+
+run update-ca-certificates
+run mkdir -p /var/run/gen3
+
+# fill in timeout in the uwsgi.conf template
+if [ -f /etc/nginx/sites-available/uwsgi.conf ]; then
+  sed -i -e "s/GEN3_UWSGI_TIMEOUT/$GEN3_UWSGI_TIMEOUT/g" /etc/nginx/sites-available/uwsgi.conf
+fi
+
+#
+# Enable debug flag based on GEN3_DEBUG environment
+#
+if [ -f ./wsgi.py ] && [ "$GEN3_DEBUG" = "True" ]; then
+  echo -e "\napplication.debug=True\n" >> ./wsgi.py
+fi
+
+(
+  # Wait for nginx to create uwsgi.sock in a sub-process
+  count=0
+  while [ ! -e /var/run/gen3/uwsgi.sock ] && [ $count -lt 10 ]; do
+    echo "... waiting for /var/run/gen3/uwsgi.sock to appear"
+    sleep 2
+    count="$(($count+1))"
+  done
+  if [ ! -e /var/run/gen3/uwsgi.sock ]; then
+    echo "WARNING: /var/run/gen3/uwsgi.sock does not exist!!!"
+  fi
+  run uwsgi --ini /etc/uwsgi/uwsgi.ini
+) &
+run nginx -g 'daemon off;'
+wait

entrypoint.sh

@@ -0,0 +1,35 @@
+#!/usr/bin/env sh
+set -e
+
+# Get the maximum upload file size for Nginx, default to 0: unlimited
+USE_NGINX_MAX_UPLOAD=${NGINX_MAX_UPLOAD:-0}
+# Generate Nginx config for maximum upload file size
+echo "client_max_body_size $USE_NGINX_MAX_UPLOAD;" > /etc/nginx/conf.d/upload.conf
+
+# Explicitly add installed Python packages and uWSGI Python packages to PYTHONPATH
+# Otherwise uWSGI can't import Flask
+export PYTHONPATH=$PYTHONPATH:/usr/local/lib/python3.6/site-packages:/usr/lib/python3.6/site-packages
+
+# Get the number of workers for Nginx, default to 1
+USE_NGINX_WORKER_PROCESSES=${NGINX_WORKER_PROCESSES:-1}
+# Modify the number of worker processes in Nginx config
+sed -i "/worker_processes\s/c\worker_processes ${USE_NGINX_WORKER_PROCESSES};" /etc/nginx/nginx.conf
+
+# Set the max number of connections per worker for Nginx, if requested
+# Cannot exceed worker_rlimit_nofile, see NGINX_WORKER_OPEN_FILES below
+if [ -n "$NGINX_WORKER_CONNECTIONS" ] ; then
+    sed -i "/worker_connections\s/c\    worker_connections ${NGINX_WORKER_CONNECTIONS};" /etc/nginx/nginx.conf
+fi
+
+# Set the max number of open file descriptors for Nginx workers, if requested
+if [ -n "$NGINX_WORKER_OPEN_FILES" ] ; then
+    echo "worker_rlimit_nofile ${NGINX_WORKER_OPEN_FILES};" >> /etc/nginx/nginx.conf
+fi
+
+# Get the listen port for Nginx, default to 80
+USE_LISTEN_PORT=${LISTEN_PORT:-80}
+# Modify Nignx config for listen port
+if ! grep -q "listen ${USE_LISTEN_PORT};" /etc/nginx/nginx.conf ; then
+    sed -i -e "/server {/a\    listen ${USE_LISTEN_PORT};" /etc/nginx/nginx.conf
+fi
+exec "$@"