Production ready docker (#919)

* /healthcheck endpoint usefull for monitoring, ci test also uses this
* customizable PORT with environment variable
* customizable PUID/PGID, reduce attack surface and allow better integration in rootless environments
* size optimization
* update to python 3.10
* add postgresql compatibility
* PUID/PGID default as root to not break current user environments

.dockerignore

@@ -1,2 +1,22 @@
+.dockerignore
+.env
 .git
 .github
+.gitignore
+.isort.cfg
+.readthedocs.yaml
+.travis.yml
+.venv
+.vscode
+assets
+CHANGELOG.md
+CONTRIBUTORS
+docker-compose.*
+Dockerfile
+docs
+LICENSE
+Makefile
+MANIFEST.in
+README.md
+SECURITY.md
+tox.ini

Dockerfile

@@ -1,5 +1,12 @@
-FROM python:3.7-alpine
+FROM python:3.10-alpine
 
+ENV PORT="8000" \
+    # Keeps Python from generating .pyc files in the container
+    PYTHONDONTWRITEBYTECODE=1 \
+    # Turns off buffering for easier container logging
+    PYTHONUNBUFFERED=1
+
+# ihatemoney configuration
 ENV DEBUG="False" \
     ACTIVATE_ADMIN_DASHBOARD="False" \
     ACTIVATE_DEMO_PROJECT="True" \
@@ -21,13 +28,30 @@ ENV DEBUG="False" \
     ENABLE_CAPTCHA="False" \
     LEGAL_LINK="False"
 
-RUN mkdir -p /etc/ihatemoney &&\
-    pip install --no-cache-dir gunicorn pymysql;
-
 ADD . /src
 
-RUN pip install --no-cache-dir -e /src
+RUN echo "**** install build dependencies ****" &&\
+    apk add --no-cache --virtual=build-dependencies \
+    gcc \
+    musl-dev \
+    postgresql-dev &&\
+    echo "**** install runtime packages ****" && \
+    apk add --no-cache \
+    shadow \
+    postgresql-libs && \
+    echo "**** create runtime folder ****" && \
+    mkdir -p /etc/ihatemoney &&\
+    echo "**** install pip packages ****" && \
+    pip install --no-cache-dir \
+    gunicorn && \
+    pip install --no-cache-dir -e /src[database] && \
+    echo "**** create user abc:abc ****" && \
+    useradd -u 1000 -U -d /src abc && \
+    echo "**** cleanup ****" && \
+    apk del --purge build-dependencies &&\
+    rm -rf \
+    /tmp/*
 
 VOLUME /database
-EXPOSE 8000
+EXPOSE ${PORT}
 ENTRYPOINT ["/src/conf/entrypoint.sh"]

README.md

@@ -3,7 +3,7 @@
 [![GitHub Actions Status](https://github.com/spiral-project/ihatemoney/actions/workflows/test-docs.yml/badge.svg)](https://github.com/spiral-project/ihatemoney/actions/workflows/test-docs.yml)
 [![Translation status from Weblate](https://hosted.weblate.org/widgets/i-hate-money/-/i-hate-money/svg-badge.svg)](https://hosted.weblate.org/engage/i-hate-money/?utm_source=widget)
 [![Donate](https://img.shields.io/liberapay/receives/IHateMoney.svg?logo=liberapay)](https://liberapay.com/IHateMoney/donate)
-[![Docker image](https://img.shields.io/badge/-Docker%20image-black?logo=docker)](https://hub.docker.com/r/ihatemoney/ihatemoney/general)
+[![Docker image](https://img.shields.io/badge/-Docker%20image-black?logo=docker)](https://hub.docker.com/r/ihatemoney/ihatemoney)
 
 *I hate money* is a web application made to ease shared budget
 management. It keeps track of who bought what, when, and for whom; and

conf/entrypoint.sh

@@ -3,7 +3,7 @@
 # Fail the whole script on the first failure.
 set -e
 
-cat <<EOF > /etc/ihatemoney/ihatemoney.cfg
+cat <<EOF >/etc/ihatemoney/ihatemoney.cfg
 DEBUG = $DEBUG
 ACTIVATE_ADMIN_DASHBOARD = $ACTIVATE_ADMIN_DASHBOARD
 ACTIVATE_DEMO_PROJECT = $ACTIVATE_DEMO_PROJECT
@@ -26,8 +26,24 @@ ENABLE_CAPTCHA = $ENABLE_CAPTCHA
 LEGAL_LINK = "$LEGAL_LINK"
 EOF
 
+PUID=${PUID:-0}
+PGID=${PGID:-0}
+
+echo "
+User uid: $PUID
+User gid: $PGID
+"
+
 # Start gunicorn without forking
-exec gunicorn ihatemoney.wsgi:application \
-     -b 0.0.0.0:8000 \
+cmd="exec gunicorn ihatemoney.wsgi:application \
+     -b 0.0.0.0:$PORT \
      --log-syslog \
-     "$@"
+     $@"
+
+if [ "$PGID" -ne 0 -a "$PUID" -ne 0 ]; then
+     groupmod -o -g "$PGID" abc
+     usermod -o -u "$PUID" abc
+     cmd="su - abc -c '$cmd'"
+fi
+
+eval "$cmd"

docker-compose.test.yml

@@ -4,10 +4,8 @@ version: "3.9"
 services:
   ihatemoney:
     build: .
-    ports:
-      - "8000:8000"
   sut:
     image: alpine
-    command: wget --spider ihatemoney:8000
+    command: sh -c 'wget -qO- ihatemoney:8000/healthcheck | grep "OK"'
     depends_on:
       - ihatemoney

docker-compose.yml

@@ -4,7 +4,7 @@ version: "3.9"
 
 services:
   ihatemoney:
-    build: .
+    image: ihatemoney/ihatemoney:latest
     environment:
       - DEBUG=False
       - ACTIVATE_ADMIN_DASHBOARD=False
@@ -26,5 +26,8 @@ services:
       - SQLALCHEMY_TRACK_MODIFICATIONS=False
       - ENABLE_CAPTCHA=False
       - LEGAL_LINK=
+      - PORT=8000
+      - PUID=0
+      - PGID=0
     ports:
       - "8000:8000"

ihatemoney/web.py

@@ -155,6 +155,11 @@ def pull_project(endpoint, values):
             raise Redirect303(url_for(".authenticate", project_id=project_id))
 
 
+@main.route("/healthcheck", methods=["GET"])
+def health():
+    return "OK"
+
+
 @main.route("/admin", methods=["GET", "POST"])
 def admin():
     """Admin authentication.

setup.cfg

@@ -45,6 +45,10 @@ install_requires =
     python-dateutil
 
 [options.extras_require]
+database =
+    psycopg2-binary>=2.9,<3
+    PyMySQL>=0.9,<1.1
+
 dev =
     black>=19.10b0 ; python_version >= '3.6'
     flake8>=3.7.9
@@ -53,8 +57,6 @@ dev =
     pytest>=6.2.5
     tox>=3.14.6
     zest.releaser>=6.20.1
-    psycopg2-binary>=2.9,<3
-    PyMySQL>=0.9,<1.1
 
 doc =
     Sphinx==4.3.0

tox.ini

@@ -10,7 +10,7 @@ commands =
     py.test --pyargs ihatemoney.tests
 
 deps =
-    -e.[dev]
+    -e.[database,dev]
 
 # To be sure we are importing ihatemoney pkg from pip-installed version
 changedir = /tmp