# syntax=docker/dockerfile:1
#
# Full ("fat") GizmoSQL image — ships convenience utilities (Python, AWS CLI,
# Azure CLI, azcopy, DuckDB CLI, TLS cert generation) alongside the server.
#
# Multi-stage layout for a smaller attack surface:
#   * builder stage downloads/installs the relocatable CLIs (AWS CLI v2,
#     azcopy, DuckDB CLI) using throwaway download tooling (curl/unzip/tar)
#     that never lands in the shipped image.
#   * final stage is python:3.12-slim with only the runtime packages the
#     entrypoint actually needs. No C/C++ build toolchain — the server and
#     client binaries are prebuilt in CI and COPYed in.
# NOTE on the base image: the gizmosql_server / gizmosql_client binaries are
# built in a manylinux_2_28 container (scripts/build_portable_linux.sh) with a
# glibc 2.28 baseline, so any Debian 11+/Ubuntu 20.04+ base works — including
# bookworm. trixie is used simply because it is the current Debian stable for
# python:3.12-slim.
# ──────────────────────────────────────────────────────────────────────────
# Builder stage: fetch relocatable CLI tooling
# ──────────────────────────────────────────────────────────────────────────
FROM python:3.12-slim-trixie AS builder

# Target platform of the build (e.g. linux/amd64); the download steps in this
# stage branch on it to pick the matching archive.
ARG TARGETPLATFORM

# Download/unpack tooling. It is installed in this stage only; the final stage
# starts from its own FROM and copies individual paths out of this one.
RUN apt-get update \
    && apt-get install -y --no-install-recommends \
        ca-certificates \
        curl \
        tar \
        unzip \
    && rm -rf /var/lib/apt/lists/*
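# AWS CLI v2 — self-contained install under /usr/local/aws-cli with symlinks
# in /usr/local/bin (relocatable; bundles its own Python runtime).
#
# --fail makes curl exit non-zero on an HTTP error instead of saving the error
# body as awscliv2.zip, and the default case arm stops the build with a clear
# message when TARGETPLATFORM is not one of the two supported values.
#
# NOTE(review): the URL is unversioned and the archive is installed without an
# integrity check, so the build trusts whatever is served at build time. AWS
# publishes a detached PGP signature for the installer archive; consider
# pinning a version and verifying the download before running ./aws/install.
RUN case "${TARGETPLATFORM}" in \
        "linux/amd64") AWSCLI_FILE=https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip ;; \
        "linux/arm64") AWSCLI_FILE=https://awscli.amazonaws.com/awscli-exe-linux-aarch64.zip ;; \
        *) echo "Unsupported TARGETPLATFORM for AWS CLI: '${TARGETPLATFORM}'" >&2; exit 1 ;; \
    esac && \
    curl --fail --location "${AWSCLI_FILE}" -o "awscliv2.zip" && \
    unzip -q awscliv2.zip && \
    ./aws/install && \
    rm -rf awscliv2.zip aws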
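# azcopy — single static binary.
#
# --fail makes curl exit non-zero on an HTTP error instead of handing an error
# body to tar, and the default case arm stops the build with a clear message
# when TARGETPLATFORM is not one of the two supported values.
#
# NOTE(review): the aka.ms links are redirects resolved at build time, so the
# azcopy version is not pinned and the tarball is unpacked without an
# integrity check. Consider a versioned download URL plus a recorded SHA-256
# that is checked before the binary is moved into /usr/local/bin.
RUN case "${TARGETPLATFORM}" in \
        "linux/amd64") AZCOPY_FILE=https://aka.ms/downloadazcopy-v10-linux ;; \
        "linux/arm64") AZCOPY_FILE=https://aka.ms/downloadazcopy-v10-linux-arm64 ;; \
        *) echo "Unsupported TARGETPLATFORM for azcopy: '${TARGETPLATFORM}'" >&2; exit 1 ;; \
    esac && \
    curl --fail --location "${AZCOPY_FILE}" -o "azcopy.tar.gz" && \
    tar -xf azcopy.tar.gz && \
    mv azcopy_linux_*/azcopy /usr/local/bin/azcopy && \
    chmod +x /usr/local/bin/azcopy && \
    rm -rf azcopy_linux_* azcopy.tar.gz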
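# DuckDB CLI — single binary, handy for ad-hoc shell use.
#
# The release is pinned through DUCKDB_VERSION (overridable with --build-arg).
# --fail makes curl exit non-zero on an HTTP error (for example a version that
# has no such release asset) instead of passing an error page to unzip, and the
# default case arm rejects unsupported TARGETPLATFORM values explicitly.
#
# NOTE(review): the version is pinned but the archive content is not; consider
# recording the SHA-256 of each platform's zip and checking it before unzip.
ARG DUCKDB_VERSION="1.5.3"
RUN case "${TARGETPLATFORM}" in \
        "linux/amd64") DUCKDB_FILE=https://github.com/duckdb/duckdb/releases/download/v${DUCKDB_VERSION}/duckdb_cli-linux-amd64.zip ;; \
        "linux/arm64") DUCKDB_FILE=https://github.com/duckdb/duckdb/releases/download/v${DUCKDB_VERSION}/duckdb_cli-linux-arm64.zip ;; \
        *) echo "Unsupported TARGETPLATFORM for DuckDB CLI: '${TARGETPLATFORM}'" >&2; exit 1 ;; \
    esac && \
    curl --fail --location "${DUCKDB_FILE}" -o /tmp/duckdb.zip && \
    unzip -q /tmp/duckdb.zip -d /usr/local/bin && \
    rm /tmp/duckdb.zip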
# ──────────────────────────────────────────────────────────────────────────
# Final stage: runtime image
# ──────────────────────────────────────────────────────────────────────────
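# NOTE(review): the tag is mutable, so two builds of the same commit can start
# from different base layers; pin by digest if reproducible images are needed.
FROM python:3.12-slim-trixie

# Platform values for the target of this build. In this stage they are only
# used for the build-log banner below.
ARG TARGETPLATFORM
ARG TARGETARCH
ARG TARGETVARIANT

# Log the requested target platform next to what uname reports inside the
# build container. The values are passed as printf arguments rather than
# spliced into the format string, so a '%' or backslash in a value cannot be
# interpreted as a format directive.
RUN printf "I'm building for TARGETPLATFORM=%s, TARGETARCH=%s, TARGETVARIANT=%s \n" \
        "${TARGETPLATFORM}" "${TARGETARCH}" "${TARGETVARIANT}" \
    && printf "With uname -s : " && uname -s \
    && printf "and uname -m : " && uname -m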
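# Runtime packages only. dist-upgrade pulls the latest base security fixes.
# Azure CLI is installed via Microsoft's official apt repository; the repo
# tooling (gnupg/lsb-release) is purged afterwards to keep the surface small.
# curl stays installed: the TPC-H download step later in this file uses it.
#
# The installer script is saved to a file with --fail and then executed,
# instead of being piped straight into bash. Under /bin/sh a pipeline's exit
# status is that of its last command, so with `curl | bash` a failed download
# feeds bash an empty script, bash exits 0, and the build continues without
# the Azure CLI. Saving first also means a truncated transfer is never run.
#
# NOTE(review): the script is fetched through an aka.ms redirect and runs as
# root without being pinned or verified. Configuring the Microsoft apt
# repository directly, with its signing key referenced via signed-by, would
# remove the remote-script execution from the build.
RUN apt-get update && \
    apt-get dist-upgrade --yes && \
    apt-get install -y --no-install-recommends \
        ca-certificates \
        curl \
        gnupg \
        lsb-release \
        numactl \
        openssl \
        procps \
        sqlite3 && \
    curl --fail --silent --show-error --location https://aka.ms/InstallAzureCLIDeb \
        -o /tmp/install_azure_cli.sh && \
    bash /tmp/install_azure_cli.sh && \
    rm -f /tmp/install_azure_cli.sh && \
    apt-get purge -y gnupg lsb-release && \
    apt-get autoremove -y && \
    apt-get clean && \
    rm -rf /var/lib/apt/lists/*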
# Copy the relocatable CLIs from the builder stage. Only these five paths are
# taken, so nothing else from the builder (its apt-installed curl/unzip, for
# instance) reaches this image.
#   /usr/local/aws-cli              AWS CLI v2 install tree
#   /usr/local/bin/aws, aws_completer   AWS CLI entry points
#   /usr/local/bin/azcopy, duckdb   standalone binaries
# NOTE(review): aws and aws_completer are described above as symlinks into
# /usr/local/aws-cli — confirm they still resolve correctly after COPY.
COPY --from=builder /usr/local/aws-cli /usr/local/aws-cli
COPY --from=builder /usr/local/bin/aws /usr/local/bin/aws
COPY --from=builder /usr/local/bin/aws_completer /usr/local/bin/aws_completer
COPY --from=builder /usr/local/bin/azcopy /usr/local/bin/azcopy
COPY --from=builder /usr/local/bin/duckdb /usr/local/bin/duckdb
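# Create an unprivileged application user with a home directory.
RUN useradd --create-home app_user

# Application root; overridable with --build-arg.
ARG APP_DIR=/opt/gizmosql

# Create the application directory and hand it to app_user. APP_DIR is quoted
# so an overridden value containing spaces is not split into several paths.
#
# NOTE(review): the recursive chown gives app_user ownership of all of
# /usr/local, which in this image holds the Python installation and the CLIs
# copied from the builder stage. The runtime user can therefore replace the
# binaries it executes, and every file under /usr/local is rewritten into this
# layer. It is left in place because later steps may rely on it — confirm
# which ones actually need write access and narrow the chown to those paths.
RUN mkdir --parents "${APP_DIR}" && \
    chown app_user:app_user "${APP_DIR}" && \
    chown --recursive app_user:app_user /usr/local

# Drop root: every following RUN step and the container itself run as app_user.
USER app_user

WORKDIR ${APP_DIR}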
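ENV VIRTUAL_ENV=${APP_DIR}/.venv

# Create the virtual environment and upgrade its packaging tools.
# The upgrade calls the venv's own interpreter explicitly instead of sourcing
# ~/.bashrc first: PATH is only switched to the venv by the ENV line below, so
# within this RUN a bare `pip` resolves to the venv only if the sourced file
# really runs the activate line.
# NOTE(review): Debian's default ~/.bashrc typically returns early in
# non-interactive shells, in which case the original `. ~/.bashrc && pip ...`
# would have upgraded the system pip under /usr/local instead — confirm.
# The activate line is still appended to ~/.bashrc for interactive shells.
RUN python3 -m venv "${VIRTUAL_ENV}" && \
    echo ". ${VIRTUAL_ENV}/bin/activate" >> ~/.bashrc && \
    "${VIRTUAL_ENV}/bin/python" -m pip install --no-cache-dir --upgrade pip setuptools wheel

# Set the PATH so that the Python Virtual environment is referenced for subsequent RUN steps (hat tip: https://pythonspeed.com/articles/activate-virtualenv-dockerfile/)
ENV PATH="${VIRTUAL_ENV}/bin:${PATH}"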
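# Copy the scripts directory into the image (we copy directory-by-directory in order to maximize Docker caching)
COPY --chown=app_user:app_user scripts scripts

# Get the SQLite3 database file (saved as data/TPC-H-small.db; --create-dirs
# makes the data directory).
# --fail makes curl exit non-zero on an HTTP error instead of saving the error
# page as the database file, which would only surface later as a confusing
# failure in the build-time test.
# NOTE(review): the release tag is pinned (v1.0) but the file content is not
# verified; consider recording its SHA-256 and checking it after download.
RUN curl --fail --location https://github.com/lovasoa/TPCH-sqlite/releases/download/v1.0/TPC-H-small.db -o data/TPC-H-small.db --create-dirs

# Install Python requirements into the virtual environment (pip is resolved
# through the venv-first PATH).
COPY --chown=app_user:app_user requirements.txt .
RUN pip install --no-cache-dir --requirement requirements.txt

# Create DuckDB database file data/TPC-H-small.duckdb with the project's
# generator script, replacing any existing file.
RUN python "scripts/create_duckdb_database_file.py" \
        --file-name="TPC-H-small.duckdb" \
        --file-path="data" \
        --overwrite-file=true \
        --scale-factor=0.01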
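# Server and client binaries, prebuilt outside this Dockerfile and taken from
# the build context. Ownership and the executable bit are set by COPY itself
# (--chown/--chmod), which avoids the two extra `RUN chmod +x` layers that
# each stored a second copy of the binary.
# NOTE(review): these binaries are owned by app_user, so the runtime user can
# overwrite the server it runs; root ownership with mode 755 would prevent
# that if nothing at runtime needs to replace them.
COPY --chown=app_user:app_user --chmod=755 gizmosql_server /usr/local/bin/gizmosql_server
COPY --chown=app_user:app_user --chmod=755 gizmosql_client /usr/local/bin/gizmosql_client

# TLS material directory from the build context, placed under the working
# directory.
# NOTE(review): if this directory can contain private keys in the build
# context, they become part of the image layers — confirm it holds none.
COPY --chown=app_user:app_user tls tls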
# Ports the image documents as listening ports. EXPOSE is metadata only; it
# does not publish them.
EXPOSE 31337 31339

# Run a test to ensure that the server works; a non-zero exit from the script
# fails the image build.
RUN scripts/test_gizmosql.sh

# Exec form, so the start script runs without a wrapping shell. The relative
# path is resolved against the image's working directory.
ENTRYPOINT ["scripts/start_gizmosql.sh"]