-
Notifications
You must be signed in to change notification settings - Fork 71
Expand file tree
/
Copy pathDockerfile
More file actions
117 lines (111 loc) · 3.89 KB
/
Dockerfile
File metadata and controls
117 lines (111 loc) · 3.89 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
ARG BUILD_FROM
FROM $BUILD_FROM
ARG \
PYTHON_VERSION \
CERT_IDENTITY \
CERT_OIDC_ISSUER
# ensure local python is preferred over distribution python
ENV PATH=/usr/local/bin:$PATH
# Set shell
SHELL ["/bin/ash", "-o", "pipefail", "-c"]
RUN \
--mount=type=bind,source=./patches,target=/usr/src/patches \
set -ex \
&& export PYTHON_VERSION=${PYTHON_VERSION} \
&& apk add --no-cache --virtual .fetch-deps \
openssl \
tar \
xz \
&& apk add --no-cache --virtual .cosign cosign \
--repository="https://dl-cdn.alpinelinux.org/alpine/v$(. /etc/os-release; echo ${VERSION_ID%.*})/community" \
\
&& curl -L -o python.tar.xz "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz" \
&& curl -L -o python.tar.xz.sigstore "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.sigstore" \
&& cosign verify-blob \
--new-bundle-format \
--certificate-identity "${CERT_IDENTITY}" \
--certificate-oidc-issuer "${CERT_OIDC_ISSUER}" \
--bundle python.tar.xz.sigstore \
python.tar.xz \
&& mkdir -p /usr/src/python \
&& tar -xJC /usr/src/python --strip-components=1 -f python.tar.xz \
&& rm python.tar.xz python.tar.xz.sigstore \
\
&& apk add --no-cache --virtual .build-deps \
patch \
bzip2-dev \
coreutils \
dpkg-dev dpkg \
expat-dev \
findutils \
build-base \
gdbm-dev \
libc-dev \
libffi-dev \
libnsl-dev \
openssl \
openssl-dev \
libtirpc-dev \
linux-headers \
make \
mpdecimal-dev \
ncurses-dev \
pax-utils \
readline-dev \
sqlite-dev \
tcl-dev \
tk \
tk-dev \
xz-dev \
zlib-dev \
bluez-dev \
# add build deps before removing fetch deps in case there's overlap
&& apk del .fetch-deps .cosign \
\
&& for i in /usr/src/patches/*.patch; do \
patch -d /usr/src/python -p 1 < "${i}"; done \
&& cd /usr/src/python \
&& gnuArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)" \
&& ./configure \
--build="$gnuArch" \
--enable-loadable-sqlite-extensions \
--enable-optimizations \
--enable-option-checking=fatal \
--enable-shared \
--with-lto \
--with-system-libmpdec \
--with-system-expat \
--without-ensurepip \
--without-static-libpython \
&& make -j "$(nproc)" \
LDFLAGS="-Wl,--strip-all" \
CFLAGS="-fno-semantic-interposition -fno-builtin-malloc -fno-builtin-calloc -fno-builtin-realloc -fno-builtin-free" \
# set thread stack size to 2MB so we don't segfault before we hit sys.getrecursionlimit()
# https://github.com/alpinelinux/aports/commit/2026e1259422d4e0cf92391ca2d3844356c649d0
# https://github.com/alpinelinux/aports/commit/675f1babb7ac89068d32b8f4b4e8bbfbb04c96ac
EXTRA_CFLAGS="-DTHREAD_STACK_SIZE=0x200000" \
&& make install \
\
&& find /usr/local -type f -executable -not \( -name '*tkinter*' \) -exec scanelf --needed --nobanner --format '%n#p' '{}' ';' \
| tr ',' '\n' \
| sort -u \
| awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \
| xargs -rt apk add --no-cache --virtual .python-rundeps \
&& apk del .build-deps \
\
&& find /usr/local -depth \
\( \
-type d -a \( -name test -o -name tests \) \
\) -exec rm -rf '{}' + \
&& rm -rf /usr/src/python \
# make some useful symlinks that are expected to exist
&& cd /usr/local/bin \
&& ln -s idle3 idle \
&& ln -s pydoc3 pydoc \
&& ln -s python3 python \
&& ln -s python3-config python-config
ARG PIP_VERSION
RUN set -ex; \
python -m ensurepip --upgrade --default-pip; \
pip3 install --no-cache-dir --upgrade pip=="${PIP_VERSION}"; \
pip --version