christianlight/tutor
7
0
Fork 0
mirror of https://github.com/ChristianLight/tutor.git synced 2024-05-31 13:20:48 +00:00
Code Issues Releases Activity
3ba5365537
tutor/tutor/templates/build/openedx/Dockerfile

268 lines
11 KiB
Docker
Raw Normal View History

Switch to multi-stage build for openedx image This reduces the size of the final image from 3.25Gb to 2.8Gb. Also, it should be faster to rebuild the image in most cases. For instance, we will not have to re-install nodejs requirements after part of the edx-platform repo was modified.
2020-07-25 22:11:30 +00:00
###### Minimal image with base system requirements for most stages
v11.0.0 (2020-12-09) - 💥[Improvement] Upgrade Open edX to Koa - 💥 Setting changes: - The ``ACTIVATE_HTTPS`` setting was renamed to ``ENABLE_HTTPS``. - Other ``ACTIVATE_*`` variables were all renamed to ``RUN_*``. - The ``WEB_PROXY`` setting was removed and ``RUN_CADDY`` was added. - The ``NGINX_HTTPS_PORT`` setting is deprecated. - Architectural changes: - Use Caddy as a web proxy for automated SSL/TLS certificate generation: - Nginx no longer listens to port 443 for https traffic - The Caddy configuration file comes with a new ``caddyfile`` patch for much simpler SSL/TLS management. - Configuration files for web proxies are no longer provided. - Kubernetes deployment no longer requires setting up a custom Ingress resource or custom manager. - Gunicorn and Whitenoise are replaced by uwsgi: this increases boostrap performance and makes it no longer necessary to mount media folders in the Nginx container. - Replace memcached and rabbitmq by redis. - Additional features: - Make it possible to disable all plugins at once with ``plugins disable all``. - Add ``tutor k8s wait`` command to wait for a pod to become ready - Faster, more reliable static assets with local memory caching - Deprecation: proxy files for Apache and Nginx are no longer provided out of the box. - Removed plugin `{{ patch (...) }}` statements: - "https-create", "k8s-ingress-rules", "k8s-ingress-tls-hosts": these are no longer necessary. Instead, declare your app in the "caddyfile" patch. - "local-docker-compose-nginx-volumes": this patch was primarily used to serve media assets. The recommended is now to serve assets with uwsgi.
2020-09-17 10:53:14 +00:00
FROM docker.io/ubuntu:20.04 as minimal
improvement: use LABEL instead of MAINTAINER in Dockerfile see https://docs.docker.com/engine/reference/builder/#maintainer-deprecated
2022-01-18 13:08:38 +00:00
LABEL maintainer="Overhang.io <contact@overhang.io>"
:sunrise:
2017-07-03 10:39:19 +00:00
v11.0.0 (2020-12-09) - 💥[Improvement] Upgrade Open edX to Koa - 💥 Setting changes: - The ``ACTIVATE_HTTPS`` setting was renamed to ``ENABLE_HTTPS``. - Other ``ACTIVATE_*`` variables were all renamed to ``RUN_*``. - The ``WEB_PROXY`` setting was removed and ``RUN_CADDY`` was added. - The ``NGINX_HTTPS_PORT`` setting is deprecated. - Architectural changes: - Use Caddy as a web proxy for automated SSL/TLS certificate generation: - Nginx no longer listens to port 443 for https traffic - The Caddy configuration file comes with a new ``caddyfile`` patch for much simpler SSL/TLS management. - Configuration files for web proxies are no longer provided. - Kubernetes deployment no longer requires setting up a custom Ingress resource or custom manager. - Gunicorn and Whitenoise are replaced by uwsgi: this increases boostrap performance and makes it no longer necessary to mount media folders in the Nginx container. - Replace memcached and rabbitmq by redis. - Additional features: - Make it possible to disable all plugins at once with ``plugins disable all``. - Add ``tutor k8s wait`` command to wait for a pod to become ready - Faster, more reliable static assets with local memory caching - Deprecation: proxy files for Apache and Nginx are no longer provided out of the box. - Removed plugin `{{ patch (...) }}` statements: - "https-create", "k8s-ingress-rules", "k8s-ingress-tls-hosts": these are no longer necessary. Instead, declare your app in the "caddyfile" patch. - "local-docker-compose-nginx-volumes": this patch was primarily used to serve media assets. The recommended is now to serve assets with uwsgi.
2020-09-17 10:53:14 +00:00
ENV DEBIAN_FRONTEND=noninteractive
Working stack: still some bugs to fix
2017-12-26 00:16:35 +00:00
RUN apt update && \
Switch to multi-stage build for openedx image This reduces the size of the final image from 3.25Gb to 2.8Gb. Also, it should be faster to rebuild the image in most cases. For instance, we will not have to re-install nodejs requirements after part of the edx-platform repo was modified.
2020-07-25 22:11:30 +00:00
apt install -y build-essential curl git language-pack-en
v10.0.0 Upgrade to Juniper (2020-06-15) Here, we upgrade the Open edX platform from Ironwood to Juniper. This upgrade does not come with many feature changes, but there are many technical improvements under the hood: - Upgrade from Python 2.7 to 3.5 - Upgrade from Mongodb v3.2 to v3.6 - Upgrade Ruby to 2.5.7 We took the opportunity to completely rething the way locally running platforms should be accessed for testing purposes. It is no longer possible to access a running platform from http://localhost and http://studio.localhost. Instead, users should access http://local.overhang.io and https://studio.local.overhang.io. This drastically simplifies internal communication between Docker containers. To upgrade, users should simply run: tutor local quickstart For Kubernetes platform, the upgrade process is outlined when running: tutor k8s upgrade --from=ironwood
2019-12-24 16:22:12 +00:00
ENV LC_ALL en_US.UTF-8
dockerfile patch added in the minimal section
2022-03-11 14:24:32 +00:00
{{ patch("openedx-dockerfile-minimal") }}
v10.0.0 Upgrade to Juniper (2020-06-15) Here, we upgrade the Open edX platform from Ironwood to Juniper. This upgrade does not come with many feature changes, but there are many technical improvements under the hood: - Upgrade from Python 2.7 to 3.5 - Upgrade from Mongodb v3.2 to v3.6 - Upgrade Ruby to 2.5.7 We took the opportunity to completely rething the way locally running platforms should be accessed for testing purposes. It is no longer possible to access a running platform from http://localhost and http://studio.localhost. Instead, users should access http://local.overhang.io and https://studio.local.overhang.io. This drastically simplifies internal communication between Docker containers. To upgrade, users should simply run: tutor local quickstart For Kubernetes platform, the upgrade process is outlined when running: tutor k8s upgrade --from=ironwood
2019-12-24 16:22:12 +00:00
Switch to multi-stage build for openedx image This reduces the size of the final image from 3.25Gb to 2.8Gb. Also, it should be faster to rebuild the image in most cases. For instance, we will not have to re-install nodejs requirements after part of the edx-platform repo was modified.
2020-07-25 22:11:30 +00:00
###### Install python with pyenv in /opt/pyenv and create virtualenv in /openedx/venv
FROM minimal as python
# https://github.com/pyenv/pyenv/wiki/Common-build-problems#prerequisites
run apt update before installing deps
2020-10-16 21:22:02 +00:00
RUN apt update && \
apt install -y libssl-dev zlib1g-dev libbz2-dev \
Switch to multi-stage build for openedx image This reduces the size of the final image from 3.25Gb to 2.8Gb. Also, it should be faster to rebuild the image in most cases. For instance, we will not have to re-install nodejs requirements after part of the edx-platform repo was modified.
2020-07-25 22:11:30 +00:00
libreadline-dev libsqlite3-dev wget curl llvm libncurses5-dev libncursesw5-dev \
xz-utils tk-dev libffi-dev liblzma-dev python-openssl git
feat: upgrade to Maple - A shared cookie domain between lms and cms is no longer recommended: https://github.com/edx/edx-platform/blob/master/docs/guides/studio_oauth.rst - refactor: clean mounted data folder in lms/cms. In Lilac, the bind-mounted lms/data and cms/data folders are a mess because new folders are created there for every new course organisation. These folders are empty. As far as we know they are useless... With this change we move these folders to a dedicated "modulestore" subdirectory; which corresponds better to the initial intent of the fs_root setting. - fix: frontend failure during login to the lms. See: https://github.com/openedx/build-test-release-wg/issues/104 - feat: move all forum-related code to a dedicated plugin. Forum is an optional feature, and as such it deserves its own plugin. Starting from Maple, users will be able to install the forum from https://github.com/overhangio/tutor-forum/ - migrate from DCS_* session cookie settings to SESSION_*. That's because edx-platform no longer depends on django-cookies-samesite. Close https://github.com/openedx/build-test-release-wg/issues/110 - get rid of tons of deprecation warnings in the lms/cms - feat: make it possible to point to themed assets. Cherry-picking this change makes it possible to point to themed assets with a theme-agnostic url, notably from MFEs. - Install all official plugins as part of the `tutor[full]` package. - Don't print error messages about loading plugins during autocompletion. - Prompt for image building when upgrading from one release to the next. - Add `tutor local start --skip-build` option to skip building Docker images. Close #450. Close #545.
2021-10-18 09:43:40 +00:00
ARG PYTHON_VERSION=3.8.12
v10.0.0 Upgrade to Juniper (2020-06-15) Here, we upgrade the Open edX platform from Ironwood to Juniper. This upgrade does not come with many feature changes, but there are many technical improvements under the hood: - Upgrade from Python 2.7 to 3.5 - Upgrade from Mongodb v3.2 to v3.6 - Upgrade Ruby to 2.5.7 We took the opportunity to completely rething the way locally running platforms should be accessed for testing purposes. It is no longer possible to access a running platform from http://localhost and http://studio.localhost. Instead, users should access http://local.overhang.io and https://studio.local.overhang.io. This drastically simplifies internal communication between Docker containers. To upgrade, users should simply run: tutor local quickstart For Kubernetes platform, the upgrade process is outlined when running: tutor k8s upgrade --from=ironwood
2019-12-24 16:22:12 +00:00
ENV PYENV_ROOT /opt/pyenv
feat: upgrade to Maple - A shared cookie domain between lms and cms is no longer recommended: https://github.com/edx/edx-platform/blob/master/docs/guides/studio_oauth.rst - refactor: clean mounted data folder in lms/cms. In Lilac, the bind-mounted lms/data and cms/data folders are a mess because new folders are created there for every new course organisation. These folders are empty. As far as we know they are useless... With this change we move these folders to a dedicated "modulestore" subdirectory; which corresponds better to the initial intent of the fs_root setting. - fix: frontend failure during login to the lms. See: https://github.com/openedx/build-test-release-wg/issues/104 - feat: move all forum-related code to a dedicated plugin. Forum is an optional feature, and as such it deserves its own plugin. Starting from Maple, users will be able to install the forum from https://github.com/overhangio/tutor-forum/ - migrate from DCS_* session cookie settings to SESSION_*. That's because edx-platform no longer depends on django-cookies-samesite. Close https://github.com/openedx/build-test-release-wg/issues/110 - get rid of tons of deprecation warnings in the lms/cms - feat: make it possible to point to themed assets. Cherry-picking this change makes it possible to point to themed assets with a theme-agnostic url, notably from MFEs. - Install all official plugins as part of the `tutor[full]` package. - Don't print error messages about loading plugins during autocompletion. - Prompt for image building when upgrading from one release to the next. - Add `tutor local start --skip-build` option to skip building Docker images. Close #450. Close #545.
2021-10-18 09:43:40 +00:00
RUN git clone https://github.com/pyenv/pyenv $PYENV_ROOT --branch v2.2.2 --depth 1
Switch to multi-stage build for openedx image This reduces the size of the final image from 3.25Gb to 2.8Gb. Also, it should be faster to rebuild the image in most cases. For instance, we will not have to re-install nodejs requirements after part of the edx-platform repo was modified.
2020-07-25 22:11:30 +00:00
RUN $PYENV_ROOT/bin/pyenv install $PYTHON_VERSION
v11.0.0 (2020-12-09) - 💥[Improvement] Upgrade Open edX to Koa - 💥 Setting changes: - The ``ACTIVATE_HTTPS`` setting was renamed to ``ENABLE_HTTPS``. - Other ``ACTIVATE_*`` variables were all renamed to ``RUN_*``. - The ``WEB_PROXY`` setting was removed and ``RUN_CADDY`` was added. - The ``NGINX_HTTPS_PORT`` setting is deprecated. - Architectural changes: - Use Caddy as a web proxy for automated SSL/TLS certificate generation: - Nginx no longer listens to port 443 for https traffic - The Caddy configuration file comes with a new ``caddyfile`` patch for much simpler SSL/TLS management. - Configuration files for web proxies are no longer provided. - Kubernetes deployment no longer requires setting up a custom Ingress resource or custom manager. - Gunicorn and Whitenoise are replaced by uwsgi: this increases boostrap performance and makes it no longer necessary to mount media folders in the Nginx container. - Replace memcached and rabbitmq by redis. - Additional features: - Make it possible to disable all plugins at once with ``plugins disable all``. - Add ``tutor k8s wait`` command to wait for a pod to become ready - Faster, more reliable static assets with local memory caching - Deprecation: proxy files for Apache and Nginx are no longer provided out of the box. - Removed plugin `{{ patch (...) }}` statements: - "https-create", "k8s-ingress-rules", "k8s-ingress-tls-hosts": these are no longer necessary. Instead, declare your app in the "caddyfile" patch. - "local-docker-compose-nginx-volumes": this patch was primarily used to serve media assets. The recommended is now to serve assets with uwsgi.
2020-09-17 10:53:14 +00:00
RUN $PYENV_ROOT/versions/$PYTHON_VERSION/bin/python -m venv /openedx/venv
:sunrise:
2017-07-03 10:39:19 +00:00
Switch to multi-stage build for openedx image This reduces the size of the final image from 3.25Gb to 2.8Gb. Also, it should be faster to rebuild the image in most cases. For instance, we will not have to re-install nodejs requirements after part of the edx-platform repo was modified.
2020-07-25 22:11:30 +00:00
###### Install Dockerize to wait for mysql DB availability
FROM minimal as dockerize
fix: dockerize on arm64 The version of dockerize that shipped with the "openedx" image was not compatible with arm64. The original project is unmaintained, but there is a fork that provides a version that is compatible with arm64. This was tested on arm64 with buildx: docker buildx build --tag=openedx --platform=linux/arm64 ~/.local/share/tutor/env/build/openedx Close #591
2022-03-10 14:57:19 +00:00
# https://github.com/powerman/dockerize/releases
ARG DOCKERIZE_VERSION=v0.16.0
RUN dockerize_url="https://github.com/powerman/dockerize/releases/download/$DOCKERIZE_VERSION/dockerize-linux-$(uname -m | sed 's@aarch@arm@')" \
&& echo "Downloading dockerize from $dockerize_url" \
&& curl --fail --location --output /usr/local/bin/dockerize $dockerize_url \
&& chmod a+x /usr/local/bin/dockerize
Package static assets inside the openedx image This allows us to deploy much faster: all we have to do is to copy the assets from the container to the shared volume. We also changed the way themes are managed: similarly to static assets, they are now packaged inside the docker image.
2018-12-07 18:30:30 +00:00
Switch to multi-stage build for openedx image This reduces the size of the final image from 3.25Gb to 2.8Gb. Also, it should be faster to rebuild the image in most cases. For instance, we will not have to re-install nodejs requirements after part of the edx-platform repo was modified.
2020-07-25 22:11:30 +00:00
###### Checkout edx-platform code
FROM minimal as code
feat: Make the platform repository and NPM registry configurable from config.yml Previously, the only way for Tutor users to use a fork of edx-platform or a custom NPM registry was to use build args during the image build. This is suboptimal in the case of automatically building images from CI pipelines, which may want to auto-detect when an image needs to be rebuilt based on config.yml changes. In addition, the EDX_PLATFORM_VERSION build argument can already be set via a corresponding config.yml parameter (OPENEDX_COMMON_VERSION), so it's reasonable to follow that precedent and also introduce config.yml parameters to correspond with the EDX_PLATFORM_REPOSITORY and NPM_REGISTRY build arguments. Thus, introduce two new configuration parameters: - EDX_PLATFORM_REPOSITORY - NPM_REGISTRY These parameters can now optionally be used instead of the aforementioned build args.
2022-03-25 08:04:26 +00:00
ARG EDX_PLATFORM_REPOSITORY={{ EDX_PLATFORM_REPOSITORY }}
fix: Correct EDX_PLATFORM_VERSION default for local edx-platform forks PR #619 set the EDX_PLATFORM_VERSION build arg's default to OPENEDX_COMMON_VERSION. While this works fine for setting a non-default branch to run edx code from (say, "master"), it may break if the user sets OPENEDX_COMMON_VERSION to a branch or tag name that does not exist upstream in repositories *other than* EDX_PLATFORM_REPOSITORY. Thus, introduce a separate configuration parameter, EDX_PLATFORM_VERSION, to match the build arg of the same name. Set its default to OPENEDX_COMMON_VERSION. This way, the user can deploy an arbitrarily-named fork of edx-platform, while retaining the default OPENEDX_COMMON_VERSION (like, for example "open-release/maple.3") for everything else.
2022-04-13 09:15:35 +00:00
ARG EDX_PLATFORM_VERSION={{ EDX_PLATFORM_VERSION }}
Migrate openedx-docker project to Tutor :woman_teacher: The project gets a new name and some proper documentation. Build/Deploy are now properly separated.
2018-12-03 18:59:09 +00:00
RUN mkdir -p /openedx/edx-platform && \
git clone $EDX_PLATFORM_REPOSITORY --branch $EDX_PLATFORM_VERSION --depth 1 /openedx/edx-platform
WORKDIR /openedx/edx-platform
:sunrise:
2017-07-03 10:39:19 +00:00
improvement: use `git am` instead of `cherry-pick`
2022-06-16 12:51:12 +00:00
# Identify tutor user to apply patches using git
feat: cleaner git tree in openedx Docker image With "git patch", the resulting source tree was dirty, showing uncommitted changes. Here, we replace "git patch" with "git cherry-pick". We avoid pulling the entire remote repo by fetching individual commits. To do that, we need to assign an identity to the git user.
2021-09-09 14:23:11 +00:00
RUN git config --global user.email "tutor@overhang.io" \
&& git config --global user.name "Tutor"
sec: apply rate limiting security fix
2022-04-20 17:05:06 +00:00
{%- if patch("openedx-dockerfile-git-patches-default") %}
feat: upgrade to open-release/lilac.master One of the breaking changes of this release is the removal of the webui and android features; these are moved to dedicated plugins. This causes a breaking change: the renaming of the DOCKER_IMAGE_ANDROID config variable to ANDROID_DOCKER_IMAGE. See this TEP for reference: https://discuss.overhang.io/t/separate-webui-and-android-from-tutor-core-and-move-to-dedicated-plugins/1473
2021-04-13 20:14:43 +00:00
# Custom edx-platform patches
feat: Conditional edx-platform patching During Docker images build process, apply custom edx-platform patches when tutor patch 'openedx-dockerfile-git-patches-default' is defined or apply current release patches in other case. It avoids possible conflicts between the actually used edx-platform version and the current release patches.
2021-04-14 17:57:22 +00:00
{{ patch("openedx-dockerfile-git-patches-default") }}
sec: apply rate limiting security fix
2022-04-20 17:05:06 +00:00
{%- else %}
v10.0.0 Upgrade to Juniper (2020-06-15) Here, we upgrade the Open edX platform from Ironwood to Juniper. This upgrade does not come with many feature changes, but there are many technical improvements under the hood: - Upgrade from Python 2.7 to 3.5 - Upgrade from Mongodb v3.2 to v3.6 - Upgrade Ruby to 2.5.7 We took the opportunity to completely rething the way locally running platforms should be accessed for testing purposes. It is no longer possible to access a running platform from http://localhost and http://studio.localhost. Instead, users should access http://local.overhang.io and https://studio.local.overhang.io. This drastically simplifies internal communication between Docker containers. To upgrade, users should simply run: tutor local quickstart For Kubernetes platform, the upgrade process is outlined when running: tutor k8s upgrade --from=ironwood
2019-12-24 16:22:12 +00:00
# Patch edx-platform
v14.0.0: upgrade to Nutmeg - 💥 [Feature] Upgrade to Nutmeg: (by @regisb) - 💥 [Feature] Persistent grades are now enabled by default. - [Bugfix] Remove edX references from bulk emails ([issue](https://github.com/openedx/build-test-release-wg/issues/100)). - [Improvement] For Tutor Nightly (and only Nightly), official plugins are now installed from their nightly branches on GitHub instead of a version range on PyPI. This will allow Nightly users to install all official plugins by running ``pip install -e ".[full]"``. - [Bugfix] Start MongoDB when running migrations, because a new data migration fails if MongoDB is not running
2022-04-11 15:26:17 +00:00
# Fix broken "Pages" view in Studio
# https://github.com/openedx/edx-platform/pull/30550
improvement: use `git am` instead of `cherry-pick`
2022-06-16 12:51:12 +00:00
RUN curl -fsSL https://github.com/open-craft/edx-platform/commit/3d54f284f82b61e693ad652d8d6e46a226fcb36d.patch | git am
sec: fix xblock ajax handler vulnerability
2022-10-25 16:56:40 +00:00
# Fix xblock ajax handler vulnerability
# https://github.com/overhangio/edx-platform/tree/overhangio/sec-xblock-ajax
RUN curl -fsSL https://github.com/overhangio/edx-platform/commit/3f0f9eed42.patch | git am
sec: apply rate limiting security fix
2022-04-20 17:05:06 +00:00
{%- endif %}
Apply XSS certificate vulnerability patch https://github.com/edx/edx-platform/pull/20904 https://groups.google.com/forum/#!msg/openedx-ops/fi2WVlD0iNo/hFZrAnLpCAAJ
2019-07-04 22:27:28 +00:00
improvement: use `git am` instead of `cherry-pick`
2022-06-16 12:51:12 +00:00
{# Example: RUN curl -fsSL https://github.com/openedx/edx-platform/commit/<GITSHA1> | git am #}
feat: add "openedx-dockerfile-post-git-checkout" patch This will be convenient for plugins which need to patch edx-platform.
2021-09-09 14:25:07 +00:00
{{ patch("openedx-dockerfile-post-git-checkout") }}
Switch to multi-stage build for openedx image This reduces the size of the final image from 3.25Gb to 2.8Gb. Also, it should be faster to rebuild the image in most cases. For instance, we will not have to re-install nodejs requirements after part of the edx-platform repo was modified.
2020-07-25 22:11:30 +00:00
###### Download extra locales to /openedx/locale/contrib/locale
FROM minimal as locales
feat: upgrade i18n openedx strings to nutmeg.2 Strings could not be pulled from transifex because the file names were incorrect. This is now fixed and we are now able to pull the i18n strings from the nutmeg.2 tag.
2022-08-30 09:17:37 +00:00
ARG OPENEDX_I18N_VERSION={{ OPENEDX_COMMON_VERSION }}
Package static assets inside the openedx image This allows us to deploy much faster: all we have to do is to copy the assets from the container to the shared volume. We also changed the way themes are managed: similarly to static assets, they are now packaged inside the docker image.
2018-12-07 18:30:30 +00:00
RUN cd /tmp \
feat: upgrade all services to open-release/koa.3 We remove security patches and custom fixes which are now part of koa.3. We take the opportunity to make it possible to build the openedx Docker image without relying on a corresponding openedx-i18n repo tag: often, we want to test whether the image simply builds successfully, and we don't need up-to-date translations. For those cases, it's now possible to pass the `-a OPENEDX_I18N_VERSION=oldertag` build argument.
2021-04-07 21:47:52 +00:00
&& curl -L -o openedx-i18n.tar.gz https://github.com/openedx/openedx-i18n/archive/$OPENEDX_I18N_VERSION.tar.gz \
Package static assets inside the openedx image This allows us to deploy much faster: all we have to do is to copy the assets from the container to the shared volume. We also changed the way themes are managed: similarly to static assets, they are now packaged inside the docker image.
2018-12-07 18:30:30 +00:00
&& tar xzf /tmp/openedx-i18n.tar.gz \
Make it easy to add custom translation strings to edx-platform Users can now add custom translation strings to a locale folder at build time, very much in the same way as custom themes or requirements. This is quite convenient, although is does require quite a bit of time to rebuild the docker images.
2020-04-16 17:26:49 +00:00
&& mkdir -p /openedx/locale/contrib \
feat: upgrade all services to open-release/koa.3 We remove security patches and custom fixes which are now part of koa.3. We take the opportunity to make it possible to build the openedx Docker image without relying on a corresponding openedx-i18n repo tag: often, we want to test whether the image simply builds successfully, and we don't need up-to-date translations. For those cases, it's now possible to pass the `-a OPENEDX_I18N_VERSION=oldertag` build argument.
2021-04-07 21:47:52 +00:00
&& mv openedx-i18n-*/edx-platform/locale /openedx/locale/contrib \
Package static assets inside the openedx image This allows us to deploy much faster: all we have to do is to copy the assets from the container to the shared volume. We also changed the way themes are managed: similarly to static assets, they are now packaged inside the docker image.
2018-12-07 18:30:30 +00:00
&& rm -rf openedx-i18n*
Switch to multi-stage build for openedx image This reduces the size of the final image from 3.25Gb to 2.8Gb. Also, it should be faster to rebuild the image in most cases. For instance, we will not have to re-install nodejs requirements after part of the edx-platform repo was modified.
2020-07-25 22:11:30 +00:00
###### Install python requirements in virtualenv
FROM python as python-requirements
Install python requirements in venv in docker image Installing the requirements in a virtualenv is necessary to run "pip install ..." commands in development mode, when the USERID is != 0.
2019-03-09 16:51:25 +00:00
ENV PATH /openedx/venv/bin:${PATH}
ENV VIRTUAL_ENV /openedx/venv/
Switch to multi-stage build for openedx image This reduces the size of the final image from 3.25Gb to 2.8Gb. Also, it should be faster to rebuild the image in most cases. For instance, we will not have to re-install nodejs requirements after part of the edx-platform repo was modified.
2020-07-25 22:11:30 +00:00
fix: openedx image wasn't building on ARM64 due to missing libgeos-dev
2021-12-01 22:41:20 +00:00
RUN apt update && apt install -y software-properties-common libmysqlclient-dev libxmlsec1-dev libgeos-dev
Switch to multi-stage build for openedx image This reduces the size of the final image from 3.25Gb to 2.8Gb. Also, it should be faster to rebuild the image in most cases. For instance, we will not have to re-install nodejs requirements after part of the edx-platform repo was modified.
2020-07-25 22:11:30 +00:00
# Note that this means that we need to reinstall all requirements whenever there is a
# change in edx-platform, which sucks. But there is no obvious alternative, as we need
# to install some packages from edx-platform.
COPY --from=code /openedx/edx-platform /openedx/edx-platform
WORKDIR /openedx/edx-platform
# Install the right version of pip/setuptools
v14.0.0: upgrade to Nutmeg - 💥 [Feature] Upgrade to Nutmeg: (by @regisb) - 💥 [Feature] Persistent grades are now enabled by default. - [Bugfix] Remove edX references from bulk emails ([issue](https://github.com/openedx/build-test-release-wg/issues/100)). - [Improvement] For Tutor Nightly (and only Nightly), official plugins are now installed from their nightly branches on GitHub instead of a version range on PyPI. This will allow Nightly users to install all official plugins by running ``pip install -e ".[full]"``. - [Bugfix] Start MongoDB when running migrations, because a new data migration fails if MongoDB is not running
2022-04-11 15:26:17 +00:00
# https://pypi.org/project/setuptools/
# https://pypi.org/project/pip/
# https://pypi.org/project/wheel/
RUN pip install setuptools==62.1.0 pip==22.0.4 wheel==0.37.1
Switch to multi-stage build for openedx image This reduces the size of the final image from 3.25Gb to 2.8Gb. Also, it should be faster to rebuild the image in most cases. For instance, we will not have to re-install nodejs requirements after part of the edx-platform repo was modified.
2020-07-25 22:11:30 +00:00
# Install base requirements
RUN pip install -r ./requirements/edx/base.txt
:sunrise:
2017-07-03 10:39:19 +00:00
v11.0.0 (2020-12-09) - 💥[Improvement] Upgrade Open edX to Koa - 💥 Setting changes: - The ``ACTIVATE_HTTPS`` setting was renamed to ``ENABLE_HTTPS``. - Other ``ACTIVATE_*`` variables were all renamed to ``RUN_*``. - The ``WEB_PROXY`` setting was removed and ``RUN_CADDY`` was added. - The ``NGINX_HTTPS_PORT`` setting is deprecated. - Architectural changes: - Use Caddy as a web proxy for automated SSL/TLS certificate generation: - Nginx no longer listens to port 443 for https traffic - The Caddy configuration file comes with a new ``caddyfile`` patch for much simpler SSL/TLS management. - Configuration files for web proxies are no longer provided. - Kubernetes deployment no longer requires setting up a custom Ingress resource or custom manager. - Gunicorn and Whitenoise are replaced by uwsgi: this increases boostrap performance and makes it no longer necessary to mount media folders in the Nginx container. - Replace memcached and rabbitmq by redis. - Additional features: - Make it possible to disable all plugins at once with ``plugins disable all``. - Add ``tutor k8s wait`` command to wait for a pod to become ready - Faster, more reliable static assets with local memory caching - Deprecation: proxy files for Apache and Nginx are no longer provided out of the box. - Removed plugin `{{ patch (...) }}` statements: - "https-create", "k8s-ingress-rules", "k8s-ingress-tls-hosts": these are no longer necessary. Instead, declare your app in the "caddyfile" patch. - "local-docker-compose-nginx-volumes": this patch was primarily used to serve media assets. The recommended is now to serve assets with uwsgi.
2020-09-17 10:53:14 +00:00
# Install django-redis for using redis as a django cache
v14.0.0: upgrade to Nutmeg - 💥 [Feature] Upgrade to Nutmeg: (by @regisb) - 💥 [Feature] Persistent grades are now enabled by default. - [Bugfix] Remove edX references from bulk emails ([issue](https://github.com/openedx/build-test-release-wg/issues/100)). - [Improvement] For Tutor Nightly (and only Nightly), official plugins are now installed from their nightly branches on GitHub instead of a version range on PyPI. This will allow Nightly users to install all official plugins by running ``pip install -e ".[full]"``. - [Bugfix] Start MongoDB when running migrations, because a new data migration fails if MongoDB is not running
2022-04-11 15:26:17 +00:00
# https://pypi.org/project/django-redis/
RUN pip install django-redis==5.2.0
Add scorm xblock to the openedx docker image
2020-04-25 12:20:13 +00:00
v11.0.0 (2020-12-09) - 💥[Improvement] Upgrade Open edX to Koa - 💥 Setting changes: - The ``ACTIVATE_HTTPS`` setting was renamed to ``ENABLE_HTTPS``. - Other ``ACTIVATE_*`` variables were all renamed to ``RUN_*``. - The ``WEB_PROXY`` setting was removed and ``RUN_CADDY`` was added. - The ``NGINX_HTTPS_PORT`` setting is deprecated. - Architectural changes: - Use Caddy as a web proxy for automated SSL/TLS certificate generation: - Nginx no longer listens to port 443 for https traffic - The Caddy configuration file comes with a new ``caddyfile`` patch for much simpler SSL/TLS management. - Configuration files for web proxies are no longer provided. - Kubernetes deployment no longer requires setting up a custom Ingress resource or custom manager. - Gunicorn and Whitenoise are replaced by uwsgi: this increases boostrap performance and makes it no longer necessary to mount media folders in the Nginx container. - Replace memcached and rabbitmq by redis. - Additional features: - Make it possible to disable all plugins at once with ``plugins disable all``. - Add ``tutor k8s wait`` command to wait for a pod to become ready - Faster, more reliable static assets with local memory caching - Deprecation: proxy files for Apache and Nginx are no longer provided out of the box. - Removed plugin `{{ patch (...) }}` statements: - "https-create", "k8s-ingress-rules", "k8s-ingress-tls-hosts": these are no longer necessary. Instead, declare your app in the "caddyfile" patch. - "local-docker-compose-nginx-volumes": this patch was primarily used to serve media assets. The recommended is now to serve assets with uwsgi.
2020-09-17 10:53:14 +00:00
# Install uwsgi
v14.0.0: upgrade to Nutmeg - 💥 [Feature] Upgrade to Nutmeg: (by @regisb) - 💥 [Feature] Persistent grades are now enabled by default. - [Bugfix] Remove edX references from bulk emails ([issue](https://github.com/openedx/build-test-release-wg/issues/100)). - [Improvement] For Tutor Nightly (and only Nightly), official plugins are now installed from their nightly branches on GitHub instead of a version range on PyPI. This will allow Nightly users to install all official plugins by running ``pip install -e ".[full]"``. - [Bugfix] Start MongoDB when running migrations, because a new data migration fails if MongoDB is not running
2022-04-11 15:26:17 +00:00
# https://pypi.org/project/uWSGI/
feat: upgrade to Maple - A shared cookie domain between lms and cms is no longer recommended: https://github.com/edx/edx-platform/blob/master/docs/guides/studio_oauth.rst - refactor: clean mounted data folder in lms/cms. In Lilac, the bind-mounted lms/data and cms/data folders are a mess because new folders are created there for every new course organisation. These folders are empty. As far as we know they are useless... With this change we move these folders to a dedicated "modulestore" subdirectory; which corresponds better to the initial intent of the fs_root setting. - fix: frontend failure during login to the lms. See: https://github.com/openedx/build-test-release-wg/issues/104 - feat: move all forum-related code to a dedicated plugin. Forum is an optional feature, and as such it deserves its own plugin. Starting from Maple, users will be able to install the forum from https://github.com/overhangio/tutor-forum/ - migrate from DCS_* session cookie settings to SESSION_*. That's because edx-platform no longer depends on django-cookies-samesite. Close https://github.com/openedx/build-test-release-wg/issues/110 - get rid of tons of deprecation warnings in the lms/cms - feat: make it possible to point to themed assets. Cherry-picking this change makes it possible to point to themed assets with a theme-agnostic url, notably from MFEs. - Install all official plugins as part of the `tutor[full]` package. - Don't print error messages about loading plugins during autocompletion. - Prompt for image building when upgrading from one release to the next. - Add `tutor local start --skip-build` option to skip building Docker images. Close #450. Close #545.
2021-10-18 09:43:40 +00:00
RUN pip install uwsgi==2.0.20
Serve static assets with whitenoise instead of nginx This drastically simplifies volume management, as it is no longer necessary to manually copy static assets from the docker image to the bind-mounted volume. This deprecates the "k8s-deployments-nginx-init-containers" patch, as we no longer need to init the nginx container. Plugins are encouraged to start using whitenoise as well for serving static assets. TODO: - test media serving: DOES NOT WORK. Whitenoise was designed to serve a fixed list of static files. Godammit. - compare performances
2020-01-21 15:30:16 +00:00
feat: openedx Dockerfile python requirements extension patch Add patches to extend python requirements installation process in openedx and openedx-dev Dockerfiles
2021-04-07 13:24:29 +00:00
{{ patch("openedx-dockerfile-post-python-requirements") }}
Switch to multi-stage build for openedx image This reduces the size of the final image from 3.25Gb to 2.8Gb. Also, it should be faster to rebuild the image in most cases. For instance, we will not have to re-install nodejs requirements after part of the edx-platform repo was modified.
2020-07-25 22:11:30 +00:00
# Install private requirements: this is useful for installing custom xblocks.
COPY ./requirements/ /openedx/requirements
RUN cd /openedx/requirements/ \
&& touch ./private.txt \
&& pip install -r ./private.txt
feat: allow to specify extra pip packages in config Added OPENEDX_EXTRA_PIP_REQUIREMENTS setting, which allows to specify extra pip packages that should be installed. Moved "openedx-scorm-xblock" package from Dockerfile to the new setting in the config.yml.
2021-11-17 18:37:35 +00:00
{% for extra_requirements in OPENEDX_EXTRA_PIP_REQUIREMENTS %}RUN pip install '{{ extra_requirements }}'
{% endfor %}
Switch to multi-stage build for openedx image This reduces the size of the final image from 3.25Gb to 2.8Gb. Also, it should be faster to rebuild the image in most cases. For instance, we will not have to re-install nodejs requirements after part of the edx-platform repo was modified.
2020-07-25 22:11:30 +00:00
###### Install nodejs with nodeenv in /openedx/nodeenv
FROM python as nodejs-requirements
ENV PATH /openedx/nodeenv/bin:/openedx/venv/bin:${PATH}
# Install nodeenv with the version provided by edx-platform
feat: upgrade to open-release/lilac.master One of the breaking changes of this release is the removal of the webui and android features; these are moved to dedicated plugins. This causes a breaking change: the renaming of the DOCKER_IMAGE_ANDROID config variable to ANDROID_DOCKER_IMAGE. See this TEP for reference: https://discuss.overhang.io/t/separate-webui-and-android-from-tutor-core-and-move-to-dedicated-plugins/1473
2021-04-13 20:14:43 +00:00
RUN pip install nodeenv==1.6.0
v10.0.0 Upgrade to Juniper (2020-06-15) Here, we upgrade the Open edX platform from Ironwood to Juniper. This upgrade does not come with many feature changes, but there are many technical improvements under the hood: - Upgrade from Python 2.7 to 3.5 - Upgrade from Mongodb v3.2 to v3.6 - Upgrade Ruby to 2.5.7 We took the opportunity to completely rething the way locally running platforms should be accessed for testing purposes. It is no longer possible to access a running platform from http://localhost and http://studio.localhost. Instead, users should access http://local.overhang.io and https://studio.local.overhang.io. This drastically simplifies internal communication between Docker containers. To upgrade, users should simply run: tutor local quickstart For Kubernetes platform, the upgrade process is outlined when running: tutor k8s upgrade --from=ironwood
2019-12-24 16:22:12 +00:00
RUN nodeenv /openedx/nodeenv --node=12.13.0 --prebuilt
Upgrade node to 5.5.1 in openedx image
2018-12-25 23:08:06 +00:00
Remove redundancy in dependency install Full dependency install is replaced by just nodejs dependency install, which should considerably accelerate the build step. This closes #2. Kudos to @sampaccoud for suggesting this!
2018-02-07 07:22:04 +00:00
# Install nodejs requirements
feat: Make the platform repository and NPM registry configurable from config.yml Previously, the only way for Tutor users to use a fork of edx-platform or a custom NPM registry was to use build args during the image build. This is suboptimal in the case of automatically building images from CI pipelines, which may want to auto-detect when an image needs to be rebuilt based on config.yml changes. In addition, the EDX_PLATFORM_VERSION build argument can already be set via a corresponding config.yml parameter (OPENEDX_COMMON_VERSION), so it's reasonable to follow that precedent and also introduce config.yml parameters to correspond with the EDX_PLATFORM_REPOSITORY and NPM_REGISTRY build arguments. Thus, introduce two new configuration parameters: - EDX_PLATFORM_REPOSITORY - NPM_REGISTRY These parameters can now optionally be used instead of the aforementioned build args.
2022-03-25 08:04:26 +00:00
ARG NPM_REGISTRY={{ NPM_REGISTRY }}
Switch to multi-stage build for openedx image This reduces the size of the final image from 3.25Gb to 2.8Gb. Also, it should be faster to rebuild the image in most cases. For instance, we will not have to re-install nodejs requirements after part of the edx-platform repo was modified.
2020-07-25 22:11:30 +00:00
COPY --from=code /openedx/edx-platform/package.json /openedx/edx-platform/package.json
feat: pinned nodejs requirements with `npm ci` Contrary to what we might expect, `npm install` does not install pinned requirements from a project's package-lock.json. That's the responsibility of `npm ci`: https://docs.npmjs.com/cli/v8/commands/npm-ci Running `npm ci` is also *much* faster than `npm install`, so that's a huge win. See this issue for reference: https://github.com/openedx/frontend-wg/issues/100
2022-05-16 14:04:02 +00:00
COPY --from=code /openedx/edx-platform/package-lock.json /openedx/edx-platform/package-lock.json
Switch to multi-stage build for openedx image This reduces the size of the final image from 3.25Gb to 2.8Gb. Also, it should be faster to rebuild the image in most cases. For instance, we will not have to re-install nodejs requirements after part of the edx-platform repo was modified.
2020-07-25 22:11:30 +00:00
WORKDIR /openedx/edx-platform
feat: pinned nodejs requirements with `npm ci` Contrary to what we might expect, `npm install` does not install pinned requirements from a project's package-lock.json. That's the responsibility of `npm ci`: https://docs.npmjs.com/cli/v8/commands/npm-ci Running `npm ci` is also *much* faster than `npm install`, so that's a huge win. See this issue for reference: https://github.com/openedx/frontend-wg/issues/100
2022-05-16 14:04:02 +00:00
RUN npm clean-install --verbose --registry=$NPM_REGISTRY
:sunrise:
2017-07-03 10:39:19 +00:00
Switch to multi-stage build for openedx image This reduces the size of the final image from 3.25Gb to 2.8Gb. Also, it should be faster to rebuild the image in most cases. For instance, we will not have to re-install nodejs requirements after part of the edx-platform repo was modified.
2020-07-25 22:11:30 +00:00
###### Production image with system and python requirements
FROM minimal as production
# Install system requirements
run apt update before installing deps
2020-10-16 21:22:02 +00:00
RUN apt update && \
v11.0.0 (2020-12-09) - 💥[Improvement] Upgrade Open edX to Koa - 💥 Setting changes: - The ``ACTIVATE_HTTPS`` setting was renamed to ``ENABLE_HTTPS``. - Other ``ACTIVATE_*`` variables were all renamed to ``RUN_*``. - The ``WEB_PROXY`` setting was removed and ``RUN_CADDY`` was added. - The ``NGINX_HTTPS_PORT`` setting is deprecated. - Architectural changes: - Use Caddy as a web proxy for automated SSL/TLS certificate generation: - Nginx no longer listens to port 443 for https traffic - The Caddy configuration file comes with a new ``caddyfile`` patch for much simpler SSL/TLS management. - Configuration files for web proxies are no longer provided. - Kubernetes deployment no longer requires setting up a custom Ingress resource or custom manager. - Gunicorn and Whitenoise are replaced by uwsgi: this increases boostrap performance and makes it no longer necessary to mount media folders in the Nginx container. - Replace memcached and rabbitmq by redis. - Additional features: - Make it possible to disable all plugins at once with ``plugins disable all``. - Add ``tutor k8s wait`` command to wait for a pod to become ready - Faster, more reliable static assets with local memory caching - Deprecation: proxy files for Apache and Nginx are no longer provided out of the box. - Removed plugin `{{ patch (...) }}` statements: - "https-create", "k8s-ingress-rules", "k8s-ingress-tls-hosts": these are no longer necessary. Instead, declare your app in the "caddyfile" patch. - "local-docker-compose-nginx-volumes": this patch was primarily used to serve media assets. The recommended is now to serve assets with uwsgi.
2020-09-17 10:53:14 +00:00
apt install -y gettext gfortran graphviz graphviz-dev libffi-dev libfreetype6-dev libgeos-dev libjpeg8-dev liblapack-dev libmysqlclient-dev libpng-dev libsqlite3-dev libxmlsec1-dev lynx ntp pkg-config rdfind && \
run apt update before installing deps
2020-10-16 21:22:02 +00:00
rm -rf /var/lib/apt/lists/*
Switch to multi-stage build for openedx image This reduces the size of the final image from 3.25Gb to 2.8Gb. Also, it should be faster to rebuild the image in most cases. For instance, we will not have to re-install nodejs requirements after part of the edx-platform repo was modified.
2020-07-25 22:11:30 +00:00
feat: run all services as unprivileged containers With this change, containers are no longer run as "root" but as unprivileged users. This is necessary in some environments, notably some Kubernetes clusters. To make this possible, we need to manually fix bind-mounted volumes in docker-compose. This is pretty much equivalent to the behaviour in Kubernetes, where permissions are fixed at runtime if the volume owner is incorrect. Thus, we have a consistent behaviour between docker-compose and Kubernetes. We achieve this by bind-mounting some repos inside "*-permissions" services. These services run as root user on docker-compose and will fix the required permissions, as per build/permissions/setowner.sh These services simply do not run on Kubernetes, where we don't rely on bind-mounted volumes. There, we make use of Kubernete's built-in volume ownership feature. With this change, we get rid of the "openedx-dev" Docker image, in the sense that it no longer has its own Dockerfile. Instead, the dev image is now simply a different target in the multi-layer openedx Docker image. This makes it much faster to build the openedx-dev image. Because we declare the APP_USER_ID in the dev/docker-compose.yml file, we need to pass the user ID from the host there. The only way to achieve that is with a tutor config variable. The downside of this approach is that the dev/docker-compose.yml file is no longer portable from one machine to the next. We consider that this is not such a big issue, as it affects the development environment only. We take this opportunity to replace the base image of the "forum" image. There is now no need to re-install ruby inside the image. The total image size is only decreased by 10%, but re-building the image is faster. In order to run the smtp service as non-root, we switch from namshi/smtp to devture/exim-relay. This change should be backward-compatible. Note that the nginx container remains privileged. We could switch to nginxinc/nginx-unprivileged, but it's probably not worth the effort, as we are considering to get rid of the nginx container altogether. Close #323.
2021-09-23 10:04:19 +00:00
# From then on, run as unprivileged "app" user
fix: build openedx-dev image when host user is root Sometimes, the host user is root: this may happen when tutor is run with "sudo" (which is not recommended) or on Windows. In such cases, building the image should not fail, but default to a reasonable user. Also, when we pass an invalid APP_USER_ID as a build arg, then we should fail with an explicit message. See this conversation: https://discuss.overhang.io/t/problem-with-dev-image-build-useradd-uid-0-is-not-unique/2406
2022-07-04 08:40:52 +00:00
# Note that this must always be different from root (APP_USER_ID=0)
feat: run all services as unprivileged containers With this change, containers are no longer run as "root" but as unprivileged users. This is necessary in some environments, notably some Kubernetes clusters. To make this possible, we need to manually fix bind-mounted volumes in docker-compose. This is pretty much equivalent to the behaviour in Kubernetes, where permissions are fixed at runtime if the volume owner is incorrect. Thus, we have a consistent behaviour between docker-compose and Kubernetes. We achieve this by bind-mounting some repos inside "*-permissions" services. These services run as root user on docker-compose and will fix the required permissions, as per build/permissions/setowner.sh These services simply do not run on Kubernetes, where we don't rely on bind-mounted volumes. There, we make use of Kubernete's built-in volume ownership feature. With this change, we get rid of the "openedx-dev" Docker image, in the sense that it no longer has its own Dockerfile. Instead, the dev image is now simply a different target in the multi-layer openedx Docker image. This makes it much faster to build the openedx-dev image. Because we declare the APP_USER_ID in the dev/docker-compose.yml file, we need to pass the user ID from the host there. The only way to achieve that is with a tutor config variable. The downside of this approach is that the dev/docker-compose.yml file is no longer portable from one machine to the next. We consider that this is not such a big issue, as it affects the development environment only. We take this opportunity to replace the base image of the "forum" image. There is now no need to re-install ruby inside the image. The total image size is only decreased by 10%, but re-building the image is faster. In order to run the smtp service as non-root, we switch from namshi/smtp to devture/exim-relay. This change should be backward-compatible. Note that the nginx container remains privileged. We could switch to nginxinc/nginx-unprivileged, but it's probably not worth the effort, as we are considering to get rid of the nginx container altogether. Close #323.
2021-09-23 10:04:19 +00:00
ARG APP_USER_ID=1000
fix: build openedx-dev image when host user is root Sometimes, the host user is root: this may happen when tutor is run with "sudo" (which is not recommended) or on Windows. In such cases, building the image should not fail, but default to a reasonable user. Also, when we pass an invalid APP_USER_ID as a build arg, then we should fail with an explicit message. See this conversation: https://discuss.overhang.io/t/problem-with-dev-image-build-useradd-uid-0-is-not-unique/2406
2022-07-04 08:40:52 +00:00
RUN if [ "$APP_USER_ID" = 0 ]; then echo "app user may not be root" && false; fi
feat: run all services as unprivileged containers With this change, containers are no longer run as "root" but as unprivileged users. This is necessary in some environments, notably some Kubernetes clusters. To make this possible, we need to manually fix bind-mounted volumes in docker-compose. This is pretty much equivalent to the behaviour in Kubernetes, where permissions are fixed at runtime if the volume owner is incorrect. Thus, we have a consistent behaviour between docker-compose and Kubernetes. We achieve this by bind-mounting some repos inside "*-permissions" services. These services run as root user on docker-compose and will fix the required permissions, as per build/permissions/setowner.sh These services simply do not run on Kubernetes, where we don't rely on bind-mounted volumes. There, we make use of Kubernete's built-in volume ownership feature. With this change, we get rid of the "openedx-dev" Docker image, in the sense that it no longer has its own Dockerfile. Instead, the dev image is now simply a different target in the multi-layer openedx Docker image. This makes it much faster to build the openedx-dev image. Because we declare the APP_USER_ID in the dev/docker-compose.yml file, we need to pass the user ID from the host there. The only way to achieve that is with a tutor config variable. The downside of this approach is that the dev/docker-compose.yml file is no longer portable from one machine to the next. We consider that this is not such a big issue, as it affects the development environment only. We take this opportunity to replace the base image of the "forum" image. There is now no need to re-install ruby inside the image. The total image size is only decreased by 10%, but re-building the image is faster. In order to run the smtp service as non-root, we switch from namshi/smtp to devture/exim-relay. This change should be backward-compatible. Note that the nginx container remains privileged. We could switch to nginxinc/nginx-unprivileged, but it's probably not worth the effort, as we are considering to get rid of the nginx container altogether. Close #323.
2021-09-23 10:04:19 +00:00
RUN useradd --home-dir /openedx --create-home --shell /bin/bash --uid ${APP_USER_ID} app
USER ${APP_USER_ID}
fix: dockerize on arm64 The version of dockerize that shipped with the "openedx" image was not compatible with arm64. The original project is unmaintained, but there is a fork that provides a version that is compatible with arm64. This was tested on arm64 with buildx: docker buildx build --tag=openedx --platform=linux/arm64 ~/.local/share/tutor/env/build/openedx Close #591
2022-03-10 14:57:19 +00:00
COPY --from=dockerize /usr/local/bin/dockerize /usr/local/bin/dockerize
feat: run all services as unprivileged containers With this change, containers are no longer run as "root" but as unprivileged users. This is necessary in some environments, notably some Kubernetes clusters. To make this possible, we need to manually fix bind-mounted volumes in docker-compose. This is pretty much equivalent to the behaviour in Kubernetes, where permissions are fixed at runtime if the volume owner is incorrect. Thus, we have a consistent behaviour between docker-compose and Kubernetes. We achieve this by bind-mounting some repos inside "*-permissions" services. These services run as root user on docker-compose and will fix the required permissions, as per build/permissions/setowner.sh These services simply do not run on Kubernetes, where we don't rely on bind-mounted volumes. There, we make use of Kubernete's built-in volume ownership feature. With this change, we get rid of the "openedx-dev" Docker image, in the sense that it no longer has its own Dockerfile. Instead, the dev image is now simply a different target in the multi-layer openedx Docker image. This makes it much faster to build the openedx-dev image. Because we declare the APP_USER_ID in the dev/docker-compose.yml file, we need to pass the user ID from the host there. The only way to achieve that is with a tutor config variable. The downside of this approach is that the dev/docker-compose.yml file is no longer portable from one machine to the next. We consider that this is not such a big issue, as it affects the development environment only. We take this opportunity to replace the base image of the "forum" image. There is now no need to re-install ruby inside the image. The total image size is only decreased by 10%, but re-building the image is faster. In order to run the smtp service as non-root, we switch from namshi/smtp to devture/exim-relay. This change should be backward-compatible. Note that the nginx container remains privileged. We could switch to nginxinc/nginx-unprivileged, but it's probably not worth the effort, as we are considering to get rid of the nginx container altogether. Close #323.
2021-09-23 10:04:19 +00:00
COPY --chown=app:app --from=code /openedx/edx-platform /openedx/edx-platform
COPY --chown=app:app --from=locales /openedx/locale /openedx/locale
COPY --chown=app:app --from=python /opt/pyenv /opt/pyenv
COPY --chown=app:app --from=python-requirements /openedx/venv /openedx/venv
COPY --chown=app:app --from=python-requirements /openedx/requirements /openedx/requirements
COPY --chown=app:app --from=nodejs-requirements /openedx/nodeenv /openedx/nodeenv
COPY --chown=app:app --from=nodejs-requirements /openedx/edx-platform/node_modules /openedx/edx-platform/node_modules
Switch to multi-stage build for openedx image This reduces the size of the final image from 3.25Gb to 2.8Gb. Also, it should be faster to rebuild the image in most cases. For instance, we will not have to re-install nodejs requirements after part of the edx-platform repo was modified.
2020-07-25 22:11:30 +00:00
ENV PATH /openedx/venv/bin:./node_modules/.bin:/openedx/nodeenv/bin:${PATH}
ENV VIRTUAL_ENV /openedx/venv/
WORKDIR /openedx/edx-platform
# Re-install local requirements, otherwise egg-info folders are missing
RUN pip install -r requirements/edx/local.in
Fix assets generation in development webpack requires the NODE_ENV environment variable which is incorrectly set "paver update_assets" in development mode. To avoid this issue, we split update_assets into its subparts.
2018-11-20 10:24:34 +00:00
v14.0.0: upgrade to Nutmeg - 💥 [Feature] Upgrade to Nutmeg: (by @regisb) - 💥 [Feature] Persistent grades are now enabled by default. - [Bugfix] Remove edX references from bulk emails ([issue](https://github.com/openedx/build-test-release-wg/issues/100)). - [Improvement] For Tutor Nightly (and only Nightly), official plugins are now installed from their nightly branches on GitHub instead of a version range on PyPI. This will allow Nightly users to install all official plugins by running ``pip install -e ".[full]"``. - [Bugfix] Start MongoDB when running migrations, because a new data migration fails if MongoDB is not running
2022-04-11 15:26:17 +00:00
# Create folder that will store lms/cms.env.yml files, as well as
Stop the "ln -s" settings madness Creating soft links to files that do not exist is just madness, let's stop it. Instead, we take advantage of the CONFIG_ROOT environment variable, which allows to place lms/cms.env/auth.json files anywhere.
2018-12-25 23:24:01 +00:00
# the tutor-specific settings files.
RUN mkdir -p /openedx/config ./lms/envs/tutor ./cms/envs/tutor
feat: run all services as unprivileged containers With this change, containers are no longer run as "root" but as unprivileged users. This is necessary in some environments, notably some Kubernetes clusters. To make this possible, we need to manually fix bind-mounted volumes in docker-compose. This is pretty much equivalent to the behaviour in Kubernetes, where permissions are fixed at runtime if the volume owner is incorrect. Thus, we have a consistent behaviour between docker-compose and Kubernetes. We achieve this by bind-mounting some repos inside "*-permissions" services. These services run as root user on docker-compose and will fix the required permissions, as per build/permissions/setowner.sh These services simply do not run on Kubernetes, where we don't rely on bind-mounted volumes. There, we make use of Kubernete's built-in volume ownership feature. With this change, we get rid of the "openedx-dev" Docker image, in the sense that it no longer has its own Dockerfile. Instead, the dev image is now simply a different target in the multi-layer openedx Docker image. This makes it much faster to build the openedx-dev image. Because we declare the APP_USER_ID in the dev/docker-compose.yml file, we need to pass the user ID from the host there. The only way to achieve that is with a tutor config variable. The downside of this approach is that the dev/docker-compose.yml file is no longer portable from one machine to the next. We consider that this is not such a big issue, as it affects the development environment only. We take this opportunity to replace the base image of the "forum" image. There is now no need to re-install ruby inside the image. The total image size is only decreased by 10%, but re-building the image is faster. In order to run the smtp service as non-root, we switch from namshi/smtp to devture/exim-relay. This change should be backward-compatible. Note that the nginx container remains privileged. We could switch to nginxinc/nginx-unprivileged, but it's probably not worth the effort, as we are considering to get rid of the nginx container altogether. Close #323.
2021-09-23 10:04:19 +00:00
COPY --chown=app:app revisions.yml /openedx/config/
v14.0.0: upgrade to Nutmeg - 💥 [Feature] Upgrade to Nutmeg: (by @regisb) - 💥 [Feature] Persistent grades are now enabled by default. - [Bugfix] Remove edX references from bulk emails ([issue](https://github.com/openedx/build-test-release-wg/issues/100)). - [Improvement] For Tutor Nightly (and only Nightly), official plugins are now installed from their nightly branches on GitHub instead of a version range on PyPI. This will allow Nightly users to install all official plugins by running ``pip install -e ".[full]"``. - [Bugfix] Start MongoDB when running migrations, because a new data migration fails if MongoDB is not running
2022-04-11 15:26:17 +00:00
ENV LMS_CFG /openedx/config/lms.env.yml
ENV CMS_CFG /openedx/config/cms.env.yml
v10.0.0 Upgrade to Juniper (2020-06-15) Here, we upgrade the Open edX platform from Ironwood to Juniper. This upgrade does not come with many feature changes, but there are many technical improvements under the hood: - Upgrade from Python 2.7 to 3.5 - Upgrade from Mongodb v3.2 to v3.6 - Upgrade Ruby to 2.5.7 We took the opportunity to completely rething the way locally running platforms should be accessed for testing purposes. It is no longer possible to access a running platform from http://localhost and http://studio.localhost. Instead, users should access http://local.overhang.io and https://studio.local.overhang.io. This drastically simplifies internal communication between Docker containers. To upgrade, users should simply run: tutor local quickstart For Kubernetes platform, the upgrade process is outlined when running: tutor k8s upgrade --from=ironwood
2019-12-24 16:22:12 +00:00
ENV REVISION_CFG /openedx/config/revisions.yml
feat: run all services as unprivileged containers With this change, containers are no longer run as "root" but as unprivileged users. This is necessary in some environments, notably some Kubernetes clusters. To make this possible, we need to manually fix bind-mounted volumes in docker-compose. This is pretty much equivalent to the behaviour in Kubernetes, where permissions are fixed at runtime if the volume owner is incorrect. Thus, we have a consistent behaviour between docker-compose and Kubernetes. We achieve this by bind-mounting some repos inside "*-permissions" services. These services run as root user on docker-compose and will fix the required permissions, as per build/permissions/setowner.sh These services simply do not run on Kubernetes, where we don't rely on bind-mounted volumes. There, we make use of Kubernete's built-in volume ownership feature. With this change, we get rid of the "openedx-dev" Docker image, in the sense that it no longer has its own Dockerfile. Instead, the dev image is now simply a different target in the multi-layer openedx Docker image. This makes it much faster to build the openedx-dev image. Because we declare the APP_USER_ID in the dev/docker-compose.yml file, we need to pass the user ID from the host there. The only way to achieve that is with a tutor config variable. The downside of this approach is that the dev/docker-compose.yml file is no longer portable from one machine to the next. We consider that this is not such a big issue, as it affects the development environment only. We take this opportunity to replace the base image of the "forum" image. There is now no need to re-install ruby inside the image. The total image size is only decreased by 10%, but re-building the image is faster. In order to run the smtp service as non-root, we switch from namshi/smtp to devture/exim-relay. This change should be backward-compatible. Note that the nginx container remains privileged. We could switch to nginxinc/nginx-unprivileged, but it's probably not worth the effort, as we are considering to get rid of the nginx container altogether. Close #323.
2021-09-23 10:04:19 +00:00
COPY --chown=app:app settings/lms/*.py ./lms/envs/tutor/
COPY --chown=app:app settings/cms/*.py ./cms/envs/tutor/
Package static assets inside the openedx image This allows us to deploy much faster: all we have to do is to copy the assets from the container to the shared volume. We also changed the way themes are managed: similarly to static assets, they are now packaged inside the docker image.
2018-12-07 18:30:30 +00:00
Make it easy to add custom translation strings to edx-platform Users can now add custom translation strings to a locale folder at build time, very much in the same way as custom themes or requirements. This is quite convenient, although is does require quite a bit of time to rebuild the docker images.
2020-04-16 17:26:49 +00:00
# Copy user-specific locales to /openedx/locale/user/locale and compile them
feat: run all services as unprivileged containers With this change, containers are no longer run as "root" but as unprivileged users. This is necessary in some environments, notably some Kubernetes clusters. To make this possible, we need to manually fix bind-mounted volumes in docker-compose. This is pretty much equivalent to the behaviour in Kubernetes, where permissions are fixed at runtime if the volume owner is incorrect. Thus, we have a consistent behaviour between docker-compose and Kubernetes. We achieve this by bind-mounting some repos inside "*-permissions" services. These services run as root user on docker-compose and will fix the required permissions, as per build/permissions/setowner.sh These services simply do not run on Kubernetes, where we don't rely on bind-mounted volumes. There, we make use of Kubernete's built-in volume ownership feature. With this change, we get rid of the "openedx-dev" Docker image, in the sense that it no longer has its own Dockerfile. Instead, the dev image is now simply a different target in the multi-layer openedx Docker image. This makes it much faster to build the openedx-dev image. Because we declare the APP_USER_ID in the dev/docker-compose.yml file, we need to pass the user ID from the host there. The only way to achieve that is with a tutor config variable. The downside of this approach is that the dev/docker-compose.yml file is no longer portable from one machine to the next. We consider that this is not such a big issue, as it affects the development environment only. We take this opportunity to replace the base image of the "forum" image. There is now no need to re-install ruby inside the image. The total image size is only decreased by 10%, but re-building the image is faster. In order to run the smtp service as non-root, we switch from namshi/smtp to devture/exim-relay. This change should be backward-compatible. Note that the nginx container remains privileged. We could switch to nginxinc/nginx-unprivileged, but it's probably not worth the effort, as we are considering to get rid of the nginx container altogether. Close #323.
2021-09-23 10:04:19 +00:00
RUN mkdir /openedx/locale/user
COPY --chown=app:app ./locale/ /openedx/locale/user/locale/
Make it easy to add custom translation strings to edx-platform Users can now add custom translation strings to a locale folder at build time, very much in the same way as custom themes or requirements. This is quite convenient, although is does require quite a bit of time to rebuild the docker images.
2020-04-16 17:26:49 +00:00
RUN cd /openedx/locale/user && \
chore: resolve "deprecated django-admin.py is deprecated" warning See: https://docs.djangoproject.com/en/dev/internals/deprecation/#deprecation-removed-in-4-0
2022-02-21 11:07:57 +00:00
django-admin compilemessages -v1
Switch to multi-stage build for openedx image This reduces the size of the final image from 3.25Gb to 2.8Gb. Also, it should be faster to rebuild the image in most cases. For instance, we will not have to re-install nodejs requirements after part of the edx-platform repo was modified.
2020-07-25 22:11:30 +00:00
# Compile i18n strings: in some cases, js locales are not properly compiled out of the box
Add missing js translations to openedx Client-side translations are stored in "djangojs.js" files. Supposedly, these files were properly compiled prior to the Ironwood release -- but this is not the case, so we need to re-generate them. Also, we need to re-generate the djangojs.js files for the custom, downloaded locales. The assets collection settings are also fixed to take into account the separate locale folder. This step needs to happen prior to static assets collection, as the djangojs files are collected to the staticfiles/ folder. See these conversations: https://discuss.overhang.io/t/localization-not-works-perfect/363 https://discuss.openedx.org/t/localization-not-work-for-js-files/1671
2020-04-01 18:05:06 +00:00
# and we need to do a pass ourselves. Also, we need to compile the djangojs.js files for
# the downloaded locales.
RUN ./manage.py lms --settings=tutor.i18n compilejsi18n
RUN ./manage.py cms --settings=tutor.i18n compilejsi18n
Move scripts to dedicated folder in openedx image
2018-12-25 18:32:05 +00:00
# Copy scripts
feat: run all services as unprivileged containers With this change, containers are no longer run as "root" but as unprivileged users. This is necessary in some environments, notably some Kubernetes clusters. To make this possible, we need to manually fix bind-mounted volumes in docker-compose. This is pretty much equivalent to the behaviour in Kubernetes, where permissions are fixed at runtime if the volume owner is incorrect. Thus, we have a consistent behaviour between docker-compose and Kubernetes. We achieve this by bind-mounting some repos inside "*-permissions" services. These services run as root user on docker-compose and will fix the required permissions, as per build/permissions/setowner.sh These services simply do not run on Kubernetes, where we don't rely on bind-mounted volumes. There, we make use of Kubernete's built-in volume ownership feature. With this change, we get rid of the "openedx-dev" Docker image, in the sense that it no longer has its own Dockerfile. Instead, the dev image is now simply a different target in the multi-layer openedx Docker image. This makes it much faster to build the openedx-dev image. Because we declare the APP_USER_ID in the dev/docker-compose.yml file, we need to pass the user ID from the host there. The only way to achieve that is with a tutor config variable. The downside of this approach is that the dev/docker-compose.yml file is no longer portable from one machine to the next. We consider that this is not such a big issue, as it affects the development environment only. We take this opportunity to replace the base image of the "forum" image. There is now no need to re-install ruby inside the image. The total image size is only decreased by 10%, but re-building the image is faster. In order to run the smtp service as non-root, we switch from namshi/smtp to devture/exim-relay. This change should be backward-compatible. Note that the nginx container remains privileged. We could switch to nginxinc/nginx-unprivileged, but it's probably not worth the effort, as we are considering to get rid of the nginx container altogether. Close #323.
2021-09-23 10:04:19 +00:00
COPY --chown=app:app ./bin /openedx/bin
Fix assets collection in docker image "openedx-assets" script was not copied with the right permissions in the docker image.
2019-07-04 09:36:22 +00:00
RUN chmod a+x /openedx/bin/*
Move scripts to dedicated folder in openedx image
2018-12-25 18:32:05 +00:00
ENV PATH /openedx/bin:${PATH}
Make it possible to patch build templates Thus, build templates are no longer copied, but rendered.
2019-07-04 08:45:15 +00:00
{{ patch("openedx-dockerfile-pre-assets") }}
Package static assets inside the openedx image This allows us to deploy much faster: all we have to do is to copy the assets from the container to the shared volume. We also changed the way themes are managed: similarly to static assets, they are now packaged inside the docker image.
2018-12-07 18:30:30 +00:00
# Collect production assets. By default, only assets from the default theme
# will be processed. This makes the docker image lighter and faster to build.
Automatically build themes from openedx/themes No need for the THEMES variable.
2018-12-14 11:59:32 +00:00
# Only the custom themes added to /openedx/themes will be compiled.
Package static assets inside the openedx image This allows us to deploy much faster: all we have to do is to copy the assets from the container to the shared volume. We also changed the way themes are managed: similarly to static assets, they are now packaged inside the docker image.
2018-12-07 18:30:30 +00:00
# Here, we don't run "paver update_assets" which is slow, compiles all themes
# and requires a complex settings file. Instead, we decompose the commands
# and run each one individually to collect the production static assets to
Add openedx-assets command This is great for running a local webserver and watching theme changes in just two commands.
2018-12-24 07:54:32 +00:00
# /openedx/staticfiles.
Added config values for #gunicorn workers
2019-09-19 13:39:18 +00:00
ENV NO_PYTHON_UNINSTALL 1
v10.0.0 Upgrade to Juniper (2020-06-15) Here, we upgrade the Open edX platform from Ironwood to Juniper. This upgrade does not come with many feature changes, but there are many technical improvements under the hood: - Upgrade from Python 2.7 to 3.5 - Upgrade from Mongodb v3.2 to v3.6 - Upgrade Ruby to 2.5.7 We took the opportunity to completely rething the way locally running platforms should be accessed for testing purposes. It is no longer possible to access a running platform from http://localhost and http://studio.localhost. Instead, users should access http://local.overhang.io and https://studio.local.overhang.io. This drastically simplifies internal communication between Docker containers. To upgrade, users should simply run: tutor local quickstart For Kubernetes platform, the upgrade process is outlined when running: tutor k8s upgrade --from=ironwood
2019-12-24 16:22:12 +00:00
ENV NO_PREREQ_INSTALL 1
# We need to rely on a separate openedx-assets command to accelerate asset processing.
# For instance, we don't want to run all steps of asset collection every time the theme
# is modified.
Add openedx-assets command This is great for running a local webserver and watching theme changes in just two commands.
2018-12-24 07:54:32 +00:00
RUN openedx-assets xmodule \
&& openedx-assets npm \
&& openedx-assets webpack --env=prod \
&& openedx-assets common
feat: run all services as unprivileged containers With this change, containers are no longer run as "root" but as unprivileged users. This is necessary in some environments, notably some Kubernetes clusters. To make this possible, we need to manually fix bind-mounted volumes in docker-compose. This is pretty much equivalent to the behaviour in Kubernetes, where permissions are fixed at runtime if the volume owner is incorrect. Thus, we have a consistent behaviour between docker-compose and Kubernetes. We achieve this by bind-mounting some repos inside "*-permissions" services. These services run as root user on docker-compose and will fix the required permissions, as per build/permissions/setowner.sh These services simply do not run on Kubernetes, where we don't rely on bind-mounted volumes. There, we make use of Kubernete's built-in volume ownership feature. With this change, we get rid of the "openedx-dev" Docker image, in the sense that it no longer has its own Dockerfile. Instead, the dev image is now simply a different target in the multi-layer openedx Docker image. This makes it much faster to build the openedx-dev image. Because we declare the APP_USER_ID in the dev/docker-compose.yml file, we need to pass the user ID from the host there. The only way to achieve that is with a tutor config variable. The downside of this approach is that the dev/docker-compose.yml file is no longer portable from one machine to the next. We consider that this is not such a big issue, as it affects the development environment only. We take this opportunity to replace the base image of the "forum" image. There is now no need to re-install ruby inside the image. The total image size is only decreased by 10%, but re-building the image is faster. In order to run the smtp service as non-root, we switch from namshi/smtp to devture/exim-relay. This change should be backward-compatible. Note that the nginx container remains privileged. We could switch to nginxinc/nginx-unprivileged, but it's probably not worth the effort, as we are considering to get rid of the nginx container altogether. Close #323.
2021-09-23 10:04:19 +00:00
COPY --chown=app:app ./themes/ /openedx/themes/
Add openedx-assets command This is great for running a local webserver and watching theme changes in just two commands.
2018-12-24 07:54:32 +00:00
RUN openedx-assets themes \
Reduce openedx image size with static asset deduplication This is inspired from FUN's openedx-docker project: static files are de-duplicated with rdfind to reduce the uncompressed image size by 320Mb.
2020-09-01 17:14:30 +00:00
&& openedx-assets collect --settings=tutor.assets \
# De-duplicate static assets with symlinks
&& rdfind -makesymlinks true -followsymlinks true /openedx/staticfiles/
:sunrise:
2017-07-03 10:39:19 +00:00
Make data directories in openedx/xqueue containers These directories are not necessary per se, but they allow us to use our tutor settings without having to mount an external directory.
2019-06-07 06:53:33 +00:00
# Create a data directory, which might be used (or not)
RUN mkdir /openedx/data
Working stack: still some bugs to fix
2017-12-26 00:16:35 +00:00
# service variant is "lms" or "cms"
Working devstack This allows the user to run their own devstack inside the containers. Yay! Also, we handle file permissions cleanly: in docker-entrypoint.sh we chmod the data and edx-platform files to the same UID of the user on the host machine. No more permission headaches!
2018-04-09 17:16:58 +00:00
ENV SERVICE_VARIANT lms
refactor: get rid of the openedx Docker entrypoint The entrypoint in the "openedx" Docker image was used only to define the DJANGO_SETTINGS_MODULE environment variable, based on SERVICE_VARIANT and SETTINGS. We ditch SETTINGS in favour of defining explicitely DJANGO_SETTINGS_MODULE. The problem with the Docker entrypoint is that it was bypassed whenever we ran `tutor local exec` or `tutor k8s exec`. By removing it we make it simpler for end-users to run manage.py commands in kubernetes.
2022-04-12 14:07:48 +00:00
ENV DJANGO_SETTINGS_MODULE lms.envs.tutor.production
Working stack: still some bugs to fix
2017-12-26 00:16:35 +00:00
Make it possible to patch build templates Thus, build templates are no longer copied, but rendered.
2019-07-04 08:45:15 +00:00
{{ patch("openedx-dockerfile") }}
feat: run all services as unprivileged containers With this change, containers are no longer run as "root" but as unprivileged users. This is necessary in some environments, notably some Kubernetes clusters. To make this possible, we need to manually fix bind-mounted volumes in docker-compose. This is pretty much equivalent to the behaviour in Kubernetes, where permissions are fixed at runtime if the volume owner is incorrect. Thus, we have a consistent behaviour between docker-compose and Kubernetes. We achieve this by bind-mounting some repos inside "*-permissions" services. These services run as root user on docker-compose and will fix the required permissions, as per build/permissions/setowner.sh These services simply do not run on Kubernetes, where we don't rely on bind-mounted volumes. There, we make use of Kubernete's built-in volume ownership feature. With this change, we get rid of the "openedx-dev" Docker image, in the sense that it no longer has its own Dockerfile. Instead, the dev image is now simply a different target in the multi-layer openedx Docker image. This makes it much faster to build the openedx-dev image. Because we declare the APP_USER_ID in the dev/docker-compose.yml file, we need to pass the user ID from the host there. The only way to achieve that is with a tutor config variable. The downside of this approach is that the dev/docker-compose.yml file is no longer portable from one machine to the next. We consider that this is not such a big issue, as it affects the development environment only. We take this opportunity to replace the base image of the "forum" image. There is now no need to re-install ruby inside the image. The total image size is only decreased by 10%, but re-building the image is faster. In order to run the smtp service as non-root, we switch from namshi/smtp to devture/exim-relay. This change should be backward-compatible. Note that the nginx container remains privileged. We could switch to nginxinc/nginx-unprivileged, but it's probably not worth the effort, as we are considering to get rid of the nginx container altogether. Close #323.
2021-09-23 10:04:19 +00:00
EXPOSE 8000
###### Intermediate image with dev/test dependencies
FROM production as development
# Install useful system requirements (as root)
USER root
RUN apt update && \
apt install -y vim iputils-ping dnsutils telnet \
&& rm -rf /var/lib/apt/lists/*
USER app
# Install dev python requirements
RUN pip install -r requirements/edx/development.txt
RUN pip install ipdb==0.13.4 ipython==7.27.0
feat: default to ipdb as PYTHONBREAKPOINT PYTHONBREAKPOINT has been exposed as an environment variable in the openedx Dockerfile available to be changed in config.yml. The docs have also been changed to recommend using breakpoint and explaining how PYTHONBREAKPOINT can be modified to use a custom debugger. Close https://github.com/overhangio/2u-tutor-adoption/issues/45
2022-06-22 09:26:50 +00:00
# Add ipdb as default PYTHONBREAKPOINT
ENV PYTHONBREAKPOINT=ipdb.set_trace
feat: run all services as unprivileged containers With this change, containers are no longer run as "root" but as unprivileged users. This is necessary in some environments, notably some Kubernetes clusters. To make this possible, we need to manually fix bind-mounted volumes in docker-compose. This is pretty much equivalent to the behaviour in Kubernetes, where permissions are fixed at runtime if the volume owner is incorrect. Thus, we have a consistent behaviour between docker-compose and Kubernetes. We achieve this by bind-mounting some repos inside "*-permissions" services. These services run as root user on docker-compose and will fix the required permissions, as per build/permissions/setowner.sh These services simply do not run on Kubernetes, where we don't rely on bind-mounted volumes. There, we make use of Kubernete's built-in volume ownership feature. With this change, we get rid of the "openedx-dev" Docker image, in the sense that it no longer has its own Dockerfile. Instead, the dev image is now simply a different target in the multi-layer openedx Docker image. This makes it much faster to build the openedx-dev image. Because we declare the APP_USER_ID in the dev/docker-compose.yml file, we need to pass the user ID from the host there. The only way to achieve that is with a tutor config variable. The downside of this approach is that the dev/docker-compose.yml file is no longer portable from one machine to the next. We consider that this is not such a big issue, as it affects the development environment only. We take this opportunity to replace the base image of the "forum" image. There is now no need to re-install ruby inside the image. The total image size is only decreased by 10%, but re-building the image is faster. In order to run the smtp service as non-root, we switch from namshi/smtp to devture/exim-relay. This change should be backward-compatible. Note that the nginx container remains privileged. We could switch to nginxinc/nginx-unprivileged, but it's probably not worth the effort, as we are considering to get rid of the nginx container altogether. Close #323.
2021-09-23 10:04:19 +00:00
# Recompile static assets: in development mode all static assets are stored in edx-platform,
# and the location of these files is stored in webpack-stats.json. If we don't recompile
# static assets, then production assets will be served instead.
RUN rm -r /openedx/staticfiles && \
mkdir /openedx/staticfiles && \
openedx-assets webpack --env=dev
{{ patch("openedx-dev-dockerfile-post-python-requirements") }}
# Default django settings
refactor: get rid of the openedx Docker entrypoint The entrypoint in the "openedx" Docker image was used only to define the DJANGO_SETTINGS_MODULE environment variable, based on SERVICE_VARIANT and SETTINGS. We ditch SETTINGS in favour of defining explicitely DJANGO_SETTINGS_MODULE. The problem with the Docker entrypoint is that it was bypassed whenever we ran `tutor local exec` or `tutor k8s exec`. By removing it we make it simpler for end-users to run manage.py commands in kubernetes.
2022-04-12 14:07:48 +00:00
ENV DJANGO_SETTINGS_MODULE lms.envs.tutor.development
feat: run all services as unprivileged containers With this change, containers are no longer run as "root" but as unprivileged users. This is necessary in some environments, notably some Kubernetes clusters. To make this possible, we need to manually fix bind-mounted volumes in docker-compose. This is pretty much equivalent to the behaviour in Kubernetes, where permissions are fixed at runtime if the volume owner is incorrect. Thus, we have a consistent behaviour between docker-compose and Kubernetes. We achieve this by bind-mounting some repos inside "*-permissions" services. These services run as root user on docker-compose and will fix the required permissions, as per build/permissions/setowner.sh These services simply do not run on Kubernetes, where we don't rely on bind-mounted volumes. There, we make use of Kubernete's built-in volume ownership feature. With this change, we get rid of the "openedx-dev" Docker image, in the sense that it no longer has its own Dockerfile. Instead, the dev image is now simply a different target in the multi-layer openedx Docker image. This makes it much faster to build the openedx-dev image. Because we declare the APP_USER_ID in the dev/docker-compose.yml file, we need to pass the user ID from the host there. The only way to achieve that is with a tutor config variable. The downside of this approach is that the dev/docker-compose.yml file is no longer portable from one machine to the next. We consider that this is not such a big issue, as it affects the development environment only. We take this opportunity to replace the base image of the "forum" image. There is now no need to re-install ruby inside the image. The total image size is only decreased by 10%, but re-building the image is faster. In order to run the smtp service as non-root, we switch from namshi/smtp to devture/exim-relay. This change should be backward-compatible. Note that the nginx container remains privileged. We could switch to nginxinc/nginx-unprivileged, but it's probably not worth the effort, as we are considering to get rid of the nginx container altogether. Close #323.
2021-09-23 10:04:19 +00:00
CMD ./manage.py $SERVICE_VARIANT runserver 0.0.0.0:8000
###### Final image with production cmd
FROM production as final
:sunrise:
2017-07-03 10:39:19 +00:00
# Run server
v11.0.0 (2020-12-09) - 💥[Improvement] Upgrade Open edX to Koa - 💥 Setting changes: - The ``ACTIVATE_HTTPS`` setting was renamed to ``ENABLE_HTTPS``. - Other ``ACTIVATE_*`` variables were all renamed to ``RUN_*``. - The ``WEB_PROXY`` setting was removed and ``RUN_CADDY`` was added. - The ``NGINX_HTTPS_PORT`` setting is deprecated. - Architectural changes: - Use Caddy as a web proxy for automated SSL/TLS certificate generation: - Nginx no longer listens to port 443 for https traffic - The Caddy configuration file comes with a new ``caddyfile`` patch for much simpler SSL/TLS management. - Configuration files for web proxies are no longer provided. - Kubernetes deployment no longer requires setting up a custom Ingress resource or custom manager. - Gunicorn and Whitenoise are replaced by uwsgi: this increases boostrap performance and makes it no longer necessary to mount media folders in the Nginx container. - Replace memcached and rabbitmq by redis. - Additional features: - Make it possible to disable all plugins at once with ``plugins disable all``. - Add ``tutor k8s wait`` command to wait for a pod to become ready - Faster, more reliable static assets with local memory caching - Deprecation: proxy files for Apache and Nginx are no longer provided out of the box. - Removed plugin `{{ patch (...) }}` statements: - "https-create", "k8s-ingress-rules", "k8s-ingress-tls-hosts": these are no longer necessary. Instead, declare your app in the "caddyfile" patch. - "local-docker-compose-nginx-volumes": this patch was primarily used to serve media assets. The recommended is now to serve assets with uwsgi.
2020-09-17 10:53:14 +00:00
CMD uwsgi \
--static-map /static=/openedx/staticfiles/ \
--static-map /media=/openedx/media/ \
--http 0.0.0.0:8000 \
--thunder-lock \
--single-interpreter \
--enable-threads \
--processes=${UWSGI_WORKERS:-2} \
fix: 502 error on request to lms with large header According to [1], request to uwsgi with header larger than the default value 4096 will end up with below error as #426: invalid request block size: 4123 (max 4096)...skip hr_instance_read(): Connection reset by peer [plugins/http/http.c line 647] This commit fixes it by changing the maximum buffer size as 4096 Also: Similar issue was already identifed and fixed in [2] on tutor-ecommerce [1] https://uwsgi-docs.readthedocs.io/en/latest/ThingsToKnow.html [2] https://github.com/overhangio/tutor-ecommerce/commit/6df2c99362ee12239eb27b79455539411e4d479e Close #426
2021-04-30 08:56:39 +00:00
--buffer-size=8192 \
refactor: get rid of the openedx Docker entrypoint The entrypoint in the "openedx" Docker image was used only to define the DJANGO_SETTINGS_MODULE environment variable, based on SERVICE_VARIANT and SETTINGS. We ditch SETTINGS in favour of defining explicitely DJANGO_SETTINGS_MODULE. The problem with the Docker entrypoint is that it was bypassed whenever we ran `tutor local exec` or `tutor k8s exec`. By removing it we make it simpler for end-users to run manage.py commands in kubernetes.
2022-04-12 14:07:48 +00:00
--wsgi-file $SERVICE_VARIANT/wsgi.py
feat: patch for openedx-dockerfile-final
2022-05-26 01:36:22 +00:00
{{ patch("openedx-dockerfile-final") }}
Copy Permalink