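###### Minimal image with base system requirements for most stages
FROM docker.io/ubuntu:20.04 as minimal
LABEL maintainer="Overhang.io <contact@overhang.io>"

# Kept as ENV rather than a build ARG on purpose: ARGs are not inherited by
# derived stages, and several of them run their own apt install and must
# stay non-interactive.
ENV DEBIAN_FRONTEND=noninteractive

# apt-get (stable CLI) instead of apt; recommended packages are skipped, so
# ca-certificates (normally pulled in as a recommendation of libcurl) is
# listed explicitly for curl/git over HTTPS; the package lists are removed in
# the same layer so they do not persist in every derived image.
# Note that build-essential ends up in every stage derived from "minimal",
# including the production image.
RUN apt-get update && \
    apt-get install -y --no-install-recommends \
        build-essential \
        ca-certificates \
        curl \
        git \
        language-pack-en \
    && rm -rf /var/lib/apt/lists/*
ENV LC_ALL=en_US.UTF-8
{{ patch("openedx-dockerfile-minimal") }}
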
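###### Install python with pyenv in /opt/pyenv and create virtualenv in /openedx/venv
FROM minimal as python
# Build prerequisites for compiling CPython from source:
# https://github.com/pyenv/pyenv/wiki/Common-build-problems#prerequisites
RUN apt-get update && \
    apt-get install -y --no-install-recommends \
        curl \
        git \
        libbz2-dev \
        libffi-dev \
        liblzma-dev \
        libncurses5-dev \
        libncursesw5-dev \
        libreadline-dev \
        libsqlite3-dev \
        libssl-dev \
        llvm \
        python-openssl \
        tk-dev \
        wget \
        xz-utils \
        zlib1g-dev \
    && rm -rf /var/lib/apt/lists/*
ARG PYTHON_VERSION=3.8.12
ENV PYENV_ROOT=/opt/pyenv
# pyenv is pinned to a release tag; the shallow clone keeps the layer small.
RUN git clone https://github.com/pyenv/pyenv $PYENV_ROOT --branch v2.2.2 --depth 1
RUN $PYENV_ROOT/bin/pyenv install $PYTHON_VERSION
# The venv is what later stages copy into the final image; /opt/pyenv is
# copied as well because the venv's interpreter symlinks point into it.
RUN $PYENV_ROOT/versions/$PYTHON_VERSION/bin/python -m venv /openedx/venv
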
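###### Install Dockerize to wait for mysql DB availability
FROM minimal as dockerize
# https://github.com/powerman/dockerize/releases
ARG DOCKERIZE_VERSION=v0.16.0
# Optional sha256 of the release binary for this version and architecture
# (e.g. --build-arg DOCKERIZE_SHA256=<hex digest from the release page>).
# When set, the download is verified before it is installed; when left
# empty the build behaves as before and relies on TLS alone.
ARG DOCKERIZE_SHA256=""
# The binary name is derived from the machine architecture; aarch64 is
# mapped to arm64 to match the release asset names.
RUN dockerize_url="https://github.com/powerman/dockerize/releases/download/$DOCKERIZE_VERSION/dockerize-linux-$(uname -m | sed 's@aarch@arm@')" \
    && echo "Downloading dockerize from $dockerize_url" \
    && curl --fail --location --output /usr/local/bin/dockerize "$dockerize_url" \
    && if [ -n "$DOCKERIZE_SHA256" ]; then echo "$DOCKERIZE_SHA256  /usr/local/bin/dockerize" | sha256sum -c -; fi \
    && chmod a+x /usr/local/bin/dockerize
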
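###### Checkout edx-platform code
FROM minimal as code
ARG EDX_PLATFORM_REPOSITORY={{ EDX_PLATFORM_REPOSITORY }}
ARG EDX_PLATFORM_VERSION={{ EDX_PLATFORM_VERSION }}
# git clone creates the target directory (and its parents) itself, so no
# separate mkdir is needed. A single shallow ref keeps the layer small; note
# that a branch or tag name is a moving target, so a later rebuild may not
# check out the same tree.
RUN git clone "$EDX_PLATFORM_REPOSITORY" --branch "$EDX_PLATFORM_VERSION" --depth 1 /openedx/edx-platform
WORKDIR /openedx/edx-platform

# Identify tutor user to cherry-pick commits
RUN git config --global user.email "tutor@overhang.io" \
    && git config --global user.name "Tutor"

{% if patch("openedx-dockerfile-git-patches-default") %}
# Custom edx-platform patches
{{ patch("openedx-dockerfile-git-patches-default") }}
{% else %}
# Patch edx-platform. Each patch is fetched by its full commit sha, so the
# content that is cherry-picked is fixed even if the remote branch moves.
# Fix forum notification for questions
# https://github.com/openedx/edx-platform/pull/29611
RUN git fetch --depth=2 https://github.com/open-craft/edx-platform/ 03731f19459e558f188c06aac5cc9ca1bbc675c2 && git cherry-pick 03731f19459e558f188c06aac5cc9ca1bbc675c2
# SAML security fix
# https://github.com/overhangio/edx-platform/tree/overhangio/sec-fix-saml-vulnerability
RUN git fetch --depth=2 https://github.com/overhangio/edx-platform/ 3b985f207853e88090d68a81acd52866b71f5af7 && git cherry-pick 3b985f207853e88090d68a81acd52866b71f5af7
{% endif %}

{# Example: RUN git fetch --depth=2 https://github.com/openedx/edx-platform <GITSHA1> && git cherry-pick <GITSHA1> #}
{{ patch("openedx-dockerfile-post-git-checkout") }}
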
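###### Download extra locales to /openedx/locale/contrib/locale
FROM minimal as locales
ARG OPENEDX_I18N_VERSION={{ OPENEDX_COMMON_VERSION }}
# WORKDIR replaces the "cd /tmp" that used to open the RUN chain below.
WORKDIR /tmp
# --fail makes curl exit non-zero on an HTTP error instead of saving the
# error page as the archive, which would otherwise only surface in tar.
# The archive is addressed by a ref name, not a digest, so its content is
# not verified beyond the TLS connection.
RUN curl --fail --location --output openedx-i18n.tar.gz "https://github.com/openedx/openedx-i18n/archive/$OPENEDX_I18N_VERSION.tar.gz" \
    && tar xzf /tmp/openedx-i18n.tar.gz \
    && mkdir -p /openedx/locale/contrib \
    && mv openedx-i18n-*/edx-platform/locale /openedx/locale/contrib \
    && rm -rf openedx-i18n*
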
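###### Install python requirements in virtualenv
FROM python as python-requirements
ENV PATH=/openedx/venv/bin:${PATH}
ENV VIRTUAL_ENV=/openedx/venv/

# Native headers needed while building some of the python requirements below.
RUN apt-get update && \
    apt-get install -y --no-install-recommends \
        libgeos-dev \
        libmysqlclient-dev \
        libxmlsec1-dev \
        software-properties-common \
    && rm -rf /var/lib/apt/lists/*

# Note that this means that we need to reinstall all requirements whenever there is a
# change in edx-platform, which sucks. But there is no obvious alternative, as we need
# to install some packages from edx-platform.
COPY --from=code /openedx/edx-platform /openedx/edx-platform
WORKDIR /openedx/edx-platform

# Install the right version of pip/setuptools
RUN pip install setuptools==44.1.0 pip==20.0.2 wheel==0.34.2

# Install base requirements
RUN pip install -r ./requirements/edx/base.txt

# Install django-redis for using redis as a django cache
RUN pip install django-redis==4.12.1

# Install uwsgi
RUN pip install uwsgi==2.0.20

{{ patch("openedx-dockerfile-post-python-requirements") }}

# Install private requirements: this is useful for installing custom xblocks.
# private.txt is created if absent so the install is a no-op by default. The
# "cd" is kept inside the RUN: pip resolves relative paths in a requirements
# file against the working directory, and WORKDIR stays on edx-platform.
COPY ./requirements/ /openedx/requirements
RUN cd /openedx/requirements/ \
    && touch ./private.txt \
    && pip install -r ./private.txt

{% for extra_requirements in OPENEDX_EXTRA_PIP_REQUIREMENTS %}RUN pip install '{{ extra_requirements }}'
{% endfor %}
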
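###### Install nodejs with nodeenv in /openedx/nodeenv
FROM python as nodejs-requirements
ENV PATH=/openedx/nodeenv/bin:/openedx/venv/bin:${PATH}

# Install nodeenv with the version provided by edx-platform
RUN pip install nodeenv==1.6.0
RUN nodeenv /openedx/nodeenv --node=12.13.0 --prebuilt

# Install nodejs requirements
ARG NPM_REGISTRY={{ NPM_REGISTRY }}
COPY --from=code /openedx/edx-platform/package.json /openedx/edx-platform/package.json
WORKDIR /openedx/edx-platform
# Only package.json is copied, so versions are resolved at build time from
# $NPM_REGISTRY rather than from a lockfile; two builds may therefore not
# install the same dependency tree.
RUN npm install --verbose --registry=$NPM_REGISTRY
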
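###### Production image with system and python requirements
FROM minimal as production

# Install system requirements (runtime libraries for the python packages and
# tools used by the asset pipeline further down). Recommended packages are
# deliberately not excluded here, to keep the runtime package set unchanged.
# NOTE(review): ntp ships a time daemon; nothing visible in this file starts
# it — confirm it is still needed.
RUN apt-get update && \
    apt-get install -y \
        gettext \
        gfortran \
        graphviz \
        graphviz-dev \
        libffi-dev \
        libfreetype6-dev \
        libgeos-dev \
        libjpeg8-dev \
        liblapack-dev \
        libmysqlclient-dev \
        libpng-dev \
        libsqlite3-dev \
        libxmlsec1-dev \
        lynx \
        ntp \
        pkg-config \
        rdfind \
    && rm -rf /var/lib/apt/lists/*
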
feat: run all services as unprivileged containers
With this change, containers are no longer run as "root" but as unprivileged
users. This is necessary in some environments, notably some Kubernetes
clusters.
To make this possible, we need to manually fix bind-mounted volumes in
docker-compose. This is pretty much equivalent to the behaviour in Kubernetes,
where permissions are fixed at runtime if the volume owner is incorrect. Thus,
we have a consistent behaviour between docker-compose and Kubernetes.
We achieve this by bind-mounting some repos inside "*-permissions" services.
These services run as root user on docker-compose and will fix the required
permissions, as per build/permissions/setowner.sh These services simply do not
run on Kubernetes, where we don't rely on bind-mounted volumes. There, we make
use of Kubernetes' built-in volume ownership feature.
With this change, we get rid of the "openedx-dev" Docker image, in the sense
that it no longer has its own Dockerfile. Instead, the dev image is now simply
a different target in the multi-layer openedx Docker image. This makes it much
faster to build the openedx-dev image.
Because we declare the APP_USER_ID in the dev/docker-compose.yml file, we need
to pass the user ID from the host there. The only way to achieve that is with a
tutor config variable. The downside of this approach is that the
dev/docker-compose.yml file is no longer portable from one machine to the next.
We consider that this is not such a big issue, as it affects the development
environment only.
We take this opportunity to replace the base image of the "forum" image. There
is now no need to re-install ruby inside the image. The total image size is
only decreased by 10%, but re-building the image is faster.
In order to run the smtp service as non-root, we switch from namshi/smtp to
devture/exim-relay. This change should be backward-compatible.
Note that the nginx container remains privileged. We could switch to
nginxinc/nginx-unprivileged, but it's probably not worth the effort, as we are
considering to get rid of the nginx container altogether.
Close #323.
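# From then on, run as unprivileged "app" user
ARG APP_USER_ID=1000
RUN useradd --home-dir /openedx --create-home --shell /bin/bash --uid ${APP_USER_ID} app
# The numeric UID (rather than the name) is used so runtimes that enforce
# non-root execution can verify it without resolving /etc/passwd.
USER ${APP_USER_ID}

# dockerize is copied without --chown, so it stays root-owned and is not
# writable by the "app" user at run time.
COPY --from=dockerize /usr/local/bin/dockerize /usr/local/bin/dockerize
COPY --chown=app:app --from=code /openedx/edx-platform /openedx/edx-platform
COPY --chown=app:app --from=locales /openedx/locale /openedx/locale
COPY --chown=app:app --from=python /opt/pyenv /opt/pyenv
COPY --chown=app:app --from=python-requirements /openedx/venv /openedx/venv
COPY --chown=app:app --from=python-requirements /openedx/requirements /openedx/requirements
COPY --chown=app:app --from=nodejs-requirements /openedx/nodeenv /openedx/nodeenv
COPY --chown=app:app --from=nodejs-requirements /openedx/edx-platform/node_modules /openedx/edx-platform/node_modules

# node_modules/.bin is referenced by its absolute path: a relative PATH entry
# ("./node_modules/.bin") would resolve against whatever the current directory
# happens to be when a command runs, not against edx-platform.
ENV PATH=/openedx/venv/bin:/openedx/edx-platform/node_modules/.bin:/openedx/nodeenv/bin:${PATH}
ENV VIRTUAL_ENV=/openedx/venv/
WORKDIR /openedx/edx-platform

# Re-install local requirements, otherwise egg-info folders are missing.
# --no-cache-dir: this runs as "app" inside the final image, so a pip cache
# would otherwise be left under the app home directory.
RUN pip install --no-cache-dir -r requirements/edx/local.in

# Create folder that will store lms/cms.env.json files, as well as
# the tutor-specific settings files.
RUN mkdir -p /openedx/config ./lms/envs/tutor ./cms/envs/tutor
COPY --chown=app:app revisions.yml /openedx/config/
ENV LMS_CFG=/openedx/config/lms.env.json
ENV STUDIO_CFG=/openedx/config/cms.env.json
ENV REVISION_CFG=/openedx/config/revisions.yml
COPY --chown=app:app settings/lms/*.py ./lms/envs/tutor/
COPY --chown=app:app settings/cms/*.py ./cms/envs/tutor/

# Copy user-specific locales to /openedx/locale/user/locale and compile them
RUN mkdir /openedx/locale/user
COPY --chown=app:app ./locale/ /openedx/locale/user/locale/
# compilemessages works relative to the current directory, hence the cd.
RUN cd /openedx/locale/user && \
    django-admin compilemessages -v1

# Compile i18n strings: in some cases, js locales are not properly compiled out of the box
# and we need to do a pass ourselves. Also, we need to compile the djangojs.js files for
# the downloaded locales.
RUN ./manage.py lms --settings=tutor.i18n compilejsi18n
RUN ./manage.py cms --settings=tutor.i18n compilejsi18n

# Copy scripts
COPY --chown=app:app ./bin /openedx/bin
RUN chmod a+x /openedx/bin/*
ENV PATH=/openedx/bin:${PATH}

{{ patch("openedx-dockerfile-pre-assets") }}

# Collect production assets. By default, only assets from the default theme
# will be processed. This makes the docker image lighter and faster to build.
# Only the custom themes added to /openedx/themes will be compiled.
# Here, we don't run "paver update_assets" which is slow, compiles all themes
# and requires a complex settings file. Instead, we decompose the commands
# and run each one individually to collect the production static assets to
# /openedx/staticfiles.
ENV NO_PYTHON_UNINSTALL=1
ENV NO_PREREQ_INSTALL=1
# We need to rely on a separate openedx-assets command to accelerate asset processing.
# For instance, we don't want to run all steps of asset collection every time the theme
# is modified.
RUN openedx-assets xmodule \
    && openedx-assets npm \
    && openedx-assets webpack --env=prod \
    && openedx-assets common
COPY --chown=app:app ./themes/ /openedx/themes/
RUN openedx-assets themes \
    && openedx-assets collect --settings=tutor.assets \
    # De-duplicate static assets with symlinks
    && rdfind -makesymlinks true -followsymlinks true /openedx/staticfiles/

# Create a data directory, which might be used (or not)
RUN mkdir /openedx/data

# service variant is "lms" or "cms"
ENV SERVICE_VARIANT=lms
ENV SETTINGS=tutor.production

{{ patch("openedx-dockerfile") }}

# Entrypoint will set right environment variables
ENTRYPOINT ["docker-entrypoint.sh"]
EXPOSE 8000
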
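###### Intermediate image with dev/test dependencies
FROM production as development

# Install useful system requirements (as root)
USER root
RUN apt-get update && \
    apt-get install -y --no-install-recommends \
        dnsutils \
        iputils-ping \
        telnet \
        vim \
    && rm -rf /var/lib/apt/lists/*
# Drop privileges again; the "app" user was created in the production stage.
USER app

# Install dev python requirements. --no-cache-dir keeps the pip cache out of
# the image, since these run as "app" whose home is inside the image.
RUN pip install --no-cache-dir -r requirements/edx/development.txt
RUN pip install --no-cache-dir ipdb==0.13.4 ipython==7.27.0

# Recompile static assets: in development mode all static assets are stored in edx-platform,
# and the location of these files is stored in webpack-stats.json. If we don't recompile
# static assets, then production assets will be served instead.
RUN rm -r /openedx/staticfiles && \
    mkdir /openedx/staticfiles && \
    openedx-assets webpack --env=dev

{{ patch("openedx-dev-dockerfile-post-python-requirements") }}

# Default django settings
ENV SETTINGS=tutor.development

# Shell form is needed to expand $SERVICE_VARIANT; "exec" makes the server
# replace the shell so it receives signals directly.
CMD exec ./manage.py $SERVICE_VARIANT runserver 0.0.0.0:8000
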
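###### Final image with production cmd
FROM production as final

# Run server. Shell form is required for the ${...} expansions; "exec" makes
# uwsgi replace the shell so it is the process that receives SIGTERM, and
# --die-on-term makes uwsgi shut down on SIGTERM (its default reaction is a
# reload), which is what "docker stop" and orchestrators expect.
CMD exec uwsgi \
    --static-map /static=/openedx/staticfiles/ \
    --static-map /media=/openedx/media/ \
    --http 0.0.0.0:8000 \
    --thunder-lock \
    --single-interpreter \
    --enable-threads \
    --processes=${UWSGI_WORKERS:-2} \
    --buffer-size=8192 \
    --die-on-term \
    --wsgi-file ${SERVICE_VARIANT}/wsgi.py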