christianlight/tutor
7
0
Fork 0
mirror of https://github.com/ChristianLight/tutor.git synced 2024-06-01 13:50:47 +00:00
Code Issues Releases Activity
71e469174f
tutor/tutor/templates/build/openedx/Dockerfile

317 lines
13 KiB
Docker
Raw Normal View History

feat!: assume BuildKit is available
2023-10-27 08:54:23 +00:00
# syntax=docker/dockerfile:1.4
Switch to multi-stage build for openedx image This reduces the size of the final image from 3.25Gb to 2.8Gb. Also, it should be faster to rebuild the image in most cases. For instance, we will not have to re-install nodejs requirements after part of the edx-platform repo was modified.
2020-07-25 22:11:30 +00:00
###### Minimal image with base system requirements for most stages
v11.0.0 (2020-12-09) - 💥[Improvement] Upgrade Open edX to Koa - 💥 Setting changes: - The ``ACTIVATE_HTTPS`` setting was renamed to ``ENABLE_HTTPS``. - Other ``ACTIVATE_*`` variables were all renamed to ``RUN_*``. - The ``WEB_PROXY`` setting was removed and ``RUN_CADDY`` was added. - The ``NGINX_HTTPS_PORT`` setting is deprecated. - Architectural changes: - Use Caddy as a web proxy for automated SSL/TLS certificate generation: - Nginx no longer listens to port 443 for https traffic - The Caddy configuration file comes with a new ``caddyfile`` patch for much simpler SSL/TLS management. - Configuration files for web proxies are no longer provided. - Kubernetes deployment no longer requires setting up a custom Ingress resource or custom manager. - Gunicorn and Whitenoise are replaced by uwsgi: this increases boostrap performance and makes it no longer necessary to mount media folders in the Nginx container. - Replace memcached and rabbitmq by redis. - Additional features: - Make it possible to disable all plugins at once with ``plugins disable all``. - Add ``tutor k8s wait`` command to wait for a pod to become ready - Faster, more reliable static assets with local memory caching - Deprecation: proxy files for Apache and Nginx are no longer provided out of the box. - Removed plugin `{{ patch (...) }}` statements: - "https-create", "k8s-ingress-rules", "k8s-ingress-tls-hosts": these are no longer necessary. Instead, declare your app in the "caddyfile" patch. - "local-docker-compose-nginx-volumes": this patch was primarily used to serve media assets. The recommended is now to serve assets with uwsgi.
2020-09-17 10:53:14 +00:00
FROM docker.io/ubuntu:20.04 as minimal
improvement: use LABEL instead of MAINTAINER in Dockerfile see https://docs.docker.com/engine/reference/builder/#maintainer-deprecated
2022-01-18 13:08:38 +00:00
LABEL maintainer="Overhang.io <contact@overhang.io>"
:sunrise:
2017-07-03 10:39:19 +00:00
v11.0.0 (2020-12-09) - 💥[Improvement] Upgrade Open edX to Koa - 💥 Setting changes: - The ``ACTIVATE_HTTPS`` setting was renamed to ``ENABLE_HTTPS``. - Other ``ACTIVATE_*`` variables were all renamed to ``RUN_*``. - The ``WEB_PROXY`` setting was removed and ``RUN_CADDY`` was added. - The ``NGINX_HTTPS_PORT`` setting is deprecated. - Architectural changes: - Use Caddy as a web proxy for automated SSL/TLS certificate generation: - Nginx no longer listens to port 443 for https traffic - The Caddy configuration file comes with a new ``caddyfile`` patch for much simpler SSL/TLS management. - Configuration files for web proxies are no longer provided. - Kubernetes deployment no longer requires setting up a custom Ingress resource or custom manager. - Gunicorn and Whitenoise are replaced by uwsgi: this increases boostrap performance and makes it no longer necessary to mount media folders in the Nginx container. - Replace memcached and rabbitmq by redis. - Additional features: - Make it possible to disable all plugins at once with ``plugins disable all``. - Add ``tutor k8s wait`` command to wait for a pod to become ready - Faster, more reliable static assets with local memory caching - Deprecation: proxy files for Apache and Nginx are no longer provided out of the box. - Removed plugin `{{ patch (...) }}` statements: - "https-create", "k8s-ingress-rules", "k8s-ingress-tls-hosts": these are no longer necessary. Instead, declare your app in the "caddyfile" patch. - "local-docker-compose-nginx-volumes": this patch was primarily used to serve media assets. The recommended is now to serve assets with uwsgi.
2020-09-17 10:53:14 +00:00
ENV DEBIAN_FRONTEND=noninteractive
feat!: assume BuildKit is available
2023-10-27 08:54:23 +00:00
RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
--mount=type=cache,target=/var/lib/apt,sharing=locked \
feat: leverage `RUN --mount` for faster image building We make use of the Docker build cache to install python and nodejs requirements faster in the case of repeated builds. This feature is only possible for users of BuildKit, so we detect whether `docker buildx` is available at runtime. We do not make use of `COPY --link` because the `--link` option is incompatible with `--chown=app:app`: https://github.com/docker/buildx/issues/1408 For reference, see: https://www.docker.com/blog/dockerfiles-now-support-multiple-build-contexts/ https://docs.docker.com/engine/reference/commandline/buildx_build/#build-context
2023-04-03 18:44:15 +00:00
apt update && \
Switch to multi-stage build for openedx image This reduces the size of the final image from 3.25Gb to 2.8Gb. Also, it should be faster to rebuild the image in most cases. For instance, we will not have to re-install nodejs requirements after part of the edx-platform repo was modified.
2020-07-25 22:11:30 +00:00
apt install -y build-essential curl git language-pack-en
v10.0.0 Upgrade to Juniper (2020-06-15) Here, we upgrade the Open edX platform from Ironwood to Juniper. This upgrade does not come with many feature changes, but there are many technical improvements under the hood: - Upgrade from Python 2.7 to 3.5 - Upgrade from Mongodb v3.2 to v3.6 - Upgrade Ruby to 2.5.7 We took the opportunity to completely rething the way locally running platforms should be accessed for testing purposes. It is no longer possible to access a running platform from http://localhost and http://studio.localhost. Instead, users should access http://local.overhang.io and https://studio.local.overhang.io. This drastically simplifies internal communication between Docker containers. To upgrade, users should simply run: tutor local quickstart For Kubernetes platform, the upgrade process is outlined when running: tutor k8s upgrade --from=ironwood
2019-12-24 16:22:12 +00:00
ENV LC_ALL en_US.UTF-8
dockerfile patch added in the minimal section
2022-03-11 14:24:32 +00:00
{{ patch("openedx-dockerfile-minimal") }}
v10.0.0 Upgrade to Juniper (2020-06-15) Here, we upgrade the Open edX platform from Ironwood to Juniper. This upgrade does not come with many feature changes, but there are many technical improvements under the hood: - Upgrade from Python 2.7 to 3.5 - Upgrade from Mongodb v3.2 to v3.6 - Upgrade Ruby to 2.5.7 We took the opportunity to completely rething the way locally running platforms should be accessed for testing purposes. It is no longer possible to access a running platform from http://localhost and http://studio.localhost. Instead, users should access http://local.overhang.io and https://studio.local.overhang.io. This drastically simplifies internal communication between Docker containers. To upgrade, users should simply run: tutor local quickstart For Kubernetes platform, the upgrade process is outlined when running: tutor k8s upgrade --from=ironwood
2019-12-24 16:22:12 +00:00
Switch to multi-stage build for openedx image This reduces the size of the final image from 3.25Gb to 2.8Gb. Also, it should be faster to rebuild the image in most cases. For instance, we will not have to re-install nodejs requirements after part of the edx-platform repo was modified.
2020-07-25 22:11:30 +00:00
###### Install python with pyenv in /opt/pyenv and create virtualenv in /openedx/venv
FROM minimal as python
# https://github.com/pyenv/pyenv/wiki/Common-build-problems#prerequisites
feat!: assume BuildKit is available
2023-10-27 08:54:23 +00:00
RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
--mount=type=cache,target=/var/lib/apt,sharing=locked \
apt update && \
run apt update before installing deps
2020-10-16 21:22:02 +00:00
apt install -y libssl-dev zlib1g-dev libbz2-dev \
Switch to multi-stage build for openedx image This reduces the size of the final image from 3.25Gb to 2.8Gb. Also, it should be faster to rebuild the image in most cases. For instance, we will not have to re-install nodejs requirements after part of the edx-platform repo was modified.
2020-07-25 22:11:30 +00:00
libreadline-dev libsqlite3-dev wget curl llvm libncurses5-dev libncursesw5-dev \
xz-utils tk-dev libffi-dev liblzma-dev python-openssl git
feat: leverage `RUN --mount` for faster image building We make use of the Docker build cache to install python and nodejs requirements faster in the case of repeated builds. This feature is only possible for users of BuildKit, so we detect whether `docker buildx` is available at runtime. We do not make use of `COPY --link` because the `--link` option is incompatible with `--chown=app:app`: https://github.com/docker/buildx/issues/1408 For reference, see: https://www.docker.com/blog/dockerfiles-now-support-multiple-build-contexts/ https://docs.docker.com/engine/reference/commandline/buildx_build/#build-context
2023-04-03 18:44:15 +00:00
# Install pyenv
feat: upgrade to Palm Among other changes: ORA2 file uploads were stored in a folder named "SET-ME-PLEASE (ex. bucket-name)" (sigh). With this change, the folder should be automatically renamed to "openedxuploads". This issue has been occuring since June 2019... (sigh²) Close #707
2023-04-12 08:35:00 +00:00
# https://www.python.org/downloads/
feat: leverage `RUN --mount` for faster image building We make use of the Docker build cache to install python and nodejs requirements faster in the case of repeated builds. This feature is only possible for users of BuildKit, so we detect whether `docker buildx` is available at runtime. We do not make use of `COPY --link` because the `--link` option is incompatible with `--chown=app:app`: https://github.com/docker/buildx/issues/1408 For reference, see: https://www.docker.com/blog/dockerfiles-now-support-multiple-build-contexts/ https://docs.docker.com/engine/reference/commandline/buildx_build/#build-context
2023-04-03 18:44:15 +00:00
# https://github.com/pyenv/pyenv/releases
feat: upgrade to Palm Among other changes: ORA2 file uploads were stored in a folder named "SET-ME-PLEASE (ex. bucket-name)" (sigh). With this change, the folder should be automatically renamed to "openedxuploads". This issue has been occuring since June 2019... (sigh²) Close #707
2023-04-12 08:35:00 +00:00
ARG PYTHON_VERSION=3.8.15
v10.0.0 Upgrade to Juniper (2020-06-15) Here, we upgrade the Open edX platform from Ironwood to Juniper. This upgrade does not come with many feature changes, but there are many technical improvements under the hood: - Upgrade from Python 2.7 to 3.5 - Upgrade from Mongodb v3.2 to v3.6 - Upgrade Ruby to 2.5.7 We took the opportunity to completely rething the way locally running platforms should be accessed for testing purposes. It is no longer possible to access a running platform from http://localhost and http://studio.localhost. Instead, users should access http://local.overhang.io and https://studio.local.overhang.io. This drastically simplifies internal communication between Docker containers. To upgrade, users should simply run: tutor local quickstart For Kubernetes platform, the upgrade process is outlined when running: tutor k8s upgrade --from=ironwood
2019-12-24 16:22:12 +00:00
ENV PYENV_ROOT /opt/pyenv
feat: upgrade to Palm Among other changes: ORA2 file uploads were stored in a folder named "SET-ME-PLEASE (ex. bucket-name)" (sigh). With this change, the folder should be automatically renamed to "openedxuploads". This issue has been occuring since June 2019... (sigh²) Close #707
2023-04-12 08:35:00 +00:00
RUN git clone https://github.com/pyenv/pyenv $PYENV_ROOT --branch v2.3.17 --depth 1
feat: leverage `RUN --mount` for faster image building We make use of the Docker build cache to install python and nodejs requirements faster in the case of repeated builds. This feature is only possible for users of BuildKit, so we detect whether `docker buildx` is available at runtime. We do not make use of `COPY --link` because the `--link` option is incompatible with `--chown=app:app`: https://github.com/docker/buildx/issues/1408 For reference, see: https://www.docker.com/blog/dockerfiles-now-support-multiple-build-contexts/ https://docs.docker.com/engine/reference/commandline/buildx_build/#build-context
2023-04-03 18:44:15 +00:00
# Install Python
Switch to multi-stage build for openedx image This reduces the size of the final image from 3.25Gb to 2.8Gb. Also, it should be faster to rebuild the image in most cases. For instance, we will not have to re-install nodejs requirements after part of the edx-platform repo was modified.
2020-07-25 22:11:30 +00:00
RUN $PYENV_ROOT/bin/pyenv install $PYTHON_VERSION
feat: leverage `RUN --mount` for faster image building We make use of the Docker build cache to install python and nodejs requirements faster in the case of repeated builds. This feature is only possible for users of BuildKit, so we detect whether `docker buildx` is available at runtime. We do not make use of `COPY --link` because the `--link` option is incompatible with `--chown=app:app`: https://github.com/docker/buildx/issues/1408 For reference, see: https://www.docker.com/blog/dockerfiles-now-support-multiple-build-contexts/ https://docs.docker.com/engine/reference/commandline/buildx_build/#build-context
2023-04-03 18:44:15 +00:00
# Create virtualenv
v11.0.0 (2020-12-09) - 💥[Improvement] Upgrade Open edX to Koa - 💥 Setting changes: - The ``ACTIVATE_HTTPS`` setting was renamed to ``ENABLE_HTTPS``. - Other ``ACTIVATE_*`` variables were all renamed to ``RUN_*``. - The ``WEB_PROXY`` setting was removed and ``RUN_CADDY`` was added. - The ``NGINX_HTTPS_PORT`` setting is deprecated. - Architectural changes: - Use Caddy as a web proxy for automated SSL/TLS certificate generation: - Nginx no longer listens to port 443 for https traffic - The Caddy configuration file comes with a new ``caddyfile`` patch for much simpler SSL/TLS management. - Configuration files for web proxies are no longer provided. - Kubernetes deployment no longer requires setting up a custom Ingress resource or custom manager. - Gunicorn and Whitenoise are replaced by uwsgi: this increases boostrap performance and makes it no longer necessary to mount media folders in the Nginx container. - Replace memcached and rabbitmq by redis. - Additional features: - Make it possible to disable all plugins at once with ``plugins disable all``. - Add ``tutor k8s wait`` command to wait for a pod to become ready - Faster, more reliable static assets with local memory caching - Deprecation: proxy files for Apache and Nginx are no longer provided out of the box. - Removed plugin `{{ patch (...) }}` statements: - "https-create", "k8s-ingress-rules", "k8s-ingress-tls-hosts": these are no longer necessary. Instead, declare your app in the "caddyfile" patch. - "local-docker-compose-nginx-volumes": this patch was primarily used to serve media assets. The recommended is now to serve assets with uwsgi.
2020-09-17 10:53:14 +00:00
RUN $PYENV_ROOT/versions/$PYTHON_VERSION/bin/python -m venv /openedx/venv
:sunrise:
2017-07-03 10:39:19 +00:00
Switch to multi-stage build for openedx image This reduces the size of the final image from 3.25Gb to 2.8Gb. Also, it should be faster to rebuild the image in most cases. For instance, we will not have to re-install nodejs requirements after part of the edx-platform repo was modified.
2020-07-25 22:11:30 +00:00
###### Checkout edx-platform code
FROM minimal as code
feat: Make the platform repository and NPM registry configurable from config.yml Previously, the only way for Tutor users to use a fork of edx-platform or a custom NPM registry was to use build args during the image build. This is suboptimal in the case of automatically building images from CI pipelines, which may want to auto-detect when an image needs to be rebuilt based on config.yml changes. In addition, the EDX_PLATFORM_VERSION build argument can already be set via a corresponding config.yml parameter (OPENEDX_COMMON_VERSION), so it's reasonable to follow that precedent and also introduce config.yml parameters to correspond with the EDX_PLATFORM_REPOSITORY and NPM_REGISTRY build arguments. Thus, introduce two new configuration parameters: - EDX_PLATFORM_REPOSITORY - NPM_REGISTRY These parameters can now optionally be used instead of the aforementioned build args.
2022-03-25 08:04:26 +00:00
ARG EDX_PLATFORM_REPOSITORY={{ EDX_PLATFORM_REPOSITORY }}
fix: Correct EDX_PLATFORM_VERSION default for local edx-platform forks PR #619 set the EDX_PLATFORM_VERSION build arg's default to OPENEDX_COMMON_VERSION. While this works fine for setting a non-default branch to run edx code from (say, "master"), it may break if the user sets OPENEDX_COMMON_VERSION to a branch or tag name that does not exist upstream in repositories *other than* EDX_PLATFORM_REPOSITORY. Thus, introduce a separate configuration parameter, EDX_PLATFORM_VERSION, to match the build arg of the same name. Set its default to OPENEDX_COMMON_VERSION. This way, the user can deploy an arbitrarily-named fork of edx-platform, while retaining the default OPENEDX_COMMON_VERSION (like, for example "open-release/maple.3") for everything else.
2022-04-13 09:15:35 +00:00
ARG EDX_PLATFORM_VERSION={{ EDX_PLATFORM_VERSION }}
Migrate openedx-docker project to Tutor :woman_teacher: The project gets a new name and some proper documentation. Build/Deploy are now properly separated.
2018-12-03 18:59:09 +00:00
RUN mkdir -p /openedx/edx-platform && \
git clone $EDX_PLATFORM_REPOSITORY --branch $EDX_PLATFORM_VERSION --depth 1 /openedx/edx-platform
WORKDIR /openedx/edx-platform
:sunrise:
2017-07-03 10:39:19 +00:00
improvement: use `git am` instead of `cherry-pick`
2022-06-16 12:51:12 +00:00
# Identify tutor user to apply patches using git
feat: cleaner git tree in openedx Docker image With "git patch", the resulting source tree was dirty, showing uncommitted changes. Here, we replace "git patch" with "git cherry-pick". We avoid pulling the entire remote repo by fetching individual commits. To do that, we need to assign an identity to the git user.
2021-09-09 14:23:11 +00:00
RUN git config --global user.email "tutor@overhang.io" \
&& git config --global user.name "Tutor"
sec: apply rate limiting security fix
2022-04-20 17:05:06 +00:00
{%- if patch("openedx-dockerfile-git-patches-default") %}
feat: upgrade to open-release/lilac.master One of the breaking changes of this release is the removal of the webui and android features; these are moved to dedicated plugins. This causes a breaking change: the renaming of the DOCKER_IMAGE_ANDROID config variable to ANDROID_DOCKER_IMAGE. See this TEP for reference: https://discuss.overhang.io/t/separate-webui-and-android-from-tutor-core-and-move-to-dedicated-plugins/1473
2021-04-13 20:14:43 +00:00
# Custom edx-platform patches
feat: Conditional edx-platform patching During Docker images build process, apply custom edx-platform patches when tutor patch 'openedx-dockerfile-git-patches-default' is defined or apply current release patches in other case. It avoids possible conflicts between the actually used edx-platform version and the current release patches.
2021-04-14 17:57:22 +00:00
{{ patch("openedx-dockerfile-git-patches-default") }}
sec: apply rate limiting security fix
2022-04-20 17:05:06 +00:00
{%- else %}
v10.0.0 Upgrade to Juniper (2020-06-15) Here, we upgrade the Open edX platform from Ironwood to Juniper. This upgrade does not come with many feature changes, but there are many technical improvements under the hood: - Upgrade from Python 2.7 to 3.5 - Upgrade from Mongodb v3.2 to v3.6 - Upgrade Ruby to 2.5.7 We took the opportunity to completely rething the way locally running platforms should be accessed for testing purposes. It is no longer possible to access a running platform from http://localhost and http://studio.localhost. Instead, users should access http://local.overhang.io and https://studio.local.overhang.io. This drastically simplifies internal communication between Docker containers. To upgrade, users should simply run: tutor local quickstart For Kubernetes platform, the upgrade process is outlined when running: tutor k8s upgrade --from=ironwood
2019-12-24 16:22:12 +00:00
# Patch edx-platform
sec: apply rate limiting security fix
2022-04-20 17:05:06 +00:00
{%- endif %}
Apply XSS certificate vulnerability patch https://github.com/edx/edx-platform/pull/20904 https://groups.google.com/forum/#!msg/openedx-ops/fi2WVlD0iNo/hFZrAnLpCAAJ
2019-07-04 22:27:28 +00:00
feat: upgrade to Palm Among other changes: ORA2 file uploads were stored in a folder named "SET-ME-PLEASE (ex. bucket-name)" (sigh). With this change, the folder should be automatically renamed to "openedxuploads". This issue has been occuring since June 2019... (sigh²) Close #707
2023-04-12 08:35:00 +00:00
{# Example: RUN curl -fsSL https://github.com/openedx/edx-platform/commit/<GITSHA1>.patch | git am #}
feat: add "openedx-dockerfile-post-git-checkout" patch This will be convenient for plugins which need to patch edx-platform.
2021-09-09 14:25:07 +00:00
{{ patch("openedx-dockerfile-post-git-checkout") }}
feat: leverage `RUN --mount` for faster image building We make use of the Docker build cache to install python and nodejs requirements faster in the case of repeated builds. This feature is only possible for users of BuildKit, so we detect whether `docker buildx` is available at runtime. We do not make use of `COPY --link` because the `--link` option is incompatible with `--chown=app:app`: https://github.com/docker/buildx/issues/1408 For reference, see: https://www.docker.com/blog/dockerfiles-now-support-multiple-build-contexts/ https://docs.docker.com/engine/reference/commandline/buildx_build/#build-context
2023-04-03 18:44:15 +00:00
##### Empty layer with just the repo at the root.
# This is useful when overriding the build context with a host repo:
# docker build --build-context edx-platform=/path/to/edx-platform
FROM scratch as edx-platform
COPY --from=code /openedx/edx-platform /
feat: auto-mount edx-platform python requirements These changes make to possible to run: tutor mounts add /path/to/my-xblock The xblock directory with then be auto-magically bind-mounted in the "openedx" image at build time, and the lms*/cms* containers at run time. This makes it effectively possible to work as a developer on edx-platform requirements. We take the opportunity to move some openedx-specific code to a dedicated module. Close https://github.com/openedx/wg-developer-experience/issues/177
2023-09-04 17:08:15 +00:00
{# Create empty layers for all bind-mounted directories #}
{% for name in iter_mounted_directories(MOUNTS, "openedx") %}
FROM scratch as mnt-{{ name }}
{% endfor %}
Switch to multi-stage build for openedx image This reduces the size of the final image from 3.25Gb to 2.8Gb. Also, it should be faster to rebuild the image in most cases. For instance, we will not have to re-install nodejs requirements after part of the edx-platform repo was modified.
2020-07-25 22:11:30 +00:00
###### Download extra locales to /openedx/locale/contrib/locale
FROM minimal as locales
feat: upgrade i18n openedx strings to nutmeg.2 Strings could not be pulled from transifex because the file names were incorrect. This is now fixed and we are now able to pull the i18n strings from the nutmeg.2 tag.
2022-08-30 09:17:37 +00:00
ARG OPENEDX_I18N_VERSION={{ OPENEDX_COMMON_VERSION }}
Package static assets inside the openedx image This allows us to deploy much faster: all we have to do is to copy the assets from the container to the shared volume. We also changed the way themes are managed: similarly to static assets, they are now packaged inside the docker image.
2018-12-07 18:30:30 +00:00
RUN cd /tmp \
feat: upgrade all services to open-release/koa.3 We remove security patches and custom fixes which are now part of koa.3. We take the opportunity to make it possible to build the openedx Docker image without relying on a corresponding openedx-i18n repo tag: often, we want to test whether the image simply builds successfully, and we don't need up-to-date translations. For those cases, it's now possible to pass the `-a OPENEDX_I18N_VERSION=oldertag` build argument.
2021-04-07 21:47:52 +00:00
&& curl -L -o openedx-i18n.tar.gz https://github.com/openedx/openedx-i18n/archive/$OPENEDX_I18N_VERSION.tar.gz \
Package static assets inside the openedx image This allows us to deploy much faster: all we have to do is to copy the assets from the container to the shared volume. We also changed the way themes are managed: similarly to static assets, they are now packaged inside the docker image.
2018-12-07 18:30:30 +00:00
&& tar xzf /tmp/openedx-i18n.tar.gz \
Make it easy to add custom translation strings to edx-platform Users can now add custom translation strings to a locale folder at build time, very much in the same way as custom themes or requirements. This is quite convenient, although is does require quite a bit of time to rebuild the docker images.
2020-04-16 17:26:49 +00:00
&& mkdir -p /openedx/locale/contrib \
feat: upgrade all services to open-release/koa.3 We remove security patches and custom fixes which are now part of koa.3. We take the opportunity to make it possible to build the openedx Docker image without relying on a corresponding openedx-i18n repo tag: often, we want to test whether the image simply builds successfully, and we don't need up-to-date translations. For those cases, it's now possible to pass the `-a OPENEDX_I18N_VERSION=oldertag` build argument.
2021-04-07 21:47:52 +00:00
&& mv openedx-i18n-*/edx-platform/locale /openedx/locale/contrib \
Package static assets inside the openedx image This allows us to deploy much faster: all we have to do is to copy the assets from the container to the shared volume. We also changed the way themes are managed: similarly to static assets, they are now packaged inside the docker image.
2018-12-07 18:30:30 +00:00
&& rm -rf openedx-i18n*
Switch to multi-stage build for openedx image This reduces the size of the final image from 3.25Gb to 2.8Gb. Also, it should be faster to rebuild the image in most cases. For instance, we will not have to re-install nodejs requirements after part of the edx-platform repo was modified.
2020-07-25 22:11:30 +00:00
###### Install python requirements in virtualenv
FROM python as python-requirements
Install python requirements in venv in docker image Installing the requirements in a virtualenv is necessary to run "pip install ..." commands in development mode, when the USERID is != 0.
2019-03-09 16:51:25 +00:00
ENV PATH /openedx/venv/bin:${PATH}
ENV VIRTUAL_ENV /openedx/venv/
feat: leverage `RUN --mount` for faster image building We make use of the Docker build cache to install python and nodejs requirements faster in the case of repeated builds. This feature is only possible for users of BuildKit, so we detect whether `docker buildx` is available at runtime. We do not make use of `COPY --link` because the `--link` option is incompatible with `--chown=app:app`: https://github.com/docker/buildx/issues/1408 For reference, see: https://www.docker.com/blog/dockerfiles-now-support-multiple-build-contexts/ https://docs.docker.com/engine/reference/commandline/buildx_build/#build-context
2023-04-03 18:44:15 +00:00
ENV XDG_CACHE_HOME /openedx/.cache
Switch to multi-stage build for openedx image This reduces the size of the final image from 3.25Gb to 2.8Gb. Also, it should be faster to rebuild the image in most cases. For instance, we will not have to re-install nodejs requirements after part of the edx-platform repo was modified.
2020-07-25 22:11:30 +00:00
feat!: assume BuildKit is available
2023-10-27 08:54:23 +00:00
RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
--mount=type=cache,target=/var/lib/apt,sharing=locked \
apt update \
feat: leverage `RUN --mount` for faster image building We make use of the Docker build cache to install python and nodejs requirements faster in the case of repeated builds. This feature is only possible for users of BuildKit, so we detect whether `docker buildx` is available at runtime. We do not make use of `COPY --link` because the `--link` option is incompatible with `--chown=app:app`: https://github.com/docker/buildx/issues/1408 For reference, see: https://www.docker.com/blog/dockerfiles-now-support-multiple-build-contexts/ https://docs.docker.com/engine/reference/commandline/buildx_build/#build-context
2023-04-03 18:44:15 +00:00
&& apt install -y software-properties-common libmysqlclient-dev libxmlsec1-dev libgeos-dev
Switch to multi-stage build for openedx image This reduces the size of the final image from 3.25Gb to 2.8Gb. Also, it should be faster to rebuild the image in most cases. For instance, we will not have to re-install nodejs requirements after part of the edx-platform repo was modified.
2020-07-25 22:11:30 +00:00
# Install the right version of pip/setuptools
feat!: assume BuildKit is available
2023-10-27 08:54:23 +00:00
RUN --mount=type=cache,target=/openedx/.cache/pip,sharing=shared \
pip install \
feat: leverage `RUN --mount` for faster image building We make use of the Docker build cache to install python and nodejs requirements faster in the case of repeated builds. This feature is only possible for users of BuildKit, so we detect whether `docker buildx` is available at runtime. We do not make use of `COPY --link` because the `--link` option is incompatible with `--chown=app:app`: https://github.com/docker/buildx/issues/1408 For reference, see: https://www.docker.com/blog/dockerfiles-now-support-multiple-build-contexts/ https://docs.docker.com/engine/reference/commandline/buildx_build/#build-context
2023-04-03 18:44:15 +00:00
# https://pypi.org/project/setuptools/
# https://pypi.org/project/pip/
# https://pypi.org/project/wheel/
setuptools==67.6.1 pip==23.0.1. wheel==0.40.0
Switch to multi-stage build for openedx image This reduces the size of the final image from 3.25Gb to 2.8Gb. Also, it should be faster to rebuild the image in most cases. For instance, we will not have to re-install nodejs requirements after part of the edx-platform repo was modified.
2020-07-25 22:11:30 +00:00
fix: build error caused by removed py2neo package On Oct. 10, py2neo package was abruptly removed from pypi, GitHub, and the py2neo website now displays just a super funny meme: https://py2neo.org/ Yes, we should get rid of that dependency, but we are still supposed to support existing users. So we install py2neo from our fork.
2023-10-10 09:32:50 +00:00
# Install missing py2neo package that was abruptly trimmed from pypi
RUN pip install https://github.com/overhangio/py2neo/releases/download/2021.2.3/py2neo-2021.2.3.tar.gz
Switch to multi-stage build for openedx image This reduces the size of the final image from 3.25Gb to 2.8Gb. Also, it should be faster to rebuild the image in most cases. For instance, we will not have to re-install nodejs requirements after part of the edx-platform repo was modified.
2020-07-25 22:11:30 +00:00
# Install base requirements
feat!: assume BuildKit is available
2023-10-27 08:54:23 +00:00
RUN --mount=type=bind,from=edx-platform,source=/requirements/edx/base.txt,target=/openedx/edx-platform/requirements/edx/base.txt \
--mount=type=cache,target=/openedx/.cache/pip,sharing=shared \
pip install -r /openedx/edx-platform/requirements/edx/base.txt
:sunrise:
2017-07-03 10:39:19 +00:00
feat: leverage `RUN --mount` for faster image building We make use of the Docker build cache to install python and nodejs requirements faster in the case of repeated builds. This feature is only possible for users of BuildKit, so we detect whether `docker buildx` is available at runtime. We do not make use of `COPY --link` because the `--link` option is incompatible with `--chown=app:app`: https://github.com/docker/buildx/issues/1408 For reference, see: https://www.docker.com/blog/dockerfiles-now-support-multiple-build-contexts/ https://docs.docker.com/engine/reference/commandline/buildx_build/#build-context
2023-04-03 18:44:15 +00:00
# Install extra requirements
feat!: assume BuildKit is available
2023-10-27 08:54:23 +00:00
RUN --mount=type=cache,target=/openedx/.cache/pip,sharing=shared \
pip install \
feat: leverage `RUN --mount` for faster image building We make use of the Docker build cache to install python and nodejs requirements faster in the case of repeated builds. This feature is only possible for users of BuildKit, so we detect whether `docker buildx` is available at runtime. We do not make use of `COPY --link` because the `--link` option is incompatible with `--chown=app:app`: https://github.com/docker/buildx/issues/1408 For reference, see: https://www.docker.com/blog/dockerfiles-now-support-multiple-build-contexts/ https://docs.docker.com/engine/reference/commandline/buildx_build/#build-context
2023-04-03 18:44:15 +00:00
# Use redis as a django cache https://pypi.org/project/django-redis/
django-redis==5.2.0 \
# uwsgi server https://pypi.org/project/uWSGI/
uwsgi==2.0.21
Serve static assets with whitenoise instead of nginx This drastically simplifies volume management, as it is no longer necessary to manually copy static assets from the docker image to the bind-mounted volume. This deprecates the "k8s-deployments-nginx-init-containers" patch, as we no longer need to init the nginx container. Plugins are encouraged to start using whitenoise as well for serving static assets. TODO: - test media serving: DOES NOT WORK. Whitenoise was designed to serve a fixed list of static files. Godammit. - compare performances
2020-01-21 15:30:16 +00:00
feat: openedx Dockerfile python requirements extension patch Add patches to extend python requirements installation process in openedx and openedx-dev Dockerfiles
2021-04-07 13:24:29 +00:00
{{ patch("openedx-dockerfile-post-python-requirements") }}
Switch to multi-stage build for openedx image This reduces the size of the final image from 3.25Gb to 2.8Gb. Also, it should be faster to rebuild the image in most cases. For instance, we will not have to re-install nodejs requirements after part of the edx-platform repo was modified.
2020-07-25 22:11:30 +00:00
# Install private requirements: this is useful for installing custom xblocks.
COPY ./requirements/ /openedx/requirements
feat!: assume BuildKit is available
2023-10-27 08:54:23 +00:00
RUN --mount=type=cache,target=/openedx/.cache/pip,sharing=shared \
cd /openedx/requirements/ \
Switch to multi-stage build for openedx image This reduces the size of the final image from 3.25Gb to 2.8Gb. Also, it should be faster to rebuild the image in most cases. For instance, we will not have to re-install nodejs requirements after part of the edx-platform repo was modified.
2020-07-25 22:11:30 +00:00
&& touch ./private.txt \
&& pip install -r ./private.txt
feat!: assume BuildKit is available
2023-10-27 08:54:23 +00:00
{% for extra_requirements in OPENEDX_EXTRA_PIP_REQUIREMENTS %}
RUN --mount=type=cache,target=/openedx/.cache/pip,sharing=shared \
pip install '{{ extra_requirements }}'
feat: allow to specify extra pip packages in config Added OPENEDX_EXTRA_PIP_REQUIREMENTS setting, which allows to specify extra pip packages that should be installed. Moved "openedx-scorm-xblock" package from Dockerfile to the new setting in the config.yml.
2021-11-17 18:37:35 +00:00
{% endfor %}
Switch to multi-stage build for openedx image This reduces the size of the final image from 3.25Gb to 2.8Gb. Also, it should be faster to rebuild the image in most cases. For instance, we will not have to re-install nodejs requirements after part of the edx-platform repo was modified.
2020-07-25 22:11:30 +00:00
###### Install nodejs with nodeenv in /openedx/nodeenv
FROM python as nodejs-requirements
ENV PATH /openedx/nodeenv/bin:/openedx/venv/bin:${PATH}
# Install nodeenv with the version provided by edx-platform
feat: upgrade to olive
2022-11-22 12:53:29 +00:00
# https://github.com/openedx/edx-platform/blob/master/requirements/edx/base.txt
feat: upgrade to Palm Among other changes: ORA2 file uploads were stored in a folder named "SET-ME-PLEASE (ex. bucket-name)" (sigh). With this change, the folder should be automatically renamed to "openedxuploads". This issue has been occuring since June 2019... (sigh²) Close #707
2023-04-12 08:35:00 +00:00
# https://github.com/pyenv/pyenv/releases
chore: upgrade nodeenv to fix nodejs install We upgrade nodeenv as an attempt to fix incomplete reads. From time to time we face the following error: #67 [linux/amd64 nodejs-requirements 2/4] RUN nodeenv /openedx/nodeenv --node=16.14.0 --prebuilt #67 0.338 * Install prebuilt node (16.14.0) .Incomplete read while readingfrom https://nodejs.org/download/release/v16.14.0/node-v16.14.0-linux-x64.tar.gz #67 204.1 . #67 204.1 Traceback (most recent call last): #67 204.1 File "/openedx/venv/bin/nodeenv", line 8, in <module> #67 204.1 sys.exit(main()) #67 204.1 File "/openedx/venv/lib/python3.8/site-packages/nodeenv.py", line 1104, in main #67 204.1 create_environment(env_dir, args) #67 204.1 File "/openedx/venv/lib/python3.8/site-packages/nodeenv.py", line 980, in create_environment #67 204.1 install_node(env_dir, src_dir, args) #67 204.1 File "/openedx/venv/lib/python3.8/site-packages/nodeenv.py", line 739, in install_node #67 204.1 install_node_wrapped(env_dir, src_dir, args) #67 204.1 File "/openedx/venv/lib/python3.8/site-packages/nodeenv.py", line 762, in install_node_wrapped #67 204.1 download_node_src(node_url, src_dir, args) #67 204.1 File "/openedx/venv/lib/python3.8/site-packages/nodeenv.py", line 602, in download_node_src #67 204.1 with ctx as archive: #67 204.1 File "/opt/pyenv/versions/3.8.15/lib/python3.8/contextlib.py", line 113, in __enter__ #67 204.1 return next(self.gen) #67 204.1 File "/openedx/venv/lib/python3.8/site-packages/nodeenv.py", line 573, in tarfile_open #67 204.1 tf = tarfile.open(*args, **kwargs) #67 204.1 File "/opt/pyenv/versions/3.8.15/lib/python3.8/tarfile.py", line 1601, in open #67 204.1 saved_pos = fileobj.tell() #67 204.1 AttributeError: 'bytes' object has no attribute 'tell' This change was added to 1.8.0 as an attempt to resolve the issue: https://github.com/ekalinin/nodeenv/pull/329 We are not sure it will work every time, but it can't hurt.
2023-09-13 09:01:04 +00:00
RUN pip install nodeenv==1.8.0
chore: upgrade to node 16 in openedx Docker image
2022-06-03 16:38:59 +00:00
RUN nodeenv /openedx/nodeenv --node=16.14.0 --prebuilt
Upgrade node to 5.5.1 in openedx image
2018-12-25 23:08:06 +00:00
Remove redundancy in dependency install Full dependency install is replaced by just nodejs dependency install, which should considerably accelerate the build step. This closes #2. Kudos to @sampaccoud for suggesting this!
2018-02-07 07:22:04 +00:00
# Install nodejs requirements
feat: Make the platform repository and NPM registry configurable from config.yml Previously, the only way for Tutor users to use a fork of edx-platform or a custom NPM registry was to use build args during the image build. This is suboptimal in the case of automatically building images from CI pipelines, which may want to auto-detect when an image needs to be rebuilt based on config.yml changes. In addition, the EDX_PLATFORM_VERSION build argument can already be set via a corresponding config.yml parameter (OPENEDX_COMMON_VERSION), so it's reasonable to follow that precedent and also introduce config.yml parameters to correspond with the EDX_PLATFORM_REPOSITORY and NPM_REGISTRY build arguments. Thus, introduce two new configuration parameters: - EDX_PLATFORM_REPOSITORY - NPM_REGISTRY These parameters can now optionally be used instead of the aforementioned build args.
2022-03-25 08:04:26 +00:00
ARG NPM_REGISTRY={{ NPM_REGISTRY }}
Switch to multi-stage build for openedx image This reduces the size of the final image from 3.25Gb to 2.8Gb. Also, it should be faster to rebuild the image in most cases. For instance, we will not have to re-install nodejs requirements after part of the edx-platform repo was modified.
2020-07-25 22:11:30 +00:00
WORKDIR /openedx/edx-platform
feat!: assume BuildKit is available
2023-10-27 08:54:23 +00:00
RUN --mount=type=bind,from=edx-platform,source=/package.json,target=/openedx/edx-platform/package.json \
feat: leverage `RUN --mount` for faster image building We make use of the Docker build cache to install python and nodejs requirements faster in the case of repeated builds. This feature is only possible for users of BuildKit, so we detect whether `docker buildx` is available at runtime. We do not make use of `COPY --link` because the `--link` option is incompatible with `--chown=app:app`: https://github.com/docker/buildx/issues/1408 For reference, see: https://www.docker.com/blog/dockerfiles-now-support-multiple-build-contexts/ https://docs.docker.com/engine/reference/commandline/buildx_build/#build-context
2023-04-03 18:44:15 +00:00
--mount=type=bind,from=edx-platform,source=/package-lock.json,target=/openedx/edx-platform/package-lock.json \
fix: copy-node-modules error with buildx
2023-07-21 10:00:25 +00:00
--mount=type=bind,from=edx-platform,source=/scripts/copy-node-modules.sh,target=/openedx/edx-platform/scripts/copy-node-modules.sh \
feat!: assume BuildKit is available
2023-10-27 08:54:23 +00:00
--mount=type=cache,target=/root/.npm,sharing=shared \
npm clean-install --no-audit --registry=$NPM_REGISTRY
:sunrise:
2017-07-03 10:39:19 +00:00
Switch to multi-stage build for openedx image This reduces the size of the final image from 3.25Gb to 2.8Gb. Also, it should be faster to rebuild the image in most cases. For instance, we will not have to re-install nodejs requirements after part of the edx-platform repo was modified.
2020-07-25 22:11:30 +00:00
###### Production image with system and python requirements
FROM minimal as production
# Install system requirements
feat!: assume BuildKit is available
2023-10-27 08:54:23 +00:00
RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
--mount=type=cache,target=/var/lib/apt,sharing=locked \
apt update \
feat: leverage `RUN --mount` for faster image building We make use of the Docker build cache to install python and nodejs requirements faster in the case of repeated builds. This feature is only possible for users of BuildKit, so we detect whether `docker buildx` is available at runtime. We do not make use of `COPY --link` because the `--link` option is incompatible with `--chown=app:app`: https://github.com/docker/buildx/issues/1408 For reference, see: https://www.docker.com/blog/dockerfiles-now-support-multiple-build-contexts/ https://docs.docker.com/engine/reference/commandline/buildx_build/#build-context
2023-04-03 18:44:15 +00:00
&& apt install -y gettext gfortran graphviz graphviz-dev libffi-dev libfreetype6-dev libgeos-dev libjpeg8-dev liblapack-dev libmysqlclient-dev libpng-dev libsqlite3-dev libxmlsec1-dev lynx mysql-client ntp pkg-config rdfind
Switch to multi-stage build for openedx image This reduces the size of the final image from 3.25Gb to 2.8Gb. Also, it should be faster to rebuild the image in most cases. For instance, we will not have to re-install nodejs requirements after part of the edx-platform repo was modified.
2020-07-25 22:11:30 +00:00
feat: run all services as unprivileged containers With this change, containers are no longer run as "root" but as unprivileged users. This is necessary in some environments, notably some Kubernetes clusters. To make this possible, we need to manually fix bind-mounted volumes in docker-compose. This is pretty much equivalent to the behaviour in Kubernetes, where permissions are fixed at runtime if the volume owner is incorrect. Thus, we have a consistent behaviour between docker-compose and Kubernetes. We achieve this by bind-mounting some repos inside "*-permissions" services. These services run as root user on docker-compose and will fix the required permissions, as per build/permissions/setowner.sh These services simply do not run on Kubernetes, where we don't rely on bind-mounted volumes. There, we make use of Kubernete's built-in volume ownership feature. With this change, we get rid of the "openedx-dev" Docker image, in the sense that it no longer has its own Dockerfile. Instead, the dev image is now simply a different target in the multi-layer openedx Docker image. This makes it much faster to build the openedx-dev image. Because we declare the APP_USER_ID in the dev/docker-compose.yml file, we need to pass the user ID from the host there. The only way to achieve that is with a tutor config variable. The downside of this approach is that the dev/docker-compose.yml file is no longer portable from one machine to the next. We consider that this is not such a big issue, as it affects the development environment only. We take this opportunity to replace the base image of the "forum" image. There is now no need to re-install ruby inside the image. The total image size is only decreased by 10%, but re-building the image is faster. In order to run the smtp service as non-root, we switch from namshi/smtp to devture/exim-relay. This change should be backward-compatible. Note that the nginx container remains privileged. We could switch to nginxinc/nginx-unprivileged, but it's probably not worth the effort, as we are considering to get rid of the nginx container altogether. Close #323.
2021-09-23 10:04:19 +00:00
# From then on, run as unprivileged "app" user
fix: build openedx-dev image when host user is root Sometimes, the host user is root: this may happen when tutor is run with "sudo" (which is not recommended) or on Windows. In such cases, building the image should not fail, but default to a reasonable user. Also, when we pass an invalid APP_USER_ID as a build arg, then we should fail with an explicit message. See this conversation: https://discuss.overhang.io/t/problem-with-dev-image-build-useradd-uid-0-is-not-unique/2406
2022-07-04 08:40:52 +00:00
# Note that this must always be different from root (APP_USER_ID=0)
feat: run all services as unprivileged containers With this change, containers are no longer run as "root" but as unprivileged users. This is necessary in some environments, notably some Kubernetes clusters. To make this possible, we need to manually fix bind-mounted volumes in docker-compose. This is pretty much equivalent to the behaviour in Kubernetes, where permissions are fixed at runtime if the volume owner is incorrect. Thus, we have a consistent behaviour between docker-compose and Kubernetes. We achieve this by bind-mounting some repos inside "*-permissions" services. These services run as root user on docker-compose and will fix the required permissions, as per build/permissions/setowner.sh These services simply do not run on Kubernetes, where we don't rely on bind-mounted volumes. There, we make use of Kubernete's built-in volume ownership feature. With this change, we get rid of the "openedx-dev" Docker image, in the sense that it no longer has its own Dockerfile. Instead, the dev image is now simply a different target in the multi-layer openedx Docker image. This makes it much faster to build the openedx-dev image. Because we declare the APP_USER_ID in the dev/docker-compose.yml file, we need to pass the user ID from the host there. The only way to achieve that is with a tutor config variable. The downside of this approach is that the dev/docker-compose.yml file is no longer portable from one machine to the next. We consider that this is not such a big issue, as it affects the development environment only. We take this opportunity to replace the base image of the "forum" image. There is now no need to re-install ruby inside the image. The total image size is only decreased by 10%, but re-building the image is faster. In order to run the smtp service as non-root, we switch from namshi/smtp to devture/exim-relay. This change should be backward-compatible. Note that the nginx container remains privileged. We could switch to nginxinc/nginx-unprivileged, but it's probably not worth the effort, as we are considering to get rid of the nginx container altogether. Close #323.
2021-09-23 10:04:19 +00:00
ARG APP_USER_ID=1000
fix: build openedx-dev image when host user is root Sometimes, the host user is root: this may happen when tutor is run with "sudo" (which is not recommended) or on Windows. In such cases, building the image should not fail, but default to a reasonable user. Also, when we pass an invalid APP_USER_ID as a build arg, then we should fail with an explicit message. See this conversation: https://discuss.overhang.io/t/problem-with-dev-image-build-useradd-uid-0-is-not-unique/2406
2022-07-04 08:40:52 +00:00
RUN if [ "$APP_USER_ID" = 0 ]; then echo "app user may not be root" && false; fi
fix: 600GB openedx-dev image on macOS On macOS, building the "openedx-dev" Docker image resulted in an image that required more than 600 GB of disk space. This was due to the `adduser` command which was called with a user ID of 2x10⁹ (on macOS only). This resulted in a very large /var/log/faillog file, hence the image size. Related upstream discussion: https://github.com/moby/moby/issues/5419 Close https://github.com/openedx/wg-developer-experience/issues/178
2023-10-11 08:02:03 +00:00
RUN useradd --no-log-init --home-dir /openedx --create-home --shell /bin/bash --uid ${APP_USER_ID} app
feat: run all services as unprivileged containers With this change, containers are no longer run as "root" but as unprivileged users. This is necessary in some environments, notably some Kubernetes clusters. To make this possible, we need to manually fix bind-mounted volumes in docker-compose. This is pretty much equivalent to the behaviour in Kubernetes, where permissions are fixed at runtime if the volume owner is incorrect. Thus, we have a consistent behaviour between docker-compose and Kubernetes. We achieve this by bind-mounting some repos inside "*-permissions" services. These services run as root user on docker-compose and will fix the required permissions, as per build/permissions/setowner.sh These services simply do not run on Kubernetes, where we don't rely on bind-mounted volumes. There, we make use of Kubernete's built-in volume ownership feature. With this change, we get rid of the "openedx-dev" Docker image, in the sense that it no longer has its own Dockerfile. Instead, the dev image is now simply a different target in the multi-layer openedx Docker image. This makes it much faster to build the openedx-dev image. Because we declare the APP_USER_ID in the dev/docker-compose.yml file, we need to pass the user ID from the host there. The only way to achieve that is with a tutor config variable. The downside of this approach is that the dev/docker-compose.yml file is no longer portable from one machine to the next. We consider that this is not such a big issue, as it affects the development environment only. We take this opportunity to replace the base image of the "forum" image. There is now no need to re-install ruby inside the image. The total image size is only decreased by 10%, but re-building the image is faster. In order to run the smtp service as non-root, we switch from namshi/smtp to devture/exim-relay. This change should be backward-compatible. Note that the nginx container remains privileged. We could switch to nginxinc/nginx-unprivileged, but it's probably not worth the effort, as we are considering to get rid of the nginx container altogether. Close #323.
2021-09-23 10:04:19 +00:00
USER ${APP_USER_ID}
improvement: COPY dockerize for faster build Dockerize now ships with multi-arch Docker images, so we can just COPY the binary from these images. This allows us to skip an image layer.
2023-03-13 17:07:26 +00:00
# https://hub.docker.com/r/powerman/dockerize/tags
feat!: assume BuildKit is available
2023-10-27 08:54:23 +00:00
COPY --link --from=docker.io/powerman/dockerize:0.19.0 /usr/local/bin/dockerize /usr/local/bin/dockerize
feat: leverage `RUN --mount` for faster image building We make use of the Docker build cache to install python and nodejs requirements faster in the case of repeated builds. This feature is only possible for users of BuildKit, so we detect whether `docker buildx` is available at runtime. We do not make use of `COPY --link` because the `--link` option is incompatible with `--chown=app:app`: https://github.com/docker/buildx/issues/1408 For reference, see: https://www.docker.com/blog/dockerfiles-now-support-multiple-build-contexts/ https://docs.docker.com/engine/reference/commandline/buildx_build/#build-context
2023-04-03 18:44:15 +00:00
COPY --chown=app:app --from=edx-platform / /openedx/edx-platform
feat: run all services as unprivileged containers With this change, containers are no longer run as "root" but as unprivileged users. This is necessary in some environments, notably some Kubernetes clusters. To make this possible, we need to manually fix bind-mounted volumes in docker-compose. This is pretty much equivalent to the behaviour in Kubernetes, where permissions are fixed at runtime if the volume owner is incorrect. Thus, we have a consistent behaviour between docker-compose and Kubernetes. We achieve this by bind-mounting some repos inside "*-permissions" services. These services run as root user on docker-compose and will fix the required permissions, as per build/permissions/setowner.sh These services simply do not run on Kubernetes, where we don't rely on bind-mounted volumes. There, we make use of Kubernete's built-in volume ownership feature. With this change, we get rid of the "openedx-dev" Docker image, in the sense that it no longer has its own Dockerfile. Instead, the dev image is now simply a different target in the multi-layer openedx Docker image. This makes it much faster to build the openedx-dev image. Because we declare the APP_USER_ID in the dev/docker-compose.yml file, we need to pass the user ID from the host there. The only way to achieve that is with a tutor config variable. The downside of this approach is that the dev/docker-compose.yml file is no longer portable from one machine to the next. We consider that this is not such a big issue, as it affects the development environment only. We take this opportunity to replace the base image of the "forum" image. There is now no need to re-install ruby inside the image. The total image size is only decreased by 10%, but re-building the image is faster. In order to run the smtp service as non-root, we switch from namshi/smtp to devture/exim-relay. This change should be backward-compatible. Note that the nginx container remains privileged. We could switch to nginxinc/nginx-unprivileged, but it's probably not worth the effort, as we are considering to get rid of the nginx container altogether. Close #323.
2021-09-23 10:04:19 +00:00
COPY --chown=app:app --from=locales /openedx/locale /openedx/locale
COPY --chown=app:app --from=python /opt/pyenv /opt/pyenv
COPY --chown=app:app --from=python-requirements /openedx/venv /openedx/venv
COPY --chown=app:app --from=python-requirements /openedx/requirements /openedx/requirements
feat: auto-mount edx-platform python requirements These changes make to possible to run: tutor mounts add /path/to/my-xblock The xblock directory with then be auto-magically bind-mounted in the "openedx" image at build time, and the lms*/cms* containers at run time. This makes it effectively possible to work as a developer on edx-platform requirements. We take the opportunity to move some openedx-specific code to a dedicated module. Close https://github.com/openedx/wg-developer-experience/issues/177
2023-09-04 17:08:15 +00:00
COPY --chown=app:app --from=python-requirements /mnt /mnt
feat: run all services as unprivileged containers With this change, containers are no longer run as "root" but as unprivileged users. This is necessary in some environments, notably some Kubernetes clusters. To make this possible, we need to manually fix bind-mounted volumes in docker-compose. This is pretty much equivalent to the behaviour in Kubernetes, where permissions are fixed at runtime if the volume owner is incorrect. Thus, we have a consistent behaviour between docker-compose and Kubernetes. We achieve this by bind-mounting some repos inside "*-permissions" services. These services run as root user on docker-compose and will fix the required permissions, as per build/permissions/setowner.sh These services simply do not run on Kubernetes, where we don't rely on bind-mounted volumes. There, we make use of Kubernete's built-in volume ownership feature. With this change, we get rid of the "openedx-dev" Docker image, in the sense that it no longer has its own Dockerfile. Instead, the dev image is now simply a different target in the multi-layer openedx Docker image. This makes it much faster to build the openedx-dev image. Because we declare the APP_USER_ID in the dev/docker-compose.yml file, we need to pass the user ID from the host there. The only way to achieve that is with a tutor config variable. The downside of this approach is that the dev/docker-compose.yml file is no longer portable from one machine to the next. We consider that this is not such a big issue, as it affects the development environment only. We take this opportunity to replace the base image of the "forum" image. There is now no need to re-install ruby inside the image. The total image size is only decreased by 10%, but re-building the image is faster. In order to run the smtp service as non-root, we switch from namshi/smtp to devture/exim-relay. This change should be backward-compatible. Note that the nginx container remains privileged. We could switch to nginxinc/nginx-unprivileged, but it's probably not worth the effort, as we are considering to get rid of the nginx container altogether. Close #323.
2021-09-23 10:04:19 +00:00
COPY --chown=app:app --from=nodejs-requirements /openedx/nodeenv /openedx/nodeenv
feat: leverage `RUN --mount` for faster image building We make use of the Docker build cache to install python and nodejs requirements faster in the case of repeated builds. This feature is only possible for users of BuildKit, so we detect whether `docker buildx` is available at runtime. We do not make use of `COPY --link` because the `--link` option is incompatible with `--chown=app:app`: https://github.com/docker/buildx/issues/1408 For reference, see: https://www.docker.com/blog/dockerfiles-now-support-multiple-build-contexts/ https://docs.docker.com/engine/reference/commandline/buildx_build/#build-context
2023-04-03 18:44:15 +00:00
COPY --chown=app:app --from=nodejs-requirements /openedx/edx-platform/node_modules /openedx/node_modules
# Symlink node_modules such that we can bind-mount the edx-platform repository
RUN ln -s /openedx/node_modules /openedx/edx-platform/node_modules
Switch to multi-stage build for openedx image This reduces the size of the final image from 3.25Gb to 2.8Gb. Also, it should be faster to rebuild the image in most cases. For instance, we will not have to re-install nodejs requirements after part of the edx-platform repo was modified.
2020-07-25 22:11:30 +00:00
ENV PATH /openedx/venv/bin:./node_modules/.bin:/openedx/nodeenv/bin:${PATH}
ENV VIRTUAL_ENV /openedx/venv/
WORKDIR /openedx/edx-platform
feat: auto-mount edx-platform python requirements These changes make to possible to run: tutor mounts add /path/to/my-xblock The xblock directory with then be auto-magically bind-mounted in the "openedx" image at build time, and the lms*/cms* containers at run time. This makes it effectively possible to work as a developer on edx-platform requirements. We take the opportunity to move some openedx-specific code to a dedicated module. Close https://github.com/openedx/wg-developer-experience/issues/177
2023-09-04 17:08:15 +00:00
{# Install auto-mounted directories as Python packages. #}
{% for name in iter_mounted_directories(MOUNTS, "openedx") %}
COPY --from=mnt-{{ name }} --chown=app:app / /mnt/{{ name }}
RUN pip install -e "/mnt/{{ name }}"
{% endfor %}
fix: installation of local requirements The `compilejsi18n` command was failing during image building because the Open-edX package was not installed properly. The reason for that was an earlier change where we got rid of the `pip install -r requirements/edx/local.in` command. Installing the Open-edX package was part of this requirement file. The local.in requirements file no longer exists, but we still need to `pip install -e .` the edx-platform repo. To run this command we need both the edx-platform repo and the virtualenv. The good news is that there are no more local requirements in the base.txt requirements file. This means that we no longer have to COPY the edx-platform repo in the requirements installation step. Thus, changes in edx-platform will no longer trigger a rebuild of the pip requirements; this means that re-builds will be much faster when making changes to edx-platform. Note that plugins that implemented the "openedx-dockerfile-post-python-requirements" patch and that needed access to the edx-platform repo will no longer work. Instead, these plugins should implement the "openedx-dockerfile-pre-assets" patch. This scenario should be very rare, though. Close #726
2022-10-03 10:00:11 +00:00
# We install edx-platform here because it creates an egg-info folder in the current
# repo. We need both the source code and the virtualenv to run this command.
RUN pip install -e .
v14.0.0: upgrade to Nutmeg - 💥 [Feature] Upgrade to Nutmeg: (by @regisb) - 💥 [Feature] Persistent grades are now enabled by default. - [Bugfix] Remove edX references from bulk emails ([issue](https://github.com/openedx/build-test-release-wg/issues/100)). - [Improvement] For Tutor Nightly (and only Nightly), official plugins are now installed from their nightly branches on GitHub instead of a version range on PyPI. This will allow Nightly users to install all official plugins by running ``pip install -e ".[full]"``. - [Bugfix] Start MongoDB when running migrations, because a new data migration fails if MongoDB is not running
2022-04-11 15:26:17 +00:00
# Create folder that will store lms/cms.env.yml files, as well as
Stop the "ln -s" settings madness Creating soft links to files that do not exist is just madness, let's stop it. Instead, we take advantage of the CONFIG_ROOT environment variable, which allows to place lms/cms.env/auth.json files anywhere.
2018-12-25 23:24:01 +00:00
# the tutor-specific settings files.
RUN mkdir -p /openedx/config ./lms/envs/tutor ./cms/envs/tutor
feat: run all services as unprivileged containers With this change, containers are no longer run as "root" but as unprivileged users. This is necessary in some environments, notably some Kubernetes clusters. To make this possible, we need to manually fix bind-mounted volumes in docker-compose. This is pretty much equivalent to the behaviour in Kubernetes, where permissions are fixed at runtime if the volume owner is incorrect. Thus, we have a consistent behaviour between docker-compose and Kubernetes. We achieve this by bind-mounting some repos inside "*-permissions" services. These services run as root user on docker-compose and will fix the required permissions, as per build/permissions/setowner.sh These services simply do not run on Kubernetes, where we don't rely on bind-mounted volumes. There, we make use of Kubernete's built-in volume ownership feature. With this change, we get rid of the "openedx-dev" Docker image, in the sense that it no longer has its own Dockerfile. Instead, the dev image is now simply a different target in the multi-layer openedx Docker image. This makes it much faster to build the openedx-dev image. Because we declare the APP_USER_ID in the dev/docker-compose.yml file, we need to pass the user ID from the host there. The only way to achieve that is with a tutor config variable. The downside of this approach is that the dev/docker-compose.yml file is no longer portable from one machine to the next. We consider that this is not such a big issue, as it affects the development environment only. We take this opportunity to replace the base image of the "forum" image. There is now no need to re-install ruby inside the image. The total image size is only decreased by 10%, but re-building the image is faster. In order to run the smtp service as non-root, we switch from namshi/smtp to devture/exim-relay. This change should be backward-compatible. Note that the nginx container remains privileged. We could switch to nginxinc/nginx-unprivileged, but it's probably not worth the effort, as we are considering to get rid of the nginx container altogether. Close #323.
2021-09-23 10:04:19 +00:00
COPY --chown=app:app revisions.yml /openedx/config/
v14.0.0: upgrade to Nutmeg - 💥 [Feature] Upgrade to Nutmeg: (by @regisb) - 💥 [Feature] Persistent grades are now enabled by default. - [Bugfix] Remove edX references from bulk emails ([issue](https://github.com/openedx/build-test-release-wg/issues/100)). - [Improvement] For Tutor Nightly (and only Nightly), official plugins are now installed from their nightly branches on GitHub instead of a version range on PyPI. This will allow Nightly users to install all official plugins by running ``pip install -e ".[full]"``. - [Bugfix] Start MongoDB when running migrations, because a new data migration fails if MongoDB is not running
2022-04-11 15:26:17 +00:00
ENV LMS_CFG /openedx/config/lms.env.yml
ENV CMS_CFG /openedx/config/cms.env.yml
v10.0.0 Upgrade to Juniper (2020-06-15) Here, we upgrade the Open edX platform from Ironwood to Juniper. This upgrade does not come with many feature changes, but there are many technical improvements under the hood: - Upgrade from Python 2.7 to 3.5 - Upgrade from Mongodb v3.2 to v3.6 - Upgrade Ruby to 2.5.7 We took the opportunity to completely rething the way locally running platforms should be accessed for testing purposes. It is no longer possible to access a running platform from http://localhost and http://studio.localhost. Instead, users should access http://local.overhang.io and https://studio.local.overhang.io. This drastically simplifies internal communication between Docker containers. To upgrade, users should simply run: tutor local quickstart For Kubernetes platform, the upgrade process is outlined when running: tutor k8s upgrade --from=ironwood
2019-12-24 16:22:12 +00:00
ENV REVISION_CFG /openedx/config/revisions.yml
feat: run all services as unprivileged containers With this change, containers are no longer run as "root" but as unprivileged users. This is necessary in some environments, notably some Kubernetes clusters. To make this possible, we need to manually fix bind-mounted volumes in docker-compose. This is pretty much equivalent to the behaviour in Kubernetes, where permissions are fixed at runtime if the volume owner is incorrect. Thus, we have a consistent behaviour between docker-compose and Kubernetes. We achieve this by bind-mounting some repos inside "*-permissions" services. These services run as root user on docker-compose and will fix the required permissions, as per build/permissions/setowner.sh These services simply do not run on Kubernetes, where we don't rely on bind-mounted volumes. There, we make use of Kubernete's built-in volume ownership feature. With this change, we get rid of the "openedx-dev" Docker image, in the sense that it no longer has its own Dockerfile. Instead, the dev image is now simply a different target in the multi-layer openedx Docker image. This makes it much faster to build the openedx-dev image. Because we declare the APP_USER_ID in the dev/docker-compose.yml file, we need to pass the user ID from the host there. The only way to achieve that is with a tutor config variable. The downside of this approach is that the dev/docker-compose.yml file is no longer portable from one machine to the next. We consider that this is not such a big issue, as it affects the development environment only. We take this opportunity to replace the base image of the "forum" image. There is now no need to re-install ruby inside the image. The total image size is only decreased by 10%, but re-building the image is faster. In order to run the smtp service as non-root, we switch from namshi/smtp to devture/exim-relay. This change should be backward-compatible. Note that the nginx container remains privileged. We could switch to nginxinc/nginx-unprivileged, but it's probably not worth the effort, as we are considering to get rid of the nginx container altogether. Close #323.
2021-09-23 10:04:19 +00:00
COPY --chown=app:app settings/lms/*.py ./lms/envs/tutor/
COPY --chown=app:app settings/cms/*.py ./cms/envs/tutor/
Package static assets inside the openedx image This allows us to deploy much faster: all we have to do is to copy the assets from the container to the shared volume. We also changed the way themes are managed: similarly to static assets, they are now packaged inside the docker image.
2018-12-07 18:30:30 +00:00
Make it easy to add custom translation strings to edx-platform Users can now add custom translation strings to a locale folder at build time, very much in the same way as custom themes or requirements. This is quite convenient, although is does require quite a bit of time to rebuild the docker images.
2020-04-16 17:26:49 +00:00
# Copy user-specific locales to /openedx/locale/user/locale and compile them
feat: run all services as unprivileged containers With this change, containers are no longer run as "root" but as unprivileged users. This is necessary in some environments, notably some Kubernetes clusters. To make this possible, we need to manually fix bind-mounted volumes in docker-compose. This is pretty much equivalent to the behaviour in Kubernetes, where permissions are fixed at runtime if the volume owner is incorrect. Thus, we have a consistent behaviour between docker-compose and Kubernetes. We achieve this by bind-mounting some repos inside "*-permissions" services. These services run as root user on docker-compose and will fix the required permissions, as per build/permissions/setowner.sh These services simply do not run on Kubernetes, where we don't rely on bind-mounted volumes. There, we make use of Kubernete's built-in volume ownership feature. With this change, we get rid of the "openedx-dev" Docker image, in the sense that it no longer has its own Dockerfile. Instead, the dev image is now simply a different target in the multi-layer openedx Docker image. This makes it much faster to build the openedx-dev image. Because we declare the APP_USER_ID in the dev/docker-compose.yml file, we need to pass the user ID from the host there. The only way to achieve that is with a tutor config variable. The downside of this approach is that the dev/docker-compose.yml file is no longer portable from one machine to the next. We consider that this is not such a big issue, as it affects the development environment only. We take this opportunity to replace the base image of the "forum" image. There is now no need to re-install ruby inside the image. The total image size is only decreased by 10%, but re-building the image is faster. In order to run the smtp service as non-root, we switch from namshi/smtp to devture/exim-relay. This change should be backward-compatible. Note that the nginx container remains privileged. We could switch to nginxinc/nginx-unprivileged, but it's probably not worth the effort, as we are considering to get rid of the nginx container altogether. Close #323.
2021-09-23 10:04:19 +00:00
RUN mkdir /openedx/locale/user
COPY --chown=app:app ./locale/ /openedx/locale/user/locale/
Make it easy to add custom translation strings to edx-platform Users can now add custom translation strings to a locale folder at build time, very much in the same way as custom themes or requirements. This is quite convenient, although is does require quite a bit of time to rebuild the docker images.
2020-04-16 17:26:49 +00:00
RUN cd /openedx/locale/user && \
chore: resolve "deprecated django-admin.py is deprecated" warning See: https://docs.djangoproject.com/en/dev/internals/deprecation/#deprecation-removed-in-4-0
2022-02-21 11:07:57 +00:00
django-admin compilemessages -v1
Switch to multi-stage build for openedx image This reduces the size of the final image from 3.25Gb to 2.8Gb. Also, it should be faster to rebuild the image in most cases. For instance, we will not have to re-install nodejs requirements after part of the edx-platform repo was modified.
2020-07-25 22:11:30 +00:00
# Compile i18n strings: in some cases, js locales are not properly compiled out of the box
Add missing js translations to openedx Client-side translations are stored in "djangojs.js" files. Supposedly, these files were properly compiled prior to the Ironwood release -- but this is not the case, so we need to re-generate them. Also, we need to re-generate the djangojs.js files for the custom, downloaded locales. The assets collection settings are also fixed to take into account the separate locale folder. This step needs to happen prior to static assets collection, as the djangojs files are collected to the staticfiles/ folder. See these conversations: https://discuss.overhang.io/t/localization-not-works-perfect/363 https://discuss.openedx.org/t/localization-not-work-for-js-files/1671
2020-04-01 18:05:06 +00:00
# and we need to do a pass ourselves. Also, we need to compile the djangojs.js files for
# the downloaded locales.
RUN ./manage.py lms --settings=tutor.i18n compilejsi18n
RUN ./manage.py cms --settings=tutor.i18n compilejsi18n
Move scripts to dedicated folder in openedx image
2018-12-25 18:32:05 +00:00
# Copy scripts
feat: run all services as unprivileged containers With this change, containers are no longer run as "root" but as unprivileged users. This is necessary in some environments, notably some Kubernetes clusters. To make this possible, we need to manually fix bind-mounted volumes in docker-compose. This is pretty much equivalent to the behaviour in Kubernetes, where permissions are fixed at runtime if the volume owner is incorrect. Thus, we have a consistent behaviour between docker-compose and Kubernetes. We achieve this by bind-mounting some repos inside "*-permissions" services. These services run as root user on docker-compose and will fix the required permissions, as per build/permissions/setowner.sh These services simply do not run on Kubernetes, where we don't rely on bind-mounted volumes. There, we make use of Kubernete's built-in volume ownership feature. With this change, we get rid of the "openedx-dev" Docker image, in the sense that it no longer has its own Dockerfile. Instead, the dev image is now simply a different target in the multi-layer openedx Docker image. This makes it much faster to build the openedx-dev image. Because we declare the APP_USER_ID in the dev/docker-compose.yml file, we need to pass the user ID from the host there. The only way to achieve that is with a tutor config variable. The downside of this approach is that the dev/docker-compose.yml file is no longer portable from one machine to the next. We consider that this is not such a big issue, as it affects the development environment only. We take this opportunity to replace the base image of the "forum" image. There is now no need to re-install ruby inside the image. The total image size is only decreased by 10%, but re-building the image is faster. In order to run the smtp service as non-root, we switch from namshi/smtp to devture/exim-relay. This change should be backward-compatible. Note that the nginx container remains privileged. We could switch to nginxinc/nginx-unprivileged, but it's probably not worth the effort, as we are considering to get rid of the nginx container altogether. Close #323.
2021-09-23 10:04:19 +00:00
COPY --chown=app:app ./bin /openedx/bin
Fix assets collection in docker image "openedx-assets" script was not copied with the right permissions in the docker image.
2019-07-04 09:36:22 +00:00
RUN chmod a+x /openedx/bin/*
Move scripts to dedicated folder in openedx image
2018-12-25 18:32:05 +00:00
ENV PATH /openedx/bin:${PATH}
Make it possible to patch build templates Thus, build templates are no longer copied, but rendered.
2019-07-04 08:45:15 +00:00
{{ patch("openedx-dockerfile-pre-assets") }}
Package static assets inside the openedx image This allows us to deploy much faster: all we have to do is to copy the assets from the container to the shared volume. We also changed the way themes are managed: similarly to static assets, they are now packaged inside the docker image.
2018-12-07 18:30:30 +00:00
# Collect production assets. By default, only assets from the default theme
# will be processed. This makes the docker image lighter and faster to build.
Automatically build themes from openedx/themes No need for the THEMES variable.
2018-12-14 11:59:32 +00:00
# Only the custom themes added to /openedx/themes will be compiled.
Package static assets inside the openedx image This allows us to deploy much faster: all we have to do is to copy the assets from the container to the shared volume. We also changed the way themes are managed: similarly to static assets, they are now packaged inside the docker image.
2018-12-07 18:30:30 +00:00
# Here, we don't run "paver update_assets" which is slow, compiles all themes
# and requires a complex settings file. Instead, we decompose the commands
# and run each one individually to collect the production static assets to
Add openedx-assets command This is great for running a local webserver and watching theme changes in just two commands.
2018-12-24 07:54:32 +00:00
# /openedx/staticfiles.
Added config values for #gunicorn workers
2019-09-19 13:39:18 +00:00
ENV NO_PYTHON_UNINSTALL 1
v10.0.0 Upgrade to Juniper (2020-06-15) Here, we upgrade the Open edX platform from Ironwood to Juniper. This upgrade does not come with many feature changes, but there are many technical improvements under the hood: - Upgrade from Python 2.7 to 3.5 - Upgrade from Mongodb v3.2 to v3.6 - Upgrade Ruby to 2.5.7 We took the opportunity to completely rething the way locally running platforms should be accessed for testing purposes. It is no longer possible to access a running platform from http://localhost and http://studio.localhost. Instead, users should access http://local.overhang.io and https://studio.local.overhang.io. This drastically simplifies internal communication between Docker containers. To upgrade, users should simply run: tutor local quickstart For Kubernetes platform, the upgrade process is outlined when running: tutor k8s upgrade --from=ironwood
2019-12-24 16:22:12 +00:00
ENV NO_PREREQ_INSTALL 1
# We need to rely on a separate openedx-assets command to accelerate asset processing.
# For instance, we don't want to run all steps of asset collection every time the theme
# is modified.
Add openedx-assets command This is great for running a local webserver and watching theme changes in just two commands.
2018-12-24 07:54:32 +00:00
RUN openedx-assets xmodule \
&& openedx-assets npm \
&& openedx-assets webpack --env=prod \
&& openedx-assets common
feat: run all services as unprivileged containers With this change, containers are no longer run as "root" but as unprivileged users. This is necessary in some environments, notably some Kubernetes clusters. To make this possible, we need to manually fix bind-mounted volumes in docker-compose. This is pretty much equivalent to the behaviour in Kubernetes, where permissions are fixed at runtime if the volume owner is incorrect. Thus, we have a consistent behaviour between docker-compose and Kubernetes. We achieve this by bind-mounting some repos inside "*-permissions" services. These services run as root user on docker-compose and will fix the required permissions, as per build/permissions/setowner.sh These services simply do not run on Kubernetes, where we don't rely on bind-mounted volumes. There, we make use of Kubernete's built-in volume ownership feature. With this change, we get rid of the "openedx-dev" Docker image, in the sense that it no longer has its own Dockerfile. Instead, the dev image is now simply a different target in the multi-layer openedx Docker image. This makes it much faster to build the openedx-dev image. Because we declare the APP_USER_ID in the dev/docker-compose.yml file, we need to pass the user ID from the host there. The only way to achieve that is with a tutor config variable. The downside of this approach is that the dev/docker-compose.yml file is no longer portable from one machine to the next. We consider that this is not such a big issue, as it affects the development environment only. We take this opportunity to replace the base image of the "forum" image. There is now no need to re-install ruby inside the image. The total image size is only decreased by 10%, but re-building the image is faster. In order to run the smtp service as non-root, we switch from namshi/smtp to devture/exim-relay. This change should be backward-compatible. Note that the nginx container remains privileged. We could switch to nginxinc/nginx-unprivileged, but it's probably not worth the effort, as we are considering to get rid of the nginx container altogether. Close #323.
2021-09-23 10:04:19 +00:00
COPY --chown=app:app ./themes/ /openedx/themes/
Add openedx-assets command This is great for running a local webserver and watching theme changes in just two commands.
2018-12-24 07:54:32 +00:00
RUN openedx-assets themes \
Reduce openedx image size with static asset deduplication This is inspired from FUN's openedx-docker project: static files are de-duplicated with rdfind to reduce the uncompressed image size by 320Mb.
2020-09-01 17:14:30 +00:00
&& openedx-assets collect --settings=tutor.assets \
# De-duplicate static assets with symlinks
&& rdfind -makesymlinks true -followsymlinks true /openedx/staticfiles/
:sunrise:
2017-07-03 10:39:19 +00:00
Make data directories in openedx/xqueue containers These directories are not necessary per se, but they allow us to use our tutor settings without having to mount an external directory.
2019-06-07 06:53:33 +00:00
# Create a data directory, which might be used (or not)
RUN mkdir /openedx/data
feat: full edx-platform setup with `tutor dev launch -m ...` Before this commit, setting up an edx-platform development environment took multiple steps: tutor dev launch tutor dev run --mount=/path/to/edx-platform lms bash >> pip install -e . >> npm clean-install >> openedx-assets build --env=dev This commit moves the steps under ``run`` into an init task, which is automatically run by ``launch``. Thus, setup is now one command: tutor dev launch --mount=edx-platform These extra init steps are only applicable when bind-mounting edx-platform (because bind-mounting the repository overrides some important artifacts that exist on the image, which must be re-generated). Thus, the new init tasks exists early if it detects that it is *not* operating on a bind-mounted repository. Finally, we try to simplify the Open edX development docs so that it is clearer how bind-mounting fits into the development process. These bind-mounts: * ../build/openedx/themes:/openedx/themes * ../build/openedx/requirements:/openedx/requirements existed in the dev lms and cms containers, but they did not exist in the lms-job and cms-job containers. This means that themes and requirements that were *built into the image* would exist in the job containers, but live updates to the themes and requirements would not apply. To resolve this, we set ``volumes:`` on the lms-job and cms-job services so that they match the volumes for the normal lms and cms services. Part of: https://github.com/openedx/wg-developer-experience/issues/146 Closes: https://github.com/openedx/wg-developer-experience/issues/152 This works around (but does not close) these related issues: * https://github.com/openedx/wg-developer-experience/issues/150 * https://github.com/openedx/wg-developer-experience/issues/151
2023-03-15 12:31:49 +00:00
# If this "canary" file is missing from a container, then that indicates that a
# local edx-platform was bind-mounted into that container, thus overwriting the
# canary. This information is useful during edx-platform initialisation.
RUN echo \
"This copy of edx-platform was built into a Docker image." \
> bindmount-canary
Working stack: still some bugs to fix
2017-12-26 00:16:35 +00:00
# service variant is "lms" or "cms"
Working devstack This allows the user to run their own devstack inside the containers. Yay! Also, we handle file permissions cleanly: in docker-entrypoint.sh we chmod the data and edx-platform files to the same UID of the user on the host machine. No more permission headaches!
2018-04-09 17:16:58 +00:00
ENV SERVICE_VARIANT lms
refactor: get rid of the openedx Docker entrypoint The entrypoint in the "openedx" Docker image was used only to define the DJANGO_SETTINGS_MODULE environment variable, based on SERVICE_VARIANT and SETTINGS. We ditch SETTINGS in favour of defining explicitely DJANGO_SETTINGS_MODULE. The problem with the Docker entrypoint is that it was bypassed whenever we ran `tutor local exec` or `tutor k8s exec`. By removing it we make it simpler for end-users to run manage.py commands in kubernetes.
2022-04-12 14:07:48 +00:00
ENV DJANGO_SETTINGS_MODULE lms.envs.tutor.production
Working stack: still some bugs to fix
2017-12-26 00:16:35 +00:00
Make it possible to patch build templates Thus, build templates are no longer copied, but rendered.
2019-07-04 08:45:15 +00:00
{{ patch("openedx-dockerfile") }}
feat: run all services as unprivileged containers With this change, containers are no longer run as "root" but as unprivileged users. This is necessary in some environments, notably some Kubernetes clusters. To make this possible, we need to manually fix bind-mounted volumes in docker-compose. This is pretty much equivalent to the behaviour in Kubernetes, where permissions are fixed at runtime if the volume owner is incorrect. Thus, we have a consistent behaviour between docker-compose and Kubernetes. We achieve this by bind-mounting some repos inside "*-permissions" services. These services run as root user on docker-compose and will fix the required permissions, as per build/permissions/setowner.sh These services simply do not run on Kubernetes, where we don't rely on bind-mounted volumes. There, we make use of Kubernete's built-in volume ownership feature. With this change, we get rid of the "openedx-dev" Docker image, in the sense that it no longer has its own Dockerfile. Instead, the dev image is now simply a different target in the multi-layer openedx Docker image. This makes it much faster to build the openedx-dev image. Because we declare the APP_USER_ID in the dev/docker-compose.yml file, we need to pass the user ID from the host there. The only way to achieve that is with a tutor config variable. The downside of this approach is that the dev/docker-compose.yml file is no longer portable from one machine to the next. We consider that this is not such a big issue, as it affects the development environment only. We take this opportunity to replace the base image of the "forum" image. There is now no need to re-install ruby inside the image. The total image size is only decreased by 10%, but re-building the image is faster. In order to run the smtp service as non-root, we switch from namshi/smtp to devture/exim-relay. This change should be backward-compatible. Note that the nginx container remains privileged. We could switch to nginxinc/nginx-unprivileged, but it's probably not worth the effort, as we are considering to get rid of the nginx container altogether. Close #323.
2021-09-23 10:04:19 +00:00
EXPOSE 8000
###### Intermediate image with dev/test dependencies
FROM production as development
# Install useful system requirements (as root)
USER root
feat!: assume BuildKit is available
2023-10-27 08:54:23 +00:00
RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
--mount=type=cache,target=/var/lib/apt,sharing=locked \
apt update && \
feat: leverage `RUN --mount` for faster image building We make use of the Docker build cache to install python and nodejs requirements faster in the case of repeated builds. This feature is only possible for users of BuildKit, so we detect whether `docker buildx` is available at runtime. We do not make use of `COPY --link` because the `--link` option is incompatible with `--chown=app:app`: https://github.com/docker/buildx/issues/1408 For reference, see: https://www.docker.com/blog/dockerfiles-now-support-multiple-build-contexts/ https://docs.docker.com/engine/reference/commandline/buildx_build/#build-context
2023-04-03 18:44:15 +00:00
apt install -y vim iputils-ping dnsutils telnet
feat: run all services as unprivileged containers With this change, containers are no longer run as "root" but as unprivileged users. This is necessary in some environments, notably some Kubernetes clusters. To make this possible, we need to manually fix bind-mounted volumes in docker-compose. This is pretty much equivalent to the behaviour in Kubernetes, where permissions are fixed at runtime if the volume owner is incorrect. Thus, we have a consistent behaviour between docker-compose and Kubernetes. We achieve this by bind-mounting some repos inside "*-permissions" services. These services run as root user on docker-compose and will fix the required permissions, as per build/permissions/setowner.sh These services simply do not run on Kubernetes, where we don't rely on bind-mounted volumes. There, we make use of Kubernete's built-in volume ownership feature. With this change, we get rid of the "openedx-dev" Docker image, in the sense that it no longer has its own Dockerfile. Instead, the dev image is now simply a different target in the multi-layer openedx Docker image. This makes it much faster to build the openedx-dev image. Because we declare the APP_USER_ID in the dev/docker-compose.yml file, we need to pass the user ID from the host there. The only way to achieve that is with a tutor config variable. The downside of this approach is that the dev/docker-compose.yml file is no longer portable from one machine to the next. We consider that this is not such a big issue, as it affects the development environment only. We take this opportunity to replace the base image of the "forum" image. There is now no need to re-install ruby inside the image. The total image size is only decreased by 10%, but re-building the image is faster. In order to run the smtp service as non-root, we switch from namshi/smtp to devture/exim-relay. This change should be backward-compatible. Note that the nginx container remains privileged. We could switch to nginxinc/nginx-unprivileged, but it's probably not worth the effort, as we are considering to get rid of the nginx container altogether. Close #323.
2021-09-23 10:04:19 +00:00
USER app
# Install dev python requirements
feat!: assume BuildKit is available
2023-10-27 08:54:23 +00:00
RUN --mount=type=cache,target=/openedx/.cache/pip,sharing=shared \
pip install -r requirements/edx/development.txt
feat: upgrade ipdb/ipython in openedx-dev image
2022-12-13 07:32:10 +00:00
# https://pypi.org/project/ipdb/
# https://pypi.org/project/ipython
feat!: assume BuildKit is available
2023-10-27 08:54:23 +00:00
RUN --mount=type=cache,target=/openedx/.cache/pip,sharing=shared \
pip install ipdb==0.13.13 ipython==8.12.0
feat: run all services as unprivileged containers With this change, containers are no longer run as "root" but as unprivileged users. This is necessary in some environments, notably some Kubernetes clusters. To make this possible, we need to manually fix bind-mounted volumes in docker-compose. This is pretty much equivalent to the behaviour in Kubernetes, where permissions are fixed at runtime if the volume owner is incorrect. Thus, we have a consistent behaviour between docker-compose and Kubernetes. We achieve this by bind-mounting some repos inside "*-permissions" services. These services run as root user on docker-compose and will fix the required permissions, as per build/permissions/setowner.sh These services simply do not run on Kubernetes, where we don't rely on bind-mounted volumes. There, we make use of Kubernete's built-in volume ownership feature. With this change, we get rid of the "openedx-dev" Docker image, in the sense that it no longer has its own Dockerfile. Instead, the dev image is now simply a different target in the multi-layer openedx Docker image. This makes it much faster to build the openedx-dev image. Because we declare the APP_USER_ID in the dev/docker-compose.yml file, we need to pass the user ID from the host there. The only way to achieve that is with a tutor config variable. The downside of this approach is that the dev/docker-compose.yml file is no longer portable from one machine to the next. We consider that this is not such a big issue, as it affects the development environment only. We take this opportunity to replace the base image of the "forum" image. There is now no need to re-install ruby inside the image. The total image size is only decreased by 10%, but re-building the image is faster. In order to run the smtp service as non-root, we switch from namshi/smtp to devture/exim-relay. This change should be backward-compatible. Note that the nginx container remains privileged. We could switch to nginxinc/nginx-unprivileged, but it's probably not worth the effort, as we are considering to get rid of the nginx container altogether. Close #323.
2021-09-23 10:04:19 +00:00
feat: auto-mount edx-platform python requirements These changes make to possible to run: tutor mounts add /path/to/my-xblock The xblock directory with then be auto-magically bind-mounted in the "openedx" image at build time, and the lms*/cms* containers at run time. This makes it effectively possible to work as a developer on edx-platform requirements. We take the opportunity to move some openedx-specific code to a dedicated module. Close https://github.com/openedx/wg-developer-experience/issues/177
2023-09-04 17:08:15 +00:00
{# Re-install mounted requirements, otherwise they will be superseded by upstream reqs #}
{% for name in iter_mounted_directories(MOUNTS, "openedx") %}
COPY --from=mnt-{{ name }} --chown=app:app / /mnt/{{ name }}
RUN pip install -e "/mnt/{{ name }}"
{% endfor %}
feat: default to ipdb as PYTHONBREAKPOINT PYTHONBREAKPOINT has been exposed as an environment variable in the openedx Dockerfile available to be changed in config.yml. The docs have also been changed to recommend using breakpoint and explaining how PYTHONBREAKPOINT can be modified to use a custom debugger. Close https://github.com/overhangio/2u-tutor-adoption/issues/45
2022-06-22 09:26:50 +00:00
# Add ipdb as default PYTHONBREAKPOINT
ENV PYTHONBREAKPOINT=ipdb.set_trace
feat: run all services as unprivileged containers With this change, containers are no longer run as "root" but as unprivileged users. This is necessary in some environments, notably some Kubernetes clusters. To make this possible, we need to manually fix bind-mounted volumes in docker-compose. This is pretty much equivalent to the behaviour in Kubernetes, where permissions are fixed at runtime if the volume owner is incorrect. Thus, we have a consistent behaviour between docker-compose and Kubernetes. We achieve this by bind-mounting some repos inside "*-permissions" services. These services run as root user on docker-compose and will fix the required permissions, as per build/permissions/setowner.sh These services simply do not run on Kubernetes, where we don't rely on bind-mounted volumes. There, we make use of Kubernete's built-in volume ownership feature. With this change, we get rid of the "openedx-dev" Docker image, in the sense that it no longer has its own Dockerfile. Instead, the dev image is now simply a different target in the multi-layer openedx Docker image. This makes it much faster to build the openedx-dev image. Because we declare the APP_USER_ID in the dev/docker-compose.yml file, we need to pass the user ID from the host there. The only way to achieve that is with a tutor config variable. The downside of this approach is that the dev/docker-compose.yml file is no longer portable from one machine to the next. We consider that this is not such a big issue, as it affects the development environment only. We take this opportunity to replace the base image of the "forum" image. There is now no need to re-install ruby inside the image. The total image size is only decreased by 10%, but re-building the image is faster. In order to run the smtp service as non-root, we switch from namshi/smtp to devture/exim-relay. This change should be backward-compatible. Note that the nginx container remains privileged. We could switch to nginxinc/nginx-unprivileged, but it's probably not worth the effort, as we are considering to get rid of the nginx container altogether. Close #323.
2021-09-23 10:04:19 +00:00
# Recompile static assets: in development mode all static assets are stored in edx-platform,
# and the location of these files is stored in webpack-stats.json. If we don't recompile
# static assets, then production assets will be served instead.
RUN rm -r /openedx/staticfiles && \
mkdir /openedx/staticfiles && \
openedx-assets webpack --env=dev
{{ patch("openedx-dev-dockerfile-post-python-requirements") }}
# Default django settings
refactor: get rid of the openedx Docker entrypoint The entrypoint in the "openedx" Docker image was used only to define the DJANGO_SETTINGS_MODULE environment variable, based on SERVICE_VARIANT and SETTINGS. We ditch SETTINGS in favour of defining explicitely DJANGO_SETTINGS_MODULE. The problem with the Docker entrypoint is that it was bypassed whenever we ran `tutor local exec` or `tutor k8s exec`. By removing it we make it simpler for end-users to run manage.py commands in kubernetes.
2022-04-12 14:07:48 +00:00
ENV DJANGO_SETTINGS_MODULE lms.envs.tutor.development
feat: run all services as unprivileged containers With this change, containers are no longer run as "root" but as unprivileged users. This is necessary in some environments, notably some Kubernetes clusters. To make this possible, we need to manually fix bind-mounted volumes in docker-compose. This is pretty much equivalent to the behaviour in Kubernetes, where permissions are fixed at runtime if the volume owner is incorrect. Thus, we have a consistent behaviour between docker-compose and Kubernetes. We achieve this by bind-mounting some repos inside "*-permissions" services. These services run as root user on docker-compose and will fix the required permissions, as per build/permissions/setowner.sh These services simply do not run on Kubernetes, where we don't rely on bind-mounted volumes. There, we make use of Kubernete's built-in volume ownership feature. With this change, we get rid of the "openedx-dev" Docker image, in the sense that it no longer has its own Dockerfile. Instead, the dev image is now simply a different target in the multi-layer openedx Docker image. This makes it much faster to build the openedx-dev image. Because we declare the APP_USER_ID in the dev/docker-compose.yml file, we need to pass the user ID from the host there. The only way to achieve that is with a tutor config variable. The downside of this approach is that the dev/docker-compose.yml file is no longer portable from one machine to the next. We consider that this is not such a big issue, as it affects the development environment only. We take this opportunity to replace the base image of the "forum" image. There is now no need to re-install ruby inside the image. The total image size is only decreased by 10%, but re-building the image is faster. In order to run the smtp service as non-root, we switch from namshi/smtp to devture/exim-relay. This change should be backward-compatible. Note that the nginx container remains privileged. We could switch to nginxinc/nginx-unprivileged, but it's probably not worth the effort, as we are considering to get rid of the nginx container altogether. Close #323.
2021-09-23 10:04:19 +00:00
CMD ./manage.py $SERVICE_VARIANT runserver 0.0.0.0:8000
###### Final image with production cmd
FROM production as final
:sunrise:
2017-07-03 10:39:19 +00:00
feat: configure uwsgi through an ini file
2023-02-25 03:01:35 +00:00
# Default amount of uWSGI processes
ENV UWSGI_WORKERS=2
# Copy the default uWSGI configuration
COPY --chown=app:app settings/uwsgi.ini .
:sunrise:
2017-07-03 10:39:19 +00:00
# Run server
feat: configure uwsgi through an ini file
2023-02-25 03:01:35 +00:00
CMD uwsgi uwsgi.ini
feat: patch for openedx-dockerfile-final
2022-05-26 01:36:22 +00:00
{{ patch("openedx-dockerfile-final") }}
Copy Permalink