Revert "Convert ansible to dockerfile (#1727)" (#1781)

This reverts commit bc50e9c.

Dockerfile

@@ -1,138 +1,112 @@
-FROM ubuntu:focal as app
+FROM ubuntu:focal as base
+MAINTAINER [email protected]
 
-# System requirements
-
-RUN apt-get update && \
-apt-get install -y software-properties-common && \
-apt-add-repository -y ppa:deadsnakes/ppa && apt-get update && \
-apt-get upgrade -qy && apt-get install language-pack-en locales git \
-python3.8-dev python3-virtualenv libmysqlclient-dev libssl-dev build-essential wget unzip -qy && \
-rm -rf /var/lib/apt/lists/*
-
-# Python is Python3.
-RUN ln -s /usr/bin/python3 /usr/bin/python
-
-# Use UTF-8.
-RUN locale-gen en_US.UTF-8
-ENV LANG en_US.UTF-8
-ENV LANGUAGE en_US:en
-ENV LC_ALL en_US.UTF-8
+# Warning: This file is experimental.
+#
+# Short-term goals:
+# * Be a suitable replacement for the `edxops/credentials` image in devstack (in progress).
+# * Take advantage of Docker caching layers: aim to put commands in order of
+#   increasing cache-busting frequency.
+# * Related to ^, use no Ansible or Paver.
+# Long-term goal:
+# * Be a suitable base for production Credentials images. This may not yet be the case.
 
+# Packages installed:
+# git; Used to pull in particular requirements from github rather than pypi,
+# and to check the sha of the code checkout.
 
-ARG COMMON_CFG_DIR="/edx/etc"
-ENV CREDENTIALS_CFG_DIR="${COMMON_CFG_DIR}/credentials"
+# language-pack-en locales; ubuntu locale support so that system utilities have a consistent
+# language and time zone.
 
-ARG COMMON_APP_DIR="/edx/app"
-ARG CREDENTIALS_SERVICE_NAME="xxx"
-ARG CREDENTIALS_APP_DIR="${COMMON_APP_DIR}/credentials"
-ENV CREDENTIALS_APP_DIR="${COMMON_APP_DIR}/credentials"
-ENV SUPERVISOR_APP_DIR="${COMMON_APP_DIR}/supervisor"
-ENV CREDENTIALS_VENV_DIR="${COMMON_APP_DIR}/credentials/venvs/credentials"
-ARG SUPERVISOR_VENV_DIR="${SUPERVISOR_APP_DIR}/venvs/supervisor"
-ARG SUPERVISOR_AVAILABLE_DIR="${SUPERVISOR_APP_DIR}/conf.available.d"
-ARG SUPERVISOR_VENV_BIN="${SUPERVISOR_VENV_DIR}/bin"
-ARG SUPEVISOR_CTL="${SUPERVISOR_VENV_BIN}/supervisorctl"
-ARG SUPERVISOR_CFG_DIR="${SUPERVISOR_APP_DIR}/conf.d"
-ENV CREDENTIALS_CODE_DIR="${CREDENTIALS_APP_DIR}/credentials"
-ARG CREDENTIALS_NODEENV_DIR="${COMMON_APP_DIR}/credentials/nodeenvs/credentials"
-ARG CREDENTIALS_NODE_VERSION="16.14.0"
-ARG CREDENTIALS_NPM_VERSION="8.5.x"
-ARG SUPERVISOR_VERSION="4.2.1"
+# python; ubuntu doesnt ship with python, so this is the python we will use to run the application
 
-ENV PATH="$CREDENTIALS_VENV_DIR/bin:$PATH"
+# python3-pip; install pip to install application requirements.txt files
 
-ENV CREDENTIALS_NODEENV_DIR "${COMMON_APP_DIR}/credentials/nodeenvs/credentials"
-ENV CREDENTIALS_NODEENV_BIN "${CREDENTIALS_NODEENV_DIR}/bin"
-ENV CREDENTIALS_NODE_MODULES_DIR "${CREDENTIALS_CODE_DIR}}/node_modules"
-ENV CREDENTIALS_NODE_BIN "${CREDENTIALS_NODE_MODULES_DIR}/.bin"
+# libssl-dev; # mysqlclient wont install without this.
 
-RUN addgroup credentials
-RUN adduser --disabled-login --disabled-password credentials --ingroup credentials
+# libmysqlclient-dev; to install header files needed to use native C implementation for
+# MySQL-python for performance gains.
 
+# wget to download a watchman binary archive
 
-RUN mkdir -p "$CREDENTIALS_APP_DIR"
+# unzip to unzip a watchman binary archive
 
-# Working directory will be root of repo.
-WORKDIR ${CREDENTIALS_CODE_DIR}
-
-RUN virtualenv -p python3.8 --always-copy ${CREDENTIALS_VENV_DIR}
-RUN virtualenv -p python3.8 --always-copy ${SUPERVISOR_VENV_DIR}
+# If you add a package here please include a comment above describing what it is used for
+RUN apt-get update && \
+apt-get install -y software-properties-common && \
+apt-add-repository -y ppa:deadsnakes/ppa && apt-get update && \
+apt-get upgrade -qy && apt-get install language-pack-en locales git \
+python3.8-dev python3.8-venv libmysqlclient-dev libssl-dev build-essential wget unzip -qy && \
+rm -rf /var/lib/apt/lists/*
 
+# Create Python env
+ENV VIRTUAL_ENV=/edx/app/credentials/venvs/credentials
+RUN python3.8 -m venv $VIRTUAL_ENV
+ENV PATH="$VIRTUAL_ENV/bin:$PATH"
 
-ENV PATH "${CREDENTIALS_NODEENV_DIR}/bin:$PATH"
-# No need to activate credentials venv as it is already in path
+# Create Node env
 RUN pip install nodeenv
+ENV NODE_ENV=/edx/app/credentials/nodeenvs/credentials
+RUN nodeenv $NODE_ENV --node=16.14.0 --prebuilt
+ENV PATH="$NODE_ENV/bin:$PATH"
+RUN npm install -g [email protected]
 
-#install supervisor and deps in its virtualenv
-RUN . ${SUPERVISOR_VENV_BIN}/activate && \
-  pip install supervisor==${SUPERVISOR_VERSION} backoff==1.4.3 boto==2.48.0 && \
-  deactivate
-
-RUN nodeenv ${CREDENTIALS_NODEENV_DIR} --node=${CREDENTIALS_NODE_VERSION} --prebuilt
-RUN npm install -g npm@${CREDENTIALS_NPM_VERSION}
-
-# Copy just JS requirements and install them.
-COPY package.json package.json
-COPY package-lock.json package-lock.json
-RUN npm install --production
-
-# create supervisor job
-COPY /configuration_files/supervisor.conf /etc/systemd/system/supervisor.service
-COPY /configuration_files/supervisorctl ${SUPERVISOR_VENV_BIN}/supervisorctl
-
-# Copy just Python requirements & install them.
-COPY requirements ${CREDENTIALS_CODE_DIR}/requirements
-COPY Makefile ${CREDENTIALS_CODE_DIR}
-
-#Configurations from edx_service task
-RUN mkdir ${CREDENTIALS_APP_DIR}/data/
-RUN mkdir ${CREDENTIALS_APP_DIR}/staticfiles/
-RUN mkdir -p /edx/var/credentials/
-# Log dir
-RUN mkdir -p /edx/var/log/
-
-
-ENV CREDENTIALS_CFG="${COMMON_CFG_DIR}/credentials.yml"
-COPY configuration_files/credentials.yml ${CREDENTIALS_CFG}
-
-# credentials service config commands below
-RUN pip install -r ${CREDENTIALS_CODE_DIR}/requirements/production.txt
-
-# After the requirements so changes to the code will not bust the image cache
-COPY . ${CREDENTIALS_CODE_DIR}/
-
-COPY scripts/devstack.sh "$CREDENTIALS_APP_DIR/devstack.sh"
-# Enable supervisor script
-COPY scripts/credentials.sh $CREDENTIALS_APP_DIR/credentials.sh
-COPY /configuration_files/credentials.conf ${SUPERVISOR_AVAILABLE_DIR}/credentials.conf
-COPY /configuration_files/credentials.conf ${SUPERVISOR_CFG_DIR}/credentials.conf
-# Manage.py symlink
-COPY /manage.py /edx/bin/manage.credentials
-
-RUN chown credentials:credentials "$CREDENTIALS_APP_DIR/devstack.sh" && chmod a+x "$CREDENTIALS_APP_DIR/devstack.sh"
-
-# placeholder file for the time being unless devstack provisioning scripts need it.
-RUN touch ${CREDENTIALS_APP_DIR}/credentials_env
-# Expose ports.
-EXPOSE 18150
-
-
-FROM app as production
-
+RUN locale-gen en_US.UTF-8
+ENV LANG en_US.UTF-8
+ENV LANGUAGE en_US:en
+ENV LC_ALL en_US.UTF-8
 ENV DJANGO_SETTINGS_MODULE credentials.settings.production
 
-COPY scripts/credentials.sh "$CREDENTIALS_APP_DIR/credentials.sh"
-
-ENTRYPOINT ["/edx/app/credentials/credentials.sh"]
-
-
-FROM app as dev
-
-# credentials service config commands below
-RUN pip install -r ${CREDENTIALS_CODE_DIR}/requirements/dev.txt
-
-
+EXPOSE 18150
+RUN useradd -m --shell /bin/false app
+
+# Install watchman
+RUN wget https://github.com/facebook/watchman/releases/download/v2020.08.17.00/watchman-v2020.08.17.00-linux.zip
+RUN unzip watchman-v2020.08.17.00-linux.zip
+RUN mkdir -p /usr/local/{bin,lib} /usr/local/var/run/watchman
+RUN cp watchman-v2020.08.17.00-linux/bin/* /usr/local/bin
+RUN cp watchman-v2020.08.17.00-linux/lib/* /usr/local/lib
+RUN chmod 755 /usr/local/bin/watchman
+RUN chmod 2777 /usr/local/var/run/watchman
+
+# Now install credentials
+WORKDIR /edx/app/credentials/credentials
+
+# Copy the requirements explicitly even though we copy everything below
+# this prevents the image cache from busting unless the dependencies have changed.
+COPY requirements/production.txt /edx/app/credentials/credentials/requirements/production.txt
+COPY requirements/pip_tools.txt /edx/app/credentials/credentials/requirements/pip_tools.txt
+
+# Dependencies are installed as root so they cannot be modified by the application user.
+RUN pip install -r requirements/pip_tools.txt
+RUN pip install -r requirements/production.txt
+
+RUN mkdir -p /edx/var/log
+
+# Code is owned by root so it cannot be modified by the application user.
+# So we copy it before changing users.
+USER app
+
+# Gunicorn 19 does not log to stdout or stderr by default. Once we are past gunicorn 19, the logging to STDOUT need not be specified.
+CMD gunicorn --workers=2 --name credentials -c /edx/app/credentials/credentials/credentials/docker_gunicorn_configuration.py --log-file - --max-requests=1000 credentials.wsgi:application
+
+# This line is after the requirements so that changes to the code will not
+# bust the image cache
+COPY . /edx/app/credentials/credentials
+
+# We don't switch back to the app user for devstack because we need devstack users to be
+# able to update requirements and generally run things as root.
+FROM base as dev
+USER root
 ENV DJANGO_SETTINGS_MODULE credentials.settings.devstack
+RUN pip install -r /edx/app/credentials/credentials/requirements/dev.txt
+
+# Temporary compatibility hack while devstack is supporting
+# both the old `edxops/credentials` image and this image:
+# Add in a dummy ../credentials_env file.
+# The credentials_env file was originally needed for sourcing to get
+# environment variables like DJANGO_SETTINGS_MODULE, but now we just set
+# those variables right in the Dockerfile.
+RUN touch ../credentials_env
 
-ENTRYPOINT ["/edx/app/credentials/devstack.sh"]
-CMD ["start"]
+CMD while true; do python ./manage.py runserver 0.0.0.0:18150; sleep 2; done