2021-01-06 07:25:11 +00:00
|
|
|
FROM python:3.9-slim-buster AS builder
|
|
|
|
# staticx has two issues:
|
|
|
|
# 1. It does not seem to play well with alpine (at least for Python+pie).
|
|
|
|
# In that configuration, it seems to think it's a glibc executable
|
|
|
|
# 2. It does not play well with PIE executables, see
|
|
|
|
# https://github.com/JonathonReinhart/staticx/issues/71
|
2021-01-05 02:23:42 +00:00
|
|
|
|
2021-01-06 07:25:11 +00:00
|
|
|
RUN true \
|
|
|
|
&& apt-get update \
|
|
|
|
&& apt-get install --no-install-recommends -y \
|
|
|
|
build-essential=12.6 \
|
|
|
|
patchelf=0.9* \
|
|
|
|
&& pip3 install pyinstaller==4.1 \
|
|
|
|
scons==4.0.1 \
|
|
|
|
patchelf-wrapper==1.2.0 \
|
|
|
|
staticx==0.12.0 \
|
|
|
|
&& rm -rf /var/lib/apt/lists/*
|
2021-01-05 02:23:42 +00:00
|
|
|
|
2021-01-06 07:25:11 +00:00
|
|
|
ARG PYINSTALLER_TAG=v4.1
|
2021-01-05 02:23:42 +00:00
|
|
|
|
2021-01-06 07:25:11 +00:00
|
|
|
# HACK to get around https://github.com/JonathonReinhart/staticx/issues/71
|
|
|
|
RUN true \
|
|
|
|
&& apt-get update \
|
|
|
|
&& apt-get install --no-install-recommends -y \
|
|
|
|
git=1:2.20* \
|
|
|
|
zlib1g-dev=1:1.2.11* \
|
|
|
|
&& git clone --depth 1 --single-branch --branch ${PYINSTALLER_TAG} \
|
|
|
|
https://github.com/pyinstaller/pyinstaller.git /tmp/pyinstaller \
|
|
|
|
&& cd /tmp/pyinstaller/bootloader \
|
|
|
|
&& CC="gcc -no-pie" python ./waf configure --no-lsb all \
|
|
|
|
&& cp -R /tmp/pyinstaller/PyInstaller/bootloader/* \
|
|
|
|
/usr/local/lib/python*/site-packages/PyInstaller/bootloader/ \
|
|
|
|
&& rm -rf /var/lib/apt/lists/*
|
|
|
|
|
|
|
|
# # ENTRYPOINT ["etags.py"]
|
|
|
|
#
|
|
|
|
COPY requirements.txt /src/
|
|
|
|
COPY etags.py /src/
|
|
|
|
|
|
|
|
WORKDIR /src
|
|
|
|
|
|
|
|
RUN true \
|
|
|
|
&& pip3 install -r requirements.txt \
|
|
|
|
&& pyinstaller -F etags.py \
|
|
|
|
&& staticx \
|
|
|
|
--strip \
|
|
|
|
--no-compress \
|
|
|
|
-l /lib/x86_64-linux-gnu/libgcc_s.so.1 \
|
|
|
|
dist/etags dist/app \
|
|
|
|
&& chmod 755 dist/app
|
|
|
|
|
|
|
|
FROM scratch
|
|
|
|
|
|
|
|
# Allow ssl comms
|
|
|
|
COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
|
|
|
|
|
|
|
|
# So we can set the user
|
|
|
|
COPY --from=builder /etc/passwd /etc/passwd
|
|
|
|
COPY --from=builder /etc/group /etc/group
|
|
|
|
|
|
|
|
# This should need no privileges
|
|
|
|
USER nobody:nogroup
|
|
|
|
|
|
|
|
# Environment variables that should be set
|
|
|
|
ENV AWS_DEFAULT_REGION=us-west-2
|
|
|
|
ENV AWS_ACCESS_KEY_ID=AKIAEXAMPLE
|
|
|
|
ENV AWS_SECRET_ACCESS_KEY=dummy
|
|
|
|
# Set if you're not talking to real DDB
|
|
|
|
# ENV DDB_ENDPOINT
|
|
|
|
ENV ETAGS_TABLE=etags
|
|
|
|
# Setting this variable to nothing will turn off bus notification
|
|
|
|
ENV ETAGS_BUS_NAME=
|
|
|
|
|
|
|
|
ENTRYPOINT ["/app"]
|
|
|
|
|
|
|
|
COPY --from=builder /src/dist/app /app
|