etags/Dockerfile

FROM python:3.9-slim-buster AS builder
# staticx has two issues:
# 1. It does not seem to play well with alpine (at least for Python+pie).
#    In that configuration, it seems to think it's a glibc executable
# 2. It does not play well with PIE executables, see
#       https://github.com/JonathonReinhart/staticx/issues/71

RUN true \
    && apt-get update                             \
    && apt-get install --no-install-recommends -y \
         build-essential=12.6                     \
         patchelf=0.9*                            \
         zlib1g-dev=1:1.2.11*                     \
    && pip3 install scons==4.0.1                  \
    && pip3 install pyinstaller==4.1              \
                    patchelf-wrapper==1.2.0       \
                    staticx==0.12.0               \
    && rm -rf /var/lib/apt/lists/*

ARG PYINSTALLER_TAG=v4.1

# HACK to get around https://github.com/JonathonReinhart/staticx/issues/71
RUN true \
    && apt-get update                                                     \
    && apt-get install --no-install-recommends -y                         \
          git=1:2.20*                                                     \
    && git clone --depth 1 --single-branch --branch ${PYINSTALLER_TAG}    \
          https://github.com/pyinstaller/pyinstaller.git /tmp/pyinstaller \
    && cd /tmp/pyinstaller/bootloader                                     \
    && CC="gcc -no-pie" python ./waf configure --no-lsb all               \
    && cp -R /tmp/pyinstaller/PyInstaller/bootloader/*                    \
             /usr/local/lib/python*/site-packages/PyInstaller/bootloader/ \
    && rm -rf /var/lib/apt/lists/*

# # ENTRYPOINT ["etags.py"]
#
COPY requirements.txt /src/
COPY etags.py /src/

WORKDIR /src

RUN true                                        \
    && pip3 install -r requirements.txt         \
    && pyinstaller -F etags.py                  \
    && staticx                                  \
         --strip                                \
         --no-compress                          \
         -l $(find /lib -name libgcc_s.so.1)    \
         dist/etags dist/app                    \
    && chmod 755 dist/app

FROM scratch

# Allow ssl comms
COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/

# So we can set the user
COPY --from=builder /etc/passwd /etc/passwd
COPY --from=builder /etc/group /etc/group

# This should need no privileges
USER nobody:nogroup

# Environment variables that should be set
ENV AWS_DEFAULT_REGION=us-west-2
ENV AWS_ACCESS_KEY_ID=AKIAEXAMPLE
ENV AWS_SECRET_ACCESS_KEY=dummy
# Set if you're not talking to real DDB
# ENV DDB_ENDPOINT
ENV ETAGS_TABLE=etags
# Setting this variable to nothing will turn off bus notification
ENV ETAGS_BUS_NAME=

ENTRYPOINT ["/app"]

COPY --from=builder /src/dist/app /app