diff --git a/Dockerfile b/Dockerfile index 4e084be..868a9a7 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -# vim: ft=Dockerfile sw=4 ts=4 expandtab +# vim: ft=dockerfile ts=4 sw=4 expandtab ############################################################################### # # Multi-stage Python 3.x build @@ -8,7 +8,7 @@ # OPTIMAL=1 . enable profile-guided-optimizations (PGO) # PYTHON_VERSION=3.5.3 # -# ** NOTE **: +# ** NOTE **: # . LTO requires PGO # . ensure both variables are unset for typical builds # @@ -31,7 +31,8 @@ # ############################################################################### -FROM gcr.io/google-containers/debian-base-amd64:0.2 as runtime +#FROM gcr.io/google-containers/debian-base-amd64:v2.0.0 as runtime +FROM debian:buster-slim as base ENV PATH /usr/local/bin:$PATH @@ -43,12 +44,14 @@ ENV LANG C.UTF-8 COPY ./init-functions /lib/lsb/ RUN set -ex \ - && apt-mark unhold apt gnupg libcap2 libsemanage1 passwd libbz2-1.0\ - && runDeps='curl gnupg libsqlite3-0 zlib1g libexpat1 bash tcpdump procps less binutils libbz2-1.0 netcat-openbsd git' \ - && apt-get -qq update; apt-get install -y $runDeps \ - && find /usr -type f -name "*.so" -exec strip --strip-unneeded {} + \ - && apt-get remove binutils --purge -y -qq \ - && find /var/lib/apt/lists \ + && apt update \ + && apt -y upgrade \ + && apt-mark unhold apt libcap2 libsemanage1 passwd \ + && apt-get install --no-install-recommends -qq -y ca-certificates libsqlite3-0 zlib1g libexpat1 bash procps less libbz2-1.0 netcat-openbsd git binutils \ + && find /usr -type f -name "*.so" -exec strip --strip-unneeded {} + \ + && apt-get remove -qq --allow-remove-essential --purge -y -qq \ + binutils e2fsprogs e2fslibs libx11-6 libx11-data \ + && find /var/lib/apt/lists \ /usr/share/man \ /usr/share/doc \ /var/log \ 
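Review bot: The new base in the `@@ -31,7 +31,8 @@` hunk, `FROM debian:buster-slim as base`, is a floating tag, so two builds of the same commit can start from different root filesystems; the `FROM alpine as source-download` added in the `@@ -60,28 +63,45 @@` hunk carries no tag at all. Pinning both by digest, e.g. `FROM debian:buster-slim@sha256:<digest-of-the-reviewed-image> as base`, makes the base a reviewed input instead of whatever the registry serves on build day. The commented-out `#FROM gcr.io/google-containers/debian-base-amd64:v2.0.0 as runtime` line can be dropped, since the history already records the old base.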
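Review bot: `apt update` followed by `apt -y upgrade` in the `@@ -43,12 +44,14 @@` hunk makes the installed package set depend on the build date, and `apt` itself warns that its command-line interface is not stable for scripts; `&& apt-get update \` on its own, with fixes picked up by bumping a pinned base image, keeps the layer reproducible. The install list still carries `netcat-openbsd`, `git`, `less` and `procps` into the runtime image although the commit already drops `tcpdump`, `curl` and `gnupg`; if nothing at runtime needs them, leaving them out reduces what is available inside a compromised container. `--allow-remove-essential` deserves a one-line comment naming the package that requires it and why removing it is safe here, so a later reader does not take the flag for an accident. The RUN instruction continues past the end of the hunk.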
@@ -60,28 +63,45 @@ RUN set -ex \ LABEL stage RUNTIME ############################################################################### -FROM runtime as build-setup +FROM scratch as runtime -ADD gnupg/pubring.gpg gnupg/trustdb.gpg /root/.gnupg/ +ENV PATH /usr/local/bin:$PATH -RUN set -ex \ - && mkdir -p /root/.gnupg \ - && chmod 700 /root/.gnupg \ - && buildDeps='libsqlite3-dev zlib1g-dev libexpat1-dev libssl-dev xz-utils dpkg-dev binutils libbz2-dev libreadline-dev' \ - && apt-get -qq update; apt-get -qq -y install ${buildDeps} +# http://bugs.python.org/issue19846 +# > At the moment, setting "LANG=C" on a Linux system *fundamentally breaks Python 3*, and that's not OK. +ENV LANG C.UTF-8 + +COPY ./init-functions /lib/lsb/ + +COPY --from=base / / + +############################################################################### +FROM alpine as source-download ARG PYTHON_VERSION +ENV PYTHON_VERSION ${PYTHON_VERSION} -RUN curl -L -o /python.tar.xz "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz" \ - && curl -L -o /python.tar.xz.asc "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.asc" \ - && gpg --keyserver ha.pool.sks-keyservers.net --refresh-keys 2>&1 | egrep -v 'requesting key|not changed' \ - && gpg --batch --verify /python.tar.xz.asc /python.tar.xz \ - && mkdir -p /usr/src/python \ - && tar -xJC /usr/src/python --strip-components=1 -f /python.tar.xz +ENV SRCDIR /python +RUN apk add curl +RUN mkdir -p /python /build \ + && tar -xJC ${SRCDIR} --strip-components=1 -f <( curl -sL "https://www.python.org/ftp/python/${PYTHON_VERSION}/Python-${PYTHON_VERSION}.tar.xz" ) +############################################################################### +FROM runtime as build-setup + +WORKDIR /python + +RUN apt-get update +RUN apt-get -y install --no-install-recommends \ + libsqlite3-dev zlib1g-dev libexpat1-dev \ + libssl-dev xz-utils dpkg-dev binutils libbz2-dev \ + libreadline-dev 
libffi-dev libncurses5 \ + libncurses5-dev libncursesw5 openssl \ + gcc g++ make autoconf libtool \ + dpkg-dev + LABEL stage BUILD-SETUP -LABEL version ${PYTHON_VERSION} ############################################################################### FROM build-setup as builder 
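Review bot: The new `source-download` stage unpacks the Python tarball without any integrity check: the `gpg --batch --verify` step among the removed lines has no replacement, so the interpreter is built from whatever the URL returns. `curl -sL` has no `-f`, so an HTTP error body would be fed to tar, and the `<( … )` process substitution is a bash feature that I would not expect Alpine's default `/bin/sh` to accept, which makes it doubtful that this RUN works as written. The version below downloads to a file, fails on HTTP errors, and compares a SHA-256 passed as a build argument (recorded from a copy whose signature was checked) before unpacking; an unset argument fails the build. The same commit still updates `gnupg/pubring.gpg` and adds `gnupg/pubring.gpg~` and `gnupg/tofu.db`, which no stage in the visible hunks uses any more.

```dockerfile
FROM alpine as source-download
# … unchanged: ARG/ENV PYTHON_VERSION, ENV SRCDIR …

# Expected SHA-256 of Python-${PYTHON_VERSION}.tar.xz, supplied with --build-arg.
ARG PYTHON_SHA256

RUN apk add --no-cache curl
RUN set -ex \
    && mkdir -p /python /build \
    && curl -fsSL -o /python.tar.xz \
        "https://www.python.org/ftp/python/${PYTHON_VERSION}/Python-${PYTHON_VERSION}.tar.xz" \
    && echo "${PYTHON_SHA256}  /python.tar.xz" | sha256sum -c - \
    && tar -xJC "${SRCDIR}" --strip-components=1 -f /python.tar.xz \
    && rm /python.tar.xz
```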
@@ -90,36 +110,42 @@ ARG BUILD_ARGS ARG PYTHON_VERSION ENV LANG C.UTF-8 +ENV CFLAGS -I/usr/include/openssl + +WORKDIR /build + +COPY --from=source-download /python /python + RUN set -ex \ - && cd /usr/src/python \ - && gnuArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)" \ + && gnuArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)" \ && [ $(( ` echo $PYTHON_VERSION | cut -d"." -f1 ` )) -lt 3 ] && BUILD_ARGS="" \ - ; ./configure \ - --build="$gnuArch" \ - --enable-loadable-sqlite-extensions \ - --enable-shared \ - --with-system-expat \ - --with-system-ffi \ - --without-ensurepip ${BUILD_ARGS} \ - && make -j $(( 1 * $( egrep '^processor[[:space:]]+:' /proc/cpuinfo | wc -l ) )) \ - && make install + ; ../python/configure \ + --build="$gnuArch" \ + --enable-loadable-sqlite-extensions \ + --enable-shared \ + --with-system-expat \ + --with-system-ffi \ + --without-ensurepip ${BUILD_ARGS} + +RUN make -j $(( 1 * $( egrep '^processor[[:space:]]+:' /proc/cpuinfo | wc -l ) )) \ + && make install RUN set -ex \ find /usr/local -type f -name "*.so" -exec strip --strip-unneeded {} + \ & ldconfig \ & find /usr/local -depth \ - \( \ - \( -type d -a \( -name test -o -name tests -o -name __pycache__ \) \) \ - -o \ - \( -type f -a \( -name '*.pyc' -o -name '*.pyo' \) \) \ - -o \ - \( -name "idle*" \) \ - \) -exec rm -rf '{}' + \ + \( \ + \( -type d -a \( -name test -o -name tests -o -name __pycache__ \) \) \ + -o \ + \( -type f -a \( -name '*.pyc' -o -name '*.pyo' \) \) \ + -o \ + \( -name "idle*" \) \ + \) -exec rm -rf '{}' + \ && find /var/lib/apt/lists \ /usr/share/man \ /usr/share/doc \ /var/log \ - -type f -exec rm -f {} + + -type f -exec rm -f {} + # make some useful symlinks that are expected to exist RUN ["/bin/bash", "-c", "if [[ $( echo ${PYTHON_VERSION} | cut -d'.' -f1 ) == '3' ]]; then cd /usr/local/bin && ln -sf pydoc3 pydoc && ln -sf python3 python && ln -sf python3-config python-config; fi"] 
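Review bot: The cleanup RUN that this hunk re-indents does not run its first two commands as intended: there is no `&&` after `set -ex \`, so `find /usr/local -type f -name "*.so" -exec strip …` becomes arguments to `set`, and the single `&` in `& ldconfig \` and `& find /usr/local -depth \` backgrounds what precedes it instead of chaining. The shared objects under /usr/local are therefore never stripped, and `ldconfig` runs concurrently with the deletions with its exit status ignored. Since these lines are being touched anyway, change them to `&& find /usr/local -type f -name "*.so" -exec strip --strip-unneeded {} + \`, `&& ldconfig \` and `&& find /usr/local -depth \`.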
@@ -131,29 +157,29 @@ LABEL version ${PYTHON_VERSION} FROM builder as post-build # if this is called "PIP_VERSION", pip explodes with "ValueError: invalid truth value ''" -ENV PYTHON_PIP_VERSION 9.0.1 +ENV PYTHON_PIP_VERSION 22.2.2 + -COPY ./ipython_config.py / +ADD https://bootstrap.pypa.io/get-pip.py . RUN set -ex; ldconfig -RUN set -ex; curl -sL -o get-pip.py 'https://bootstrap.pypa.io/get-pip.py'; RUN set -ex; python get-pip.py \ --disable-pip-version-check \ - --no-cache-dir \ - "pip==$PYTHON_PIP_VERSION"; pip --version + --no-cache-dir; \ + pip --version + # "pip==$PYTHON_PIP_VERSION"; -RUN mkdir -p $HOME/.ipython/profile_default ; -RUN mv ipython_config.py $HOME/.ipython/profile_default/. ; -RUN pip install 'ipython<6' ipdb RUN set -ex; \ find /usr/local -depth \ \( \ \( -type d -a \( -name test -o -name tests -o -name __pycache__ \) \) \ - -o \ - \( -type f -a \( -name '*.pyc' -o -name '*.pyo' -o -name '*.exe' \) \) \ + -o \ + \( -type f -a \( -name '*.pyc' -o -name '*.pyo' -o -name '*.exe' \) \) \ \) -exec rm -rf '{}' +; +RUN set -ex; \ + find /usr/share/ RUN rm -rf /root/.cache ARG PYTHON_VERSION @@ -161,10 +187,10 @@ LABEL stage POST-BUILD LABEL version ${PYTHON_VERSION} ############################################################################### -FROM runtime +FROM runtime as release COPY --from=post-build /usr/local /usr/local -COPY --from=post-build /root /root +COPY --from=post-build /root/* /root/ RUN /sbin/ldconfig @@ -172,4 +198,4 @@ LABEL stage FINAL ARG PYTHON_VERSION LABEL version ${PYTHON_VERSION} -CMD ["ipython"] +CMD ["python"] diff --git a/LICENSE b/LICENSE new file mode 100644 index 0000000..76703c4 --- /dev/null +++ b/LICENSE 
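Review bot: `ADD https://bootstrap.pypa.io/get-pip.py .` fetches a script that the next RUN executes (as root, as far as the visible stages show) with nothing tying it to known content; BuildKit's `ADD --checksum=sha256:<digest-of-the-reviewed-get-pip.py> https://bootstrap.pypa.io/get-pip.py .` fails the build if the file changes. The version pin is also gone: `ENV PYTHON_PIP_VERSION 22.2.2` is set, but `"pip==$PYTHON_PIP_VERSION"` is now only a comment, so get-pip.py installs whichever pip is current; passing it again after `--no-cache-dir` restores the pin. The added `RUN set -ex; find /usr/share/` only prints a listing into the build log and changes nothing in the image, so if it was a debugging aid it can go.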
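Review bot: No `USER` instruction is visible between `FROM runtime as release` in the `@@ -161,10 +187,10 @@` hunk and the `CMD ["python"]` of the following hunk, nor in the visible parts of the `base` and `runtime` stages it derives from, so the interpreter presumably starts as root. If the image is run directly and not only used as a parent for other images, creating an unprivileged account in the `base` stage and ending the release stage with something like `USER 10001:10001` limits what a compromised Python process can do inside the container. `COPY --from=post-build /root/* /root/` also carries the build stage's root home into the release image, so it is worth confirming that only the intended files are left there.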
@@ -0,0 +1,29 @@
+BSD 3-Clause License
+
+Copyright (c) 2022, Revolution Systems, LLC
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+1. Redistributions of source code must retain the above copyright notice, this
+ list of conditions and the following disclaimer.
+
+2. Redistributions in binary form must reproduce the above copyright notice,
+ this list of conditions and the following disclaimer in the documentation
+ and/or other materials provided with the distribution.
+
+3. Neither the name of the copyright holder nor the names of its
+ contributors may be used to endorse or promote products derived from
+ this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
diff --git a/Makefile b/Makefile
index f2703bf..519d02a 100644
--- a/Makefile
+++ b/Makefile
@@ -1,16 +1,18 @@ -.PHONY: image push-image build-image optimal +.PHONY: image push-image build-image optimal buil-builder include .version PYTHON_VERSION ?= 3.6.2 -FUCKOFF = ${MAJOR_VERSION} TAG = ${PYTHON_VERSION}-wee -IMAGE_TAG = ${IMAGE}:${TAG} +IMAGE_TAG = ${IMAGE}:${TAG}${TAG_SUFFIX} +LATEST = ${IMAGE}:latest -BUILD_ARGS = +PLATFORMS ?= linux/amd64 + +TARGETS := --platform ${PLATFORMS} ifdef PKG_PROXY PROXY_ARGS := --build-arg=http_proxy=${PKG_PROXY} --build-arg=https_proxy=${PKG_PROXY} @@ -36,12 +38,21 @@ ifdef LTO endif -build-image: +ifndef DOCKERFILE + DOCKERFILE := ./Dockerfile +endif + +TAG_SUFFIX ?= + +build-builder: + docker buildx build ${PROXY_ARGS} ${TARGETS} --cache-from=type=registry,ref=${LATEST} --cache-to=type=registry,ref=${LATEST},mode=max -f ${DOCKERFILE} --build-arg=PYTHON_VERSION=${PYTHON_VERSION} --build-arg=BUILD_ARGS="${BUILD_ARGS}" --target builder -t ${IMAGE_TAG} . + +build-image: build-builder @echo building ${IMAGE_TAG} - @docker build ${PROXY_ARGS} --build-arg=PYTHON_VERSION=${PYTHON_VERSION} --build-arg=BUILD_ARGS="${BUILD_ARGS}" -t ${IMAGE_TAG} --compress . + docker buildx build ${PROXY_ARGS} ${TARGETS} --cache-from=type=registry,ref=${LATEST} -f ${DOCKERFILE} --build-arg=PYTHON_VERSION=${PYTHON_VERSION} --build-arg=BUILD_ARGS="${BUILD_ARGS}" --load -t ${IMAGE_TAG} . push-image: @echo pushing ${IMAGE_TAG} - @docker push ${IMAGE_TAG} + docker buildx build ${PROXY_ARGS} ${TARGETS} --cache-from=type=registry,ref=${LATEST} -f ${DOCKERFILE} --build-arg=PYTHON_VERSION=${PYTHON_VERSION} --build-arg=BUILD_ARGS="${BUILD_ARGS}" --push -t ${IMAGE_TAG} . -image: build-image push-image +image: push-image diff --git a/gnupg/crls.d/DIR.txt b/gnupg/crls.d/DIR.txt new file mode 100644 index 0000000..2a29a47 --- /dev/null +++ b/gnupg/crls.d/DIR.txt @@ -0,0 +1 @@ +v:1: diff --git a/gnupg/pubring.gpg b/gnupg/pubring.gpg index 613e7bd..6ceb2ba 100644 Binary files a/gnupg/pubring.gpg and b/gnupg/pubring.gpg differ 
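Review bot: The `.PHONY` line in the `@@ -1,16 +1,18 @@` hunk names `buil-builder`, but the target added in the next hunk is `build-builder`, so the new target is not actually declared phony; the line should read `.PHONY: image push-image build-image optimal build-builder`. With the typo, a file or directory called `build-builder` in the tree would make the target look up to date and skip the builder-stage build.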
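Review bot: `build-builder` in the `@@ -36,12 +38,21 @@` hunk exports its layer cache with `--cache-to=type=registry,ref=${LATEST},mode=max`, and `LATEST` is `${IMAGE}:latest`, so as far as I can tell the cache manifest is written over the tag that users normally pull as the image. Pointing the cache at a dedicated ref, for example `${IMAGE}:buildcache`, keeps cache and release apart. All three targets also import from that ref with `--cache-from`, which means whoever can push to it can supply layers to later builds; write access to the cache ref needs the same care as write access to the release tags. `push-image` runs its own `buildx build --push`, so what gets published is a fresh build and not necessarily the image that `build-image` loaded locally.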
diff --git a/gnupg/pubring.gpg~ b/gnupg/pubring.gpg~
new file mode 100644
index 0000000..14e8c4f
Binary files /dev/null and b/gnupg/pubring.gpg~ differ
diff --git a/gnupg/tofu.db b/gnupg/tofu.db
new file mode 100644
index 0000000..2c20cca
Binary files /dev/null and b/gnupg/tofu.db differ
diff --git a/gnupg/trustdb.gpg b/gnupg/trustdb.gpg
index 769059a..b303cb7 100644
Binary files a/gnupg/trustdb.gpg and b/gnupg/trustdb.gpg differ