Dockerfile staging and speed improvements

.dockleconfig

@@ -0,0 +1,6 @@
+# This file is allows you to specify a list of files that is acceptable to Dockle
+# To allow multiple files, use a list of names. example below
+# DOCKLE_ACCEPT_FILES=file1,path/to/file2,file3/path,etc
+# https://github.com/goodwithtech/dockle#accept-suspicious-environment-variables--files--file-extensions
+# The apiflask/settings file is a stub file that apiflask creates, and has no sensitive data in. We are ignoring it since it is unused
+DOCKLE_ACCEPT_FILES=app/.venv/lib/python3.11/site-packages/apiflask/settings.py 

.grype.yml

@@ -0,0 +1,26 @@
+# List of vulnerabilities to ignore for the anchore scan
+# https://github.com/anchore/grype#specifying-matches-to-ignore
+# More info can be found in the docs/infra/vulnerability-management.md file
+
+# Please add safelists in the following format to make it easier when checking
+# Package/module name: URL to vulnerability for checking updates
+#  Versions:     URL to the version history
+#  Dependencies: Name of any other packages or modules that are dependent on this version
+#                 Link to the dependencies for ease of checking for updates
+#  Issue:         Why there is a finding and why this is here or not been removed
+#  Last checked:  Date last checked in scans
+# - vulnerability: The-CVE-or-vuln-id # Remove comment at start of line
+
+ignore:
+  # These settings ignore any findings that fall into these categories
+  - fix-state: not-fixed
+  - fix-state: wont-fix
+  - fix-state: unknown
+
+  # Certifi:       https://cve.report/CVE-2022-23491
+  #  Versions:     https://pypi.org/project/certifi/#history
+  #  Dependencies: None
+  #  Issue:        No update in the last month to resolve the finding, however the finding is showing the latest
+  #                version being the same one as the finding, with a 0 - 2022.12.7 (latest) vs 2022.12.07 (non-existent version)
+  #  Last checked: 02-02-2023
+  - vulnerability: GHSA-43fp-rhv2-5gv8

.hadolint.yaml

@@ -0,0 +1,10 @@
+# List of settings and ignore or safelist findings for the hadolint scanner
+
+# For more information on any settings you can specify, see the actions' documentation here
+# https://github.com/hadolint/hadolint#configure
+override:
+  info: 
+    # Casts the apt-get install <package>=<version> finding as info
+    # We have this set since there is no way to specify version for
+    #  build-essentials in the Dockerfile
+    - DL3008 

.trivyignore

@@ -0,0 +1,9 @@
+# List of vulnerabilities to ignore for the trivy scan
+# Please add safelists in the following format to make it easier when checking
+# Package/module name: URL to vulnerability for checking updates
+#  Versions:     URL to the version history
+#  Dependencies: Name of any other packages or modules that are dependent on this version
+#                 Link to the dependencies for ease of checking for updates
+#  Issue:         Why there is a finding and why this is here or not been removed
+#  Last checked:  Date last checked in scans
+#The-CVE-or-vuln-id # Remove comment at start of line

Makefile

@@ -0,0 +1,49 @@
+# PROJECT_NAME defaults to name of the current directory.
+PROJECT_NAME ?= $(notdir $(PWD))
+
+# For now only support a single app in the folder `app/` within the repo
+# In the future, support multiple apps, and which app is being operated
+# on will be determined by the APP_NAME Makefile argument
+APP_NAME ?= app
+
+
+.PHONY : \
+	release-build \
+	release-image-name \
+	release-image-tag \
+	help
+
+########################
+## Release Management ##
+########################
+
+# Include project name in image name so that image name
+# does not conflict with other images during local development
+IMAGE_NAME := $(PROJECT_NAME)-$(APP_NAME)
+
+GIT_REPO_AVAILABLE := $(shell git rev-parse --is-inside-work-tree 2>/dev/null)
+
+# Generate a unique tag based solely on the git hash.
+# This will be the identifier used for deployment via terraform.
+ifdef GIT_REPO_AVAILABLE
+IMAGE_TAG := $(shell git rev-parse HEAD)
+else
+IMAGE_TAG := "unknown-dev.$(DATE)"
+endif
+
+# Generate an informational tag so we can see where every image comes from.
+DATE := $(shell date -u '+%Y%m%d.%H%M%S')
+INFO_TAG := $(DATE).$(USER)
+
+release-build:
+	cd $(APP_NAME) && $(MAKE) release-build \
+		OPTS="--tag $(IMAGE_NAME):latest --tag $(IMAGE_NAME):$(IMAGE_TAG)"
+
+release-image-name: ## Prints the image name of the release image
+	@echo $(IMAGE_NAME)
+
+release-image-tag: ## Prints the image tag of the release image
+	@echo $(IMAGE_TAG)
+
+help: ## Prints the help documentation and info about each command
+	@grep -E '^[/a-zA-Z0-9_-]+:.*?## .*$$' $(MAKEFILE_LIST) | sort | awk 'BEGIN {FS = ":.*?## "}; {printf "\033[36m%-30s\033[0m %s\n", $$1, $$2}'

app/Dockerfile

@@ -2,26 +2,47 @@
 # https://hub.docker.com/_/python
 
 # The build stage that will be used to deploy to the various environments
-# needs to be called `release` in order to integrate with the repo's
-# top-level Makefile
-FROM python:3-slim AS release
-
-# Install poetry, the package manager.
-# https://python-poetry.org
-RUN pip install poetry
+# This is what the other stages will call as their base
+FROM python:3.11-slim-bullseye AS build
 
+# Keep container packages up-to-date.
 RUN apt-get update \
     && apt-get install --no-install-recommends --yes \
     build-essential \
     libpq-dev \
     postgresql
 
+# Install poetry, the package manager.
+# https://python-poetry.org
+RUN pip install --no-cache-dir poetry==1.3.1
+
+# setup user stuff
+ARG RUN_UID
+ARG RUN_USER
+
+RUN : "${RUN_USER:?RUN_USER and RUN_UID need to be set and non-empty.}" && \
+    [ "${RUN_USER}" = "root" ] || \
+    (useradd -mU --home "/home/${RUN_USER}" --uid ${RUN_UID} "${RUN_USER}" \
+    && mkdir /app \
+    && chown -R ${RUN_UID} "/home/${RUN_USER}" /app)
+
+USER ${RUN_USER}
+
+#-------------------------------------------------------------------------------
+# Development build environment
+#-------------------------------------------------------------------------------
+FROM build as dev
+
+ARG RUN_USER
+
+USER ${RUN_USER}
+
 # Set the application working directory.
 WORKDIR /srv
 
 COPY pyproject.toml poetry.lock ./
 RUN poetry config virtualenvs.in-project false && poetry env use python
-RUN poetry install --no-root
+RUN poetry install --no-root --with app,dev
 
 # Copy application files.
 COPY . /srv
@@ -33,5 +54,64 @@ ENV HOST=0.0.0.0
 # Install application dependencies.
 # https://python-poetry.org/docs/basic-usage/#installing-dependencies
 RUN poetry install
+
 # Run the application.
 CMD ["poetry", "run", "python", "-m", "api"]
+
+#-------------------------------------------------------------------------------
+# Non-development build environment
+#-------------------------------------------------------------------------------
+FROM build as app-build
+
+ARG RUN_USER
+USER ${RUN_USER}
+
+# Set the application working directory.
+WORKDIR /app
+
+# install dependencies
+# use a project-local virtualenv to be easy to find
+ENV POETRY_VIRTUALENVS_IN_PROJECT true
+COPY pyproject.toml poetry.lock ./
+RUN poetry install --no-root --with app --without dev
+
+COPY . ./
+
+# Install application dependencies
+# The name of the wheel file comes from pyproject.toml
+RUN poetry build --format wheel && poetry run pip install 'dist/template_application_flask-0.1.0-py3-none-any.whl'
+
+#-------------------------------------------------------------------------------
+# Application only
+#-------------------------------------------------------------------------------
+# now copy over just the installed components into the final image
+FROM scratch as release
+
+ARG RUN_USER
+USER ${RUN_USER}
+
+COPY --from=app-build /etc/passwd /etc/group /etc/
+COPY --from=app-build /app/.venv /app/.venv
+
+# Include GPG for the DOR Import task.
+# Ideally this isn't included for every other ECS task/service, but we'll do it for now.
+
+COPY --from=app-build /usr/share/ca-certificates/* /usr/share/ca-certificates/
+COPY --from=app-build /usr/local/bin/python* /usr/local/bin/
+
+# Include etc files that link to /usr/local/lib/
+COPY --from=app-build /etc/ld.so.conf /etc/ld.so.cache /etc/
+COPY --from=app-build /etc/ld.so.conf.d/ /etc/ld.so.conf.d/
+
+# Include required libs
+COPY --from=app-build /usr/lib/x86_64-linux-gnu/ /usr/lib/x86_64-linux-gnu/
+COPY --from=app-build /lib/* /lib/
+COPY --from=app-build /usr/local/lib/ /usr/local/lib/
+COPY --from=app-build /usr/local/include/python* /usr/local/include/
+COPY --from=app-build /lib64/* /lib64/
+COPY --from=app-build --chown=${RUN_USER} /tmp/ /tmp/
+
+ENV PATH="/app/.venv/bin:$PATH"
+
+# run the application
+CMD ["run-api"]

app/Makefile

@@ -33,15 +33,37 @@ else
 PY_RUN_CMD := docker-compose run $(DOCKER_EXEC_ARGS) --rm $(APP_NAME) poetry run
 endif
 
+# Docker user configuration
+#
+# Can be set by adding user=<username> and/ or uid=<id> to make command.
+#
+# If variables are not set explicitly: try looking up values from current
+# environment, otherwise fixed defaults.
+#
+# uid= defaults to 0 if user= set (which makes sense if user=root, otherwise you
+# probably want to set uid as well).
+#
+# Tested to work consistently on popular Linux flavors and Mac.
+ifeq ($(user),)
+RUN_USER ?= $(or $(strip $(USER)),nodummy)
+RUN_UID ?= $(or $(strip $(shell id -u)),4000)
+else
+RUN_USER = $(user)
+RUN_UID = $(or $(strip $(uid)),0)
+endif
+
+export RUN_USER
+export RUN_UID
+
 ##################################################
 # API Build & Run
 ##################################################
 
 build:
-	docker-compose build
+	docker-compose build $(APP_NAME)
 
 start:
-	docker-compose up --detach
+	docker-compose up --detach $(APP_NAME)
 
 run-logs: start
 	docker-compose logs --follow --no-color $(APP_NAME)
@@ -177,6 +199,21 @@ lint-security: # https://bandit.readthedocs.io/en/latest/index.html
 create-user-csv:
 	$(PY_RUN_CMD) create-user-csv
 
+
+##################################################
+# Release Management
+##################################################
+
+release-build:
+	docker buildx build \
+		--target release \
+		--platform=linux/amd64 \
+		$(OPTS) \
+		--build-arg RUN_USER=container \
+		--build-arg RUN_UID=4000 \
+		.
+
+
 ##################################################
 # Miscellaneous Utilities
 ##################################################

app/local.env

@@ -78,4 +78,4 @@ AWS_DEFAULT_REGION=us-east-1
 ############################
 # Example CSV Generation
 ############################
-USER_ROLE_CSV_OUTPUT_PATH = ./
+USER_ROLE_CSV_OUTPUT_PATH=./