Closed Tomaszal closed 1 year ago
glpatcern
commented
1 year ago Hi @Tomaszal, thanks, with @vascoguita we have reviewed this and we rather propose to use slim-buster for all platforms to simplify the CI and avoid duplication. Can you approve the PR?
vascoguita
commented
1 year ago Hi @Tomaszal, thanks, with @vascoguita we have reviewed this and we rather propose to use
slim-busterfor all platforms to simplify the CI and avoid duplication. Can you approve the PR?
Tomaszal
commented
1 year ago Hi @Tomaszal, thanks, with @vascoguita we have reviewed this and we rather propose to use
slim-busterfor all platforms to simplify the CI and avoid duplication. Can you approve the PR?
Done, also switched apk to apt package manager, as that's what the base image uses
micbar
commented
1 year ago @glpatcern This is bad from a maintainablility POV
I wanted to avoid a big docker base image like debian because it is badly maintained and has too many vulnerabilities.
See my trivy scan report
python:3.10-slim-buster (debian 10.13)
Total: 130 (UNKNOWN: 0, LOW: 87, MEDIUM: 19, HIGH: 23, CRITICAL: 1)python:3.10-alpine (alpine 3.17.1)
Total: 16 (UNKNOWN: 0, LOW: 0, MEDIUM: 14, HIGH: 2, CRITICAL: 0)This will pop up on every customer security scan in the future. In my opinion, we should not "call for trouble" if we do not need to.
Can we find something better maintained?
glpatcern
commented
1 year ago See my trivy scan report
All right, understood. Let's cook something tailored for arm64.
The original PR indeed had all separated, but with quite some duplication. I see we can at least parameterize the Dockerfile.
Tomaszal
commented
1 year ago I've seen that the job failed on the master branch after the latest commit so I checked the logs. It seems the build arguments aren't properly set. Currently they are comma separated (--build-arg VERSION=v9.4.1,BASEIMAGE=python:3.10-slim-buster), but according to the documentation, they need to be specified individually (--build-arg VERSION=v9.4.1 --build-arg BASEIMAGE=python:3.10-slim-buster). I think the parent workflow in reva repository needs to be modified first to fix this.
glpatcern
commented
1 year ago @Tomaszal good catch, we fixed the build arguments in master (and previously I merged this PR to master to ease the debugging process, though it's not yet complete). Now the build complains because presumably apt -y g++ fails in the Dockerfile. Can you have a look?
For reference: https://github.com/cs3org/wopiserver/actions/runs/4142747553
Tomaszal
commented
1 year ago @glpatcern this if statement doesn't seem to work, as it's still trying to run apk add. This is probably because of the single quotes in the if statement, as variables are not expanded then. Try to change them to double quotes.
glpatcern
commented
1 year ago @glpatcern this if statement doesn't seem to work
Interestingly we tried several variants of that if statement but they failed (likely because of docker's interaction with sh). You could give it a try yourself as now the release action can be fired in your fork independently from tags - at least it's configured like that.
Tomaszal
commented
1 year ago @glpatcern I see, I've tried playing around with it a bit and wasn't able to figure out why it wasn't expanding the variable correctly. However, I did come up with an alternative that should work just fine as well. Replace this if statement:
RUN if [ '$BASEIMAGE' = 'python:3.10-slim-buster' ]; then \
apt -y install g++; \
else \
apk add g++; \
fiWith this:
RUN if command -v apt &> /dev/null; then \
apt -y install g++; \
elif command -v apk &> /dev/null; then \
apk add g++; \
fiThis is probably a better solution anyway, as it doesn't require hard coding the base image name into the if statement.
glpatcern
commented
1 year ago This is probably a better solution anyway, as it doesn't require hard coding the base image name into the if statement.
Good point, thanks for this! I've pushed the change (including an extra else) and the CI is now all green :+1:
Resolves https://github.com/cs3org/wopiserver/issues/109.
Blocked by https://github.com/cs3org/reva/pull/3642.
I've never used GitHub workflows before, so I'm not 100% sure this will work as expected.
Also, I created a separate
Dockerfileforarm64as I had to switch frompython:3.11-alpinetopython:3.10-slim-busterbase image. This is because it was failing to building onalpineeven with the changes mentioned on https://github.com/grpc/grpc/issues/24722, and grpcio failed to build onpython-3.11even onslim-buster.