From 3136f34c3df5c75c3a00db7c7ed329a1874a61a0 Mon Sep 17 00:00:00 2001 From: Krishnadhas N K <108367225+githubofkrishnadhas@users.noreply.github.com> Date: Fri, 15 Nov 2024 13:24:46 +0530 Subject: [PATCH 01/11] Update Dockerfile to have wget and curl --- Dockerfile | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 01ccab9..e72d2ed 100644 --- a/Dockerfile +++ b/Dockerfile @@ -17,6 +17,9 @@ RUN set -eux; \ apt-get install -y --no-install-recommends \ libbluetooth-dev \ ca-certificates \ + curl \ + wget \ + git \ netbase \ tk-dev \ uuid-dev \ @@ -94,4 +97,4 @@ RUN set -eux; \ ln -svT "$src" "/usr/local/bin/$dst"; \ done -CMD ["python3"] \ No newline at end of file +CMD ["python3"] From 13a91a9ad2145e666280779bb50f231fcf8623ab Mon Sep 17 00:00:00 2001 From: Krishnadhas N K <108367225+githubofkrishnadhas@users.noreply.github.com> Date: Fri, 15 Nov 2024 13:33:05 +0530 Subject: [PATCH 02/11] Update Dockerfile --- Dockerfile | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/Dockerfile b/Dockerfile index e72d2ed..a3057f3 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,9 +1,9 @@ -# accept Python version as a build argument -ARG PYTHON_VERSION - # using debian bookworm (v 12) as base image FROM debian:bookworm +# accept Python version as a build argument +ARG PYTHON_VERSION + # ensure local python is preferred over distribution python # This adds /usr/local/bin to the existing PATH variable. ENV PATH /usr/local/bin:$PATH From a66c8d1273dc8a7f0c20a19be210423ce4c61132 Mon Sep 17 00:00:00 2001 From: Krishnadhas N K <108367225+githubofkrishnadhas@users.noreply.github.com> Date: Fri, 15 Nov 2024 13:35:31 +0530 Subject: [PATCH 03/11] Removed sha verification --- Dockerfile | 1 - 1 file changed, 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index a3057f3..37036ca 100644 --- a/Dockerfile +++ b/Dockerfile 
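Review bot: `git` is installed into the runtime-dependency layer along with `curl` and `wget`, although the subject only names the latter two and nothing visible in the Dockerfile uses git; every extra package in a base image is attack surface that every derived image inherits, and more findings for the Trivy step the workflows run. If git is only needed by downstream images, let them install it, and consider dropping `wget` in the same layer that finishes compiling Python, since the source download is its only user. The indentation of the three added lines also looks different from the surrounding entries (patch 05 later re-indents exactly `curl` and `git`). The RUN block continues past the end of the hunk.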
@@ -33,7 +33,6 @@ ENV PYTHON_VERSION=${PYTHON_VERSION} RUN set -eux; \ \ wget -O python.tar.xz "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz"; \ - echo "$PYTHON_SHA256 *python.tar.xz" | sha256sum -c -; \ # signature file is downloaded for gg verfication and removed in latersteps wget -O python.tar.xz.asc "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.asc"; \ GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \ From 8d0035c24c4a94a84367c9be0a8ddd7759f52b33 Mon Sep 17 00:00:00 2001 From: Krishnadhas N K <108367225+githubofkrishnadhas@users.noreply.github.com> Date: Fri, 15 Nov 2024 13:39:10 +0530 Subject: [PATCH 04/11] Remove signature verification --- Dockerfile | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/Dockerfile b/Dockerfile index 37036ca..86a50e0 100644 --- a/Dockerfile +++ b/Dockerfile @@ -33,13 +33,7 @@ ENV PYTHON_VERSION=${PYTHON_VERSION} RUN set -eux; \ \ wget -O python.tar.xz "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz"; \ - # signature file is downloaded for gg verfication and removed in latersteps - wget -O python.tar.xz.asc "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz.asc"; \ - GNUPGHOME="$(mktemp -d)"; export GNUPGHOME; \ - gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$GPG_KEY"; \ - gpg --batch --verify python.tar.xz.asc python.tar.xz; \ - gpgconf --kill all; \ - rm -rf "$GNUPGHOME" python.tar.xz.asc; \ + # extracting python to specific folder /usr/src/python and removed tar file to save space mkdir -p /usr/src/python; \ tar --extract --directory /usr/src/python --strip-components=1 --file python.tar.xz; \ From 9f80e686bd3e46873a9df92c37350931b99888a1 Mon Sep 17 00:00:00 2001 
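Review bot: Deleting the `sha256sum -c` line here, and the `.asc` download plus `gpg --batch --verify` in the next hunk (patch 04), leaves `Python-$PYTHON_VERSION.tar.xz` with no integrity or authenticity check at all, so whatever the TLS connection to python.org hands back is compiled into a base image that other images inherit. The hunk header shows `PYTHON_VERSION` now comes from a build arg, and `PYTHON_SHA256` is defined nowhere visible, which presumably is why the check broke; the fix is to pass the digest the same way instead of dropping the check: `ARG PYTHON_SHA256` next to `ARG PYTHON_VERSION`, keep `echo "$PYTHON_SHA256 *python.tar.xz" | sha256sum -c -; \` right after the download, and have the workflows supply `PYTHON_SHA256` in `build-args`. The signature check is the stronger of the two and can stay as well if `GPG_KEY` is supplied the same way (it is not visibly defined either); the `gnupg` package that patch 05 adds would then actually be used. The RUN block extends beyond both hunks.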
From: githubofkrishnadhas Date: Fri, 15 Nov 2024 17:12:40 +0530 Subject: [PATCH 05/11] add c library packages for compilation --- Dockerfile | 22 ++++++++++++++++++++-- 1 file changed, 20 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index 86a50e0..611d0df 100644 --- a/Dockerfile +++ b/Dockerfile @@ -17,12 +17,30 @@ RUN set -eux; \ apt-get install -y --no-install-recommends \ libbluetooth-dev \ ca-certificates \ - curl \ + curl \ wget \ - git \ + git \ netbase \ + uuid-dev \ + dpkg-dev \ + gcc \ + gnupg \ + libbluetooth-dev \ + libbz2-dev \ + libc6-dev \ + libdb-dev \ + libffi-dev \ + libgdbm-dev \ + liblzma-dev \ + libncursesw5-dev \ + libreadline-dev \ + libsqlite3-dev \ + libssl-dev \ + make \ tk-dev \ uuid-dev \ + xz-utils \ + zlib1g-dev \ ; \ rm -rf /var/lib/apt/lists/* From d18d576144c82e4a09b093e87c44a3e496229ba9 Mon Sep 17 00:00:00 2001 From: githubofkrishnadhas Date: Fri, 15 Nov 2024 17:45:37 +0530 Subject: [PATCH 06/11] workflow for python image --- .../workflows/build-python-base-image.yaml | 66 +++++++++---------- .../build-python-image-trimmed-tag.yaml | 56 ++++++++++++++++ 2 files changed, 89 insertions(+), 33 deletions(-) create mode 100644 .github/workflows/build-python-image-trimmed-tag.yaml diff --git a/.github/workflows/build-python-base-image.yaml b/.github/workflows/build-python-base-image.yaml index 0b773f4..74162da 100644 --- a/.github/workflows/build-python-base-image.yaml +++ b/.github/workflows/build-python-base-image.yaml @@ -1,4 +1,4 @@ -name: build-publish-jenkins-jdk17-image +name: build-publish-python-image on: # push: # branches: 
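Review bot: `libbluetooth-dev` and `uuid-dev` now appear twice in the package list (the original entries at the top and bottom plus the new ones in the middle); apt tolerates duplicates, but it suggests the list was pasted rather than merged with what was already there. More importantly this puts the whole compiler toolchain and `-dev` headers (`gcc`, `make`, `libssl-dev`, `libsqlite3-dev`, ...) into the runtime layer of a base image: they are only needed while Python compiles, stay in every derived image, and add to both its size and its scan findings. The usual pattern is to install the build-only packages in the RUN that compiles Python and `apt-get purge --auto-remove` them after `make install` (keeping the runtime libraries), or to compile in a builder stage and copy `/usr/local` into the final image. The RUN block starts before this hunk.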
@@ -19,35 +19,35 @@ jobs: runs-on: ubuntu-latest steps: - - name: Checkout code - uses: actions/checkout@v4 - - - name: Log in to Docker Hub - uses: docker/login-action@v3 - with: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_ACCESS_TOKEN }} - - - name: Set up QEMU - uses: docker/setup-qemu-action@v3 - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - - - name: Build and publish docker image with tag - uses: docker/build-push-action@v6 - with: - file: Dockerfile - push: true - platforms: linux/amd64,linux/arm64 - tags: | - ${{ secrets.DOCKERHUB_USERNAME }}/python:${{ inputs.python_version }} - build-args: | - PYTHON_VERSION=${{ inputs.python_version }} - - - name: set up docker and scan docker image for vulnerabilities - uses: docker-practice/actions-setup-docker@master - - run: | - set -x - docker version - docker run -v /var/run/docker.sock:/var/run/docker.sock aquasec/trivy image ${{ secrets.DOCKERHUB_USERNAME }}/python:${{ inputs.python_version }} + - name: Checkout code + uses: actions/checkout@v4 + + - name: Log in to Docker Hub + uses: docker/login-action@v3 + with: + username: ${{ secrets.DOCKERHUB_USERNAME }} + password: ${{ secrets.DOCKERHUB_ACCESS_TOKEN }} + + - name: Set up QEMU + uses: docker/setup-qemu-action@v3 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Build and publish docker image with tag + uses: docker/build-push-action@v6 + with: + file: Dockerfile + push: true + platforms: linux/amd64,linux/arm64 + tags: | + ${{ secrets.DOCKERHUB_USERNAME }}/python:${{ inputs.python_version }} + build-args: | + PYTHON_VERSION=${{ inputs.python_version }} + + - name: set up docker and scan docker image for vulnerabilities + uses: docker-practice/actions-setup-docker@master + - run: | + set -x + docker version + docker run -v /var/run/docker.sock:/var/run/docker.sock aquasec/trivy image ${{ secrets.DOCKERHUB_USERNAME }}/python:${{ inputs.python_version }} 
diff --git a/.github/workflows/build-python-image-trimmed-tag.yaml b/.github/workflows/build-python-image-trimmed-tag.yaml new file mode 100644 index 0000000..af20e55 --- /dev/null +++ b/.github/workflows/build-python-image-trimmed-tag.yaml @@ -0,0 +1,56 @@ +name: build-publish-python-image +on: + # push: + # branches: + # - main + workflow_dispatch: + inputs: + python_version: + description: "Python version" + type: string + default: "3.11.0" + +permissions: + contents: write + +run-name: build-publish-python-${{ inputs.python_version }}-image +jobs: + build-publish-python-image: + runs-on: ubuntu-latest + + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Extract major and minor version + id: set-version + run: echo "PYTHON_VERSION_MAJOR_MINOR=$(echo '${{ inputs.python_version }}' | cut -d. -f1,2)" >> $GITHUB_ENV + + - name: Log in to Docker Hub + uses: docker/login-action@v3 + with: + username: ${{ secrets.DOCKERHUB_USERNAME }} + password: ${{ secrets.DOCKERHUB_ACCESS_TOKEN }} + + - name: Set up QEMU + uses: docker/setup-qemu-action@v3 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Build and publish docker image with tag + uses: docker/build-push-action@v6 + with: + file: Dockerfile + push: true + tags: | + ${{ secrets.DOCKERHUB_USERNAME }}/python:${{ env.PYTHON_VERSION_MAJOR_MINOR }} + build-args: | + PYTHON_VERSION=${{ inputs.python_version }} + + - name: set up docker and scan docker image for vulnerabilities + uses: docker-practice/actions-setup-docker@master + - run: | + set -x + docker version + docker run -v /var/run/docker.sock:/var/run/docker.sock aquasec/trivy image ${{ secrets.DOCKERHUB_USERNAME }}/python:${{ inputs.python_version }} From fe9f30fee743a4a416f2763ace4e495d6919eb6d Mon Sep 17 00:00:00 2001 
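Review bot: The `Extract major and minor version` step interpolates `${{ inputs.python_version }}` straight into the shell script, so anyone allowed to dispatch the workflow controls text that bash executes in a job holding `contents: write` and the Docker Hub token; the single quotes do not help, because the expression is substituted before bash parses the line and a value containing `'` escapes them. Pass the input in through `env:` and check it against the MAJOR.MINOR.PATCH shape the README calls mandatory before using it, which also removes the `echo | cut` subshell and the unquoted `$GITHUB_ENV`. Separately, nothing in this workflow writes to the repository, so `permissions: contents: read` would do, and `docker-practice/actions-setup-docker@master` tracks a moving branch rather than a tag or commit SHA.
```yaml
      # … unchanged: checkout step …
      - name: Extract major and minor version
        id: set-version
        env:
          PY_VER: ${{ inputs.python_version }}
        run: |
          if [[ ! "$PY_VER" =~ ^[0-9]+\.[0-9]+\.[0-9]+[a-z0-9]*$ ]]; then
            printf 'python_version must look like MAJOR.MINOR.PATCH, got: %s\n' "$PY_VER" >&2
            exit 1
          fi
          echo "PYTHON_VERSION_MAJOR_MINOR=${PY_VER%.*}" >> "$GITHUB_ENV"
      # … unchanged: login, QEMU, Buildx, build-push and scan steps …
```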
From: githubofkrishnadhas
Date: Fri, 15 Nov 2024 20:42:54 +0530
Subject: [PATCH 07/11] docker file changes
---
 Dockerfile | 159 +++++++++++++++++++++++------------------------------
 1 file changed, 68 insertions(+), 91 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 611d0df..0d1f044 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,111 +1,88 @@ -# using debian bookworm (v 12) as base image +# Using Debian Bookworm (v12) as the base image FROM debian:bookworm -# accept Python version as a build argument +# Accept Python version as a build argument ARG PYTHON_VERSION -# ensure local python is preferred over distribution python -# This adds /usr/local/bin to the existing PATH variable. -ENV PATH /usr/local/bin:$PATH +# Ensure local Python is preferred over the distribution's Python +ENV PATH="/usr/local/bin:$PATH" -# applications in the environment can handle UTF-8 encoded characters correctly. -ENV LANG C.UTF-8 +# Applications in the environment can handle UTF-8 encoded characters correctly +ENV LANG="C.UTF-8" -# runtime dependencies +# Install runtime dependencies RUN set -eux; \ - apt-get update; \ - apt-get install -y --no-install-recommends \ - libbluetooth-dev \ + apt-get update; \ + apt-get install -y --no-install-recommends \ + libbluetooth-dev \ ca-certificates \ - curl \ + curl \ wget \ - git \ - netbase \ - uuid-dev \ - dpkg-dev \ - gcc \ - gnupg \ + git \ + netbase \ + uuid-dev \ + dpkg-dev \ + gcc \ + gnupg \ libbluetooth-dev \ - libbz2-dev \ - libc6-dev \ - libdb-dev \ - libffi-dev \ - libgdbm-dev \ - liblzma-dev \ - libncursesw5-dev \ - libreadline-dev \ - libsqlite3-dev \ - libssl-dev \ - make \ - tk-dev \ + libbz2-dev \ + libc6-dev \ + libdb-dev \ + libffi-dev \ + libgdbm-dev \ + liblzma-dev \ + libncursesw5-dev \ + libreadline-dev \ + libsqlite3-dev \ + libssl-dev \ + make \ + tk-dev \ uuid-dev \ - xz-utils \ - zlib1g-dev \ - ; \ - rm -rf /var/lib/apt/lists/* + xz-utils \ + zlib1g-dev \ + && rm -rf /var/lib/apt/lists/* -# set as an environment variable for use within the Dockerfile +# Set the Python version as an environment variable for later use ENV PYTHON_VERSION=${PYTHON_VERSION} -# build and compile python +# Build and compile Python RUN set -eux; \ - \ - wget -O python.tar.xz 
"https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz"; \ - - # extracting python to specific folder /usr/src/python and removed tar file to save space - mkdir -p /usr/src/python; \ - tar --extract --directory /usr/src/python --strip-components=1 --file python.tar.xz; \ - rm python.tar.xz; \ - \ - cd /usr/src/python; \ - gnuArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"; \ - ./configure \ - --build="$gnuArch" \ - --enable-loadable-sqlite-extensions \ - --enable-optimizations \ - --enable-option-checking=fatal \ - --enable-shared \ - --with-lto \ - --with-ensurepip \ - ; \ - nproc="$(nproc)"; \ - EXTRA_CFLAGS="$(dpkg-buildflags --get CFLAGS)"; \ - LDFLAGS="$(dpkg-buildflags --get LDFLAGS)"; \ - make -j "$nproc" \ - "EXTRA_CFLAGS=${EXTRA_CFLAGS:-}" \ - "LDFLAGS=${LDFLAGS:-}" \ - ; \ -# prevent accidental usage of a system installed libpython of the same version - rm python; \ - make -j "$nproc" \ - "EXTRA_CFLAGS=${EXTRA_CFLAGS:-}" \ - "LDFLAGS=${LDFLAGS:--Wl},-rpath='\$\$ORIGIN/../lib'" \ - python \ - ; \ - make install; \ - \ - ldconfig; \ - \ + wget -O python.tar.xz "https://www.python.org/ftp/python/${PYTHON_VERSION%%[a-z]*}/Python-$PYTHON_VERSION.tar.xz"; \ + mkdir -p /usr/src/python; \ + tar --extract --directory /usr/src/python --strip-components=1 --file python.tar.xz; \ + rm python.tar.xz; \ + cd /usr/src/python; \ + gnuArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"; \ + ./configure \ + --build="$gnuArch" \ + --enable-loadable-sqlite-extensions \ + --enable-optimizations \ + --enable-option-checking=fatal \ + --enable-shared \ + --with-lto \ + --with-ensurepip; \ + nproc="$(nproc)"; \ + make -j "$nproc"; \ + make install; \ + ldconfig; \ export PYTHONDONTWRITEBYTECODE=1; \ - python3 --version; \ - \ - pip3 install \ - --disable-pip-version-check \ - --no-cache-dir \ - --no-compile \ - 'setuptools==68.0.0' \ - wheel \ - ; \ - pip3 --version - + python3 --version; \ + pip3 install \ + 
--disable-pip-version-check \ + --no-cache-dir \ + --no-compile \ + 'setuptools==68.0.0' \ + wheel; \ + pip3 --version -# make some useful symlinks that are expected to exist ("/usr/local/bin/python" and friends) +# Create symlinks for common Python utilities RUN set -eux; \ - for src in idle3 pip3 pydoc3 python3 python3-config; do \ - dst="$(echo "$src" | tr -d 3)"; \ - [ -s "/usr/local/bin/$src" ]; \ - [ ! -e "/usr/local/bin/$dst" ]; \ - ln -svT "$src" "/usr/local/bin/$dst"; \ - done + for src in idle3 pip3 pydoc3 python3 python3-config; do \ + dst="$(echo "$src" | tr -d 3)"; \ + [ -s "/usr/local/bin/$src" ]; \ + [ ! -e "/usr/local/bin/$dst" ]; \ + ln -svT "$src" "/usr/local/bin/$dst"; \ + done +# Set the default command to Python3 CMD ["python3"] From 750cc82484ceced71b50c6908e455d91d394b552 Mon Sep 17 00:00:00 2001 From: githubofkrishnadhas Date: Fri, 15 Nov 2024 20:45:27 +0530 Subject: [PATCH 08/11] aqua trivy scan issue fixed --- .github/workflows/build-python-image-trimmed-tag.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build-python-image-trimmed-tag.yaml b/.github/workflows/build-python-image-trimmed-tag.yaml index af20e55..50d4c47 100644 --- a/.github/workflows/build-python-image-trimmed-tag.yaml +++ b/.github/workflows/build-python-image-trimmed-tag.yaml @@ -1,4 +1,4 @@ -name: build-publish-python-image +name: build-publish-python-image-trimmed-tag on: # push: # branches: @@ -53,4 +53,4 @@ jobs: - run: | set -x docker version - docker run -v /var/run/docker.sock:/var/run/docker.sock aquasec/trivy image ${{ secrets.DOCKERHUB_USERNAME }}/python:${{ inputs.python_version }} + docker run -v /var/run/docker.sock:/var/run/docker.sock aquasec/trivy image ${{ secrets.DOCKERHUB_USERNAME }}/python:${{ env.PYTHON_VERSION_MAJOR_MINOR }} From 9649d24e9b876120bf41d015bcc44db121451e91 Mon Sep 17 00:00:00 2001 
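Review bot: The rewritten build step drops the `EXTRA_CFLAGS="$(dpkg-buildflags --get CFLAGS)"` and `LDFLAGS="$(dpkg-buildflags --get LDFLAGS)"` lines from the `make` call, so the interpreter is no longer built with Debian's default hardening flags, and it also drops the `rm python; make ... python` pass with `-Wl,-rpath='\$\$ORIGIN/../lib'` whose removed comment explains that it stops the binary from loading a system libpython of the same version; neither regression is mentioned in the commit message. Unless the build was meant to change, those lines should come back, as below. `/usr/src/python` is also left in the final image after `make install` (the source tree could be removed once the install is done), and the tarball is still fetched without any integrity check (see the notes on patches 03 and 04).
```dockerfile
    nproc="$(nproc)"; \
    EXTRA_CFLAGS="$(dpkg-buildflags --get CFLAGS)"; \
    LDFLAGS="$(dpkg-buildflags --get LDFLAGS)"; \
    make -j "$nproc" "EXTRA_CFLAGS=${EXTRA_CFLAGS:-}" "LDFLAGS=${LDFLAGS:-}"; \
# prevent accidental usage of a system installed libpython of the same version
    rm python; \
    make -j "$nproc" "EXTRA_CFLAGS=${EXTRA_CFLAGS:-}" "LDFLAGS=${LDFLAGS:--Wl},-rpath='\$\$ORIGIN/../lib'" python; \
    make install; \
    ldconfig; \
# … unchanged: PYTHONDONTWRITEBYTECODE export and pip bootstrap …
```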
From: Krishnadhas N K <108367225+githubofkrishnadhas@users.noreply.github.com> Date: Tue, 19 Nov 2024 13:52:34 +0530 Subject: [PATCH 09/11] remove trivy scan --- .../workflows/build-python-image-trimmed-tag.yaml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/build-python-image-trimmed-tag.yaml b/.github/workflows/build-python-image-trimmed-tag.yaml index 50d4c47..11005ce 100644 --- a/.github/workflows/build-python-image-trimmed-tag.yaml +++ b/.github/workflows/build-python-image-trimmed-tag.yaml @@ -48,9 +48,9 @@ jobs: build-args: | PYTHON_VERSION=${{ inputs.python_version }} - - name: set up docker and scan docker image for vulnerabilities - uses: docker-practice/actions-setup-docker@master - - run: | - set -x - docker version - docker run -v /var/run/docker.sock:/var/run/docker.sock aquasec/trivy image ${{ secrets.DOCKERHUB_USERNAME }}/python:${{ env.PYTHON_VERSION_MAJOR_MINOR }} + # - name: set up docker and scan docker image for vulnerabilities + # uses: docker-practice/actions-setup-docker@master + # - run: | + # set -x + # docker version + # docker run -v /var/run/docker.sock:/var/run/docker.sock aquasec/trivy image ${{ secrets.DOCKERHUB_USERNAME }}/python:${{ env.PYTHON_VERSION_MAJOR_MINOR }} From 39aeb6ae4432777718386337a5008c6af8d98978 Mon Sep 17 00:00:00 2001 From: Krishnadhas N K <108367225+githubofkrishnadhas@users.noreply.github.com> Date: Tue, 19 Nov 2024 13:53:02 +0530 Subject: [PATCH 10/11] remove trivy scan --- .github/workflows/build-python-base-image.yaml | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/.github/workflows/build-python-base-image.yaml b/.github/workflows/build-python-base-image.yaml index 74162da..0ba9c11 100644 --- a/.github/workflows/build-python-base-image.yaml +++ b/.github/workflows/build-python-base-image.yaml 
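Review bot: Commenting the scan out, here and in the identical hunk of patch 10, means both workflows now push images to Docker Hub without any vulnerability scan, and leaves dead YAML in the file rather than a decision a reader can follow; the commit message gives no reason. If the step was failing (it ran as a separate `- run:` step after `actions-setup-docker@master`, mounting the runner's Docker socket into an unpinned `aquasec/trivy` container), the simpler fix is the maintained `aquasecurity/trivy-action`, pinned to a release, pointed at the tag that was just pushed, with `exit-code` set so a critical finding fails the job; it needs neither the socket mount nor the setup-docker step, since `ubuntu-latest` already ships Docker. Ideally the scan runs against a locally built image before `push: true`, so a failing image is never published at all.
```yaml
      # … unchanged: build-push step …
      - name: Scan the published image for vulnerabilities
        uses: aquasecurity/trivy-action@<PINNED-RELEASE-TAG>   # placeholder: pin to a release tag or commit SHA
        with:
          image-ref: ${{ secrets.DOCKERHUB_USERNAME }}/python:${{ env.PYTHON_VERSION_MAJOR_MINOR }}
          severity: CRITICAL,HIGH
          exit-code: "1"
```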
@@ -39,15 +39,14 @@ jobs: with: file: Dockerfile push: true - platforms: linux/amd64,linux/arm64 tags: | ${{ secrets.DOCKERHUB_USERNAME }}/python:${{ inputs.python_version }} build-args: | PYTHON_VERSION=${{ inputs.python_version }} - - name: set up docker and scan docker image for vulnerabilities - uses: docker-practice/actions-setup-docker@master - - run: | - set -x - docker version - docker run -v /var/run/docker.sock:/var/run/docker.sock aquasec/trivy image ${{ secrets.DOCKERHUB_USERNAME }}/python:${{ inputs.python_version }} + # - name: set up docker and scan docker image for vulnerabilities + # uses: docker-practice/actions-setup-docker@master + # - run: | + # set -x + # docker version + # docker run -v /var/run/docker.sock:/var/run/docker.sock aquasec/trivy image ${{ secrets.DOCKERHUB_USERNAME }}/python:${{ inputs.python_version }} From 63d536375339f9517cd6cf2e7ef85f77f8e5aef4 Mon Sep 17 00:00:00 2001 From: githubofkrishnadhas Date: Tue, 19 Nov 2024 20:38:37 +0530 Subject: [PATCH 11/11] update readme --- README.md | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/README.md b/README.md index d737a38..e638ab8 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,9 @@ # python-automated-image Build a python image to be used as a base image +[![build-publish-python-image](https://github.com/devwithkrishna/python-automated-image/actions/workflows/build-python-base-image.yaml/badge.svg)](https://github.com/devwithkrishna/python-automated-image/actions/workflows/build-python-base-image.yaml) + +[![build-publish-python-image-trimmed-tag](https://github.com/devwithkrishna/python-automated-image/actions/workflows/build-python-image-trimmed-tag.yaml/badge.svg)](https://github.com/devwithkrishna/python-automated-image/actions/workflows/build-python-image-trimmed-tag.yaml) # Explanations 
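Review bot: Besides commenting out the scan (see the note on patch 09), this hunk silently removes `platforms: linux/amd64,linux/arm64` from the build-push step, so the `python:<version>` tag is now built only for the runner's native amd64 while the QEMU and Buildx setup steps that exist for the multi-arch build stay in place; the commit message ("remove trivy scan") does not mention it. If dropping arm64 was deliberate it belongs in the message and the now-unused `setup-qemu-action` step should go too; if not, the `platforms:` line should be restored. Note the trimmed-tag workflow never had a `platforms:` line, so the two workflows already disagree on which architectures they publish.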
@@ -14,3 +17,24 @@ For example, if PYTHON_VERSION is 3.10.12rc1 (where rc1 denotes a release candid * docker build --build-arg PYTHON_VERSION=3.11 -t my-python-image . * PYTHONDONTWRITEBYTECODE=1 --> prevents python from generating .pyc files + +# How this works + +* we will be inputting python version in the workflow like semvar versions - major.minor.patch versions +* semvar is mandatory +* we will then pull the python code from python ftp site and compile them in run time +* base image used is debian bookworm flavour + + + +* There are 2 workflows + * build-python-base-image.yaml + * build-python-image-trimmed-tag.yaml + +As the name suggests the differene between both of them are the tag + +* first one uses the input python version as tag +* second one takes only major and minor version as image tag + + +* Images are pushed here https://hub.docker.com/r/dockerofkrishnadhas/python/tags \ No newline at end of file