From 342e6aca6ee8e65d3ea560c8a65ba025c3e5b067 Mon Sep 17 00:00:00 2001
From: snyk-bot
Date: Mon, 17 Feb 2025 07:58:48 +0000
Subject: [PATCH] fix: Dockerfile to reduce vulnerabilities

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-ALPINE318-EXPAT-7908292
- https://snyk.io/vuln/SNYK-ALPINE318-EXPAT-7908293
- https://snyk.io/vuln/SNYK-ALPINE318-KRB5-8366395
- https://snyk.io/vuln/SNYK-ALPINE318-EXPAT-7908294
- https://snyk.io/vuln/SNYK-ALPINE318-KRB5-8366393
---
 Dockerfile | 150 ++++++++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 149 insertions(+), 1 deletion(-)
 mode change 120000 => 100644 Dockerfile

diff --git a/Dockerfile b/Dockerfile
deleted file mode 120000
index c6297a9..0000000
--- a/Dockerfile
+++ /dev/null
@@ -1 +0,0 @@
-Dockerfile_alpine
\ No newline at end of file
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..87be5fe
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,149 @@
+# syntax=docker/dockerfile:1.1.7-experimental
+#############################################
+# Tox testsuite for multiple python version #
+#############################################
+FROM advian/tox-base:alpine-3.18 as tox
+ARG PYTHON_VERSIONS="3.11"
+ARG POETRY_VERSION="1.5.1"
+RUN export RESOLVED_VERSIONS=`pyenv_resolve $PYTHON_VERSIONS` \
+ && echo RESOLVED_VERSIONS=$RESOLVED_VERSIONS \
+ && for pyver in $RESOLVED_VERSIONS; do pyenv install -s $pyver; done \
+ && pyenv global $RESOLVED_VERSIONS \
+ && poetry self update $POETRY_VERSION || pip install -U poetry==$POETRY_VERSION \
+ && pip install -U tox \
+ && apk add --no-cache \
+ git \
+ && true
+
+######################
+# Base builder image #
+######################
+FROM python:3.12.3-alpine3.18 as builder_base
+
+ENV \
+ # locale
+ LC_ALL=C.UTF-8 \
+ # python:
+ PYTHONFAULTHANDLER=1 \
+ PYTHONUNBUFFERED=1 \
+ PYTHONHASHSEED=random \
+ # pip:
+ PIP_NO_CACHE_DIR=off \
+ PIP_DISABLE_PIP_VERSION_CHECK=on \
+ PIP_DEFAULT_TIMEOUT=100 \
+ # poetry:
+ POETRY_VERSION=1.5.1
+
+
+RUN apk add --no-cache \
+ curl \
+ git \
+ bash \
+ build-base \
+ libffi-dev \
+ linux-headers \
+ openssl \
+ openssl-dev \
+ tini \
+ openssh-client \
+ cargo \
+ # githublab ssh
+ && mkdir -p -m 0700 ~/.ssh && ssh-keyscan gitlab.com github.com | sort > ~/.ssh/known_hosts \
+ # Installing `poetry` package manager:
+ && curl -sSL https://install.python-poetry.org | python3 - \
+ && echo 'export PATH="/root/.local/bin:$PATH"' >>/root/.profile \
+ && export PATH="/root/.local/bin:$PATH" \
+ && true
+
+SHELL ["/bin/bash", "-lc"]
+
+
+# Copy only requirements, to cache them in docker layer:
+WORKDIR /pysetup
+COPY ./poetry.lock ./pyproject.toml /pysetup/
+# Install basic requirements (utilizing an internal docker wheelhouse if available)
+RUN --mount=type=ssh pip3 install wheel virtualenv \
+ && poetry export -f requirements.txt --without-hashes -o /tmp/requirements.txt \
+ && pip3 wheel --wheel-dir=/tmp/wheelhouse -r /tmp/requirements.txt \
+ && virtualenv /.venv && source /.venv/bin/activate && echo 'source /.venv/bin/activate' >>/root/.profile \
+ && pip3 install --no-deps --find-links=/tmp/wheelhouse/ /tmp/wheelhouse/*.whl \
+ && true
+
+
+####################################
+# Base stage for production builds #
+####################################
+FROM builder_base as production_build
+# Copy entrypoint script
+COPY ./docker/entrypoint.sh /docker-entrypoint.sh
+# Only files needed by production setup
+COPY ./poetry.lock ./pyproject.toml ./README.rst ./src /app/
+WORKDIR /app
+# Build the wheel package with poetry and add it to the wheelhouse
+RUN --mount=type=ssh source /.venv/bin/activate \
+ && poetry build -f wheel --no-interaction --no-ansi \
+ && cp dist/*.whl /tmp/wheelhouse \
+ && chmod a+x /docker-entrypoint.sh \
+ && true
+
+
+#########################
+# Main production build #
+#########################
+FROM python:3.12.3-alpine3.18 as production
+COPY --from=production_build /tmp/wheelhouse /tmp/wheelhouse
+COPY --from=production_build /docker-entrypoint.sh /docker-entrypoint.sh
+WORKDIR /app
+# Install system level deps for running the package (not devel versions for building wheels)
+# and install the wheels we built in the previous step. generate default config
+RUN --mount=type=ssh apk add --no-cache \
+ git \
+ bash \
+ tini \
+ && chmod a+x /docker-entrypoint.sh \
+ && WHEELFILE=`echo /tmp/wheelhouse/rmcli-*.whl` \
+ && pip3 install --find-links=/tmp/wheelhouse/ "$WHEELFILE"[all] \
+ && rm -rf /tmp/wheelhouse/ \
+ # Do whatever else you need to
+ && true
+ENTRYPOINT ["/sbin/tini", "--", "/docker-entrypoint.sh"]
+
+
+#####################################
+# Base stage for development builds #
+#####################################
+FROM builder_base as devel_build
+# Install deps
+WORKDIR /pysetup
+RUN --mount=type=ssh source /.venv/bin/activate \
+ && poetry install --no-interaction --no-ansi \
+ && true
+
+
+#0############
+# Run tests #
+#############
+FROM devel_build as test
+COPY . /app
+WORKDIR /app
+ENTRYPOINT ["/sbin/tini", "--", "docker/entrypoint-test.sh"]
+# Re run install to get the service itself installed
+RUN --mount=type=ssh source /.venv/bin/activate \
+ && poetry install --no-interaction --no-ansi \
+ && docker/pre_commit_init.sh \
+ && true
+
+
+###########
+# Hacking #
+###########
+FROM devel_build as devel_shell
+# Copy everything to the image
+COPY . /app
+WORKDIR /app
+RUN apk add --no-cache zsh \
+ && sh -c "$(curl -fsSL https://raw.githubusercontent.com/ohmyzsh/ohmyzsh/master/tools/install.sh)" \
+ && echo "source /root/.profile" >>/root/.zshrc \
+ && pip3 install git-up \
+ && true
+ENTRYPOINT ["/bin/zsh", "-l"]
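Review bot: The `production` stage (`FROM python:3.12.3-alpine3.18 as production`) never adds a `USER`, so the image this commit is hardening still runs `/docker-entrypoint.sh` as root; after that stage's `apk add` RUN and before `ENTRYPOINT`, add `RUN addgroup -S app && adduser -S -G app app` and `USER app` (what the entrypoint script itself needs is outside this diff and should be checked). The builder stage also trusts the network at build time with nothing pinned: `curl -sSL https://install.python-poetry.org | python3 -` executes an unverified installer, and `ssh-keyscan gitlab.com github.com | sort > ~/.ssh/known_hosts` records whatever host keys are served that day and, because that RUN uses `/bin/sh` without pipefail, writes an empty known_hosts without failing the build if keyscan errors. In the same stage, `poetry export ... --without-hashes` discards the lock-file hashes before `pip3 wheel -r /tmp/requirements.txt`, so the wheelhouse the production image installs from is not bound to `poetry.lock`; exporting with hashes and running pip with `--require-hashes` would close that gap if the project's dependencies allow it. Separately, the patch turns the `Dockerfile -> Dockerfile_alpine` symlink (mode `120000`) into a regular file, so the upgrade from the subject lands only in this copy and the two files will drift; whether `python:3.12.3-alpine3.18` actually carries the patched expat/krb5 packages cannot be confirmed from this diff, since the previous content (`Dockerfile_alpine`) is not shown.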