| -rw-r--r-- | .dockerignore | 26 | ||||
| -rw-r--r-- | Pipfile | 2 | ||||
| -rw-r--r-- | Pipfile.lock | 12 | ||||
| -rw-r--r-- | azure-pipelines.yml | 59 | ||||
| -rw-r--r-- | binaries/nsjail2.5-alpine-x86_64 | bin | 678704 -> 0 bytes | |||
| -rw-r--r-- | binaries/nsjail2.6-ubuntu-x86_64 | bin | 750328 -> 0 bytes | |||
| -rw-r--r-- | docker-compose.yml | 3 | ||||
| -rw-r--r-- | docker/Dockerfile | 12 | ||||
| -rw-r--r-- | docker/base.Dockerfile | 42 | ||||
| -rw-r--r-- | docker/venv.Dockerfile | 12 | ||||
| -rw-r--r-- | snekbox/nsjail.py | 6 | 
11 files changed, 109 insertions, 65 deletions
| diff --git a/.dockerignore b/.dockerignore index 8914ea8..2a5ccec 100644 --- a/.dockerignore +++ b/.dockerignore @@ -1,18 +1,8 @@ -.venv -scripts -htmlcov -__pycache__ -.vagrant -.pytest_cache -.git -.github -.cache -Vagrantfile -.coverage -.coveragerc -.gitignore -.travis.yml -docker -docker-compose.yml -LICENSE -README.md +# Exclude everything +* + +# Make exceptions for what's needed +!snekbox +!Pipfile +!Pipfile.lock +!LICENSE @@ -22,7 +22,7 @@ flake8-string-format = "*"  flake8-formatter-junit-xml = "*"  [requires] -python_version = "3.6" +python_version = "3.7"  [scripts]  lint = "flake8" diff --git a/Pipfile.lock b/Pipfile.lock index 358c6c0..466a42b 100644 --- a/Pipfile.lock +++ b/Pipfile.lock @@ -1,11 +1,11 @@  {      "_meta": {          "hash": { -            "sha256": "fe7027dedd12b67ee1b1f6a38e18184e8c3a77479b3ef564cce983d6816dc10d" +            "sha256": "814185e2e1b964ab58af9a9df416ace7b5b416475d828ec9b31a9dfecb5693e1"          },          "pipfile-spec": 6,          "requires": { -            "python_version": "3.6" +            "python_version": "3.7"          },          "sources": [              { @@ -250,14 +250,6 @@              ],              "version": "==0.8"          }, -        "importlib-resources": { -            "hashes": [ -                "sha256:6e2783b2538bd5a14678284a3962b0660c715e5a0f10243fd5e00a4b5974f50b", -                "sha256:d3279fd0f6f847cced9f7acc19bd3e5df54d34f93a2e7bb5f238f81545787078" -            ], -            "markers": "python_version < '3.7'", -            "version": "==1.0.2" -        },          "junit-xml": {              "hashes": [                  "sha256:602f1c480a19d64edb452bf7632f76b5f2cb92c1938c6e071dcda8ff9541dc21" diff --git a/azure-pipelines.yml b/azure-pipelines.yml index e423b28..bd916a4 100644 --- a/azure-pipelines.yml +++ b/azure-pipelines.yml 
@@ -11,7 +11,7 @@ jobs:    - task: UsePythonVersion@0      displayName: 'Set Python version'      inputs: -      versionSpec: '3.6.x' +      versionSpec: '3.7.x'        addToPath: true    - script: pip3 install pipenv @@ -32,7 +32,10 @@ jobs:  - job: build    displayName: 'Build'    dependsOn: test -  condition: and(succeeded(), ne(variables['Build.Reason'], 'PullRequest')) + +  variables: +    BASE_CHANGED: true +    VENV_CHANGED: true    steps:    - task: Docker@1 
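Review bot: Dropping the job-level `condition` means every step of the build job now runs for pull-request builds unless it carries its own condition, and the `Docker@1` login task that begins at the end of this hunk shows none in the visible lines. The push steps added later in this file are guarded individually, so the registry login should be as well: `condition: and(succeeded(), ne(variables['Build.Reason'], 'PullRequest'))`. Whether a PR build can actually reach the 'DockerHub' service connection depends on pipeline settings that are not visible here, but keeping the login out of PR-triggered runs avoids relying on them. The rest of the login task lies between this hunk and the next.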
@@ -43,8 +46,58 @@ jobs:        dockerRegistryEndpoint: 'DockerHub'        command: 'login' +  - script: | +      REQUEST_URL="https://dev.azure.com/python-discord/${SYSTEM_TEAMPROJECTID}/_apis/build/builds?queryOrder=finishTimeDescending&resultFilter=succeeded&\$top=1&repositoryType=${BUILD_REPOSITORY_PROVIDER}&repositoryId=${BUILD_REPOSITORY_NAME}&branchName=${BUILD_SOURCEBRANCH}&api-version=5.0" +      echo "Retrieving previous build's commit using $REQUEST_URL" +      RESPONSE="$(curl -sSL "${REQUEST_URL}")" + +      if [[ $BUILD_REASON = "PullRequest" ]]; then +        PREV_COMMIT="$(echo "${RESPONSE}" | grep -Po '"pr\.sourceSha"\s*:\s*"\K.*?[^\\](?="\s*[,}])')" +        if [[ -z $PREV_COMMIT ]]; then +          echo "Could not retrieve the previous build's commit. Falling back to the head of the target branch." +          PREV_COMMIT="origin/$SYSTEM_PULLREQUEST_TARGETBRANCH" +        fi +      else +        PREV_COMMIT="$(echo "${RESPONSE}" | grep -Po '"sourceVersion"\s*:\s*"\K.*?[^\\](?="\s*[,}])')" +      fi + +      if [[ -n $PREV_COMMIT ]]; then +        echo "Using $PREV_COMMIT to compare diffs." + +        if [[ -z "$(git diff $PREV_COMMIT -- docker/base.Dockerfile)" ]]; then +          echo "No changes detected in docker/base.Dockerfile. The base image will not be built." +          echo "##vso[task.setvariable variable=BASE_CHANGED]false" +        fi + +        if [[ -z "$(git diff $PREV_COMMIT -- docker/venv.Dockerfile Pipfile*)" ]]; then +          echo "No changes detected in docker/venv.Dockerfile or the Pipfiles. The venv image will not be built." +          echo "##vso[task.setvariable variable=VENV_CHANGED]false" +        fi +      else +        echo "No previous commit was retrieved. Either the previous build is too old and was deleted or the branch was empty before this build. All images will be built." 
+      fi +    displayName: 'Check Changed Files' + +  - script: docker build -t pythondiscord/snekbox-base:latest -f docker/base.Dockerfile . +    displayName: 'Build Base Image' +    condition: and(succeeded(), eq(variables.BASE_CHANGED, 'true')) + +  - script: docker build -t pythondiscord/snekbox-venv:latest -f docker/venv.Dockerfile . +    displayName: 'Build Virtual Environment Image' +    condition: and(succeeded(), or(eq(variables.BASE_CHANGED, 'true'), eq(variables.VENV_CHANGED, 'true'))) +    - script: docker build -t pythondiscord/snekbox:latest -f docker/Dockerfile .      displayName: 'Build Final Image' +    condition: and(succeeded(), ne(variables['Build.Reason'], 'PullRequest')) + +  - script: docker push pythondiscord/snekbox-base:latest +    displayName: 'Push Base Image to Dockerhub' +    condition: and(succeeded(), ne(variables['Build.Reason'], 'PullRequest'), eq(variables.BASE_CHANGED, 'true')) + +  - script: docker push pythondiscord/snekbox-venv:latest +    displayName: 'Push Virtual Environment Image to Dockerhub' +    condition: and(succeeded(), ne(variables['Build.Reason'], 'PullRequest'), or(eq(variables.BASE_CHANGED, 'true'), eq(variables.VENV_CHANGED, 'true')))    - script: docker push pythondiscord/snekbox:latest -    displayName: 'Push Image to Dockerhub' +    displayName: 'Push Final Image to Dockerhub' +    condition: and(succeeded(), ne(variables['Build.Reason'], 'PullRequest')) diff --git a/binaries/nsjail2.5-alpine-x86_64 b/binaries/nsjail2.5-alpine-x86_64Binary files differ deleted file mode 100644 index 9af91fc..0000000 --- a/binaries/nsjail2.5-alpine-x86_64 +++ /dev/null diff --git a/binaries/nsjail2.6-ubuntu-x86_64 b/binaries/nsjail2.6-ubuntu-x86_64Binary files differ deleted file mode 100644 index d8df21b..0000000 --- a/binaries/nsjail2.6-ubuntu-x86_64 +++ /dev/null diff --git a/docker-compose.yml b/docker-compose.yml index 2b22db4..1fe8e39 100644 --- a/docker-compose.yml +++ b/docker-compose.yml 
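Review bot: The change detection in the 'Check Changed Files' script fails towards skipping builds, because `[[ -z "$(git diff $PREV_COMMIT -- docker/base.Dockerfile)" ]]` is also true when `git diff` itself errors out (an unknown revision, or a `PREV_COMMIT` that the grep extracted from an unexpected response). In that case BASE_CHANGED and VENV_CHANGED are set to false and the previously published base image, the one that carries nsjail, is reused without anyone noticing. Test the exit status instead and quote the variable: `git diff --quiet "$PREV_COMMIT" -- docker/base.Dockerfile; rc=$?`, setting the variable to false only when `rc` is 0 and leaving it true for any other status. The same applies to the `docker/venv.Dockerfile Pipfile*` comparison, and `curl -fsSL` would keep an HTTP error body from being fed to grep.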
@@ -1,7 +1,8 @@ -version: '3' +version: "3.7"  services:    pdsnk:      hostname: "pdsnk"      privileged: true      image: pythondiscord/snekbox:latest      network_mode: "host" +    init: true diff --git a/docker/Dockerfile b/docker/Dockerfile index b8d5637..5ef8a88 100644 --- a/docker/Dockerfile +++ b/docker/Dockerfile @@ -1,13 +1,7 @@ -FROM pythondiscord/snekbox-base:latest +FROM pythondiscord/snekbox-venv:latest -RUN apk add --update tini +ENTRYPOINT ["pipenv", "run"] +CMD ["snekbox"] -RUN mkdir -p /snekbox  COPY . /snekbox  WORKDIR /snekbox - -RUN pipenv --rm -RUN pipenv sync - -ENTRYPOINT ["/sbin/tini", "--"] -CMD ["pipenv", "run", "snekbox"] diff --git a/docker/base.Dockerfile b/docker/base.Dockerfile index cdbd98e..19fc1b8 100644 --- a/docker/base.Dockerfile +++ b/docker/base.Dockerfile @@ -1,23 +1,25 @@ -FROM python:3.6.6-alpine3.7 - -RUN apk add --no-cache libstdc++ protobuf -RUN apk add --update build-base - -ENV PIPENV_VENV_IN_PROJECT=1 -ENV PIPENV_IGNORE_VIRTUALENVS=1 -ENV PIPENV_NOSPIN=1 -ENV PIPENV_HIDE_EMOJIS=1 -ENV PYTHONPATH=/snekbox +FROM alpine:3.9.2 as builder +RUN apk add --no-cache --update  \ +        bison \ +        bsd-compat-headers \ +        flex \ +        g++ \ +        gcc \ +        git \ +        libnl3-dev \ +        linux-headers \ +        make \ +        protobuf-dev +RUN git clone --depth=1 https://github.com/google/nsjail.git /nsjail +WORKDIR /nsjail +RUN make +FROM python:3.7.3-alpine3.9 +ENV PIP_NO_CACHE_DIR=false +RUN apk add --no-cache --update \ +        libnl3 \ +        libstdc++ \ +        protobuf  RUN pip install pipenv - -RUN mkdir -p /snekbox -COPY Pipfile /snekbox -COPY Pipfile.lock /snekbox -COPY . /snekbox -WORKDIR /snekbox - -RUN pipenv sync --dev - -RUN cp binaries/nsjail2.5-alpine-x86_64 /usr/sbin/nsjail +COPY --from=builder /nsjail/nsjail /usr/sbin/  RUN chmod +x /usr/sbin/nsjail diff --git a/docker/venv.Dockerfile b/docker/venv.Dockerfile new file mode 100644 index 0000000..61aba58 --- /dev/null 
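Review bot: With `ENTRYPOINT ["pipenv", "run"]` replacing `/sbin/tini --`, the image no longer ships its own init, so `pipenv run snekbox` becomes PID 1 unless the runtime injects one. docker-compose.yml in this commit adds `init: true`, which covers compose users, but a plain `docker run` of the image needs `--init` to get the same signal forwarding and reaping of child processes (the service presumably spawns nsjail children, judging by snekbox/nsjail.py). A comment above the ENTRYPOINT would make that dependency visible, for example `# No init inside the image: start with --init (docker-compose.yml sets init: true)`.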
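Review bot: The builder stage compiles the sandbox binary from whatever the nsjail default branch holds at build time, since `RUN git clone --depth=1 https://github.com/google/nsjail.git /nsjail` names no tag or commit. The vendored binaries this commit deletes were fixed versions (2.5 and 2.6), so every base rebuild can now change the isolation layer without a reviewable diff, and a bad upstream commit lands directly in the image. Pin the checkout to a reviewed release, e.g. `RUN git clone --depth=1 --branch <PINNED_NSJAIL_TAG> https://github.com/google/nsjail.git /nsjail`, and bump it deliberately. `RUN pip install pipenv` in the final stage is unpinned in the same way.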
+++ b/docker/venv.Dockerfile @@ -0,0 +1,12 @@ +FROM pythondiscord/snekbox-base:latest + +ENV PIP_NO_CACHE_DIR=false \ +    PIPENV_DONT_USE_PYENV=1 \ +    PIPENV_HIDE_EMOJIS=1 \ +    PIPENV_NOSPIN=1 \ +    PIPENV_VENV_IN_PROJECT=1 + +COPY Pipfile Pipfile.lock /snekbox/ +WORKDIR /snekbox + +RUN pipenv sync diff --git a/snekbox/nsjail.py b/snekbox/nsjail.py index 458a94e..ec43c25 100644 --- a/snekbox/nsjail.py +++ b/snekbox/nsjail.py @@ -8,7 +8,7 @@ class NsJail:      def __init__(self,                   nsjail_binary='nsjail', -                 python_binary=os.path.dirname(sys.executable) + os.sep + 'python3.6'): +                 python_binary=os.path.dirname(sys.executable) + os.sep + 'python3.7'):          self.nsjail_binary = nsjail_binary          self.python_binary = python_binary          self._nsjail_workaround() @@ -19,8 +19,8 @@ class NsJail:              'sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'          ),          'LANG': 'en_US.UTF-8', -        'PYTHON_VERSION': '3.6.5', -        'PYTHON_PIP_VERSION': '10.0.1', +        'PYTHON_VERSION': '3.7.3', +        'PYTHON_PIP_VERSION': '19.0.3',          'PYTHONDONTWRITEBYTECODE': '1',      } | 
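Review bot: `PIP_NO_CACHE_DIR=false` is declared again in this ENV block although docker/base.Dockerfile in the same commit already sets it and this image is built FROM snekbox-base, so the value is inherited and the duplicate can be dropped. The value also reads as if it enabled the cache, while the intent is presumably the opposite; pip has historically treated `false` for this variable as "do not cache". A comment where the variable is first set would stop someone from "correcting" it later, for example `# pip quirk: "false" disables the cache`.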
