# syntax=docker/dockerfile:1
# Python version used by the FROM lines of the stages below. It is declared
# before the first FROM so that those lines can reference it.
ARG python_version=3.11.0rc2

# Build stage: compiles the nsjail binary. Later stages copy out only what they
# name explicitly, so the toolchain installed here stays in this stage.
# NOTE(review): the base image is selected by tag only; adding a digest pin
# would make rebuilds resolve to the same image every time.
FROM python:${python_version}-slim-buster AS builder

WORKDIR /nsjail

# Toolchain and development libraries for the nsjail build, each constrained
# to a version pattern.
RUN apt-get -y update \
    && apt-get install -y \
        bison=2:3.3.* \
        flex=2.6.* \
        g++=4:8.3.* \
        gcc=4:8.3.* \
        git=1:2.20.* \
        libnl-route-3-dev=3.4.* \
        libprotobuf-dev=3.6.* \
        make=4.2.* \
        pkg-config=0.29-6 \
        protobuf-compiler=3.6.*
# Fetch nsjail and move to one exact commit, so the source that gets compiled
# does not follow whatever master points at on the day of the build.
RUN git clone --branch master --single-branch https://github.com/google/nsjail.git . \
    && git checkout dccf911fd2659e7b08ce9507c25b2b38ec2c5800
RUN make

# ------------------------------------------------------------------------------
# Runtime base: the Python image plus the shared libraries nsjail links
# against and the nsjail binary itself.
FROM python:${python_version}-slim-buster AS base

# Everything is installed with pip's user scheme so that snekbox's own
# dependencies stay apart from the packages exposed during eval.
# PIP_NO_CACHE_DIR: pip switches its cache off when this variable holds any
# valid boolean, "false" included, so the setting below means "no cache".
ENV PATH=/root/.local/bin:${PATH} \
    PIP_DISABLE_PIP_VERSION_CHECK=1 \
    PIP_NO_CACHE_DIR=false \
    PIP_USER=1

# Runtime packages; the apt lists are removed in the same layer that fetched
# them so they do not remain in the image.
# NOTE(review): a compiler and git end up in the runtime image, and apt's
# recommended packages come along with them. Confirm both are needed at run
# time; --no-install-recommends would keep the installed set smaller.
RUN apt-get -y update \
    && apt-get install -y \
        g++=4:8.3.* \
        git=1:2.20.* \
        libnl-route-3-200=3.4.* \
        libprotobuf17=3.6.* \
    && rm -rf /var/lib/apt/lists/*

# Take only the compiled nsjail binary from the build stage and make sure it
# is executable.
COPY --from=builder /nsjail/nsjail /usr/sbin/
RUN chmod +x /usr/sbin/nsjail

# ------------------------------------------------------------------------------
# Dependency stage: installs snekbox's Python requirements and sets the
# default command.
FROM base AS venv

COPY requirements/ /snekbox/requirements/
WORKDIR /snekbox

# PIP_USER is set, so pip puts these packages in the default user site.
# NOTE(review): if requirements.pip records hashes, adding --require-hashes
# would make pip reject any download that does not match them.
RUN pip install --upgrade --requirement requirements/requirements.pip

# Keep this after the first pip command. From the docs: every RUN instruction
# that follows an ARG instruction uses the ARG variable implicitly (as an
# environment variable), and so can cause a cache miss.
ARG DEV

# Dev builds also get the coverage requirements, plus numpy, which one of the
# unit tests needs. numpy goes into the separate /snekbox/user_base location.
RUN if [ -n "${DEV}" ]; then \
        pip install --upgrade --requirement requirements/coverage.pip \
        && PYTHONUSERBASE=/snekbox/user_base pip install 'numpy~=1.19'; \
    fi

# Copied last so that a config-only change does not re-install dependencies.
COPY config/ /snekbox/config/

# NOTE(review): no USER instruction appears in this file, so gunicorn starts
# as the base image's default user. Confirm that this is required for nsjail
# and that the nsjail configuration drops privileges for evaluated code.
ENTRYPOINT ["gunicorn"]
CMD ["-c", "config/gunicorn.conf.py"]

# ------------------------------------------------------------------------------
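# Final stage: installs snekbox itself and the packages offered to evaluated
# code on top of the dependency stage.
FROM venv

# Use a separate directory to avoid importing the source over the installed pkg.
# The venv already installed dependencies, so nothing besides snekbox itself
# will be installed. Note requirements.pip cannot be used as a constraint file
# because it contains extras, which pip disallows.
# The requirement is quoted because [ and ] are glob characters to the shell:
# unquoted, the word would be rewritten if a matching path happened to exist.
RUN --mount=source=.,target=/snekbox_src,rw \
    pip install "/snekbox_src[gunicorn,sentry]"

# Packages installed under /snekbox/user_base, apart from snekbox's own
# dependencies in the default user site; presumably this is the set exposed to
# evaluated code (confirm against the nsjail config).
# NOTE(review): none of these carry a version, so every rebuild takes whatever
# PyPI serves at that moment and the image content cannot be reproduced or
# audited from this file alone. Moving the list to a pinned requirements file,
# ideally with hashes, would close that gap.
RUN PYTHONUSERBASE=/snekbox/user_base pip install \
    "anyio[trio]" \
    arrow \
    attrs \
    beautifulsoup4 \
    fishhook \
    forbiddenfruit \
    fuzzywuzzy \
    lark \
    more-itertools \
    networkx \
    numpy \
    pandas \
    pendulum \
    python-dateutil \
    pyyaml \
    sympy \
    toml \
    typing-extensions \
    tzdata \
    yarl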