
Allow build time control of effective UID/GID for runtime in Blubber generated Dockerfile
Closed, Resolved | Public | Feature

Description

In the Toolhub and Wikimedia-Developer-Portal projects I am trying to use Blubber generated Dockerfiles in combination with docker-compose to make standardized development environments. Largely this works by having containers with various runtime tools installed and then mounting the project's local git clone into the container as host volume.

This works well when the container only needs to read the mounted volume, but when it also needs to write to the volume things become trickier. Docker Desktop for MacOS has built-in magic for handling UID/GID mismatches between the running container and the host filesystem's permissions. Linux Docker does not transparently handle this same problem.

One way to make read-write host volumes work on both platforms is to use the user configuration option of a docker-compose.yaml service to set the effective runtime user of the container to the same UID+GID as the host filesystem needs (https://www.mediawiki.org/wiki/MediaWiki-Docker/Configuration_recipes/Customize_base_image).

This solution works very well for the mounted host volume read-write needs, but it causes a different set of permissions problems in that it changes the runtime effective UID/GID away from the effective UID/GID that was used at container build time. This means that the $HOME for the runtime user and any other files inside the container set to be read/write by the runtime user during build time do not match the effective UID/GID at runtime.

I have found a few ways to hack around this second level of permissions (see T295318 for the continuing saga) with other changes added at runtime after switching effective UID/GID, but they are a game of whack-a-mole and will have to be duplicated and adjusted across projects.

I believe that the side effects of the runtime UID/GID change could be avoided if Blubber generated Dockerfiles allowed using build-time arguments to change the UID and GID values used for the "somebody" and "runuser" users.

This might look something like:

ARG LIVES_UID=65533
ARG LIVES_GID=65533
ARG RUNS_UID=900
ARG RUNS_GID=900
RUN (getent group "$LIVES_GID" || groupadd -o -g "$LIVES_GID" -r "somebody") && (getent passwd "$LIVES_UID" || useradd -l -o -m -d "/home/somebody" -r -g "$LIVES_GID" -u "$LIVES_UID" "somebody") && mkdir -p "/srv/dockerize/bin" && chown "$LIVES_UID":"$LIVES_GID" "/srv/dockerize/bin" && mkdir -p "/opt/lib" && chown "$LIVES_UID":"$LIVES_GID" "/opt/lib"
RUN (getent group "$RUNS_GID" || groupadd -o -g "$RUNS_GID" -r "runuser") && (getent passwd "$RUNS_UID" || useradd -l -o -m -d "/home/runuser" -r -g "runuser" -u "$RUNS_UID" "runuser")

With this modification to the Dockerfile in place, a docker-compose.yaml would be able to specify a build-time UID & GID that match the needed runtime UID & GID:

services:
  web:
    build:
      context: .
      dockerfile: .pipeline/local-python.Dockerfile
      args:
         LIVES_UID: $LOCAL_UID
         LIVES_GID: $LOCAL_GID
    user: "${LOCAL_UID}:${LOCAL_GID}"

For "normal" builds of the Dockerfile this change would be a no-op as no arguments would typically be passed to the builder and the Dockerfile contains the same default values for these variables as the previous hardcoded values.

Event Timeline

bd808 moved this task from Backlog to Radar on the Toolhub board.

Support for build-time arguments would be a nice general feature IMO. The only constraint I would want included would be that arguments must have default values (to maintain backwards compatibility and not have things like PipelineLib fail when arguments were defined but no values were provided). Something like this for your use case:

version: v4
uses:
  - BUILDTIME_UID: 123
  - RUNTIME_UID: 124
runs:
  uid: ${RUNTIME_UID}
lives:
  uid: ${BUILDTIME_UID}

This would require quite a bit of refactoring, however. Parsing this kind of configuration and still maintaining the correct validation of fields pre-substitution would require refactoring just about every validator, and it pretty much breaks policy constraints.

A more minimal feature to allow just the runs/lives uid/gid to be argument names seems a little crufty to me but would require a lot less refactoring. It would still break policy on those fields (allowing at build-time to basically disable the non-root constraints by setting the argument values for both UID/GID pairs to 0, e.g.). I'm not sure about this to be honest, at least I'm not sure I'd want it enabled for the WMF blubberoid endpoint.

Just to get a little more background on the use case. How/where are you calling Blubber(oid) to generate the Dockerfiles?
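The policy concern raised above (build arguments that resolve the UID/GID pairs to 0) can be checked before a build by resolving the ARG defaults and overrides the way the builder would. This is an added example, not code from Blubber or from this task; the function names and the trimmed sample Dockerfile are assumptions made for illustration.

```python
import re

# Constructed sample: the user-related instructions of the Blubber-generated
# Dockerfile quoted in this task, trimmed to what the check needs.
DOCKERFILE = """\
FROM docker-registry.wikimedia.org/python3-buster:latest AS web
USER 0
ARG LIVES_AS="somebody"
ARG LIVES_UID=65533
ARG LIVES_GID=65533
ARG RUNS_AS="runuser"
ARG RUNS_UID=900
ARG RUNS_GID=900
USER $LIVES_UID
COPY --chown=$LIVES_UID:$LIVES_GID [".", "."]
USER $RUNS_UID
"""

VAR = re.compile(r"\$(?:\{(\w+)\}|(\w+))")


def expand(text, scope):
    """Replace $NAME and ${NAME} with values from scope; unknown names stay as-is."""
    def repl(match):
        name = match.group(1) or match.group(2)
        return scope.get(name, match.group(0))
    return VAR.sub(repl, text)


def final_users(dockerfile, build_args=None):
    """Map each build stage to the USER in effect at its end.

    build_args stands in for `docker build --build-arg` or compose `build.args`.
    A stage without a USER instruction maps to None (inherited from the base image).
    Simplifications: no line continuations, and ENV is not used for expansion,
    which matches the sample (one instruction per line, users set only via ARG).
    """
    build_args = build_args or {}
    users, scope, stage = {}, {}, None
    for raw in dockerfile.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        op, rest = parts[0].upper(), parts[1].strip()
        if op == "FROM":
            words = rest.split()
            named = len(words) >= 3 and words[-2].upper() == "AS"
            stage = words[-1] if named else str(len(users))
            users[stage], scope = None, {}   # ARG scope ends with the stage
        elif stage is None:
            continue                          # ARGs before the first FROM only apply to FROM
        elif op == "ARG":
            name, _, default = rest.partition("=")
            if name in build_args:            # overrides apply only to declared ARGs
                scope[name] = str(build_args[name])
            elif default:
                scope[name] = default.strip("\"'")
        elif op == "USER":
            users[stage] = expand(rest, scope)
    return users


def is_root(user):
    """True when a USER value (user[:group]) names UID 0 or 'root'."""
    uid = user.split(":", 1)[0].strip("\"'")
    return uid == "root" or (uid.isdigit() and int(uid) == 0)


def stages_not_proven_nonroot(dockerfile, build_args=None):
    """Stages whose final USER is root, unresolved, or inherited from the base image."""
    flagged = []
    for stage, user in final_users(dockerfile, build_args).items():
        if user is None or "$" in user or is_root(user):
            flagged.append(stage)
    return sorted(flagged)


if __name__ == "__main__":
    for args in ({}, {"LIVES_UID": 1000, "LIVES_GID": 1000}, {"RUNS_UID": 0, "RUNS_GID": 0}):
        print(args, final_users(DOCKERFILE, args), stages_not_proven_nonroot(DOCKERFILE, args))
```

Run against the build arguments a pipeline is about to pass, a non-empty result is a reason to refuse the build; the docker-compose use case in the description only overrides the LIVES pair and passes.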

> Just to get a little more background on the use case. How/where are you calling Blubber(oid) to generate the Dockerfiles?

It is done with curl in the project's Makefile. The relevant parts are:

this := $(word $(words $(MAKEFILE_LIST)),$(MAKEFILE_LIST))
PROJECT_DIR := $(dir $(this))
PIPELINE_DIR := $(PROJECT_DIR)/.pipeline
BLUBBEROID := https://blubberoid.wikimedia.org
DOCKERFILES := $(PIPELINE_DIR)/local-python.Dockerfile $(PIPELINE_DIR)/dev-nodejs.Dockerfile $(PIPELINE_DIR)/oauth-client.Dockerfile

start: .env $(DOCKERFILES) ## Start the docker-compose stack
	docker-compose up --build --detach
.PHONY: start

# Recipe lines must start with a tab character.
%.Dockerfile: $(PIPELINE_DIR)/blubber.yaml
	echo "# Dockerfile for *local development*." > $@
	echo "# Generated by Blubber from .pipeline/blubber.yaml" >> $@
	curl -sH 'content-type: application/yaml' --data-binary @$^ \
	$(BLUBBEROID)/v1/$(*F) >> $@

> A more minimal feature to allow just the runs/lives uid/gid to be argument names seems a little crufty to me but would require a lot less refactoring. It would still break policy on those fields (allowing at build-time to basically disable the non-root constraints by setting the argument values for both UID/GID pairs to 0, e.g.).

This is all I want or need. Adding support for arbitrary ARG usage may have relevance for some other use case, but I specifically only desire a hook for changing the build-time UID & GID pairs for the lives and runs users that are currently hard coded defaults in the binary. And very importantly I do not want to change these values as part of the Blubber configuration itself, I want to change them when using docker-compose up --build to compile the Blubber generated Dockerfile locally.

I would be satisfied if enabling this required a special configuration in the Blubber input or other argument to the Blubber invocation itself. This may make implementation more complicated than simply emitting the ARG SOMEBODY_UID=65533 values into the Dockerfile output with the default values being the existing {lives,runs}.{uid,gid} values from the config however.

> I'm not sure about this to be honest, at least I'm not sure I'd want it enabled for the WMF blubberoid endpoint.

How specifically would the ARG support make the current system less secure? I could hack the same functionality by setting distinctive values for {lives,runs}.{uid,gid} obeying the constraints and then running the Dockerfile output through sed to replace them with my own arbitrary values prior to local compilation. There really isn't anything that Blubber can do to control changes in the Dockerfile post-generation. This hook would make my use case easier to implement, but I can make it possible via post-processing if necessary.

> [...] I specifically only desire a hook for changing the build-time UID & GID pairs for the lives and runs users that are currently hard coded defaults in the binary.

Those are default values, not hard coded ones. All of runs.uid, runs.gid, lives.uid, lives.gid can all be set in the end-user configuration.

> And very importantly I do not want to change these values as part of the Blubber configuration itself, I want to change them when using docker-compose up --build to compile the Blubber generated Dockerfile locally.

This is why I asked to know more about the use case. It sounds like you're building on the development host. Are you generating the Dockerfile there as well? If so, could you pre-process the blubber.yaml with something like envsubst to inject the values you need for uid/gid?

> I'm not sure about this to be honest, at least I'm not sure I'd want it enabled for the WMF blubberoid endpoint.

> How specifically would the ARG support make the current system less secure? I could hack the same functionality by setting distinctive values for {lives,runs}.{uid,gid} obeying the constraints and then running the Dockerfile output through sed to replace them with my own arbitrary values prior to local compilation. There really isn't anything that Blubber can do to control changes in the Dockerfile post-generation. This hook would make my use case easier to implement, but I can make it possible via post-processing if necessary.

You're right. It doesn't make the current system less secure, it just makes policy/validation for user/uid/gid sort of pointless, more of a design muddlement concern than anything. And sure, you can do anything you want to the output—I'm thinking more in terms of how this will affect the deployment pipeline than a development environment. But also, back to my other question: If you can do anything to the output in your use case, do you control the input? Can you perhaps just preprocess it and make the necessary substitutions there? Build chains have so many options for preprocessing sources already. I'm not against implementing something specific to Blubber/Docker, but just wondering if there's a general tool available that would work for you now.

> You're right. It doesn't make the current system less secure, it just makes policy/validation for user/uid/gid sort of pointless, more of a design muddlement concern than anything. And sure, you can do anything you want to the output—I'm thinking more in terms of how this will affect the deployment pipeline than a development environment. But also, back to my other question: If you can do anything to the output in your use case, do you control the input? Can you perhaps just preprocess it and make the necessary substitutions there? Build chains have so many options for preprocessing sources already. I'm not against implementing something specific to Blubber/Docker, but just wondering if there's a general tool available that would work for you now.

The main complication I have with pre-processing on the way towards Blubber or post-processing on the way back is doing that with development host agnostic means. The dev environments that I have built so far for Toolhub and the very work-in-progress documentation portal only require git, make, bash, and Docker on the host system with everything fancier than that done inside of a Blubber defined container.

I can certainly add more host requirements or construct other ways to pre/post process the Blubber data if this is not a feature addition that Blubber would like to support. It just seemed that the thing to look for first was a centralized solution that could be used not only by my projects but also by others with similar desires.

The major advantage of having this feature in Blubber itself rather than varying the Blubber input spec would be that I could then continue to commit the Blubber generated Dockerfile to the git repo which allows building the container without contacting the Blubber service. The advantage of this over post-processing would be purely technical in that post-processing may have a large number of places to inject the ARG variables, especially in a multi-stage build.

> The major advantage of having this feature in Blubber itself rather than varying the Blubber input spec would be that I could then continue to commit the Blubber generated Dockerfile to the git repo which allows building the container without contacting the Blubber service. The advantage of this over post-processing would be purely technical in that post-processing may have a large number of places to inject the ARG variables, especially in a multi-stage build.

That all sounds reasonable. I wasn't aware that you were tracking the Dockerfile in the repo; It's clearer to me now why you wouldn't want to process it.

I want to think more deeply about the prospect of supporting arguments and how Blubber might be able to do that without breaking its internal validation, but also about your use of Blubber in development with docker-compose and how that use case might be served better. Are you available to discuss sync?

> Are you available to discuss sync?

Yes, I am more than happy to have a meet call or irc chat (or both) to walk through questions, show what I've tried so far, and brainstorm on reasonable solutions. My gcal should be up to date for finding meeting times.

Change 749569 had a related patch set uploaded (by BryanDavis; author: Bryan Davis):

[blubber@master] feature: build-time arguments for lives & runs user config

https://gerrit.wikimedia.org/r/749569

Change 749569 merged by jenkins-bot:

[blubber@master] feature: build-time arguments for lives & runs user config

https://gerrit.wikimedia.org/r/749569

I believe this change is why the LibUp pipeline started failing today with:

Step 21/33 : COPY --chown=$LIVES_UID:$LIVES_GID ["pyproject.toml", "poetry.lock", "./"]
unable to convert uid/gid chown string to host mapping: can't find uid for user $LIVES_UID: no such user: $LIVES_UID

ex: https://integration.wikimedia.org/ci/job/libraryupgrader-pipeline-test/108/console

Do I need to change something in my blubber config? See https://gerrit.wikimedia.org/r/plugins/gitiles/labs/libraryupgrader/+/refs/heads/master/.pipeline/blubber.yaml, it's mostly copied directly from Toolhub, but I'm not doing anything specific related to users.

Change 758805 had a related patch set uploaded (by Hashar; author: Hashar):

[operations/deployment-charts@master] Revert "blubberoid: pipeline bot promote"

https://gerrit.wikimedia.org/r/758805

Change 758805 merged by jenkins-bot:

[operations/deployment-charts@master] Revert "blubberoid: pipeline bot promote"

https://gerrit.wikimedia.org/r/758805

> I believe this change is why the LibUp pipeline started failing today with:
>
> Step 21/33 : COPY --chown=$LIVES_UID:$LIVES_GID ["pyproject.toml", "poetry.lock", "./"]
> unable to convert uid/gid chown string to host mapping: can't find uid for user $LIVES_UID: no such user: $LIVES_UID
>
> ex: https://integration.wikimedia.org/ci/job/libraryupgrader-pipeline-test/108/console
>
> Do I need to change something in my blubber config? See https://gerrit.wikimedia.org/r/plugins/gitiles/labs/libraryupgrader/+/refs/heads/master/.pipeline/blubber.yaml, it's mostly copied directly from Toolhub, but I'm not doing anything specific related to users.

The same error was seen for cxserver as well: https://integration.wikimedia.org/ci/job/service-pipeline-test/11082/console

Both builds appear to show the expected ARG LIVES_UID=... and ARG LIVES_GID=... instructions. More investigation is needed to understand if the user is not being added or if the expected values are not being substituted at build time or ...?

bd808 triaged this task as Medium priority. Feb 1 2022, 3:45 PM

> Both builds appear to show the expected ARG LIVES_UID=... and ARG LIVES_GID=... instructions. More investigation is needed to understand if the user is not being added or if the expected values are not being substituted at build time or ...?

Citation needed, but a StackOverflow comment in a question specifically about the interaction of ARG and COPY says:

> Does not appear to expand in a COPY statement's --from argument in a single-stage build (in 19.03.5 or in 18). – Jason Young

--chown is a different argument to COPY, but it could suffer from the same problem. I don't think this is a problem with the scope of the ARG declaration.

I can also say that I have a working Blubber generated Dockerfile locally which uses COPY --chown=$LIVES_UID:$LIVES_GID [".", "."] that builds without issue via Docker version 20.10.12, build e91ed57 on a MacOS host. So it may turn out to be related specifically to COPY and the Docker version used at container build time.

> I can also say that I have a working Blubber generated Dockerfile locally which uses COPY --chown=$LIVES_UID:$LIVES_GID [".", "."] that builds without issue via Docker version 20.10.12, build e91ed57 on a MacOS host. So it may turn out to be related specifically to COPY and the Docker version used at container build time.

Using a local build of Blubber I generated a Dockerfile for the "web" variant from @Legoktm's libraryupgrader which failed to build on CI in T296046#7666292:

FROM docker-registry.wikimedia.org/python3-buster:latest AS web
USER 0
ENV HOME="/root"
ENV DEBIAN_FRONTEND="noninteractive"
RUN apt-get update && apt-get install -y "python3-venv" "git" && rm -rf /var/lib/apt/lists/*
RUN python3 "-m" "easy_install" "pip" && python3 "-m" "pip" "install" "-U" "setuptools" "wheel" "tox" "pip"
ENV POETRY_VIRTUALENVS_PATH="/opt/lib/poetry"
RUN python3 "-m" "pip" "install" "-U" "poetry==1.1.4"
ARG LIVES_AS="somebody"
ARG LIVES_UID=65533
ARG LIVES_GID=65533
RUN (getent group "$LIVES_GID" || groupadd -o -g "$LIVES_GID" -r "$LIVES_AS") && (getent passwd "$LIVES_UID" || useradd -l -o -m -d "/home/$LIVES_AS" -r -g "$LIVES_GID" -u "$LIVES_UID" "$LIVES_AS") && mkdir -p "/srv/app" && chown "$LIVES_UID":"$LIVES_GID" "/srv/app" && mkdir -p "/opt/lib" && chown "$LIVES_UID":"$LIVES_GID" "/opt/lib"
ARG RUNS_AS="runuser"
ARG RUNS_UID=900
ARG RUNS_GID=900
RUN (getent group "$RUNS_GID" || groupadd -o -g "$RUNS_GID" -r "$RUNS_AS") && (getent passwd "$RUNS_UID" || useradd -l -o -m -d "/home/$RUNS_AS" -r -g "$RUNS_GID" -u "$RUNS_UID" "$RUNS_AS")
USER $LIVES_UID
ENV HOME="/home/somebody"
WORKDIR "/srv/app"
ENV PIP_DISABLE_PIP_VERSION_CHECK="on" PIP_NO_CACHE_DIR="off" PYTHONBUFFERED="1" PYTHONDONTWRITEBYTECODE="1"
COPY --chown=$LIVES_UID:$LIVES_GID ["pyproject.toml", "poetry.lock", "./"]
RUN mkdir -p "/opt/lib/poetry"
RUN poetry "install" "--no-root" "--no-dev"
COPY --chown=$LIVES_UID:$LIVES_GID [".", "."]
USER $RUNS_UID
ENV HOME="/home/$RUNS_AS"
ENTRYPOINT ["/bin/bash", "-c", "poetry run gunicorn -w 4 -b 0.0.0.0:3002 libup.web:app"]

LABEL blubber.variant="web" blubber.version="0.8.0+95dd6f5"

I then built the container locally with no errors:

$ docker --version
Docker version 20.10.12, build e91ed57
$ docker build .
[+] Building 65.8s (16/16) FINISHED
 => [internal] load build definition from Dockerfile                       0.1s 
 => => transferring dockerfile: 1.67kB                                     0.0s
 => [internal] load .dockerignore                                          0.0s
 => => transferring context: 2B                                            0.0s
 => [internal] load metadata for docker-registry.wikimedia.org/python3-bu  0.0s
 => CACHED [ 1/11] FROM docker-registry.wikimedia.org/python3-buster:late  0.0s
 => [internal] load build context                                          0.2s
 => => transferring context: 1.44MB                                        0.2s
 => [ 2/11] RUN apt-get update && apt-get install -y "python3-venv" "git  14.8s
 => [ 3/11] RUN python3 "-m" "easy_install" "pip" && python3 "-m" "pip"   10.1s
 => [ 4/11] RUN python3 "-m" "pip" "install" "-U" "poetry==1.1.4"         12.5s
 => [ 5/11] RUN (getent group "65533" || groupadd -o -g "65533" -r "someb  0.5s
 => [ 6/11] RUN (getent group "900" || groupadd -o -g "900" -r "runuser")  0.5s
 => [ 7/11] WORKDIR /srv/app                                               0.0s
 => [ 8/11] COPY --chown=65533:65533 [pyproject.toml, poetry.lock, ./]     0.1s
 => [ 9/11] RUN mkdir -p "/opt/lib/poetry"                                 0.4s
 => [10/11] RUN poetry "install" "--no-root" "--no-dev"                   25.2s
 => [11/11] COPY --chown=65533:65533 [., .]                                0.1s
 => exporting to image                                                     1.3s
 => => exporting layers                                                    1.3s
 => => writing image sha256:188c5b80227b6de6fbbb49da299ca5db07b20da99834d  0.0s

Use 'docker scan' to run Snyk tests against images to find vulnerabilities and learn how to fix them

On contint1001 where the CI system was failing to build functionally the same Dockerfile:

$ docker --version
Docker version 18.09.1, build 4c52b90

Based on the SO comment noted in T296046#7668508, this makes it seem likely that somewhere between Docker 19.03.5 and Docker 20.10.12 the COPY command gained support for interpolating ARG values.

Support for interpolating params to COPY --chown=... in buildkit landed in https://github.com/moby/buildkit/commit/024863526913b98ca3fdfc8733a9d589ee7aaf12 back in April 2019. That commit was included in dockerfile/1.1.0 as the first "stable" release following that commit. Docker didn't start using buildkit to power docker build until v19.03, so until at least that is available on CI my awesome feature is a bust. https://pythonspeed.com/articles/docker-buildkit/ has a lot more information about buildkit, how to turn it on, and how to tune the version used when building an image.
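The diagnosis above had to separate two causes for a literal `$LIVES_UID` reaching the user lookup: an ARG that is out of scope in its stage, or a builder that does not interpolate `--chown`. The following added example (not code from Blubber or this task) lists every COPY/ADD `--chown` flag that relies on interpolation and checks each referenced variable against the ARG/ENV declarations of its stage; the function names are assumptions and the second stage of the sample is constructed.

```python
import re
import shlex

# Constructed sample: stage "web" repeats lines from the Dockerfile in this
# task; stage "test" is invented to show the out-of-scope case.
SAMPLE = """\
FROM docker-registry.wikimedia.org/python3-buster:latest AS web
ARG LIVES_UID=65533
ARG LIVES_GID=65533
COPY --chown=$LIVES_UID:$LIVES_GID ["pyproject.toml", "poetry.lock", "./"]
FROM docker-registry.wikimedia.org/python3-buster:latest AS test
ARG LIVES_UID=65533
COPY --chown=$LIVES_UID:$LIVES_GID [".", "."]
"""

CHOWN = re.compile(r"--chown=(\S+)")
VAR = re.compile(r"\$(?:\{(\w+)\}|(\w+))")


def declared_names(op, rest):
    """Variable names introduced by one ARG or ENV instruction."""
    tokens = shlex.split(rest)
    if not tokens:
        return []
    if op == "ENV" and "=" not in tokens[0]:
        return [tokens[0]]                      # legacy form: ENV NAME value
    return [t.split("=", 1)[0] for t in tokens if op == "ARG" or "=" in t]


def chown_references(dockerfile):
    """Return (line_no, referenced_vars, vars_not_in_scope) for each COPY/ADD
    whose --chown flag contains a variable reference.

    Simplifications: no line continuations, and ENV inherited from a base
    image is not modelled, so such a variable is reported as not in scope.
    """
    findings, scope = [], set()
    for line_no, raw in enumerate(dockerfile.splitlines(), start=1):
        parts = raw.strip().split(None, 1)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        op, rest = parts[0].upper(), parts[1]
        if op == "FROM":
            scope = set()       # earlier-stage and pre-FROM ARGs are not visible here
        elif op in ("ARG", "ENV"):
            scope.update(declared_names(op, rest))
        elif op in ("COPY", "ADD"):
            flag = CHOWN.search(rest)
            names = [a or b for a, b in VAR.findall(flag.group(1))] if flag else []
            if names:
                missing = [n for n in names if n not in scope]
                findings.append((line_no, names, missing))
    return findings


def diagnose(dockerfile):
    """Per line: 'scope' if a referenced variable is undeclared in its stage,
    'builder' if all are declared, leaving builder interpolation as the cause."""
    return {line_no: ("scope" if missing else "builder")
            for line_no, _, missing in chown_references(dockerfile)}


if __name__ == "__main__":
    for line_no, names, missing in chown_references(SAMPLE):
        print(line_no, names, "missing:", missing)
    print(diagnose(SAMPLE))
```

A `builder` result for the failing line matches what the thread found on Docker 18.09.1: the declarations were in place and the builder did not expand them.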

bd808 changed the task status from Open to Stalled. Feb 1 2022, 8:23 PM

Marking this as stalled for now due to the discovery of the need for newer versions of Docker than are currently available in the Foundation's CI systems. Operating system updates or specific work to backport newer Docker debs will eventually unblock the feature. I am also interested in testing Podman's support for this basic functionality now that I am more aware that interpolation of ARG values in all instruction contexts is not necessarily a "core" feature for container build tools.

Change 758907 had a related patch set uploaded (by BryanDavis; author: BryanDavis):

[blubber@master] Revert "feature: build-time arguments for lives & runs user config"

https://gerrit.wikimedia.org/r/758907

> I am also interested in testing Podman's support for this basic functionality now that I am more aware that interpolation of ARG values in all instruction contexts is not necessarily a "core" feature for container build tools.

Building with podman v3.0.1 from Debian Bullseye and the Dockerfile from T296046#7668655 seems to work as hoped. Debian Bullseye also has docker.io v20.10.5 available via apt, so in theory upgrading the CI hosts that are used to build containers via Pipelinelib to Bullseye would make this feature possible. That also assumes that we are ok with requiring Docker+buildkit or Podman v3 as minimum requirements for building Blubber managed containers. This does not seem like a large burden however to place on users, especially as CI container builds are very likely the majority of Blubber uses.

$ podman --version
podman version 3.0.1
$ sudo podman build --tag libup .
STEP 1: FROM docker-registry.wikimedia.org/python3-buster:latest AS web
Getting image source signatures
Copying blob 2427ba68d25e done
Copying blob 5339a9d66073 done
Copying config 4fbe043b03 done
Writing manifest to image destination
Storing signatures
STEP 2: USER 0
--> f8af06958bc
STEP 3: ENV HOME="/root"
--> 29b2f1e3d6d
STEP 4: ENV DEBIAN_FRONTEND="noninteractive"
--> 8d67dd8a49e
STEP 5: RUN apt-get update && apt-get install -y "python3-venv" "git" && rm -rf /var/lib/apt/lists/*
Setting up librtmp1:amd64 (2.4+20151223.gitfa8646d.1-2) ...
Setting up libpcre2-8-0:amd64 (10.32-5) ...
Setting up libk5crypto3:amd64 (1.17-3+deb10u3) ...
Setting up libsasl2-2:amd64 (2.1.27+dfsg-1+deb10u1) ...
Setting up git-man (1:2.20.1-2+deb10u3) ...
Setting up libssh2-1:amd64 (1.8.0-2.1) ...
Setting up libkrb5-3:amd64 (1.17-3+deb10u3) ...
Setting up openssl (1.1.1d-0+deb10u7) ...
Setting up libgdbm6:amd64 (1.18.1-4) ...
Setting up libldap-2.4-2:amd64 (2.4.47+dfsg-3+deb10u6) ...
Setting up ca-certificates (20200601~deb10u2) ...
Updating certificates in /etc/ssl/certs...
137 added, 0 removed; done.
Setting up libgssapi-krb5-2:amd64 (1.17-3+deb10u3) ...
Setting up libgdbm-compat4:amd64 (1.18.1-4) ...
Setting up libperl5.28:amd64 (5.28.1-6+deb10u1) ...
Setting up python-pip-whl (18.1-5) ...
Setting up libcurl3-gnutls:amd64 (7.64.0-4+deb10u2) ...
Setting up python3.7-venv (3.7.3-2+deb10u3) ...
Setting up perl (5.28.1-6+deb10u1) ...
Setting up python3-venv (3.7.3-1) ...
Setting up liberror-perl (0.17027-2) ...
Setting up git (1:2.20.1-2+deb10u3) ...
Processing triggers for libc-bin (2.28-10) ...
Processing triggers for ca-certificates (20200601~deb10u2) ...
Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
--> 1c1c793589b
STEP 6: RUN python3 "-m" "easy_install" "pip" && python3 "-m" "pip" "install" "-U" "setuptools" "wheel" "tox" "pip"
Searching for pip
Reading https://pypi.org/simple/pip/
Downloading https://files.pythonhosted.org/packages/83/b5/df8640236faa5a3cb80bfafd68e9fb4b22578208b8398c032ccff803f9e0/pip-22.0.2-py3-none-any.whl#sha256=682eabc4716bfce606aca8dab488e9c7b58b0737e9001004eb858cdafcd8dbdd
Best match: pip 22.0.2
Processing pip-22.0.2-py3-none-any.whl
Installing pip-22.0.2-py3-none-any.whl to /usr/local/lib/python3.7/dist-packages
Adding pip 22.0.2 to easy-install.pth file
Installing pip script to /usr/local/bin
Installing pip3 script to /usr/local/bin
Installing pip3.9 script to /usr/local/bin

Installed /usr/local/lib/python3.7/dist-packages/pip-22.0.2-py3.7.egg
Processing dependencies for pip
Finished processing dependencies for pip
Requirement already satisfied: setuptools in /usr/lib/python3/dist-packages (40.8.0)
Collecting setuptools
  Downloading setuptools-60.6.0-py3-none-any.whl (953 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 953.8/953.8 KB 39.3 MB/s eta 0:00:00
Collecting wheel
  Downloading wheel-0.37.1-py2.py3-none-any.whl (35 kB)
Collecting tox
  Downloading tox-3.24.5-py2.py3-none-any.whl (85 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 85.6/85.6 KB 10.5 MB/s eta 0:00:00
Requirement already satisfied: pip in /usr/local/lib/python3.7/dist-packages/pip-22.0.2-py3.7.egg (22.0.2)
Collecting py>=1.4.17
  Downloading py-1.11.0-py2.py3-none-any.whl (98 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 98.7/98.7 KB 13.2 MB/s eta 0:00:00
Collecting pluggy>=0.12.0
  Downloading pluggy-1.0.0-py2.py3-none-any.whl (13 kB)
Collecting packaging>=14
  Downloading packaging-21.3-py3-none-any.whl (40 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 40.8/40.8 KB 3.6 MB/s eta 0:00:00
Collecting toml>=0.9.4
  Downloading toml-0.10.2-py2.py3-none-any.whl (16 kB)
Collecting importlib-metadata>=0.12
  Downloading importlib_metadata-4.10.1-py3-none-any.whl (17 kB)
Collecting filelock>=3.0.0
  Downloading filelock-3.4.2-py3-none-any.whl (9.9 kB)
Collecting virtualenv!=20.0.0,!=20.0.1,!=20.0.2,!=20.0.3,!=20.0.4,!=20.0.5,!=20.0.6,!=20.0.7,>=16.0.0
  Downloading virtualenv-20.13.0-py2.py3-none-any.whl (6.5 MB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 6.5/6.5 MB 75.9 MB/s eta 0:00:00
Collecting six>=1.14.0
  Downloading six-1.16.0-py2.py3-none-any.whl (11 kB)
Collecting zipp>=0.5
  Downloading zipp-3.7.0-py3-none-any.whl (5.3 kB)
Collecting typing-extensions>=3.6.4
  Downloading typing_extensions-4.0.1-py3-none-any.whl (22 kB)
Collecting pyparsing!=3.0.5,>=2.0.2
  Downloading pyparsing-3.0.7-py3-none-any.whl (98 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 98.0/98.0 KB 13.1 MB/s eta 0:00:00
Collecting platformdirs<3,>=2
  Downloading platformdirs-2.4.1-py3-none-any.whl (14 kB)
Collecting distlib<1,>=0.3.1
  Downloading distlib-0.3.4-py2.py3-none-any.whl (461 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 461.2/461.2 KB 40.3 MB/s eta 0:00:00
Installing collected packages: distlib, zipp, wheel, typing-extensions, toml, six, setuptools, pyparsing, py, platformdirs, filelock, packaging, importlib-metadata, virtualenv, pluggy, tox
  Attempting uninstall: setuptools
    Found existing installation: setuptools 40.8.0
    Uninstalling setuptools-40.8.0:
      Successfully uninstalled setuptools-40.8.0
Successfully installed distlib-0.3.4 filelock-3.4.2 importlib-metadata-4.10.1 packaging-21.3 platformdirs-2.4.1 pluggy-1.0.0 py-1.11.0 pyparsing-3.0.7 setuptools-60.6.0 six-1.16.0 toml-0.10.2 tox-3.24.5 typing-extensions-4.0.1 virtualenv-20.13.0 wheel-0.37.1 zipp-3.7.0
WARNING: Running pip as the 'root' user can result in broken permissions and conflicting behaviour with the system package manager. It is recommended to use a virtual environment instead: https://pip.pypa.io/warnings/venv
--> 9479bed3d74
STEP 7: ENV POETRY_VIRTUALENVS_PATH="/opt/lib/poetry"
--> cb6b2d1f212
STEP 8: RUN python3 "-m" "pip" "install" "-U" "poetry==1.1.4"
Collecting poetry==1.1.4
  Downloading poetry-1.1.4-py2.py3-none-any.whl (171 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 171.6/171.6 KB 13.0 MB/s eta 0:00:00
Collecting pexpect<5.0.0,>=4.7.0
  Downloading pexpect-4.8.0-py2.py3-none-any.whl (59 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 59.0/59.0 KB 8.5 MB/s eta 0:00:00
Collecting shellingham<2.0,>=1.1
  Downloading shellingham-1.4.0-py2.py3-none-any.whl (9.4 kB)
Collecting cachecontrol[filecache]<0.13.0,>=0.12.4
  Downloading CacheControl-0.12.10-py2.py3-none-any.whl (20 kB)
Collecting cachy<0.4.0,>=0.3.0
  Downloading cachy-0.3.0-py2.py3-none-any.whl (20 kB)
Collecting requests<3.0,>=2.18
  Downloading requests-2.27.1-py2.py3-none-any.whl (63 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 63.1/63.1 KB 7.7 MB/s eta 0:00:00
Collecting requests-toolbelt<0.10.0,>=0.9.1
  Downloading requests_toolbelt-0.9.1-py2.py3-none-any.whl (54 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 54.3/54.3 KB 8.0 MB/s eta 0:00:00
Collecting importlib-metadata<2.0.0,>=1.6.0
  Downloading importlib_metadata-1.7.0-py2.py3-none-any.whl (31 kB)
Collecting tomlkit<1.0.0,>=0.7.0
  Downloading tomlkit-0.9.0-py3-none-any.whl (32 kB)
Collecting html5lib<2.0,>=1.0
  Downloading html5lib-1.1-py2.py3-none-any.whl (112 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 112.2/112.2 KB 15.4 MB/s eta 0:00:00
Requirement already satisfied: virtualenv<21.0.0,>=20.0.26 in /usr/local/lib/python3.7/dist-packages (from poetry==1.1.4) (20.13.0)
Collecting cleo<0.9.0,>=0.8.1
  Downloading cleo-0.8.1-py2.py3-none-any.whl (21 kB)
Collecting pkginfo<2.0,>=1.4
  Downloading pkginfo-1.8.2-py2.py3-none-any.whl (26 kB)
Collecting packaging<21.0,>=20.4
  Downloading packaging-20.9-py2.py3-none-any.whl (40 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 40.9/40.9 KB 5.6 MB/s eta 0:00:00
Collecting keyring<22.0.0,>=21.2.0
  Downloading keyring-21.8.0-py3-none-any.whl (32 kB)
Collecting poetry-core<2.0.0,>=1.0.0
  Downloading poetry_core-1.0.7-py2.py3-none-any.whl (424 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 424.8/424.8 KB 28.2 MB/s eta 0:00:00
Collecting crashtest<0.4.0,>=0.3.0
  Downloading crashtest-0.3.1-py3-none-any.whl (7.0 kB)
Collecting clikit<0.7.0,>=0.6.2
  Downloading clikit-0.6.2-py2.py3-none-any.whl (91 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 91.8/91.8 KB 14.1 MB/s eta 0:00:00
Collecting msgpack>=0.5.2
  Downloading msgpack-1.0.3-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl (299 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 299.4/299.4 KB 27.8 MB/s eta 0:00:00
Collecting lockfile>=0.9
  Downloading lockfile-0.12.2-py2.py3-none-any.whl (13 kB)
Collecting pastel<0.3.0,>=0.2.0
  Downloading pastel-0.2.1-py2.py3-none-any.whl (6.0 kB)
Collecting pylev<2.0,>=1.3
  Downloading pylev-1.4.0-py2.py3-none-any.whl (6.1 kB)
Collecting webencodings
  Downloading webencodings-0.5.1-py2.py3-none-any.whl (11 kB)
Requirement already satisfied: six>=1.9 in /usr/local/lib/python3.7/dist-packages (from html5lib<2.0,>=1.0->poetry==1.1.4) (1.16.0)
Requirement already satisfied: zipp>=0.5 in /usr/local/lib/python3.7/dist-packages (from importlib-metadata<2.0.0,>=1.6.0->poetry==1.1.4) (3.7.0)
Collecting SecretStorage>=3.2
  Downloading SecretStorage-3.3.1-py3-none-any.whl (15 kB)
Collecting jeepney>=0.4.2
  Downloading jeepney-0.7.1-py3-none-any.whl (54 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 54.1/54.1 KB 7.6 MB/s eta 0:00:00
Requirement already satisfied: pyparsing>=2.0.2 in /usr/local/lib/python3.7/dist-packages (from packaging<21.0,>=20.4->poetry==1.1.4) (3.0.7)
Collecting ptyprocess>=0.5
  Downloading ptyprocess-0.7.0-py2.py3-none-any.whl (13 kB)
Collecting urllib3<1.27,>=1.21.1
  Downloading urllib3-1.26.8-py2.py3-none-any.whl (138 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 138.7/138.7 KB 17.7 MB/s eta 0:00:00
Collecting charset-normalizer~=2.0.0
  Downloading charset_normalizer-2.0.11-py3-none-any.whl (39 kB)
Collecting certifi>=2017.4.17
  Downloading certifi-2021.10.8-py2.py3-none-any.whl (149 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 149.2/149.2 KB 16.8 MB/s eta 0:00:00
Collecting idna<4,>=2.5
  Downloading idna-3.3-py3-none-any.whl (61 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 61.2/61.2 KB 9.5 MB/s eta 0:00:00
Requirement already satisfied: filelock<4,>=3.2 in /usr/local/lib/python3.7/dist-packages (from virtualenv<21.0.0,>=20.0.26->poetry==1.1.4) (3.4.2)
Requirement already satisfied: platformdirs<3,>=2 in /usr/local/lib/python3.7/dist-packages (from virtualenv<21.0.0,>=20.0.26->poetry==1.1.4) (2.4.1)
Requirement already satisfied: distlib<1,>=0.3.1 in /usr/local/lib/python3.7/dist-packages (from virtualenv<21.0.0,>=20.0.26->poetry==1.1.4) (0.3.4)
Collecting cryptography>=2.0
  Downloading cryptography-36.0.1-cp36-abi3-manylinux_2_24_x86_64.whl (3.6 MB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 3.6/3.6 MB 56.7 MB/s eta 0:00:00
Collecting cffi>=1.12
  Downloading cffi-1.15.0-cp37-cp37m-manylinux_2_12_x86_64.manylinux2010_x86_64.whl (427 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 427.1/427.1 KB 37.8 MB/s eta 0:00:00
Collecting pycparser
  Downloading pycparser-2.21-py2.py3-none-any.whl (118 kB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 118.7/118.7 KB 14.7 MB/s eta 0:00:00
Installing collected packages: webencodings, pylev, ptyprocess, pkginfo, msgpack, lockfile, certifi, urllib3, tomlkit, shellingham, pycparser, pexpect, pastel, packaging, jeepney, importlib-metadata, idna, html5lib, crashtest, charset-normalizer, cachy, requests, poetry-core, clikit, cffi, requests-toolbelt, cryptography, cleo, cachecontrol, SecretStorage, keyring, poetry
  Attempting uninstall: packaging
    Found existing installation: packaging 21.3
    Uninstalling packaging-21.3:
      Successfully uninstalled packaging-21.3
  Attempting uninstall: importlib-metadata
    Found existing installation: importlib-metadata 4.10.1
    Uninstalling importlib-metadata-4.10.1:
      Successfully uninstalled importlib-metadata-4.10.1
Successfully installed SecretStorage-3.3.1 cachecontrol-0.12.10 cachy-0.3.0 certifi-2021.10.8 cffi-1.15.0 charset-normalizer-2.0.11 cleo-0.8.1 clikit-0.6.2 crashtest-0.3.1 cryptography-36.0.1 html5lib-1.1 idna-3.3 importlib-metadata-1.7.0 jeepney-0.7.1 keyring-21.8.0 lockfile-0.12.2 msgpack-1.0.3 packaging-20.9 pastel-0.2.1 pexpect-4.8.0 pkginfo-1.8.2 poetry-1.1.4 poetry-core-1.0.7 ptyprocess-0.7.0 pycparser-2.21 pylev-1.4.0 requests-2.27.1 requests-toolbelt-0.9.1 shellingham-1.4.0 tomlkit-0.9.0 urllib3-1.26.8 webencodings-0.5.1
WARNING: Running pip as the 'root' user can result in broken permissions and conflicting behaviour with the system package manager. It is recommended to use a virtual environment instead: https://pip.pypa.io/warnings/venv
--> 207b7c8717f
STEP 9: ARG LIVES_AS="somebody"
--> fb7f0d8333d
STEP 10: ARG LIVES_UID=65533
--> 836bcca4b17
STEP 11: ARG LIVES_GID=65533
--> e7aeb915f0c
STEP 12: RUN (getent group "$LIVES_GID" || groupadd -o -g "$LIVES_GID" -r "$LIVES_AS") && (getent passwd "$LIVES_UID" || useradd -l -o -m -d "/home/$LIVES_AS" -r -g "$LIVES_GID" -u "$LIVES_UID" "$LIVES_AS") && mkdir -p "/srv/app" && chown "$LIVES_UID":"$LIVES_GID" "/srv/app" && mkdir -p "/opt/lib" && chown "$LIVES_UID":"$LIVES_GID" "/opt/lib"
--> 6ef0f30b676
STEP 13: ARG RUNS_AS="runuser"
--> 39986ca147a
STEP 14: ARG RUNS_UID=900
--> 12106c9425e
STEP 15: ARG RUNS_GID=900
--> 8adea5c69cd
STEP 16: RUN (getent group "$RUNS_GID" || groupadd -o -g "$RUNS_GID" -r "$RUNS_AS") && (getent passwd "$RUNS_UID" || useradd -l -o -m -d "/home/$RUNS_AS" -r -g "$RUNS_GID" -u "$RUNS_UID" "$RUNS_AS")
--> 006b911a8fe
STEP 17: USER $LIVES_UID
--> 93035ad9039
STEP 18: ENV HOME="/home/somebody"
--> a3726c3120c
STEP 19: WORKDIR "/srv/app"
--> 69a18f901ca
STEP 20: ENV PIP_DISABLE_PIP_VERSION_CHECK="on" PIP_NO_CACHE_DIR="off" PYTHONBUFFERED="1" PYTHONDONTWRITEBYTECODE="1"
--> efd74429f87
STEP 21: COPY --chown=$LIVES_UID:$LIVES_GID ["pyproject.toml", "poetry.lock", "./"]
--> a119b5605fc
STEP 22: RUN mkdir -p "/opt/lib/poetry"
--> 78bbdf8b6b3
STEP 23: RUN poetry "install" "--no-root" "--no-dev"
Creating virtualenv libup-2uZo5AhP-py3.7 in /opt/lib/poetry
Installing dependencies from lock file

Package operations: 42 installs, 0 updates, 0 removals

  • Installing typing-extensions (4.0.1)
  • Installing zipp (3.7.0)
  • Installing importlib-metadata (4.10.1)
  • Installing markupsafe (2.0.1)
  • Installing vine (5.0.0)
  • Installing wcwidth (0.2.5)
  • Installing amqp (5.0.9)
  • Installing cached-property (1.5.2)
  • Installing certifi (2021.10.8)
  • Installing charset-normalizer (2.0.11)
  • Installing click (8.0.3)
  • Installing greenlet (1.1.2)
  • Installing idna (3.3)
  • Installing itsdangerous (2.0.1)
  • Installing jinja2 (3.0.3)
  • Installing prompt-toolkit (3.0.26)
  • Installing six (1.16.0)
  • Installing urllib3 (1.26.8)
  • Installing werkzeug (2.0.2)
  • Installing billiard (3.6.4.0)
  • Installing click-didyoumean (0.3.0)
  • Installing click-plugins (1.1.1)
  • Installing click-repl (0.2.0)
  • Installing flask (2.0.2)
  • Installing importlib-resources (5.4.0)
  • Installing kombu (5.2.3)
  • Installing mako (1.1.6)
  • Installing pymysql (1.0.2)
  • Installing pytz (2021.3)
  • Installing pyyaml (6.0)
  • Installing requests (2.27.1)
  • Installing sqlalchemy (1.4.31)
  • Installing alembic (1.7.5)
  • Installing celery (5.2.3)
  • Installing flask-sqlalchemy (2.5.1)
  • Installing gunicorn (20.1.0)
  • Installing markdown (3.3.6)
  • Installing phabricator (0.8.1)
  • Installing poetry-semver (0.1.0)
  • Installing toml (0.10.2)
  • Installing toolforge (5.0.0)
  • Installing wikimediaci-utils (1.1.0)
--> 2dec5fe1aa6
STEP 24: COPY --chown=$LIVES_UID:$LIVES_GID [".", "."]
--> f877f6ce269
STEP 25: USER $RUNS_UID
--> 3bd856e09cb
STEP 26: ENV HOME="/home/$RUNS_AS"
--> 209e6ca040d
STEP 27: ENTRYPOINT ["/bin/bash", "-c", "poetry run gunicorn -w 4 -b 0.0.0.0:3002 libup.web:app"]
--> ee7b2441b97
STEP 28: LABEL blubber.variant="web" blubber.version="0.8.0+95dd6f5"
STEP 29: COMMIT libup
--> dc65e3f64b4
dc65e3f64b43edbd82b37b1591f6c713d1271c4e01a6e9e899dd6e02c50903ca
$ sudo podman run -it --entrypoint=/bin/sh localhost/libup -c 'ls -alh /srv/app'
total 232K
drwxr-xr-x 1 somebody somebody 4.0K Feb  1 20:39 .
drwxr-xr-x 1 root     root     4.0K Feb  1 20:39 ..
drwxrwxr-x 8 somebody somebody 4.0K Feb  1 20:37 .git
-rw-rw-r-- 1 somebody somebody  150 Feb  1 20:37 .gitignore
-rw-rw-r-- 1 somebody somebody  104 Feb  1 20:37 .gitreview
drwxrwxr-x 2 somebody somebody 4.0K Feb  1 20:37 .pipeline
-rw-rw-r-- 1 somebody somebody  34K Feb  1 20:37 COPYING
-rw-rw-r-- 1 somebody somebody 1.6K Feb  1 20:38 Dockerfile
-rw-rw-r-- 1 somebody somebody   31 Feb  1 20:37 MANIFEST.in
-rw-rw-r-- 1 somebody somebody  526 Feb  1 20:37 README.md
drwxrwxr-x 3 somebody somebody 4.0K Feb  1 20:37 alembic
-rw-rw-r-- 1 somebody somebody 2.0K Feb  1 20:37 alembic.ini
-rwxrwxr-x 1 somebody somebody  106 Feb  1 20:37 build.sh
drwxrwxr-x 5 somebody somebody 4.0K Feb  1 20:37 data
drwxrwxr-x 5 somebody somebody 4.0K Feb  1 20:37 diff-libraries
-rwxrwxr-x 1 somebody somebody  368 Feb  1 20:37 dump-reqs.sh
drwxrwxr-x 2 somebody somebody 4.0K Feb  1 20:37 etc
drwxrwxr-x 2 somebody somebody 4.0K Feb  1 20:37 files
drwxrwxr-x 3 somebody somebody 4.0K Feb  1 20:37 libup
-rw-rw-r-- 1 somebody somebody  79K Feb  1 20:37 poetry.lock
-rw-rw-r-- 1 somebody somebody  775 Feb  1 20:37 pyproject.toml
-rw-rw-r-- 1 somebody somebody 5.7K Feb  1 20:37 requirements-dev.txt
-rw-rw-r-- 1 somebody somebody 4.5K Feb  1 20:37 requirements.txt
-rwxrwxr-x 1 somebody somebody   39 Feb  1 20:37 reset.sh
drwxrwxr-x 4 somebody somebody 4.0K Feb  1 20:37 runner
-rw-rw-r-- 1 somebody somebody   15 Feb  1 20:37 rustfmt.toml
-rw-rw-r-- 1 somebody somebody  557 Feb  1 20:37 setup.py
drwxrwxr-x 2 somebody somebody 4.0K Feb  1 20:37 tests
-rw-rw-r-- 1 somebody somebody  643 Feb  1 20:37 tox.ini
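
The user-related steps in the build log above take their UID/GID values from `ARG` defaults, so a `--build-arg` override changes both who owns the copied code and who the container runs as. The following is an added example, not part of the original comment or of Blubber: it models that resolution in Python over a constructed excerpt of those steps. The function names and the host UID of 1000 are assumptions.

```python
import re

# Constructed excerpt: the user-related instructions from the build log above.
BUILD_STEPS = """\
ARG LIVES_AS="somebody"
ARG LIVES_UID=65533
ARG LIVES_GID=65533
ARG RUNS_AS="runuser"
ARG RUNS_UID=900
ARG RUNS_GID=900
USER $LIVES_UID
COPY --chown=$LIVES_UID:$LIVES_GID ["pyproject.toml", "poetry.lock", "./"]
COPY --chown=$LIVES_UID:$LIVES_GID [".", "."]
USER $RUNS_UID
"""


def expand(text, env):
    """Substitute $NAME / ${NAME} references with resolved ARG values."""
    return re.sub(r"\$\{?(\w+)\}?", lambda m: env.get(m.group(1), ""), text)


def resolve_identities(steps, build_args=None):
    """Return the final USER and the owners set by COPY --chown."""
    build_args = build_args or {}
    env, owners, user = {}, set(), "0"  # images run as root until USER is set
    for line in steps.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) != 2:
            continue
        instruction, rest = parts[0].upper(), parts[1]
        if instruction == "ARG":
            name, _, default = rest.partition("=")
            # A --build-arg value wins over the default declared in the file.
            env[name] = str(build_args.get(name, default.strip('"')))
        elif instruction == "USER":
            user = expand(rest, env)
        elif instruction == "COPY":
            chown = re.search(r"--chown=(\S+)", rest)
            # COPY without --chown leaves files owned by 0:0.
            owners.add(expand(chown.group(1), env) if chown else "0:0")
    return {"runtime_uid": user, "copy_owners": owners}


def audit(steps, host_uid, build_args=None):
    """Compare the resolved runtime UID with the host UID and code owners."""
    ids = resolve_identities(steps, build_args)
    owner_uids = {owner.split(":")[0] for owner in ids["copy_owners"]}
    return {
        **ids,
        # A UID match lets the container write host-owned files on a
        # bind-mounted volume under Linux Docker.
        "matches_host": ids["runtime_uid"] == str(host_uid),
        # False keeps the lives/runs split: the process does not own its code.
        "runtime_owns_code": owner_uids == {ids["runtime_uid"]},
    }


if __name__ == "__main__":
    host = 1000  # assumed host UID
    print(audit(BUILD_STEPS, host))
    print(audit(BUILD_STEPS, host, {"RUNS_UID": host, "RUNS_GID": host}))
```

Overriding only `RUNS_UID`/`RUNS_GID` aligns the runtime user with the host while the application code stays owned by the separate "lives" user.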

Change 758907 merged by jenkins-bot:

[blubber@master] Revert "feature: build-time arguments for lives & runs user config"

https://gerrit.wikimedia.org/r/758907

That also assumes that we are ok with requiring Docker+buildkit or Podman v3 as minimum requirements for building Blubber managed containers. This does not seem like a large burden however to place on users, especially as CI container builds are very likely the majority of Blubber uses.

This seems reasonable to me. Fedora 34 has podman 3.4.2.

Thank you all for the quick revert and investigation!

bd808 changed the task status from Stalled to Open. May 5 2022, 7:23 PM

No longer stalled with T300682: contint1001 and contint2001 need a newer version of Docker installed resolved. Next step is to attempt to revert the revert.

Change 789950 had a related patch set uploaded (by BryanDavis; author: BryanDavis):

[blubber@master] Revert "Revert "feature: build-time arguments for lives & runs user config""

https://gerrit.wikimedia.org/r/789950

Change 789950 merged by jenkins-bot:

[blubber@master] Revert "Revert "feature: build-time arguments for lives & runs user config""

https://gerrit.wikimedia.org/r/789950

I'm going to reopen this so I can use the same task as a prompt to write documentation on how and why this might be used.

The open and assigned task nag script has complained that I haven't closed this task, so whatever, it is closed now. Maybe someday I'll write up the reasons I added this feature to blubber. :shrug: