feat: DEV-3031: Add uwsgi and nginx (#2868)

Author: farioas

.dockerignore

@@ -3,10 +3,12 @@
 
 # Except:
 !deploy/docker-entrypoint.d/**
+!deploy/nginx/**
 !deploy/docker-entrypoint.sh
 !deploy/requirements-mw.txt
 !deploy/requirements.txt
 !deploy/heroku_run.sh
+!deploy/uwsgi.ini
 !label_studio/**
 !setup.py
 !README.md

Dockerfile

@@ -1,25 +1,26 @@
 # syntax=docker/dockerfile:1.3
 FROM node:14 AS frontend-builder
 
-ENV NPM_CACHE_LOCATION=/root/.npm \
+ENV NPM_CACHE_LOCATION=$HOME/.npm \
     PUPPETEER_SKIP_CHROMIUM_DOWNLOAD=true
 
 WORKDIR /label-studio/label_studio/frontend
 
-COPY label_studio/frontend .
-COPY label_studio/__init__.py /label-studio/label_studio/__init__.py
+COPY --chown=1001:0 label_studio/frontend .
+COPY --chown=1001:0 label_studio/__init__.py /label-studio/label_studio/__init__.py
 
-RUN --mount=type=cache,target=$NPM_CACHE_LOCATION \
+RUN --mount=type=cache,target=$NPM_CACHE_LOCATION,uid=1001,gid=0 \
     npm ci \
  && npm run build:production
 
 FROM ubuntu:20.04
 
 ENV DEBIAN_FRONTEND=noninteractive \
     LS_DIR=/label-studio \
-    PIP_CACHE_DIR=/.cache \
+    PIP_CACHE_DIR=$HOME/.cache \
     DJANGO_SETTINGS_MODULE=core.settings.label_studio \
     LABEL_STUDIO_BASE_DATA_DIR=/label-studio/data \
+    OPT_DIR=/opt/heartex/instance-data/etc \
     SETUPTOOLS_USE_DISTUTILS=stdlib
 
 WORKDIR $LS_DIR
@@ -29,26 +30,46 @@ RUN set -eux \
  && apt-get update \
  && apt-get install --no-install-recommends --no-install-suggests -y \
     build-essential postgresql-client libmysqlclient-dev mysql-client python3.8 python3-pip python3.8-dev \
-    git libxml2-dev libxslt-dev zlib1g-dev
+    git libxml2-dev libxslt-dev zlib1g-dev gnupg curl lsb-release && \
+    apt-get purge --assume-yes --auto-remove --option APT::AutoRemove::RecommendsImportant=false \
+     --option APT::AutoRemove::SuggestsImportant=false && rm -rf /var/lib/apt/lists/* /tmp/*
+
+RUN --mount=type=cache,target=$PIP_CACHE_DIR,uid=1001,gid=0 \
+    pip3 install --upgrade pip setuptools && pip3 install uwsgi uwsgitop
+
+# incapsulate nginx install & configure to a single layer
+RUN set -eux; \
+    curl -sSL https://nginx.org/keys/nginx_signing.key | apt-key add - && \
+    echo "deb https://nginx.org/packages/mainline/ubuntu/ $(lsb_release -cs) nginx" >> /etc/apt/sources.list && \
+    apt-get update && apt-get install nginx && \
+    apt-get purge --assume-yes --auto-remove --option APT::AutoRemove::RecommendsImportant=false \
+     --option APT::AutoRemove::SuggestsImportant=false && rm -rf /var/lib/apt/lists/* /tmp/* && \
+    nginx -v
 
 # Copy and install middleware dependencies
-COPY deploy/requirements-mw.txt .
-RUN --mount=type=cache,target=$PIP_CACHE_DIR \
+COPY --chown=1001:0 deploy/requirements-mw.txt .
+RUN --mount=type=cache,target=$PIP_CACHE_DIR,uid=1001,gid=0 \
     pip3 install -r requirements-mw.txt
 
 # Copy and install requirements.txt first for caching
-COPY deploy/requirements.txt .
-RUN --mount=type=cache,target=$PIP_CACHE_DIR \
+COPY --chown=1001:0 deploy/requirements.txt .
+RUN --mount=type=cache,target=$PIP_CACHE_DIR,uid=1001,gid=0 \
     pip3 install -r requirements.txt
 
-COPY . .
-RUN --mount=type=cache,target=$PIP_CACHE_DIR \
-    pip3 install -e .
+COPY --chown=1001:0 . .
+RUN --mount=type=cache,target=$PIP_CACHE_DIR,uid=1001,gid=0 \
+    pip3 install -e . && \
+    chown -R 1001:0 $LS_DIR && \
+    chmod -R g=u $LS_DIR
 
 RUN rm -rf ./label_studio/frontend
-COPY --from=frontend-builder /label-studio/label_studio/frontend/dist ./label_studio/frontend/dist
+COPY --chown=1001:0 --from=frontend-builder /label-studio/label_studio/frontend/dist ./label_studio/frontend/dist
+
+RUN python3 label_studio/manage.py collectstatic --no-input && \
+    chown -R 1001:0 $LS_DIR && \
+    chmod -R g=u $LS_DIR
 
-RUN python3 label_studio/manage.py collectstatic --no-input
+ENV HOME=/label-studio
 
 EXPOSE 8080
 

Dockerfile.redhat

@@ -18,13 +18,23 @@ FROM registry.access.redhat.com/ubi8/python-39
 ENV LS_DIR=/label-studio \
     PIP_CACHE_DIR=$HOME/.cache \
     DJANGO_SETTINGS_MODULE=core.settings.label_studio \
-    LABEL_STUDIO_BASE_DATA_DIR=/label-studio/data
+    LABEL_STUDIO_BASE_DATA_DIR=/label-studio/data \
+    OPT_DIR=/opt/heartex/instance-data/etc \
+    SETUPTOOLS_USE_DISTUTILS=stdlib
+
+USER 0
+RUN dnf -y install nginx && \
+    mkdir -p $OPT_DIR && \
+    chown -R 1001:0 $OPT_DIR /etc/nginx/nginx.conf && \
+    chmod -R g=u $OPT_DIR /etc/nginx/nginx.conf
+USER 1001
 
 WORKDIR $LS_DIR
 
 # Copy and install middleware dependencies
 COPY --chown=1001:0 deploy/requirements-mw.txt .
 RUN --mount=type=cache,target=$PIP_CACHE_DIR,uid=1001,gid=0 \
+    pip3 install uwsgi uwsgitop && \
     pip3 install -r requirements-mw.txt
 
 # Copy and install requirements.txt first for caching
@@ -53,6 +63,7 @@ LABEL name="LabelStudio" \
 
 COPY --chown=1001:0 licenses/ /licenses
 RUN cp $LS_DIR/LICENSE /licenses
+ENV HOME=/label-studio
 
 ENTRYPOINT ["./deploy/docker-entrypoint.sh"]
 CMD ["label-studio"]

deploy/docker-entrypoint.d/10-copy-static-data.sh

@@ -1,9 +1,72 @@
-#!/bin/sh
+#!/bin/bash
+
 set -e ${DEBUG:+-x}
 
-if [ -n "${POSTGRE_HOST:-}" ]; then
+function copy_and_export() {
+  dest_dir=$OPT_DIR/_pg_ssl_certs
+  mkdir -p $dest_dir
+  local src_path=$1
+  if [[ -f "$src_path" ]]; then
+    src_filename=$(basename -- $src_path)
+    cp $src_path $dest_dir/
+    chmod 600 $dest_dir/$src_filename
+    echo "$dest_dir/$src_filename"
+  fi
+}
+
+function save_and_export() {
+  local key=$1
+  local value=$2
+  export "$key"="$value"
+  echo "export $1=$2" >>"$OPT_DIR"/config_env
+}
+
+function postgres_ssl_setup() {
+  # workaround to deal with immutable k8s secrets
+  if [[ ${POSTGRE_SSL_MODE:-} == 'verify-ca' || ${POSTGRE_SSL_MODE:-} == 'verify-full' ]]; then
+    if [[ -z ${POSTGRE_SSLROOTCERT:-} ]]; then
+      echo >&3 "=>POSTGRE_SSLROOTCERT is required"
+      exit 1
+    else
+      save_and_export PGSSLMODE "$POSTGRE_SSL_MODE"
+      save_and_export PGSSLROOTCERT "$(copy_and_export $POSTGRE_SSLROOTCERT)"
+    fi
+    if [[ ${POSTGRE_SSL_MODE:-} == 'verify-full' ]]; then
+      if [[ -z ${POSTGRE_SSLCERT:-} || -z ${POSTGRE_SSLKEY:-} ]]; then
+        echo >&3 "=> One of required variables POSTGRE_SSLCERT or POSTGRE_SSLKEY were not set"
+        exit 1
+      fi
+    fi
+    if [[ -n ${POSTGRE_SSLCERT:-} ]]; then
+      save_and_export PGSSLCERT "$(copy_and_export $POSTGRE_SSLCERT)"
+    fi
+    if [[ -n ${POSTGRE_SSLKEY:-} ]]; then
+      save_and_export PGSSLKEY "$(copy_and_export $POSTGRE_SSLKEY)"
+    fi
+  elif [[ ${POSTGRE_SSL_MODE:-} == 'disable' || ${POSTGRE_SSL_MODE:-} == 'allow' || ${POSTGRE_SSL_MODE:-} == 'prefer' || ${POSTGRE_SSL_MODE:-} == 'require' ]]; then
+    save_and_export PGSSLMODE "$POSTGRE_SSL_MODE"
+  fi
+}
+
+function postgres_ready(){
+python3 << END
+import sys
+import os
+import psycopg2
+try:
+    conn = psycopg2.connect(dbname=os.getenv('POSTGRE_NAME', 'root'), user=os.getenv('POSTGRE_USER'), password=os.getenv('POSTGRE_PASSWORD'), host=os.getenv('POSTGRE_HOST'), port=os.getenv('POSTGRE_PORT'), sslmode=os.getenv('PGSSLMODE'), sslrootcert=os.getenv('PGSSLROOTCERT'), sslcert=os.getenv('PGSSLCERT'), sslkey=os.getenv('PGSSLKEY'))
+except psycopg2.OperationalError as e:
+    print(e)
+    sys.exit(-1)
+sys.exit(0)
+END
+}
+
+
+if [[ -n "${POSTGRE_HOST:-}" ]]; then
+  postgres_ssl_setup
   echo >&3 "=> Waiting for postgres..."
-  until PGPASSWORD=$POSTGRE_PASSWORD psql -h "$POSTGRE_HOST" -p $POSTGRE_PORT -U "$POSTGRE_USER" -d "${POSTGRE_NAME:=root}" -c '\q'; do
+  until postgres_ready; do
     echo >&3 "==> Postgres is unavailable - sleeping..."
     sleep 1
   done

deploy/docker-entrypoint.d/20-wait-for-db.sh

@@ -1,7 +1,7 @@
 #!/bin/sh
 set -e ${DEBUG:+-x}
 
-if [ -n "${POSTGRE_HOST:-}" ] || [ -n "${MYSQL_HOST:-}" ]; then
+if [ -n "${POSTGRE_HOST:-}" ] || [ -n "${MYSQL_HOST:-}" ] && [ "${SKIP_DB_MIGRATIONS:-}" != "true" ]; then
   echo >&3 "=> Do database migrations..."
   python3 /label-studio/label_studio/manage.py migrate >&3
   echo >&3 "=> Migrations completed."

deploy/docker-entrypoint.d/30-run-db-migrations.sh

@@ -1,32 +1,55 @@
 #!/bin/sh
 
-set -e
+set -e ${DEBUG:+-x}
 
 # Redirect all scripts output + leaving stdout to container payload.
 exec 3>&1
 
-if [ "$1" = "label-studio" ]; then
-    if /usr/bin/find "/label-studio/deploy/docker-entrypoint.d/" -mindepth 1 -maxdepth 1 -type f -print -quit 2>/dev/null | read v; then
-        echo >&3 "$0: Looking for init scripts in /label-studio/deploy/docker-entrypoint.d/"
-        find "/label-studio/deploy/docker-entrypoint.d/" -follow -type f -print | sort -V | while read -r f; do
-            case "$f" in
-                *.sh)
-                    if [ -x "$f" ]; then
-                        echo >&3 "$0: Launching $f";
-                        "$f"
-                    else
-                        # warn on shell scripts without exec bit
-                        echo >&3 "$0: Ignoring $f, not executable";
-                    fi
-                    ;;
-                *) echo >&3 "$0: Ignoring $f";;
-            esac
-        done
+ENTRYPOINT_PATH=/label-studio/deploy
 
-        echo >&3 "$0: Configuration complete; ready for start up"
-    else
-        echo >&3 "$0: No init scripts found in /label-studio/deploy/docker-entrypoint.d/, skipping configuration"
+uid_entrypoint() {
+  if ! whoami 2>/dev/null; then
+    if [ -w /etc/passwd ]; then
+      echo "labelstudio::$(id -u):0:labelstudio user:${HOME}:/bin/bash" >>/etc/passwd
     fi
-fi
+  fi
+}
 
-exec "$@"
+exec_entrypoint() {
+  if /usr/bin/find -L "$1" -mindepth 1 -maxdepth 1 -type f -print -quit 2>/dev/null | read v; then
+    echo >&3 "$0: Looking for init scripts in $1"
+    find "$1" -follow -type f -print | sort -V | while read -r f; do
+      case "$f" in
+      *.sh)
+        if [ -x "$f" ]; then
+          echo >&3 "$0: Launching $f"
+          "$f"
+        else
+          # warn on shell scripts without exec bit
+          echo >&3 "$0: Ignoring $f, not executable"
+        fi
+        ;;
+      *) echo >&3 "$0: Ignoring $f" ;;
+      esac
+    done
+    if [ -f $OPT_DIR/config_env ]; then
+      . $OPT_DIR/config_env
+    fi
+    echo >&3 "$0: Configuration complete; ready for start up"
+  else
+    echo >&3 "$0: No init scripts found in $1, skipping configuration"
+  fi
+}
+
+uid_entrypoint
+
+if [ "$1" = "nginx" ]; then
+  exec_entrypoint "$ENTRYPOINT_PATH/nginx/scripts/"
+  exec nginx -c /etc/nginx/nginx.conf
+elif [ "$1" = "label-studio-uwsgi" ]; then
+  exec_entrypoint "$ENTRYPOINT_PATH/docker-entrypoint.d/"
+  exec uwsgi --ini /label-studio/deploy/uwsgi.ini
+else
+  exec_entrypoint "$ENTRYPOINT_PATH/docker-entrypoint.d/"
+  exec "$@"
+fi