Merge pull request #382 from DSD-DBS/certifi-trust-system-certs

feat: Load certificates into certifi certificate store
DSD-DBS · Feb 13, 2025 · 5f3b32d · 5f3b32d
2 parents 6d4950c + 2dfcc71
commit 5f3b32d
Show file tree

Hide file tree

Showing 3 changed files with 20 additions and 24 deletions.
diff --git a/base/Dockerfile b/base/Dockerfile
@@ -55,18 +55,22 @@ COPY --chmod=755 hooks/* /opt/git/global-hooks/
 
 WORKDIR /opt/git/global-hooks
 
-RUN ln -s "$(which python3.11)" /usr/bin/python && \
-    ln -sf "$(which python3.11)" /usr/bin/python3 && \
-    ln -sf "$(which pip3.11)" /usr/local/bin/pip && \
-    ln -sf "$(which pip3.11)" /usr/local/bin/pip3 && \
-    python -m venv /opt/.venv && \
-    # Configure pre-commit
-    pip install --no-cache-dir pre-commit lxml PyYAML --no-cache-dir && \
-    echo "commit-msg post-rewrite pre-commit pre-merge-commit pre-rebase prepare-commit-msg" | xargs -n 1 cp /opt/git/global-hooks/+pre-commit-only.sh && \
-    echo "pre-push post-checkout post-commit post-merge" | xargs -n 1 cp /opt/git/global-hooks/+pre-commit-and-lfs.sh && \
-    git config --global core.hooksPath /opt/git/global-hooks && \
-    chmod -R 755 /opt/git/global-hooks && \
-    chown -R techuser /opt/.venv/bin/ /opt/.venv/lib/python3.11/site-packages
+RUN ln -s "$(which python3.11)" /usr/bin/python \
+    && ln -sf "$(which python3.11)" /usr/bin/python3 \
+    && ln -sf "$(which pip3.11)" /usr/local/bin/pip \
+    && ln -sf "$(which pip3.11)" /usr/local/bin/pip3 \
+    && python -m venv /opt/.venv \
+    && pip install --no-cache-dir \
+        pre-commit \
+        lxml \
+        PyYAML \
+        certifi \
+    && echo "commit-msg post-rewrite pre-commit pre-merge-commit pre-rebase prepare-commit-msg" | xargs -n 1 cp /opt/git/global-hooks/+pre-commit-only.sh \
+    && echo "pre-push post-checkout post-commit post-merge" | xargs -n 1 cp /opt/git/global-hooks/+pre-commit-and-lfs.sh \
+    && git config --global core.hooksPath /opt/git/global-hooks \
+    && chmod -R 755 /opt/git/global-hooks \
+    && chown -R techuser /opt/.venv/bin/ /opt/.venv/lib/python3.11/site-packages \
+    && cat /etc/ssl/certs/*.pem > "$(python -m certifi)"
 
 # Make pre-commit cache persistent
 ENV PRE_COMMIT_HOME=/workspace/.pre-commit

diff --git a/jupyter-notebook/Dockerfile b/jupyter-notebook/Dockerfile
@@ -39,7 +39,7 @@ ENV _OLD_VIRTUAL_PATH="$PATH"
 ENV VIRTUAL_ENV=/home/techuser/.venv
 ENV PATH="$VIRTUAL_ENV/bin:$PATH"
 
-RUN uv pip install --no-cache -r /etc/skel/requirements_template.txt jupyterlab jupyterlab-git jupyter-collaboration && \
+RUN uv pip install --no-cache -r /etc/skel/requirements_template.txt certifi jupyterlab jupyterlab-git jupyter-collaboration && \
     jupyter labextension disable "@jupyterlab/extensionmanager-extension" && \
     jupyter labextension disable "@jupyterlab/apputils-extension:announcements" && \
     mkdir /home/techuser/.jupyter && chown techuser /home/techuser/.jupyter

diff --git a/jupyter-notebook/docker-entrypoint.sh b/jupyter-notebook/docker-entrypoint.sh
@@ -3,18 +3,8 @@
 # SPDX-FileCopyrightText: Copyright DB InfraGO AG and contributors
 # SPDX-License-Identifier: Apache-2.0
 
-handle_exit() {
-    exit_status=$?
-    if [ $exit_status -ne 0 ]; then
-        echo "---FAILURE_PREPARE_WORKSPACE---"
-    fi
-}
-trap handle_exit EXIT
-
 set -euo pipefail
 
-echo "---START_PREPARE_WORKSPACE---"
-
 mkdir -p "$WORKSPACE_DIR"
 
 [[ -z "$JUPYTER_ADDITIONAL_DEPENDENCIES" ]] || uv pip install -U $JUPYTER_ADDITIONAL_DEPENDENCIES 2>&1 | tee -a "$WORKSPACE_DIR/installlog.txt"
@@ -28,5 +18,7 @@ fi
 
 test -d "$WORKSPACE_DIR/shared" || ln -s /shared "$WORKSPACE_DIR/shared"
 
-echo "---START_SESSION---"
+# Patch certifi to find all preloaded certificates
+cat /etc/ssl/certs/*.pem > "$(python -m certifi)"
+
 exec /opt/.venv/bin/supervisord