From 2dfcc714b41e4e039112248c411afa113fe7ae2e Mon Sep 17 00:00:00 2001
From: MoritzWeber
Date: Thu, 13 Feb 2025 10:44:32 +0100
Subject: [PATCH] feat: Load certificates into certifi certificate store

Certifi doesn't trust the system certificate store by default.
---
 base/Dockerfile | 28 +++++++++++++++------------
 jupyter-notebook/Dockerfile | 2 +-
 jupyter-notebook/docker-entrypoint.sh | 14 +++-----------
 3 files changed, 20 insertions(+), 24 deletions(-)

diff --git a/base/Dockerfile b/base/Dockerfile
index e608b64d..a38882ae 100644
--- a/base/Dockerfile
+++ b/base/Dockerfile
@@ -55,18 +55,22 @@ COPY --chmod=755 hooks/* /opt/git/global-hooks/ WORKDIR /opt/git/global-hooks -RUN ln -s "$(which python3.11)" /usr/bin/python && \ - ln -sf "$(which python3.11)" /usr/bin/python3 && \ - ln -sf "$(which pip3.11)" /usr/local/bin/pip && \ - ln -sf "$(which pip3.11)" /usr/local/bin/pip3 && \ - python -m venv /opt/.venv && \ - # Configure pre-commit - pip install --no-cache-dir pre-commit lxml PyYAML --no-cache-dir && \ - echo "commit-msg post-rewrite pre-commit pre-merge-commit pre-rebase prepare-commit-msg" | xargs -n 1 cp /opt/git/global-hooks/+pre-commit-only.sh && \ - echo "pre-push post-checkout post-commit post-merge" | xargs -n 1 cp /opt/git/global-hooks/+pre-commit-and-lfs.sh && \ - git config --global core.hooksPath /opt/git/global-hooks && \ - chmod -R 755 /opt/git/global-hooks && \ - chown -R techuser /opt/.venv/bin/ /opt/.venv/lib/python3.11/site-packages +RUN ln -s "$(which python3.11)" /usr/bin/python \ + && ln -sf "$(which python3.11)" /usr/bin/python3 \ + && ln -sf "$(which pip3.11)" /usr/local/bin/pip \ + && ln -sf "$(which pip3.11)" /usr/local/bin/pip3 \ + && python -m venv /opt/.venv \ + && pip install --no-cache-dir \ + pre-commit \ + lxml \ + PyYAML \ + certifi \ + && echo "commit-msg post-rewrite pre-commit pre-merge-commit pre-rebase prepare-commit-msg" | xargs -n 1 cp /opt/git/global-hooks/+pre-commit-only.sh \ + && echo "pre-push post-checkout post-commit post-merge" | xargs -n 1 cp /opt/git/global-hooks/+pre-commit-and-lfs.sh \ + && git config --global core.hooksPath /opt/git/global-hooks \ + && chmod -R 755 /opt/git/global-hooks \ + && chown -R techuser /opt/.venv/bin/ /opt/.venv/lib/python3.11/site-packages \ + && cat /etc/ssl/certs/*.pem > "$(python -m certifi)" # Make pre-commit cache persistent ENV PRE_COMMIT_HOME=/workspace/.pre-commit diff --git a/jupyter-notebook/Dockerfile b/jupyter-notebook/Dockerfile index d5d4bee8..a82eed48 100644 --- a/jupyter-notebook/Dockerfile +++ b/jupyter-notebook/Dockerfile 
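Review bot: The last step of the RUN, `cat /etc/ssl/certs/*.pem > "$(python -m certifi)"`, replaces certifi's bundle rather than extending it, so every `.pem` present under `/etc/ssl/certs` at build time becomes a trust anchor for Python clients that use certifi, and nothing else does. That choice deserves a comment above the line, for example `# Replace certifi's bundle with the system store; a later certifi upgrade or reinstall restores the upstream file`, because `pip install -U certifi` in a derived layer would silently undo it. It is also worth confirming that `python` here resolves to the interpreter whose site-packages received the `pip install ... certifi` a few lines up. The PATH in effect is set outside the hunk, so it is not visible whether that is `/usr/bin/python` or the one in `/opt/.venv`.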
@@ -39,7 +39,7 @@ ENV _OLD_VIRTUAL_PATH="$PATH" ENV VIRTUAL_ENV=/home/techuser/.venv ENV PATH="$VIRTUAL_ENV/bin:$PATH" -RUN uv pip install --no-cache -r /etc/skel/requirements_template.txt jupyterlab jupyterlab-git jupyter-collaboration && \ +RUN uv pip install --no-cache -r /etc/skel/requirements_template.txt certifi jupyterlab jupyterlab-git jupyter-collaboration && \ jupyter labextension disable "@jupyterlab/extensionmanager-extension" && \ jupyter labextension disable "@jupyterlab/apputils-extension:announcements" && \ mkdir /home/techuser/.jupyter && chown techuser /home/techuser/.jupyter diff --git a/jupyter-notebook/docker-entrypoint.sh b/jupyter-notebook/docker-entrypoint.sh index a317f6f2..c5179c45 100755 --- a/jupyter-notebook/docker-entrypoint.sh +++ b/jupyter-notebook/docker-entrypoint.sh @@ -3,18 +3,8 @@ # SPDX-FileCopyrightText: Copyright DB InfraGO AG and contributors # SPDX-License-Identifier: Apache-2.0 -handle_exit() { - exit_status=$? - if [ $exit_status -ne 0 ]; then - echo "---FAILURE_PREPARE_WORKSPACE---" - fi -} -trap handle_exit EXIT - set -euo pipefail -echo "---START_PREPARE_WORKSPACE---" - mkdir -p "$WORKSPACE_DIR" [[ -z "$JUPYTER_ADDITIONAL_DEPENDENCIES" ]] || uv pip install -U $JUPYTER_ADDITIONAL_DEPENDENCIES 2>&1 | tee -a "$WORKSPACE_DIR/installlog.txt" @@ -28,5 +18,7 @@ fi test -d "$WORKSPACE_DIR/shared" || ln -s /shared "$WORKSPACE_DIR/shared" -echo "---START_SESSION---" +# Patch certifi to find all preloaded certificates +cat /etc/ssl/certs/*.pem > "$(python -m certifi)" + exec /opt/.venv/bin/supervisord
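Review bot: In the last hunk of `docker-entrypoint.sh`, the added `cat /etc/ssl/certs/*.pem > "$(python -m certifi)"` truncates certifi's bundle before `cat` has read anything, so a glob with no match or an unreadable file leaves the bundle empty and, under `set -euo pipefail`, stops the container before `supervisord` starts. The same commit removes the `---FAILURE_PREPARE_WORKSPACE---` trap, so that failure is no longer marked in the log. Reading the certificates first, checking that at least one PEM block is present, and only then writing the bundle keeps the previous file intact on failure and gives a clear message on stderr.

```shell
# Patch certifi to find all preloaded certificates
certifi_bundle="$(python -m certifi)"
system_certs="$(cat /etc/ssl/certs/*.pem)"
if [[ "$system_certs" != *"-----BEGIN CERTIFICATE-----"* ]]; then
  echo "No PEM certificates found in /etc/ssl/certs; certifi bundle left unchanged" >&2
  exit 1
fi
printf '%s\n' "$system_certs" > "$certifi_bundle"

exec /opt/.venv/bin/supervisord
```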