Try to head off file ownership issues

[mogul]

See #2090 (comment)

I think this will work, but I'm not working directly with your build pipeline locally.🤞

cc @burnettk

Summary by CodeRabbit

• Chores
  • Updated the Dockerfile to improve the build process and resolve dependency issues.
  • Configured Git to avoid file ownership issues in the deployment stage.
  • Changed Poetry version to 1.6.1 for better compatibility with PEP 517 builds.
  • Added necessary development libraries for Python dependencies.

[coderabbitai]

📝 Walkthrough

Walkthrough

The changes primarily involve updates to the Dockerfile for the spiffworkflow-backend. Key modifications include the addition of a command to configure Git for safe directory handling, an upgrade of Poetry to version 1.6.1, the creation of a new user _gunicorn, and the installation of several development libraries. The COPY command has been adjusted to optimize caching by including pyproject.toml and poetry.lock files prior to running poetry install twice. The command to start the server remains unchanged.

Changes

File	Change Summary
spiffworkflow-backend/Dockerfile	- Added Git configuration to avoid host-container file ownership issues.
	- Upgraded Poetry from version 1.4 to 1.6.1.
	- Created a new user _gunicorn without a home directory.
	- Installed development libraries: gcc, libssl-dev, libpq-dev, default-libmysqlclient-dev, pkg-config, libffi-dev.
	- Modified COPY command to include pyproject.toml and poetry.lock before poetry install.
	- CMD instruction remains unchanged.

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 0

🧹 Outside diff range and nitpick comments (1)

spiffworkflow-backend/Dockerfile (1)

Development libraries are included in the final image.

The development libraries (gcc, libssl-dev, libpq-dev, default-libmysqlclient-dev, pkg-config, libffi-dev) are present in the final Docker image. Consider removing these libraries in the final stage to reduce image size.

🔗 Analysis chain

Line range hint 57-58: Approved: Addition of development libraries for Python dependencies.

The inclusion of these development libraries is necessary for building certain Python packages. However, ensure that these libraries are not carried over to the final image to keep it lean.

Let's verify if these development libraries are present in the final image:

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check if development libraries are present in the final image

# Test: Search for the installation of development libraries in the final stage
rg --type dockerfile 'apt-get install.*gcc|libssl-dev|libpq-dev|default-libmysqlclient-dev|pkg-config|libffi-dev' spiffworkflow-backend/Dockerfile

Length of output: 183

---

Script:

#!/bin/bash
# Description: Check if development libraries are present in the final image

# Test: Search for the installation of development libraries in the final stage
rg --type Dockerfile 'apt-get install.*gcc|libssl-dev|libpq-dev|default-libmysqlclient-dev|pkg-config|libffi-dev' spiffworkflow-backend/Dockerfile

Length of output: 183

---

Script:

#!/bin/bash
# Description: Check if development libraries are present in the final image

# Test: Search for the installation of development libraries in the Dockerfile
rg 'apt-get install.*(gcc|libssl-dev|libpq-dev|default-libmysqlclient-dev|pkg-config|libffi-dev)' spiffworkflow-backend/Dockerfile

Length of output: 233

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL

📥 Commits

Files that changed from the base of the PR and between 459aec9 and dd9716b.

📒 Files selected for processing (1)

• spiffworkflow-backend/Dockerfile (1 hunks)

🔇 Additional comments (3)

spiffworkflow-backend/Dockerfile (3)

Line range hint 1-78: Overall approval: Changes address file ownership issues and improve build process.

The modifications in this Dockerfile effectively address the PR objectives by configuring Git to handle file ownership issues and updating dependencies. The changes are well-structured and appropriate for the different build stages. Consider the suggestions for comment updates and verifications to further improve the Dockerfile.

---

34-35: Approved: Git configuration addresses file ownership issues.

This change aligns with the PR objective of heading off file ownership issues. However, setting safe.directory to * could potentially have security implications if not carefully managed.

To ensure this change doesn't introduce unintended side effects, let's verify if there are any other Git configurations in the repository:

✅ Verification successful

Verified: No additional Git configurations found in the repository.

The Git configuration change to set safe.directory to * addresses the file ownership issues without introducing other Git configurations.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check for other Git configurations in the repository

# Test: Search for Git config files or commands
rg --type-add 'dockerfile:*.Dockerfile' --type dockerfile --type yaml 'git config'

Length of output: 151

---

Script:

#!/bin/bash
# Description: Re-attempt to search for Git configurations in the repository without relying on poetry.

# Test: Search for 'git config' in Dockerfile and YAML files
rg --type-add 'dockerfile:*.Dockerfile' --type dockerfile --type yaml 'git config'

Length of output: 146

---

Line range hint 46-51: Update or remove the outdated comment about Poetry version.

The comment refers to issues with Poetry 1.4, but the version has been updated to 1.6.1. Consider updating or removing this comment if the issues are no longer relevant.

Let's verify if the mentioned issues are resolved with Poetry 1.6.1:

[burnettk]

Not at computer to test, but we know it works for the dev Dockerfile, so there’s a strong chance it fixes the current issue.

[mogul]

Unfortunately this does not successfully enable RUN_AS to work, because the RUN_AS user does not have permission to create the SQLite DB on the Docker-managed DB volume that's mounted into the backend container, which has root:root permissions.😞

I'm noodling on how that can be resolved, since this seems like it must be a pretty common situation with a well-understood solution. An alternative is to introduce a Postgresql container that uses that volume, and have the backend use Postgres instead of SQLite. I think this change would better reflect actual deployment scenarios, while being incidental to the local "docker compose up" workflow we're trying to make better here. What do you think?

[burnettk]

definitely true that mysql and postgres are the right targets for real deployed environments. https://github.com/sartography/arena-compose-postgres has a compose file using postgres.

[mogul]

A WILD SOLUTION APPEARS! This looks like The Right Way, being both clever and straightforward at the same time. It's something I can easily test locally; will do that, then make a PR if it works.

[burnettk]

:D

[mogul]

#2099