Install ca-certificates in docker and use pipefail #6208

Merged
merged 2 commits into main from konsti/install-recommends
Aug 19, 2024

Conversation

konstin
Member

@konstin konstin commented Aug 19, 2024


use pipefail

A dockerfile using `ubuntu` instead of `python` as base image currently silently fails to install.

```dockerfile
FROM ubuntu
RUN apt-get update && apt-get install -y curl --no-install-recommends
RUN curl -LsSf https://astral.sh/uv/install.sh | sh
RUN uv --version
```

```console
$ docker buildx build --progress plain --no-cache .
[...]
#6 [3/4] RUN curl -LsSf https://astral.sh/uv/install.sh | sh
#6 0.144 curl: (77) error setting certificate file: /etc/ssl/certs/ca-certificates.crt
#6 DONE 0.2s

#7 [4/4] RUN uv --version
#7 0.113 /bin/sh: 1: uv: not found
#7 ERROR: process "/bin/sh -c uv --version" did not complete successfully: exit code: 127
```

There are two underlying problems: pipefail, and missing `ca-certificates`.

In most shells, the source of a pipe erroring doesn't fail the entire command, so `curl -LsSf https://astral.sh/uv/install.sh | sh` passes even if the curl part fails. In bash, you can prefix the command with `set -o pipefail &&` to change this behavior. But in the `ubuntu` docker container, dash is the default shell, not bash. dash doesn't have a pipefail option (in the version in ubuntu), so the [best practice](https://docs.docker.com/build/building/best-practices/#using-pipes) is `RUN ["/bin/bash", "-c", "set -o pipefail && curl -LsSf https://astral.sh/uv/install.sh | sh"]`. That's not very readable, so I'm going for `RUN curl -LsSf https://astral.sh/uv/install.sh > /tmp/uv-installer.sh && sh /tmp/uv-installer.sh && rm /tmp/uv-installer.sh` instead.

```dockerfile
FROM ubuntu
RUN apt-get update && apt-get install -y curl --no-install-recommends
RUN curl -LsSf https://astral.sh/uv/install.sh > /tmp/uv-installer.sh && sh /tmp/uv-installer.sh && rm /tmp/uv-installer.sh \
RUN uv --version
```

```console
$ docker buildx build --progress plain --no-cache .
[...]
#6 [3/3] RUN curl -LsSf https://astral.sh/uv/install.sh > /tmp/uv-installer.sh && sh /tmp/uv-installer.sh && rm /tmp/uv-installer.sh RUN uv --version
#6 0.179 curl: (77) error setting certificate file: /etc/ssl/certs/ca-certificates.crt
#6 ERROR: process "/bin/sh -c curl -LsSf https://astral.sh/uv/install.sh > /tmp/uv-installer.sh && sh /tmp/uv-installer.sh && rm /tmp/uv-installer.sh RUN uv --version" did not complete successfully: exit code: 77
```

The source for this error is `ca-certificates` missing, which is a recommended package. We need to drop `--no-install-recommends` and the installation passes again.
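The pipefail behaviour described above, as an added example that is not part of the PR or of uv's own code: a shell script that swaps the network download for constructed stand-ins (a `curl-no-ca` that fails exactly as in the build log, and a `curl-ok` that returns a one-line installer) and reports the exit status each of the three `RUN` patterns from the description produces. The file names, the `UV_MARKER` variable and the presence of `bash` on the system are assumptions of the example, not anything from the page.

```shell
#!/bin/sh
# Added example (not code from the uv PR or the uv project): reproduce the silent
# failure of `curl ... | sh` without network access and compare the exit status
# that three RUN-style patterns report. The downloaders below are constructed
# stand-ins for `curl -LsSf https://astral.sh/uv/install.sh`.

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
export UV_MARKER="$WORKDIR/uv-installed"   # constructed: written by the fake installer

# Stand-in for curl in an image without ca-certificates: same message as the
# build log, nothing on stdout, exit code 77 (CURLE_SSL_CACERT_BADFILE).
FAKE_CURL_NO_CA="$WORKDIR/curl-no-ca"
cat > "$FAKE_CURL_NO_CA" <<'EOF'
#!/bin/sh
echo 'curl: (77) error setting certificate file: /etc/ssl/certs/ca-certificates.crt' >&2
exit 77
EOF

# Stand-in for a successful download: emits a tiny installer that creates a marker.
FAKE_CURL_OK="$WORKDIR/curl-ok"
cat > "$FAKE_CURL_OK" <<'EOF'
#!/bin/sh
printf '%s\n' '#!/bin/sh' 'touch "${UV_MARKER:?}"'
EOF
chmod +x "$FAKE_CURL_NO_CA" "$FAKE_CURL_OK"

# Pattern 1: `RUN curl ... | sh` as in the failing Dockerfile. Without pipefail the
# pipeline's status is that of its last command; sh given empty input exits 0, so
# the step "succeeds" even though nothing was installed.
install_piped() {            # $1: downloader; prints the exit status
    rc=0
    "$1" | sh || rc=$?
    echo "$rc"
}

# Pattern 2: the Docker best-practice form
# `RUN ["/bin/bash", "-c", "set -o pipefail && curl ... | sh"]`. With pipefail the
# pipeline returns the rightmost non-zero status, here curl's 77. Assumes bash is
# installed (it is in the ubuntu image, it just isn't /bin/sh).
install_pipefail() {         # $1: downloader; prints the exit status
    rc=0
    bash -c 'set -o pipefail && "$1" | sh' _ "$1" || rc=$?
    echo "$rc"
}

# Pattern 3: the PR's form, download to a file first. `&&` sees curl's own status
# (-f makes curl fail on HTTP errors too), so sh never runs a partial or empty script.
install_via_file() {         # $1: downloader; prints the exit status
    rc=0
    script="$WORKDIR/uv-installer.sh"
    "$1" > "$script" && sh "$script" && rm -f "$script" || rc=$?
    echo "$rc"
}

# Stand-alone run: the same failing download under each pattern.
printf 'curl | sh            -> exit %s\n' "$(install_piped "$FAKE_CURL_NO_CA" 2>/dev/null)"
printf 'bash -o pipefail     -> exit %s\n' "$(install_pipefail "$FAKE_CURL_NO_CA" 2>/dev/null)"
printf 'download to file     -> exit %s\n' "$(install_via_file "$FAKE_CURL_NO_CA" 2>/dev/null)"
```

Run it with `sh pipefail-demo.sh`: the piped form reports 0 for a download that failed, the other two report 77. In a Dockerfile the pipefail form can be enabled once for every later `RUN` line with `SHELL ["/bin/bash", "-o", "pipefail", "-c"]`, as the linked Docker best-practices page shows. None of this replaces the certificate bundle: with `ca-certificates` missing, curl cannot verify `astral.sh` at all, so the change to the `apt-get` line is what makes the download trustworthy; the pipefail change only makes its failure visible instead of letting the build continue past it.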
@konstin konstin added the documentation Improvements or additions to documentation label Aug 19, 2024
@zanieb
Member

zanieb commented Aug 19, 2024

Should we just actually request the packages we need alongside curl instead of installing all recommended packages?

@charliermarsh
Member

Yeah I think --no-install-recommends is a best practice in Docker.

RUN apt-get update && apt-get install -y curl --no-install-recommends
RUN curl -LsSf https://astral.sh/uv/install.sh | sh
RUN apt-get update && apt-get install -y curl
RUN curl -LsSf https://astral.sh/uv/install.sh > /tmp/uv-installer.sh && sh /tmp/uv-installer.sh && rm /tmp/uv-installer.sh
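Review bot: the new `apt-get install -y curl` line gets `ca-certificates` only as a recommended dependency of curl instead of naming it; `apt-get install -y --no-install-recommends curl ca-certificates` states the dependency the description identified and keeps the image lean, and both the old and new line still lack the `&& rm -rf /var/lib/apt/lists/*` cleanup that the Docker best-practices page pairs with `apt-get update`. The download-to-file line does fail correctly on a bad download, since `-f` makes curl exit non-zero and `&&` stops before `sh` runs, but it leaves `/tmp/uv-installer.sh` behind if the installer itself fails; acceptable for a build step that fails anyway, worth a note if the layer is ever reused.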
Member


Can we just ADD the file from the remote URL if we're doing this? Does that even require curl?

Member Author


I tried that, but cargo-dist requires curl or wget to download the uv archive.

@konstin
Member Author

konstin commented Aug 19, 2024

Do we know what packages we're unselecting, and do we know that, unlike ca-certificates, we don't need them? I've also checked https://docs.docker.com/build/building/best-practices/#apt-get and they don't feature --no-install-recommends (but they do add && rm -rf /var/lib/apt/lists/*, which we're missing).

@zanieb
Member

zanieb commented Aug 19, 2024

I mean... as described the image works fine — you changed the base image and it failed. I agree we could do better though.

--no-install-recommends is included in Hadolint: https://github.com/hadolint/hadolint/wiki/DL3015

@konstin konstin requested a review from zanieb August 19, 2024 16:31
@zanieb zanieb added the preview Experimental behavior label Aug 19, 2024
@zanieb zanieb merged commit c410d0d into main Aug 19, 2024
46 checks passed
@zanieb zanieb deleted the konsti/install-recommends branch August 19, 2024 17:14
tmeijn pushed a commit to tmeijn/dotfiles that referenced this pull request Aug 21, 2024
This MR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [astral-sh/uv](https://github.com/astral-sh/uv) | minor | `0.2.37` -> `0.3.0` |


### Release Notes

<details>
<summary>astral-sh/uv (astral-sh/uv)</summary>

### [`v0.3.0`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#030)

[Compare Source](astral-sh/uv@0.2.37...0.3.0)

This release introduces the uv [project](https://docs.astral.sh/uv/guides/projects/),
[tool](https://docs.astral.sh/uv/guides/tools/),
[script](https://docs.astral.sh/uv/guides/scripts/), and
[python](https://docs.astral.sh/uv/guides/install-python/) interfaces. If you've been following
uv's development, you've probably seen these new commands behind a preview flag. Now, the
interfaces are stable and ready for production-use.

These features are all documented in [new, comprehensive
documentation](https://docs.astral.sh/uv/).

This release also stabilizes preview functionality in `uv venv`:

-   `uv venv --python <version>` will [automatically
    download](https://docs.astral.sh/uv/concepts/python-versions/#requesting-a-version) the Python
    version if required
-   `uv venv` will read the required Python version from the `.python-version` file or
    `pyproject.toml`

The `uv pip` interface should not be affected by any breaking changes.

Note the following changelog entries does not include all the new features since they were added
incrementally as preview features. See the
[feature page](https://docs.astral.sh/uv/getting-started/features/) in the documentation for a
comprehensive listing, or read the [blog post](https://astral.sh/blog/uv-unified-python-packaging)
for more context on the new features.

##### Breaking changes

-   Migrate to XDG and Linux strategy for macOS directories ([#&#8203;5806](astral-sh/uv#5806))
-   Move concurrency settings to top-level ([#&#8203;4257](astral-sh/uv#4257))
-   Apply system Python filtering to executable name requests ([#&#8203;4309](astral-sh/uv#4309))
-   Remove `--legacy-setup-py` command-line argument ([#&#8203;4255](astral-sh/uv#4255))
-   Stabilize preview features ([#&#8203;6166](astral-sh/uv#6166))

##### Enhancements

-   Add 32-bit Windows target ([#&#8203;6252](astral-sh/uv#6252))
-   Add support for `python_version in ...` markers ([#&#8203;6172](astral-sh/uv#6172))
-   Allow user to constrain supported lock environments ([#&#8203;6210](astral-sh/uv#6210))
-   Lift requirement that .egg-info filenames must include version ([#&#8203;6179](astral-sh/uv#6179))
-   Change "any of" to "all of" in error messages ([#&#8203;6222](astral-sh/uv#6222))
-   Collapse redundant dependency clauses enumerating available versions ([#&#8203;6160](astral-sh/uv#6160))
-   Collapse unavailable packages in resolver errors ([#&#8203;6154](astral-sh/uv#6154))
-   Fix messages for unavailable packages when range is plural ([#&#8203;6221](astral-sh/uv#6221))
-   Improve resolver error messages when `--offline` is used ([#&#8203;6156](astral-sh/uv#6156))
-   Avoid overwriting dependencies with different markers in `uv add` ([#&#8203;6010](astral-sh/uv#6010))
-   Simplify available package version ranges when the name includes markers or extras ([#&#8203;6162](astral-sh/uv#6162))
-   Simplify version ranges reported for unavailable packages ([#&#8203;6155](astral-sh/uv#6155))
-   Rename `environment-markers` to `resolution-markers` ([#&#8203;6240](astral-sh/uv#6240))
-   Support `uv add -r requirements.txt` ([#&#8203;6005](astral-sh/uv#6005))

##### CLI

-   Hide global options in `uv generate-shell-completion` ([#&#8203;6170](astral-sh/uv#6170))
-   Show generate-shell-completion command in `uv help` ([#&#8203;6180](astral-sh/uv#6180))
-   Special-case reinstalls in environment update summaries ([#&#8203;6243](astral-sh/uv#6243))
-   Add output when `uv add` and `uv remove` update scripts ([#&#8203;6231](astral-sh/uv#6231))
-   Add support for `package@latest` in `tool run` ([#&#8203;6138](astral-sh/uv#6138))
-   Show `python find` output with `-q` ([#&#8203;6256](astral-sh/uv#6256))
-   Warn when `--upgrade` is passed to `tool run` ([#&#8203;6140](astral-sh/uv#6140))

##### Configuration

-   Allow customizing the tool install directory with `UV_TOOL_BIN_DIR` ([#&#8203;6207](astral-sh/uv#6207))

##### Performance

-   Use `FxHash` in `uv-auth` ([#&#8203;6149](astral-sh/uv#6149))

##### Bug fixes

-   Avoid panicking when the resolver thread encounters a closed channel ([#&#8203;6182](astral-sh/uv#6182))
-   Respect release-only semantics of `python_full_version` when constructing markers ([#&#8203;6171](astral-sh/uv#6171))
-   Tolerate missing `[project]` table in `uv venv` ([#&#8203;6178](astral-sh/uv#6178))
-   Avoid using workspace `lock_path` as relative root ([#&#8203;6157](astral-sh/uv#6157))

##### Documentation

-   Preview changes are now included in the standard changelog ([#&#8203;6259](astral-sh/uv#6259))
-   Document dynamic metadata behavior for cache ([#&#8203;5993](astral-sh/uv#5993))
-   Document the effect of ordering on package priority ([#&#8203;6211](astral-sh/uv#6211))
-   Make some edits to the workspace concept documentation ([#&#8203;6223](astral-sh/uv#6223))
-   Update environment variables doc ([#&#8203;5994](astral-sh/uv#5994))
-   Disable collapsible navigation in the documentation ([#&#8203;5674](astral-sh/uv#5674))
-   Document `uv add` and `uv remove` behavior with markers ([#&#8203;6163](astral-sh/uv#6163))
-   Document the Python installation directory ([#&#8203;6227](astral-sh/uv#6227))
-   Document the `uv.pip` section semantics ([#&#8203;6225](astral-sh/uv#6225))
-   Document the cache directory ([#&#8203;6229](astral-sh/uv#6229))
-   Document the tools directory ([#&#8203;6228](astral-sh/uv#6228))
-   Document yanked packages caveat during sync ([#&#8203;6219](astral-sh/uv#6219))
-   Link to persistent configuration options in Python versions document ([#&#8203;6226](astral-sh/uv#6226))
-   Link to the projects concept from the dependencies concept ([#&#8203;6224](astral-sh/uv#6224))
-   Improvements to the Docker installation guide ([#&#8203;6216](astral-sh/uv#6216))
-   Increase the size of navigation entries ([#&#8203;6233](astral-sh/uv#6233))
-   Install `ca-certificates` in docker and use pipefail ([#&#8203;6208](astral-sh/uv#6208))
-   Add script support to feature highlights in index ([#&#8203;6251](astral-sh/uv#6251))
-   Show `uv generate-shell-completion` in CLI documentation reference ([#&#8203;6146](astral-sh/uv#6146))
-   Update Docker guide for projects ([#&#8203;6217](astral-sh/uv#6217))
-   Use `uv add --script` in guide ([#&#8203;6215](astral-sh/uv#6215))
-   Show pinned version example on in GitHub Actions integration guide ([#&#8203;6234](astral-sh/uv#6234))

</details>
