Install `ca-certificates` in docker and use pipefail #6208
A dockerfile using `ubuntu` instead of `python` as base image currently silently fails to install.

```dockerfile
FROM ubuntu
RUN apt-get update && apt-get install -y curl --no-install-recommends
RUN curl -LsSf https://astral.sh/uv/install.sh | sh
RUN uv --version
```

```console
$ docker buildx build --progress plain --no-cache .
[...]
#6 [3/4] RUN curl -LsSf https://astral.sh/uv/install.sh | sh
#6 0.144 curl: (77) error setting certificate file: /etc/ssl/certs/ca-certificates.crt
#6 DONE 0.2s

#7 [4/4] RUN uv --version
#7 0.113 /bin/sh: 1: uv: not found
#7 ERROR: process "/bin/sh -c uv --version" did not complete successfully: exit code: 127
```

There are two underlying problems: Pipefail, and missing `ca-certificates`.

In most shells, the source of a pipe erroring doesn't fail the entire command, so `curl -LsSf https://astral.sh/uv/install.sh | sh` passes even if the curl part fails. In bash, you can prefix the command with `set -o pipefail &&` to change this behavior. But in the `ubuntu` docker container, dash is the default shell, not bash. dash doesn't have a pipefail option (in the version in ubuntu), so the [best practice](https://docs.docker.com/build/building/best-practices/#using-pipes) is `RUN ["/bin/bash", "-c", "set -o pipefail && curl -LsSf https://astral.sh/uv/install.sh | sh"]`. That's not very readable, so I'm going for `RUN curl -LsSf https://astral.sh/uv/install.sh > /tmp/uv-installer.sh && sh /tmp/uv-installer.sh && rm /tmp/uv-installer.sh` instead.

```dockerfile
FROM ubuntu
RUN apt-get update && apt-get install -y curl --no-install-recommends
RUN curl -LsSf https://astral.sh/uv/install.sh > /tmp/uv-installer.sh && sh /tmp/uv-installer.sh && rm /tmp/uv-installer.sh \
RUN uv --version
```

```console
$ docker buildx build --progress plain --no-cache .
[...]
#6 [3/3] RUN curl -LsSf https://astral.sh/uv/install.sh > /tmp/uv-installer.sh && sh /tmp/uv-installer.sh && rm /tmp/uv-installer.sh RUN uv --version
#6 0.179 curl: (77) error setting certificate file: /etc/ssl/certs/ca-certificates.crt
#6 ERROR: process "/bin/sh -c curl -LsSf https://astral.sh/uv/install.sh > /tmp/uv-installer.sh && sh /tmp/uv-installer.sh && rm /tmp/uv-installer.sh RUN uv --version" did not complete successfully: exit code: 77
```

The source for this error is `ca-certificates` missing, which is a recommended package. We need to drop `--no-install-recommends` and the installation passes again.
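The exit-status masking described above can be reproduced offline. This is an added example, not part of the pull request: `fake_fetch` is a hypothetical stand-in for the `curl` call failing with exit code 77, and the three function names are made up for illustration.

```sh
#!/bin/sh
# Added example. fake_fetch is a hypothetical stand-in for
# `curl -LsSf <url>` failing with exit code 77 (the CA bundle error).
fake_fetch() {
    echo "curl: (77) error setting certificate file" >&2
    return 77
}

# Pattern 1: `fetch | sh`. POSIX sh reports only the status of the last
# command in the pipe, and `sh` reading empty stdin exits 0, so the
# download failure is masked and the build step "succeeds".
piped_status() {
    fake_fetch 2>/dev/null | sh
    echo $?
}

# Pattern 2: download to a file, then run it. `&&` stops at the first
# failure, so the fetch status propagates and the empty file never runs.
tempfile_status() {
    tmp=$(mktemp)
    rc=0
    { fake_fetch 2>/dev/null > "$tmp" && sh "$tmp"; } || rc=$?
    rm -f "$tmp"
    echo "$rc"
}

# Pattern 3: bash with pipefail. `(exit 77)` plays the failing fetch here
# because shell functions are not visible inside `bash -c`.
pipefail_status() {
    rc=0
    bash -c 'set -o pipefail; (exit 77) | sh' || rc=$?
    echo "$rc"
}

printf 'pipe=%s tempfile=%s pipefail=%s\n' \
    "$(piped_status)" "$(tempfile_status)" "$(pipefail_status)"
```
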
Should we just actually request the packages we need alongside |
Yeah I think |
RUN apt-get update && apt-get install -y curl --no-install-recommends | ||
RUN curl -LsSf https://astral.sh/uv/install.sh | sh | ||
RUN apt-get update && apt-get install -y curl | ||
RUN curl -LsSf https://astral.sh/uv/install.sh > /tmp/uv-installer.sh && sh /tmp/uv-installer.sh && rm /tmp/uv-installer.sh |
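Review bot: On the `apt-get install -y curl` line, dropping `--no-install-recommends` brings in `ca-certificates` only as a side effect of installing all of curl's recommended packages, so the dependency the installer actually needs is left implicit. Consider keeping the flag and naming the package, e.g. `apt-get install -y --no-install-recommends curl ca-certificates`. The `curl ... > /tmp/uv-installer.sh && sh ...` line would also benefit from a short comment saying the pipe is avoided so a failed download fails the build, otherwise a later edit may fold it back into `curl | sh`.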
Can we just `ADD` the file from the remote URL if we're doing this? Does that even require `curl`?
I tried that, but cargo-dist requires curl or wget to download the uv archive.
Do we know what the packages we're unselecting and do we know that unlike |
I mean... as described the image works fine — you changed the base image and it failed. I agree we could do better though.
This MR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [astral-sh/uv](https://github.com/astral-sh/uv) | minor | `0.2.37` -> `0.3.0` |

MR created with the help of [el-capitano/tools/renovate-bot](https://gitlab.com/el-capitano/tools/renovate-bot).

**Proposed changes to behavior should be submitted there as MRs.**

---

### Release Notes

<details>
<summary>astral-sh/uv (astral-sh/uv)</summary>

### [`v0.3.0`](https://github.com/astral-sh/uv/blob/HEAD/CHANGELOG.md#030)

[Compare Source](astral-sh/uv@0.2.37...0.3.0)

This release introduces the uv [project](https://docs.astral.sh/uv/guides/projects/), [tool](https://docs.astral.sh/uv/guides/tools/), [script](https://docs.astral.sh/uv/guides/scripts/), and [python](https://docs.astral.sh/uv/guides/install-python/) interfaces. If you've been following uv's development, you've probably seen these new commands behind a preview flag. Now, the interfaces are stable and ready for production-use.

These features are all documented in [new, comprehensive documentation](https://docs.astral.sh/uv/).

This release also stabilizes preview functionality in `uv venv`:

- `uv venv --python <version>` will [automatically download](https://docs.astral.sh/uv/concepts/python-versions/#requesting-a-version) the Python version if required
- `uv venv` will read the required Python version from the `.python-version` file or `pyproject.toml`

The `uv pip` interface should not be affected by any breaking changes.

Note the following changelog entries does not include all the new features since they were added incrementally as preview features. See the [feature page](https://docs.astral.sh/uv/getting-started/features/) in the documentation for a comprehensive listing, or read the [blog post](https://astral.sh/blog/uv-unified-python-packaging) for more context on the new features.

##### Breaking changes

- Migrate to XDG and Linux strategy for macOS directories ([#5806](astral-sh/uv#5806))
- Move concurrency settings to top-level ([#4257](astral-sh/uv#4257))
- Apply system Python filtering to executable name requests ([#4309](astral-sh/uv#4309))
- Remove `--legacy-setup-py` command-line argument ([#4255](astral-sh/uv#4255))
- Stabilize preview features ([#6166](astral-sh/uv#6166))

##### Enhancements

- Add 32-bit Windows target ([#6252](astral-sh/uv#6252))
- Add support for `python_version in ...` markers ([#6172](astral-sh/uv#6172))
- Allow user to constrain supported lock environments ([#6210](astral-sh/uv#6210))
- Lift requirement that .egg-info filenames must include version ([#6179](astral-sh/uv#6179))
- Change "any of" to "all of" in error messages ([#6222](astral-sh/uv#6222))
- Collapse redundant dependency clauses enumerating available versions ([#6160](astral-sh/uv#6160))
- Collapse unavailable packages in resolver errors ([#6154](astral-sh/uv#6154))
- Fix messages for unavailable packages when range is plural ([#6221](astral-sh/uv#6221))
- Improve resolver error messages when `--offline` is used ([#6156](astral-sh/uv#6156))
- Avoid overwriting dependencies with different markers in `uv add` ([#6010](astral-sh/uv#6010))
- Simplify available package version ranges when the name includes markers or extras ([#6162](astral-sh/uv#6162))
- Simplify version ranges reported for unavailable packages ([#6155](astral-sh/uv#6155))
- Rename `environment-markers` to `resolution-markers` ([#6240](astral-sh/uv#6240))
- Support `uv add -r requirements.txt` ([#6005](astral-sh/uv#6005))

##### CLI

- Hide global options in `uv generate-shell-completion` ([#6170](astral-sh/uv#6170))
- Show generate-shell-completion command in `uv help` ([#6180](astral-sh/uv#6180))
- Special-case reinstalls in environment update summaries ([#6243](astral-sh/uv#6243))
- Add output when `uv add` and `uv remove` update scripts ([#6231](astral-sh/uv#6231))
- Add support for `package@latest` in `tool run` ([#6138](astral-sh/uv#6138))
- Show `python find` output with `-q` ([#6256](astral-sh/uv#6256))
- Warn when `--upgrade` is passed to `tool run` ([#6140](astral-sh/uv#6140))

##### Configuration

- Allow customizing the tool install directory with `UV_TOOL_BIN_DIR` ([#6207](astral-sh/uv#6207))

##### Performance

- Use `FxHash` in `uv-auth` ([#6149](astral-sh/uv#6149))

##### Bug fixes

- Avoid panicking when the resolver thread encounters a closed channel ([#6182](astral-sh/uv#6182))
- Respect release-only semantics of `python_full_version` when constructing markers ([#6171](astral-sh/uv#6171))
- Tolerate missing `[project]` table in `uv venv` ([#6178](astral-sh/uv#6178))
- Avoid using workspace `lock_path` as relative root ([#6157](astral-sh/uv#6157))

##### Documentation

- Preview changes are now included in the standard changelog ([#6259](astral-sh/uv#6259))
- Document dynamic metadata behavior for cache ([#5993](astral-sh/uv#5993))
- Document the effect of ordering on package priority ([#6211](astral-sh/uv#6211))
- Make some edits to the workspace concept documentation ([#6223](astral-sh/uv#6223))
- Update environment variables doc ([#5994](astral-sh/uv#5994))
- Disable collapsible navigation in the documentation ([#5674](astral-sh/uv#5674))
- Document `uv add` and `uv remove` behavior with markers ([#6163](astral-sh/uv#6163))
- Document the Python installation directory ([#6227](astral-sh/uv#6227))
- Document the `uv.pip` section semantics ([#6225](astral-sh/uv#6225))
- Document the cache directory ([#6229](astral-sh/uv#6229))
- Document the tools directory ([#6228](astral-sh/uv#6228))
- Document yanked packages caveat during sync ([#6219](astral-sh/uv#6219))
- Link to persistent configuration options in Python versions document ([#6226](astral-sh/uv#6226))
- Link to the projects concept from the dependencies concept ([#6224](astral-sh/uv#6224))
- Improvements to the Docker installation guide ([#6216](astral-sh/uv#6216))
- Increase the size of navigation entries ([#6233](astral-sh/uv#6233))
- Install `ca-certificates` in docker and use pipefail ([#6208](astral-sh/uv#6208))
- Add script support to feature highlights in index ([#6251](astral-sh/uv#6251))
- Show `uv generate-shell-completion` in CLI documentation reference ([#6146](astral-sh/uv#6146))
- Update Docker guide for projects ([#6217](astral-sh/uv#6217))
- Use `uv add --script` in guide ([#6215](astral-sh/uv#6215))
- Show pinned version example on in GitHub Actions integration guide ([#6234](astral-sh/uv#6234))

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever MR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this MR and you won't be reminded about this update again.

---

- [ ] If you want to rebase/retry this MR, check this box

---

This MR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).