#!/usr/bin/env python3 # Copyright 2017 Google Inc. All Rights Reserved. # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. """Generate a Dockerfile and helper files for a Python application.""" import argparse import collections import collections.abc import functools import io import os import re import sys import yaml import validation_utils # Validate characters for dockerfile image names. # # This roots out obvious mistakes, the full gory details are here: # https://github.com/docker/distribution/blob/master/reference/regexp.go IMAGE_REGEX = re.compile(r"""(?x) ^ [a-zA-Z0-9] # First char must be alphanumeric [a-zA-Z0-9-_./:@+]* # Punctuation allowed after that $ """) # `entrypoint` is specified as free-form text parsed as a unix shell # command line, which limits the sanity checking possible. We # disallow newlines and control characters which would break the # Dockerfile format. PRINTABLE_REGEX = re.compile(r"""^[^\x00-\x1f]*$""") # Map from app.yaml "python_version" to {python_version} in Dockerfile PYTHON_INTERPRETER_VERSION_MAP = { '': '', # == 2.7 '2': '', # == 2.7 '3': '3.6', '3.4': '3.4', '3.5': '3.5', '3.6': '3.6', '3.7': '3.7', } # Name of environment variable potentially set by gcloud GAE_APPLICATION_YAML_PATH = 'GAE_APPLICATION_YAML_PATH' # Validated application configuration AppConfig = collections.namedtuple( 'AppConfig', 'base_image dockerfile_python_version entrypoint has_requirements_txt is_python_compat' ) def get_app_config(raw_config, base_image, config_file, source_dir): """Read and validate the application runtime configuration. We validate the user input for security and better error messages. Consider parsing a yaml file which has a string value where we expected a list. Python will happily use the string as a sequence of individual characters, at least for a while, leading to confusing results when it finally fails. We also try to prevent Dockerfile and Bash injection attacks. For example, specifying entrypoint as "true\\nADD /etc/passwd /pwned" would allow the user to inject arbitrary directives into the Dockerfile, which is a support problem if nothing else. Args: raw_config (dict): deserialized app.yaml base_image (str): Docker image name to build on top of config_file (str): Path to user's app.yaml (might be <service>.yaml) source_dir (str): Directory containing user's source code Returns: AppConfig: valid configuration """ # Examine app.yaml if not isinstance(raw_config, collections.abc.Mapping): raise ValueError( 'Expected {} contents to be a Mapping type, but found type "{}"'. format(config_file, type(raw_config))) # Short circuit for python compat. if validation_utils.get_field_value( raw_config, 'runtime', str) == 'python-compat': return AppConfig( base_image=None, dockerfile_python_version=None, entrypoint=None, has_requirements_txt=None, is_python_compat=True) entrypoint = validation_utils.get_field_value( raw_config, 'entrypoint', str) if not PRINTABLE_REGEX.match(entrypoint): raise ValueError( 'Invalid "entrypoint" value in app.yaml: {!r}'.format(entrypoint)) # Mangle entrypoint in the same way as the Cloud SDK # (googlecloudsdk/third_party/appengine/api/validation.py) # # We could handle both string ("shell form") and list ("exec # form") but it appears that gcloud only handles string form. if entrypoint and not entrypoint.startswith('exec '): entrypoint = 'exec ' + entrypoint raw_runtime_config = validation_utils.get_field_value( raw_config, 'runtime_config', dict) python_version = validation_utils.get_field_value( raw_runtime_config, 'python_version', str) dockerfile_python_version = PYTHON_INTERPRETER_VERSION_MAP.get( python_version) if dockerfile_python_version is None: valid_versions = str(sorted(PYTHON_INTERPRETER_VERSION_MAP.keys())) raise ValueError( 'Invalid "python_version" field in "runtime_config" section ' 'of app.yaml: {!r}. Valid options are: {}'. format(python_version, valid_versions)) # Examine user's files has_requirements_txt = os.path.isfile( os.path.join(source_dir, 'requirements.txt')) return AppConfig( base_image=base_image, dockerfile_python_version=dockerfile_python_version, entrypoint=entrypoint, has_requirements_txt=has_requirements_txt, is_python_compat=False) def get_data(name): """Return the contents of the named data resource These templates are copied from the Google Cloud SDK at google-cloud-sdk/platform/ext-runtime/python/data and the two should be kept in sync. Args: name (str): Name of file, without directory Returns: str: Contents of data file """ filename = os.path.join(os.path.dirname(__file__), 'data', name) with io.open(filename, 'r', encoding='utf8') as template_file: return template_file.read() def generate_files(app_config): """Generate a Dockerfile and helper files for an application. Args: app_config (AppConfig): Validated configuration Returns: dict: Map of filename to desired file contents """ if app_config.has_requirements_txt: optional_requirements_txt = get_data('Dockerfile.requirements_txt') else: optional_requirements_txt = '' if app_config.entrypoint: optional_entrypoint = get_data( 'Dockerfile.entrypoint.template').format( entrypoint=app_config.entrypoint) else: optional_entrypoint = '' if app_config.is_python_compat: dockerfile = get_data('Dockerfile.python_compat') dockerignore = get_data('dockerignore.python_compat') else: dockerfile = ''.join([ get_data('Dockerfile.preamble.template').format( base_image=app_config.base_image), get_data('Dockerfile.virtualenv.template').format( python_version=app_config.dockerfile_python_version), optional_requirements_txt, get_data('Dockerfile.install_app'), optional_entrypoint, ]) dockerignore = get_data('dockerignore') return { 'Dockerfile': dockerfile, '.dockerignore': dockerignore, } def generate_dockerfile_command(base_image, config_file, source_dir): """Write a Dockerfile and helper files for an application. Args: base_image (str): Docker image name to build on top of config_file (str): Path to user's app.yaml (might be <service>.yaml) source_dir (str): Directory container user's source code """ # Read yaml file. Does not currently support multiple services # with configuration filenames besides app.yaml with io.open(config_file, 'r', encoding='utf8') as yaml_config_file: raw_config = yaml.safe_load(yaml_config_file) # Determine complete configuration app_config = get_app_config(raw_config, base_image, config_file, source_dir) # Generate list of filenames and their textual contents files = generate_files(app_config) # Write files for filename, contents in files.items(): full_filename = os.path.join(source_dir, filename) with io.open(full_filename, 'w', encoding='utf8') as outfile: outfile.write(contents) def parse_args(argv): """Parse and validate command line flags""" parser = argparse.ArgumentParser() parser.add_argument( '--base-image', type=functools.partial( validation_utils.validate_arg_regex, flag_regex=IMAGE_REGEX), default='gcr.io/google-appengine/python:latest', help='Name of Docker image to use as base') # In some cases, gcloud sets an environment variable to indicate # the location of the application configuration file, rather than # using the --config flag. The order of precedence from highest # to lowest is: # # 1) --config flag # 2) $GAE_APPLICATION_YAML_PATH environment variable # 3) a file named "app.yaml" in the current working directory parser.add_argument( '--config', type=functools.partial( validation_utils.validate_arg_regex, flag_regex=PRINTABLE_REGEX), default=(os.environ.get(GAE_APPLICATION_YAML_PATH) or 'app.yaml'), help='Path to application configuration file' ) parser.add_argument( '--source-dir', type=functools.partial( validation_utils.validate_arg_regex, flag_regex=PRINTABLE_REGEX), default='.', help=('Application source and output directory')) args = parser.parse_args(argv[1:]) return args def main(): args = parse_args(sys.argv) generate_dockerfile_command(args.base_image, args.config, args.source_dir) if __name__ == '__main__': main()