From e04e555abb725b42052dbb8fa896c7260954570c Mon Sep 17 00:00:00 2001
From: kburke <209327+kburke@users.noreply.github.com>
Date: Wed, 29 Oct 2025 16:42:22 -0400
Subject: [PATCH 1/2] Switch to api_base_image 1.2.0, including dual-installation of Python 3.13 for uWSGI to use.
---
 docker/entity-api/Dockerfile | 71 +++++++++++++++++++++++-------------
 docker/entity-api/start.sh | 2 +-
 src/requirements.txt | 2 +-
 3 files changed, 47 insertions(+), 28 deletions(-)
diff --git a/docker/entity-api/Dockerfile b/docker/entity-api/Dockerfile
index 9d861c54..4e147389 100644
--- a/docker/entity-api/Dockerfile
+++ b/docker/entity-api/Dockerfile
@@ -1,5 +1,5 @@
 # Parent image
-FROM hubmap/api-base-image:1.1.0
+FROM hubmap/api-base-image:1.2.0
 LABEL description="HuBMAP Entity API Service"
@@ -13,45 +13,64 @@ WORKDIR /usr/src/app
 # Copy from host to image
 COPY . .
-# http://nginx.org/en/linux_packages.html#RHEL-CentOS
-# Set up the yum repository to install the latest mainline version of Nginx
-RUN echo $'[nginx-mainline]\n\
-name=nginx mainline repo\n\
-baseurl=http://nginx.org/packages/mainline/centos/$releasever/$basearch/\n\
-gpgcheck=1\n\
-enabled=0\n\
-gpgkey=https://nginx.org/keys/nginx_signing.key\n\
-module_hotfixes=true\n'\
->> /etc/yum.repos.d/nginx.repo
+# Set up the repository file for the mainline version of
+# nginx which dnf should use (in the legacy "yum" location.)
+RUN set -eux && \
+ cat <<'EOF' > /etc/yum.repos.d/nginx.repo
+[nginx-mainline]
+name=nginx mainline repo
+baseurl=http://nginx.org/packages/mainline/centos/$releasever/$basearch/
+gpgcheck=1
+enabled=0
+gpgkey=https://nginx.org/keys/nginx_signing.key
+module_hotfixes=true
+EOF
 # Reduce the number of layers in image by minimizing the number of separate RUN commands
 # 1 - Install the prerequisites
 # 2 - By default, the repository for stable nginx packages is used. We would like to use mainline nginx packages
-# 3 - Install nginx (using the custom yum repo specified earlier)
+# 3 - Install nginx (using the custom dnf/yum repo specified earlier)
 # 4 - Remove the default nginx config file
 # 5 - Overwrite the nginx.conf with ours to run nginx as non-root
 # 6 - Remove the nginx directory copied from host machine (nginx/conf.d gets mounted to the container)
-# 7 - Upgrade pip (the one installed in base image may be old) and install flask app dependencies (pip3 also works)
+# 7 - Upgrade pip (the one installed in base image may be old) and install service requirements.txt packages
 # 8 - Make the start script executable
-# 9 - Clean all yum cache
-RUN yum install -y yum-utils && \
- yum-config-manager --enable nginx-mainline && \
- yum install -y nginx && \
- rm /etc/nginx/conf.d/default.conf && \
- mv nginx/nginx.conf /etc/nginx/nginx.conf && \
- rm -rf nginx && \
- pip install --upgrade pip -r src/requirements.txt && \
- chmod +x start.sh && \
- yum clean all
+# 9 - Clean the dnf/yum cache and other locations to reduce Docker Image layer size.
+# Assume the base image has upgraded dnf and installed its dnf-plugins-core
+ RUN dnf install --assumeyes dnf-plugins-core && \
+ dnf config-manager --enable nginx-mainline && \
+ dnf install --assumeyes nginx && \
+ # Push aside nginx default.conf files that may exist on the system
+ [ ! -f /etc/nginx/conf.d/default.conf ] || mv /etc/nginx/conf.d/default.conf /tmp/etc_nginx_conf.d_default.conf.ORIGINAL && \
+ [ ! -f /etc/nginx/nginx.conf ] || mv /etc/nginx/nginx.conf /tmp/etc_nginx_nginx.conf.ORIGINAL && \
+ # Install the nginx default.conf file just installed in WORKDIR
+ mv nginx/nginx.conf /etc/nginx/nginx.conf && \
+ # Clean up the nginx install directory in WORKDIR
+ [ ! -d nginx ] || mv nginx /tmp/nginx_from_WORKDIR && \
+ # Push aside the verification file from the base image which will
+ # no longer report correctly once uWSGI is started for the service.
+ [ ! -f /tmp/verify_uwsgi.sh ] || mv /tmp/verify_uwsgi.sh /tmp/verify_uwsgi.sh.ORIGINAL && \
+ # Install the requirements.txt file for the service
+ pip3.13 install --no-cache-dir --upgrade pip -r src/requirements.txt && \
+ # Make the script referenced in the CMD directive below executable.
+ chmod 755 start.sh && \
+ # Clean up artifacts to slim down this layer of the Docker Image
+ dnf clean all && \
+ rm -rf /var/cache/dnf \
+ /var/log/dnf \
+ /var/log/yum \
+ /root/.cache
 # The EXPOSE instruction informs Docker that the container listens on the specified network ports at runtime.
 # EXPOSE does not make the ports of the container accessible to the host.
 # Here 5000 is for the uwsgi socket, 8080 for nginx
 EXPOSE 5000 8080
-# Set an entrypoint
-COPY entrypoint.sh /usr/local/bin/entrypoint.sh
-RUN chmod +x /usr/local/bin/entrypoint.sh
+# Set an entrypoint by moving the file copied into the WORKDIR to
+# the location referenced by the ENTRYPOINT directive below, and
+# make it executable.
+RUN mv entrypoint.sh /usr/local/bin/entrypoint.sh && \
+ chmod 755 /usr/local/bin/entrypoint.sh
 ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]
diff --git a/docker/entity-api/start.sh b/docker/entity-api/start.sh
index 71410ad9..839c251e 100755
--- a/docker/entity-api/start.sh
+++ b/docker/entity-api/start.sh
@@ -5,4 +5,4 @@ nginx -g 'daemon off;' &
 # Start uwsgi and keep it running in foreground
-uwsgi --ini /usr/src/app/src/uwsgi.ini
\ No newline at end of file
+/usr/local/python3.13/bin/uwsgi --ini /usr/src/app/src/uwsgi.ini
diff --git a/src/requirements.txt b/src/requirements.txt
index ae3fa02e..6e110fec 100644
--- a/src/requirements.txt
+++ b/src/requirements.txt
@@ -12,7 +12,7 @@ nested-lookup==0.2.22
 # The commons package requires requests>=2.22.0 and PyYAML>=5.3.1
 requests==2.32.3
-PyYAML==5.4.1
+PyYAML==6.0.3
 # Use the published package from PyPI as default
 # Use the branch name of commons from github for testing new changes made in commons from different branch
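Review bot: The `baseurl` written into /etc/yum.repos.d/nginx.repo by the new heredoc in docker/entity-api/Dockerfile is still plain `http://`, so the repository metadata is fetched without transport protection. `gpgcheck=1` verifies package signatures, but nothing in the repo file sets `repo_gpgcheck`, so the metadata itself is not authenticated. I would switch the line to `baseurl=https://nginx.org/packages/mainline/centos/$releasever/$basearch/`, matching the `https://` already used for `gpgkey`; the same applies to the `[nginx-stable]` baseurl introduced in PATCH 2/2. Separately, the `mv ... /tmp/...ORIGINAL` and `mv nginx /tmp/nginx_from_WORKDIR` steps keep the displaced files in the image under /tmp, which works against the stated goal of slimming the layer; removing them instead would avoid that if the originals are not needed at runtime.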
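Review bot: The rewritten uWSGI line in docker/entity-api/start.sh still starts uWSGI as a child of the shell rather than replacing it, so if this script ends up as the container's main process the stop signal is delivered to the shell and not to uWSGI. Since the line is being touched anyway, `exec /usr/local/python3.13/bin/uwsgi --ini /usr/src/app/src/uwsgi.ini` would let uWSGI receive it directly; how entrypoint.sh invokes start.sh is not visible in this patch, so confirm before changing. A short comment such as `# Use the uWSGI installed under Python 3.13 in the base image, not the one on PATH` would also explain why the absolute path is needed.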
From 3dbdc157a5f5b2565ed910cab3186cfb59ca16fa Mon Sep 17 00:00:00 2001
From: kburke <209327+kburke@users.noreply.github.com>
Date: Thu, 30 Oct 2025 14:19:30 -0400
Subject: [PATCH 2/2] Switch to nginx-stable release, turn off cache during build
---
 docker/docker-development.sh | 2 +-
 docker/entity-api/Dockerfile | 20 +++++++++-----------
 2 files changed, 10 insertions(+), 12 deletions(-)
diff --git a/docker/docker-development.sh b/docker/docker-development.sh
index 05febd50..d28334e1 100755
--- a/docker/docker-development.sh
+++ b/docker/docker-development.sh
@@ -106,7 +106,7 @@ else
 cp ../VERSION entity-api
 cp ../BUILD entity-api
- docker compose -f docker-compose.yml -f docker-compose.development.yml -p entity-api build
+ docker compose -f docker-compose.yml -f docker-compose.development.yml -p entity-api build --no-cache
 elif [ "$1" = "start" ]; then
 docker compose -f docker-compose.yml -f docker-compose.development.yml -p entity-api up -d
 elif [ "$1" = "stop" ]; then
diff --git a/docker/entity-api/Dockerfile b/docker/entity-api/Dockerfile
index 4e147389..9ab08a92 100644
--- a/docker/entity-api/Dockerfile
+++ b/docker/entity-api/Dockerfile
@@ -13,22 +13,22 @@ WORKDIR /usr/src/app
 # Copy from host to image
 COPY . .
-# Set up the repository file for the mainline version of
+# Set up the repository file for the stable version of
 # nginx which dnf should use (in the legacy "yum" location.)
 RUN set -eux && \
 cat <<'EOF' > /etc/yum.repos.d/nginx.repo
-[nginx-mainline]
-name=nginx mainline repo
-baseurl=http://nginx.org/packages/mainline/centos/$releasever/$basearch/
+[nginx-stable]
+name=nginx stable repo
+baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
 gpgcheck=1
-enabled=0
+enabled=1
 gpgkey=https://nginx.org/keys/nginx_signing.key
 module_hotfixes=true
 EOF
 # Reduce the number of layers in image by minimizing the number of separate RUN commands
 # 1 - Install the prerequisites
-# 2 - By default, the repository for stable nginx packages is used. We would like to use mainline nginx packages
+# 2 - By default, the repository for stable nginx packages is used.
 # 3 - Install nginx (using the custom dnf/yum repo specified earlier)
 # 4 - Remove the default nginx config file
 # 5 - Overwrite the nginx.conf with ours to run nginx as non-root
@@ -37,9 +37,7 @@ EOF
 # 8 - Make the start script executable
 # 9 - Clean the dnf/yum cache and other locations to reduce Docker Image layer size.
 # Assume the base image has upgraded dnf and installed its dnf-plugins-core
- RUN dnf install --assumeyes dnf-plugins-core && \
- dnf config-manager --enable nginx-mainline && \
- dnf install --assumeyes nginx && \
+ RUN dnf install --assumeyes nginx && \
 # Push aside nginx default.conf files that may exist on the system
 [ ! -f /etc/nginx/conf.d/default.conf ] || mv /etc/nginx/conf.d/default.conf /tmp/etc_nginx_conf.d_default.conf.ORIGINAL && \
 [ ! -f /etc/nginx/nginx.conf ] || mv /etc/nginx/nginx.conf /tmp/etc_nginx_nginx.conf.ORIGINAL && \
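Review bot: In the @@ -37,9 hunk, `dnf install --assumeyes nginx` no longer names the repository the package is expected to come from: with the `config-manager --enable` step removed and `enabled=1` set in nginx.repo, the install resolves across every enabled repo. If the base image also enables a distribution repo that carries nginx (not visible in this patch), which build lands in the image depends on version comparison rather than on intent. I would make the source explicit with `dnf install --assumeyes --repo nginx-stable nginx`. The context comment `# Assume the base image has upgraded dnf and installed its dnf-plugins-core` no longer describes anything this RUN relies on and could be dropped; the RUN itself continues past the end of the hunk.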
@@ -53,7 +51,7 @@ EOF
 # Install the requirements.txt file for the service
 pip3.13 install --no-cache-dir --upgrade pip -r src/requirements.txt && \
 # Make the script referenced in the CMD directive below executable.
- chmod 755 start.sh && \
+ chmod a+x start.sh && \
 # Clean up artifacts to slim down this layer of the Docker Image
 dnf clean all && \
 rm -rf /var/cache/dnf \
@@ -70,7 +68,7 @@ EXPOSE 5000 8080
 # the location referenced by the ENTRYPOINT directive below, and
 # make it executable.
 RUN mv entrypoint.sh /usr/local/bin/entrypoint.sh && \
- chmod 755 /usr/local/bin/entrypoint.sh
+ chmod a+x /usr/local/bin/entrypoint.sh
 ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]
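Review bot: `chmod a+x start.sh` only adds execute bits and keeps whatever read/write bits the file carried in from the build context, whereas the `chmod 755` it replaces set a known mode. If either script is group- or world-writable in the host checkout it stays writable in the image, which matters for scripts that run at container start. Unless preserving the source mode is intended, I would keep `chmod 755 start.sh` here and `chmod 755 /usr/local/bin/entrypoint.sh` in the @@ -70,7 hunk. The first RUN begins outside its hunk.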