build our own singleuser-sample image

- start from python:3.9-bullseye-slim
- uses pip-compile, just like hub
- consolidate pip-compile refreeze into `ci/refreeze` (simplifies workflows, reduces duplication, and allows local calls)
- get tini from apt

Author: minrk

.github/workflows/watch-dependencies.yaml

@@ -4,9 +4,9 @@
 # - Watch multiple images tags referenced in values.yaml to match the latest
 #   image tag.
 #
-# - Watch the jupyterhub pinning in images/hub/requirements.in to match the
+# - Watch the jupyterhub pinning in images/*/requirements.in to match the
 #   latest jupyterhub version available on PyPI, and if doing this, also
-#   refreeze images/hub/requirements.txt.
+#   refreeze images/*/requirements.txt.
 #
 # About environment: watch-dependencies
 #
@@ -20,9 +20,7 @@ name: Watch dependencies
 on:
   push:
     paths:
-      - "images/hub/Dockerfile"
-      - "images/hub/requirements.in"
-      - "images/hub/requirements.txt"
+      - "images/*/requirements.in"
       - ".github/workflows/watch-dependencies.yaml"
     branches: ["main"]
   schedule:
@@ -167,25 +165,14 @@ jobs:
       - name: Update pinned version of jupyterhub
         if: steps.local.outputs.version != steps.latest.outputs.version
         run: |
-          sed --in-place 's/jupyterhub==${{ steps.local.outputs.version }}/jupyterhub==${{ steps.latest.outputs.version }}/g' images/hub/requirements.in
-          sed --in-place 's/jupyterhub==${{ steps.local.outputs.version }}/jupyterhub==${{ steps.latest.outputs.version }}/g' images/singleuser-sample/requirements.txt
+          for img in hub singleuser-sample; do
+            sed --in-place 's/jupyterhub==${{ steps.local.outputs.version }}/jupyterhub==${{ steps.latest.outputs.version }}/g' images/$img/requirements.in
+          done
           sed --in-place 's/appVersion: "${{ steps.local.outputs.version }}"/appVersion: "${{ steps.latest.outputs.version }}"/g' jupyterhub/Chart.yaml
 
-      - name: Refreeze images/hub/requirements.txt based on images/hub/requirements.in
+      - name: Refreeze images/*/requirements.txt based on images/*/requirements.in
         if: steps.local.outputs.version != steps.latest.outputs.version
-        # IMPORTANT: This run segment is duplicated in this workflow file across
-        #            two separate jobs, any update here should be made in the
-        #            other job as well.
-        #
-        run: |
-          cd images/hub
-          docker run --rm \
-              --env=CUSTOM_COMPILE_COMMAND='Use the "Run workflow" button at https://github.com/jupyterhub/zero-to-jupyterhub-k8s/actions/workflows/watch-dependencies.yaml' \
-              --volume=$PWD:/io \
-              --workdir=/io \
-              --user=root \
-              python:3.9-bullseye \
-              sh -c 'pip install pip-tools==6.* && pip-compile --upgrade'
+        run: ci/refreeze
 
       - name: git diff
         if: steps.local.outputs.version != steps.latest.outputs.version
@@ -219,28 +206,8 @@ jobs:
     steps:
       - uses: actions/checkout@v3
 
-      - name: Refreeze images/hub/requirements.txt based on images/hub/requirements.in
-        # Because `pip-compile` resolves `requirements.txt` with the current
-        # Python for the current platform, it should be run on the same Python
-        # version and platform as our Dockerfile.
-        #
-        # Note that as of 2022-05-29, `pip-compile` has issues with `pycurl`,
-        # but we workaround them by by omitting the `-slim` part from the image
-        # in the command below.
-        #
-        # IMPORTANT: This run segment is duplicated in this workflow file across
-        #            two separate jobs, any update here should be made in the
-        #            other job as well.
-        #
-        run: |
-          cd images/hub
-          docker run --rm \
-              --env=CUSTOM_COMPILE_COMMAND='Use the "Run workflow" button at https://github.com/jupyterhub/zero-to-jupyterhub-k8s/actions/workflows/watch-dependencies.yaml' \
-              --volume=$PWD:/io \
-              --workdir=/io \
-              --user=root \
-              python:3.9-bullseye \
-              sh -c 'pip install pip-tools==6.* && pip-compile --upgrade'
+      - name: Refreeze images/*/requirements.txt based on images/*/requirements.in
+        run: ci/refreeze
 
       - name: git diff
         run: git --no-pager diff --color=always

ci/refreeze

@@ -0,0 +1,19 @@
+#!/bin/bash
+set -xeuo pipefail
+IMAGES=${1:-images/hub images/singleuser-sample}
+
+# Because `pip-compile` resolves `requirements.txt` with the current
+# Python for the current platform, it should be run on the same Python
+# version and platform as our Dockerfile.
+
+for img in ${IMAGES}; do
+    pushd "$img"
+    docker run --rm \
+        --env=CUSTOM_COMPILE_COMMAND='Use the "Run workflow" button at https://github.com/jupyterhub/zero-to-jupyterhub-k8s/actions/workflows/watch-dependencies.yaml' \
+        --volume="$PWD:/io" \
+        --workdir=/io \
+        --user=root \
+        python:3.9-bullseye \
+        sh -c 'pip install pip-tools==6.* && pip-compile --upgrade'
+    popd
+done

images/hub/Dockerfile

@@ -54,13 +54,9 @@ RUN apt-get update && \
         libcurl4 \
         # requirement for using a local sqlite database
         sqlite3 \
+        tini \
  && rm -rf /var/lib/apt/lists/*
 
-RUN if [ "$(uname -m)" = x86_64 ]; then ARCH=amd64; fi; \
-    if [ "$(uname -m)" = aarch64 ]; then ARCH=arm64; fi; \
-    curl -sSLo /tini "https://github.com/krallin/tini/releases/download/v0.19.0/tini-$ARCH" \
- && chmod +x /tini
-
 COPY --from=build-stage /build-stage/*.whl /tmp/pre-built-wheels/
 COPY requirements.txt /tmp/requirements.txt
 RUN pip install --no-cache-dir \
@@ -72,5 +68,5 @@ RUN chown ${NB_USER}:${NB_USER} /srv/jupyterhub
 USER ${NB_USER}
 
 EXPOSE 8081
-ENTRYPOINT ["/tini", "--"]
+ENTRYPOINT ["tini", "--"]
 CMD ["jupyterhub", "--config", "/usr/local/etc/jupyterhub/jupyterhub_config.py"]

images/hub/requirements.txt

@@ -58,7 +58,7 @@ jinja2==3.1.2
     # via
     #   jupyterhub
     #   jupyterhub-kubespawner
-jsonschema==4.9.1
+jsonschema==4.11.0
     # via
     #   jupyter-telemetry
     #   oauthenticator
@@ -90,7 +90,7 @@ jupyterhub-nativeauthenticator==1.0.5
     # via -r requirements.in
 jupyterhub-tmpauthenticator==0.6
     # via -r requirements.in
-kubernetes-asyncio==24.2.0
+kubernetes-asyncio==24.2.1
     # via jupyterhub-kubespawner
 ldap3==2.9.1
     # via jupyterhub-ldapauthenticator

images/singleuser-sample/Dockerfile

@@ -1,26 +1,61 @@
-FROM jupyter/base-notebook:latest
-# Built from... https://hub.docker.com/r/jupyter/base-notebook/
-#               https://github.com/jupyter/docker-stacks/blob/HEAD/base-notebook/Dockerfile
-# Built from... Ubuntu 20.04
+# The build stage
+# ---------------
+FROM python:3.9-bullseye as build-stage
 
-# VULN_SCAN_TIME=2022-08-08_07:54:05
+# VULN_SCAN_TIME=
+
+WORKDIR /build-stage
+
+# Build wheels for packages that require gcc or other build dependencies and
+# lack wheels either for amd64 or aarch64.
+COPY requirements.txt requirements.txt
+RUN pip wheel -r requirements.txt
+
+# The final stage
+# ---------------
+FROM python:3.9-slim-bullseye
+
+# VULN_SCAN_TIME=
+
+ENV DEBIAN_FRONTEND=noninteractive \
+    LANG=en_US.UTF-8 \
+    LC_ALL=en_US.UTF-8 \
+    LANGUAGE=en_US.UTF-8 \
+    NB_USER=jovyan \
+    NB_UID=1000 \
+    HOME=/home/jovyan
 
 USER root
 RUN apt-get update \
  && apt-get upgrade -y \
  && apt-get install -y --no-install-recommends \
+        ca-certificates \
         dnsutils \
         git \
+        locales \
         iputils-ping \
- && rm -rf /var/lib/apt/lists/*
-USER $NB_USER
+        tini \
+ && apt-get clean \
+ && rm -rf /var/lib/apt/lists/* \
+ && echo "en_US.UTF-8 UTF-8" > /etc/locale.gen \
+ && locale-gen
 
-COPY requirements.txt /tmp/requirements.txt
-RUN pip install --no-cache-dir \
-        -r /tmp/requirements.txt
+COPY --from=build-stage /build-stage/*.whl /tmp/pre-built-wheels/
+RUN pip install --no-cache-dir /tmp/pre-built-wheels/*.whl
 
 # nbgitpuller is installed in requirements.txt for demo purposes, and this
 # enables it to function.
 RUN jupyter serverextension enable --py nbgitpuller --sys-prefix
 
 # conda/pip/apt install additional packages here, if desired.
+
+RUN adduser --disabled-password \
+        --gecos "Default user" \
+        --uid ${NB_UID} \
+        --home ${HOME} \
+        --force-badname \
+        ${NB_USER}
+
+USER $NB_USER
+
+ENTRYPOINT ["tini", "--"]

images/singleuser-sample/requirements.in

@@ -0,0 +1,18 @@
+# This file is the input to requirements.txt,
+# which is a frozen version of this. To update
+# requirements.txt, use the "Run workflow" button at
+# https://github.com/jupyterhub/zero-to-jupyterhub-k8s/actions/workflows/watch-dependencies.yaml
+# that will also update the jupyterhub version if needed.
+# README.md file.
+
+# JupyterHub itself, update this version pinning by running the workflow
+# mentioned above.
+jupyterhub==3.0.0b1
+
+# UI
+jupyterlab
+nbclassic
+retrolab
+
+# plugins
+nbgitpuller