Merge pull request #674 from lidofinance/develop

Master merge

Author: F4ever

.dockerignore

@@ -1,22 +1,169 @@
-__pycache__
-*.pyc
-*.pyo
-*.pyd
+### Python template
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[cod]
+*$py.class
+
+# C extensions
+*.so
+
+# Distribution / packaging
 .Python
-env
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+lib/
+lib64/
+parts/
+sdist/
+var/
+wheels/
+share/python-wheels/
+*.egg-info/
+.installed.cfg
+*.egg
+MANIFEST
+
+# PyInstaller
+#  Usually these files are written by a python script from a template
+#  before PyInstaller builds the exe, so as to inject date/other infos into it.
+*.manifest
+*.spec
+
+# Installer logs
 pip-log.txt
 pip-delete-this-directory.txt
-.tox
+
+# Unit test / coverage reports
+htmlcov/
+.tox/
+.nox/
 .coverage
 .coverage.*
 .cache
 nosetests.xml
 coverage.xml
 *.cover
+*.py,cover
+.hypothesis/
+.pytest_cache/
+cover/
+
+# Translations
+*.mo
+*.pot
+
+# Django stuff:
 *.log
+local_settings.py
+db.sqlite3
+db.sqlite3-journal
+
+# Flask stuff:
+instance/
+.webassets-cache
+
+# Scrapy stuff:
+.scrapy
+
+# Sphinx documentation
+docs/_build/
+
+# PyBuilder
+.pybuilder/
+target/
+
+# Jupyter Notebook
+.ipynb_checkpoints
+
+# IPython
+profile_default/
+ipython_config.py
+
+# pyenv
+#   For a library or package, you might want to ignore these files since the code is
+#   intended to run in multiple environments; otherwise, check them in:
+# .python-version
+
+# pipenv
+#   According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control.
+#   However, in case of collaboration, if having platform-specific dependencies or dependencies
+#   having no cross-platform support, pipenv may install dependencies that don't work, or not
+#   install all needed dependencies.
+#Pipfile.lock
+
+# poetry
+#   Similar to Pipfile.lock, it is generally recommended to include poetry.lock in version control.
+#   This is especially recommended for binary packages to ensure reproducibility, and is more
+#   commonly ignored for libraries.
+#   https://python-poetry.org/docs/basic-usage/#commit-your-poetrylock-file-to-version-control
+#poetry.lock
+
+# pdm
+#   Similar to Pipfile.lock, it is generally recommended to include pdm.lock in version control.
+#pdm.lock
+#   pdm stores project-wide configurations in .pdm.toml, but it is recommended to not include it
+#   in version control.
+#   https://pdm.fming.dev/latest/usage/project/#working-with-version-control
+.pdm.toml
+.pdm-python
+.pdm-build/
+
+# PEP 582; used by e.g. github.com/David-OConnor/pyflow and github.com/pdm-project/pdm
+__pypackages__/
+
+# Celery stuff
+celerybeat-schedule
+celerybeat.pid
+
+# SageMath parsed files
+*.sage.py
+
+# Environments
+env
+.venv
+venv/
+env.bak/
+venv.bak/
+
+# Spyder project settings
+.spyderproject
+.spyproject
+
+# Rope project settings
+.ropeproject
+
+# mkdocs documentation
+/site
+
+# mypy
+.mypy_cache/
+.dmypy.json
+dmypy.json
+
+# Pyre type checker
+.pyre/
+
+# pytype static type analyzer
+.pytype/
+
+# Cython debug symbols
+cython_debug/
+
+# PyCharm
+.idea/
+
+# Project-specific
+*.pyo
+*.pyd
+.tox
 .git
-.mypy_cache
-.pytest_cache
 .hypothesis
 tests/*
 fixtures/*
+Makefile
+*.md
+docs

.github/workflows/docker_build_reproducibility.yml

@@ -0,0 +1,111 @@
+---
+name: Test Docker image reproducibility
+
+"on":
+  pull_request:
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  packages: write
+
+jobs:
+  build1:
+    runs-on: ubuntu-latest
+    outputs:
+      sha256: ${{ steps.hash.outputs.sha256 }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          persist-credentials: false
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Login to GHCR
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build image
+        id: build
+        uses: docker/build-push-action@v6.15.0
+        with:
+          push: false
+          load: true
+          outputs: type=docker,dest=image.tar,rewrite-timestamp=true
+          provenance: false
+        env:
+          SOURCE_DATE_EPOCH: 0
+
+      - name: Compute SHA256
+        id: hash
+        run: echo "sha256=$(sha256sum image.tar | cut -d' ' -f1)" >> "$GITHUB_OUTPUT"
+
+      - name: Report image hash
+        run: |
+          echo "Hash from the second image build: ${{ steps.hash.outputs.sha256 }}"
+
+  build2:
+    runs-on: ubuntu-latest
+    outputs:
+      sha256: ${{ steps.hash.outputs.sha256 }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          persist-credentials: false
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Login to GHCR
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build image
+        id: build
+        uses: docker/build-push-action@v6
+        with:
+          push: false
+          load: true
+          outputs: type=docker,dest=image.tar,rewrite-timestamp=true
+          provenance: false
+        env:
+          SOURCE_DATE_EPOCH: 0
+
+      - name: Compute SHA256
+        id: hash
+        run: echo "sha256=$(sha256sum image.tar | cut -d' ' -f1)" >> "$GITHUB_OUTPUT"
+
+      - name: Report image hash
+        run: |
+          echo "Hash from the second image build: ${{ steps.hash.outputs.sha256 }}"
+
+  reproducibility:
+    runs-on: ubuntu-latest
+    needs:
+      - build1
+      - build2
+    steps:
+      - name: Fail if empty
+        if: ${{ needs.build1.outputs.sha256 == '' }}
+        run: |
+          echo needs.build1.outputs.sha256 is ${{ needs.build1.outputs.sha256 }}
+          exit 1
+      - name: Report image Hash
+        run: |
+          echo "Hash from the first image build: ${{ needs.build1.outputs.sha256 }}"
+          echo "Hash from the second image build: ${{ needs.build2.outputs.sha256 }}"
+
+      - name: Check if match
+        if: ${{ needs.build1.outputs.sha256 != needs.build2.outputs.sha256 }}
+        run: |
+          echo ${{ needs.build1.outputs.sha256 }} != ${{ needs.build2.outputs.sha256 }}
+          exit 1

Dockerfile

@@ -1,11 +1,15 @@
-FROM python:3.12.4-slim as base
+FROM python:3.12.4-slim AS base
+
+ARG SOURCE_DATE_EPOCH
 
 RUN apt-get update && apt-get install -y --no-install-recommends -qq \
     libffi-dev=3.4.4-1 \
     g++=4:12.2.0-3 \
     curl=7.88.1-10+deb12u12 \
  && apt-get clean \
- && rm -rf /var/lib/apt/lists/*
+ && rm -rf /var/lib/apt/lists/* \
+ && rm -rf /var/cache/* \
+ && rm -rf /var/log/*
 
 ENV PYTHONUNBUFFERED=1 \
     PYTHONDONTWRITEBYTECODE=1 \
@@ -14,30 +18,38 @@ ENV PYTHONUNBUFFERED=1 \
     PIP_DEFAULT_TIMEOUT=100 \
     POETRY_VIRTUALENVS_IN_PROJECT=true \
     POETRY_NO_INTERACTION=1 \
-    VENV_PATH="/.venv"
+    VENV_PATH="/.venv" \
+    CFLAGS="-g0 -O2 -ffile-prefix-map=/src=."
 
 ENV PATH="$VENV_PATH/bin:$PATH"
 
-FROM base as builder
+FROM base AS builder
 
 ENV POETRY_VERSION=1.3.2
 RUN pip install --no-cache-dir poetry==$POETRY_VERSION
 
 WORKDIR /
 COPY pyproject.toml poetry.lock ./
-RUN poetry install --only main --no-root
+
+# Building lru-dict from source for reproducible .so files by enforcing consistent CFLAGS across builds
+RUN poetry config --local installer.no-binary lru-dict && \
+    poetry install --only main --no-root --no-cache && \
+    find "$VENV_PATH" -type d -name '.git' -exec rm -rf {} + && \
+    find "$VENV_PATH" -name '*.dist-info' -exec rm -rf {}/RECORD \; && \
+    find "$VENV_PATH" -name '*.dist-info' -exec rm -rf {}/WHEEL \; && \
+    find "$VENV_PATH" -name '__pycache__' -exec rm -rf {} +
 
 
-FROM base as production
+FROM base AS production
 
 COPY --from=builder $VENV_PATH $VENV_PATH
 WORKDIR /app
 COPY . .
 
 RUN apt-get clean && find /var/lib/apt/lists/ -type f -delete && chown -R www-data /app/
 
-ENV PROMETHEUS_PORT 9000
-ENV HEALTHCHECK_SERVER_PORT 9010
+ENV PROMETHEUS_PORT=9000
+ENV HEALTHCHECK_SERVER_PORT=9010
 
 EXPOSE $PROMETHEUS_PORT
 USER www-data

Makefile

@@ -0,0 +1,13 @@
+reproducible-build-oracle:
+	docker buildx rm oracle-buildkit || true
+	docker volume rm $(shell docker volume ls -q --filter name=buildx_buildkit_oracle-buildkit) || true
+	docker buildx create --name oracle-buildkit --use || true
+	docker buildx use oracle-buildkit
+	docker buildx build \
+		--platform linux/amd64 \
+		--build-arg SOURCE_DATE_EPOCH=0 \
+		--no-cache \
+		--output type=docker,name=oracle-reproducible-container:local,rewrite-timestamp=true \
+		-t oracle-reproducible-container:local \
+		.
+	docker image inspect oracle-reproducible-container:local --format 'Image hash: {{.Id}}'