Updates the Docker configuration to use the gunicorn server with gevent
workers by default. Adds `waitress` to the docker container, so that if
no server is specified, we will fall back to that rather than `wsgiref`.
Making this happen brought a few other issues to light, which are also
addressed here.
- Docker log output not immediately being flushed to stdout (#358):
resolved by setting the `PYTHONUNBUFFERED` env var to `t` in the
docker container
- When the WSGIRef server is selected, its access logs are written
directly to stderr, rather than going through the logging machinery:
resolved by adding a new `WsgiHandler` class and passing in to
bottle's `run()` method when running the wsgi server. This required a
new `ServerCheck` class to determine whether the wsgi server is
selected when the `auto` option is used
- When using `gunicorn` along with the watchdog cache, package uplaods
were not being picked up by the watcher. Updated the `add_package`
and `remove_package` methods on the `CachingFileBackend` to bust the
cache
* Docker improvements
This addresses much of what was brought up in #359. Specifically, it:
- Significantly improves testing for the Docker image, adding a
`docker/test_docker.py` file using the regular pytest machinery to
set up and run docker images for testing
- Hopefully addresses a variety of permissions issues, by being explicit
about what access pypiserver needs and asking for it, only erroring
if that access is not available
- Requires RX permissions on `/data` (R to read files, X to list files
and to be able to cd into the directory. This is important since
`/data` is the `WORKDIR`)
- Requires RWX permissions on `/data/packages`, so that we can list
packages, write packages, and read packages.
- When running in the default configuration (as root on Linux or
as the pypiserver-named rootish user on Mac), with no volumes
mounted, these requirements are all satisfied
- Volume mounts still must be readable by the pypiserver user (UID
9898) in order for the container to run. However, we now error early
if this is not the case, and direct users to a useful issue.
- If the container is run as a non-root, non-pypiserver user (e.g.
because someone ran `docker run --user=<user_id>`, we try to run
pypiserver as that user). Provided that user has access to the
necessary directories, it should run fine.
- Fixes issues with running help and similar commands
- Updates the Docker image to use `PYPISERVER_PORT` for port
specification, while still falling back to `PORT` for backwards
compatibility
- Moves some docker-related things into a `/docker` directory
- Adds a `Makefile` for building a test fixture package sdist and wheel,
so that test code can call `make mypkg` and not need to worry about it
potentially building multiple times
The only issue #359 raises that's not addressed here is the one of
running pypiserver in the Docker container using some non-default server
for performance. I would like to do some benchmarking before deciding on
what to do there.
@stephen-dexda pointed out in #341 that our update in #330 changed
the `chown` operation to apply to the entire `/data` directory,
rather than just `/data/packages`. For anyone who was previously
relying on a workflow like mounting a read-only secrets directory
into `/data` to host authentication information, this broke their
workflow.
This fix sets `entrypoint.sh` to only `chown` `/data/packages`, which
should ensure that the permissions issues resolved by #330 (e.g. #309)
remain fixed, while also fixing the issue in #341.
Resolves#264
Generally, pip doesn't need to be available for `pypiserver` to work
correctly, but the `-U` command to update packages requires it to be
importable. This ensures the `pip` module will be available in the final
image.
Thanks for your PR! I was wondering why everyone kept complaining about
`bcrypt`, when my local tests were succeeding just fine, so I spent
some time making the docker test script replicate the error.
Turns out the `.htpasswd` files I was generating were using md5, so they
were not triggering the error. The htpasswd file in this update does
use bcrypt encryption, so it triggers a 500 error on the previous
version of the Dockerfile.
I also updated the test to be a bit more thorough, validating an
authenticated upload in addition to just making sure the server is
running.
The only other change I made was to move `requirements.txt` into a more
specific `docker-requirements.txt` file, just to make it clear that its
intention is to be a part of the docker build and not the normal install
process.
