From 90720bc2c50fc6c6ace637ea819239732113fed6 Mon Sep 17 00:00:00 2001
From: "Mitch Harding (the weird one)"
Date: Sat, 15 Feb 2025 21:59:12 -0500
Subject: [PATCH] CASMCMS-9282: Bump Alpine version from 3.15 to 3.21; use Python venv
---
 CHANGELOG.md | 2 ++
 Dockerfile | 24 ++++++++++++++----------
 2 files changed, 16 insertions(+), 10 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 37e4200..8fc7cfe 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -15,6 +15,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Dependencies
 - CASMCMS-9288: Use centralized requests_retry_session
+- CASMCMS-9282: Bump Alpine version from 3.15 to 3.21, because 3.15 no longer receives security patches;
+ Use Python venv inside Docker image.
 ## [1.25.0] - 01/31/2025
 ### Changed
diff --git a/Dockerfile b/Dockerfile
index 7ebc0e5..1f12205 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -22,7 +22,7 @@
 # OTHER DEALINGS IN THE SOFTWARE.
 #
 # Generate API
-FROM openapitools/openapi-generator-cli:v7.8.0 as codegen
+FROM openapitools/openapi-generator-cli:v7.8.0 AS codegen
 WORKDIR /app
 COPY api/openapi.yaml api/openapi.yaml
 COPY config/autogen-server.json config/autogen-server.json
@@ -34,25 +34,29 @@ RUN /usr/local/bin/docker-entrypoint.sh generate \
 -c config/autogen-server.json
 # Base image
-FROM artifactory.algol60.net/csm-docker/stable/docker.io/library/alpine:3.15 as base
+FROM artifactory.algol60.net/csm-docker/stable/docker.io/library/alpine:3.21 AS base
 WORKDIR /app
+ENV VIRTUAL_ENV=/app/venv
 COPY --from=codegen /app .
 COPY constraints.txt requirements.txt ./
+RUN apk add --upgrade --no-cache apk-tools && \
+ apk update && \
+ apk add --no-cache gcc python3 python3-dev py3-pip musl-dev libffi-dev openssl-dev git && \
+ apk -U upgrade --no-cache && \
+ python3 -m venv $VIRTUAL_ENV
+ENV PATH="$VIRTUAL_ENV/bin:$PATH"
 # The openapi-generator creates a requirements file that specifies exactly Flask==2.1.1
 # However, using Flask 2.2.5 is also compatible, and resolves a CVE.
 # Accordingly, we relax their requirements file.
 RUN --mount=type=secret,id=netrc,target=/root/.netrc \
 cat lib/server/requirements.txt && \
 sed -i 's/Flask == 2\(.*\)$/Flask >= 2\1\nFlask < 3/' lib/server/requirements.txt && \
- cat lib/server/requirements.txt && \
- apk add --upgrade --no-cache apk-tools && \
- apk update && \
- apk add --no-cache gcc python3-dev py3-pip musl-dev libffi-dev openssl-dev git && \
- apk -U upgrade --no-cache && \
+ cat lib/server/requirements.txt && \
 pip3 list --format freeze && \
- pip3 install --no-cache-dir -U pip && \
+ pip3 install --no-cache-dir -U pip -c constraints.txt && \
+ pip3 install --no-cache-dir --disable-pip-version-check -U setuptools wheel -c constraints.txt && \
 pip3 list --format freeze && \
- pip3 install --no-cache-dir -r requirements.txt && \
+ pip3 install --no-cache-dir --disable-pip-version-check -r requirements.txt && \
 pip3 list --format freeze
 COPY src/server/cray/cfs/__init__.py lib/server/cray/cfs
 COPY src/server/cray/cfs/api/controllers lib/server/cray/cfs/api/controllers
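Review bot: The new `RUN apk add ...` layer installs gcc, python3-dev, musl-dev, libffi-dev, openssl-dev and git into `base`, and the later `FROM base AS application` stage inherits all of them, so the compiler toolchain and git ship in the runtime image. Now that the dependencies live in `/app/venv`, the venv could be built in a separate builder stage and only `/app/venv` plus `python3` carried into the runtime stage; that would need changes outside this hunk. Within the hunk, `apk update` is redundant next to `--no-cache` and writes the package index into the layer, so it can be dropped. The final `pip3 install ... -r requirements.txt` does not pass `-c constraints.txt` like the two installs before it; unless requirements.txt references the constraints file itself (not visible here), consider `pip3 install --no-cache-dir --disable-pip-version-check -r requirements.txt -c constraints.txt`.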
@@ -67,7 +71,7 @@ COPY src/server/cray/cfs/api/__main__.py \
 COPY src/server/cray/cfs/utils lib/server/cray/cfs/utils
 # Application Image
-FROM base as application
+FROM base AS application
 ENV PYTHONPATH "/app/lib/server"
 WORKDIR /app/
 EXPOSE 9000