Add python3 basecontainer

.github/workflows/build-python3.yaml

@@ -0,0 +1,50 @@
+---
+name: Build the Python3 container
+
+on:
+  push:
+    paths:
+      - "python3/**"
+      - ".github/workflows/build-python3.yaml"
+  schedule:
+    - cron: '0 7 * * *'
+  workflow_dispatch:
+
+jobs:
+  build-push-python3:
+    runs-on: "ubuntu-22.04"
+    permissions:
+      packages: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+        with:
+          platforms: "linux/amd64,linux/arm64"
+          # The latest version will lead to segmentation fault.
+          image: "tonistiigi/binfmt:qemu-v7.0.0-28"
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build and push
+        uses: docker/build-push-action@v6
+        with:
+          context: "./python3"
+          platforms: "linux/amd64,linux/arm64"
+          # only push the latest tag on the main branch
+          push: "${{ github.ref == 'refs/heads/main' }}"
+          tags: |
+            ghcr.io/openconext/openconext-basecontainers/python3:latest
+            ghcr.io/openconext/openconext-basecontainers/python3:${{ github.sha }}
+          cache-from: type=gha
+          cache-to: type=gha

python3/Dockerfile

@@ -0,0 +1,35 @@
+FROM docker.io/library/python:3.11-slim-bookworm
+
+# Do an initial clean up and general upgrade of the distribution
+ENV DEBIAN_FRONTEND=noninteractive
+RUN \
+    apt-get update                                    && \
+    apt-get -y dist-upgrade                           && \
+    apt-get -y install                                   \
+        build-essential                                  \
+        bzip2                                            \
+        curl                                             \
+        default-libmysqlclient-dev                       \
+        git                                              \
+        libxmlsec1-dev                                   \
+        pkgconf                                          \
+        python3-dev                                      \
+        util-linux                                       \
+        xz-utils                                         \
+        && \
+    apt-get -y autoremove                             && \
+    rm -rf /var/lib/apt/lists/* /var/cache/apt/*
+
+# if specified, drop privileges to this uid and gid
+ARG RUNAS_UID
+ARG RUNAS_GID
+
+# Copy the startup script
+RUN mkdir /container-init /container-init-post
+COPY --chmod=0755 ./bin/entrypoint.sh /entrypoint.sh
+
+# Set the default workdir
+WORKDIR /opt
+
+ENTRYPOINT ["/entrypoint.sh"]
+CMD ["python3"]

python3/bin/entrypoint.sh

@@ -0,0 +1,54 @@
+#!/usr/bin/env bash
+set -e
+
+# handle privilege dropping
+if [ $UID -ne 0 ]
+then
+    echo "This container need to run as root"
+    echo "Use USER/GROUP environment variables to specify the uid/gid to run as"
+
+    exit 1
+fi
+
+# run custom scripts before dropping privileges
+echo "Running custom scripts in /container-init as root"
+if [ -d "/container-init" ]
+then
+    # run all scripts using run-parts
+    run-parts --verbose --regex '.*' "/container-init"
+fi
+
+# set up privilege dropping to user and group
+PRIVDROP=
+if [ -n "$RUNAS_UID" ]
+then
+    if [ -n "$RUNAS_GID" ]
+    then
+        echo "Switching to user $RUNAS_UID and group $RUNAS_GID"
+        groupadd -g $RUNAS_GID openconext
+        useradd -M -u $RUNAS_UID -g $RUNAS_GID openconext
+        PRIVDROP="setpriv --reuid=openconext --regid=openconext --reset-env --clear-groups"
+    else
+        echo "Switching to user $RUNAS_UID"
+        useradd -M -u $RUNAS_UID openconext
+        PRIVDROP="setpriv --reuid=openconext --reset-env --clear-groups"
+fi
+    echo "Dropping privileges to $($PRIVDROP id -u):$($PRIVDROP id -g)"
+
+    # run custom scripts after dropping privileges
+    echo "Running custom scripts in /container-init-post as $RUNAS_UID"
+    if  [ -d "/container-init-post" ]
+    then
+        # run all scripts using run-parts
+        ${PRIVDROP} run-parts --verbose --regex '.*' "/container-init-post"
+    fi
+else
+    echo "Warning: not dropping privileges"
+    if [ -d "/container-init-post" ] && ! find /container-init-post/ -maxdepth 0 -empty
+    then
+        echo "Warning: not running scripts in /container-init-post as no user is specified"
+    fi
+fi
+
+# Hand off to the CMD
+exec ${PRIVDROP} "$@"