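# Base image used by both stages. The tag is mutable: for a reproducible build,
# pin it by digest as well (append @sha256:<digest of the reviewed image>).
ARG DOCKER_IMAGE=image-registry.apps.silver.devops.gov.bc.ca/e1e498-tools/wps-jobs-base:30-03-2026
# To build locally, point to a local base image you've already built (see wps-jobs-base)
# e.g. : docker build --build-arg DOCKER_IMAGE=wps-jobs-base:my-tag .

# Stage 1: Install Python packages. Nothing from this stage reaches the final image
# except what stage 2 copies out explicitly with COPY --from=builder.
FROM ${DOCKER_IMAGE} AS builder

# We don't want to run our app as root, so we define a worker user.
# USER_UID and USER_GID are declared but never referenced in this stage; the worker
# account itself presumably comes from the base image (confirm in wps-jobs-base).
ARG USERNAME=worker
ARG USER_UID=1010
ARG USER_GID=1010

# Switch to root for the steps that write outside the worker's reach.
USER 0

# Install uv. The image is referenced by tag only; add a digest
# (ghcr.io/astral-sh/uv:0.9.11@sha256:<digest>) so a re-pushed tag cannot change
# the binaries that end up in /bin.
COPY --from=ghcr.io/astral-sh/uv:0.9.11 /uv /uvx /bin/

# Create a directory for the jobs to run from, and grant worker access.
# One RUN, so the directory and its ownership land in the same layer.
RUN mkdir /app && chown "$USERNAME" /app
WORKDIR /app

# Switch back to our non-root user.
# NOTE: USER affects RUN, not COPY. Files copied from the build context are
# created as 0:0 unless --chown is given, which is why root is needed again
# below to change their mode.
USER $USERNAME

# Copy workspace configuration and package manifests
COPY ./backend/pyproject.toml /app/
COPY ./backend/uv.lock /app/
COPY ./backend/packages/wps-jobs/pyproject.toml /app/packages/wps-jobs/
COPY ./backend/packages/wps-shared/pyproject.toml /app/packages/wps-shared/
COPY ./backend/packages/wps-shared/src /app/packages/wps-shared/src
COPY ./backend/packages/wps-wf1/pyproject.toml /app/packages/wps-wf1/
COPY ./backend/packages/wps-wf1/src /app/packages/wps-wf1/src

# Switch to root to set file permissions
USER 0

# Make the manifests, the lockfile and the copied sources read-only, so the
# dependency install below (run as the worker) cannot rewrite what it resolves from.
RUN chmod 444 \
        /app/pyproject.toml \
        /app/uv.lock \
        /app/packages/wps-jobs/pyproject.toml \
        /app/packages/wps-shared/pyproject.toml \
        /app/packages/wps-wf1/pyproject.toml \
    && chmod -R a-w \
        /app/packages/wps-shared/src \
        /app/packages/wps-wf1/src

# Switch back to non-root user
USER $USERNAME

# Install dependencies using uv. --frozen installs exactly what uv.lock records
# and never re-resolves; --no-dev leaves development dependencies out.
RUN uv sync --frozen --no-dev --package wps-jobs

# Install setuptools required for GDAL build.
# NOTE(review): this install is outside uv.lock and has no version constraint, so
# the build picks up whatever release the index serves that day. Pin it to a
# reviewed version (or add it to the lockfile) to keep the build reproducible.
RUN uv pip install setuptools

# Get a python binding for gdal that matches the version of gdal we have installed.
# The requirement is quoted so the command substitution is passed as one word.
# --no-build-isolation builds against the environment's own setuptools (installed above).
RUN uv pip install --no-build-isolation --no-cache-dir --force-reinstall \
        "gdal==$(gdal-config --version)"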
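# Stage 2: Prepare the final image, including copying Python packages from Stage 1.
FROM ${DOCKER_IMAGE}

# We don't want to run our app as root, so we define a worker user.
# USER_UID and USER_GID are declared but never referenced in this stage.
ARG USERNAME=worker
ARG USER_UID=1010
ARG USER_GID=1010

# Switch to root
USER 0

# Install uv. Referenced by tag only; add a digest
# (ghcr.io/astral-sh/uv:0.9.11@sha256:<digest>) to pin the exact binaries.
COPY --from=ghcr.io/astral-sh/uv:0.9.11 /uv /uvx /bin/

# Create a directory for the app to run in, and grant worker access
RUN mkdir /app && chown "$USERNAME" /app
WORKDIR /app

# Copy workspace and package configuration
COPY --from=builder /app/pyproject.toml /app/
COPY --from=builder /app/packages/wps-jobs/pyproject.toml /app/packages/wps-jobs/
COPY --from=builder /app/packages/wps-shared/pyproject.toml /app/packages/wps-shared/
COPY --from=builder /app/packages/wps-wf1/pyproject.toml /app/packages/wps-wf1/

# Switch back to our non-root user.
# NOTE: USER does not change who owns files added by COPY; without --chown the
# files copied from the build context below are created as 0:0.
USER $USERNAME

# Copy the jobs from src layout:
COPY ./backend/packages/wps-jobs/src /app
COPY ./backend/packages/wps-shared/src /app/packages/wps-shared/src
COPY ./backend/packages/wps-wf1/src /app/packages/wps-wf1/src

# Copy installed Python packages. The virtual environment sits at /app/.venv in
# both stages, so paths recorded inside it stay valid.
COPY --from=builder /app/.venv /app/.venv

# Add .venv to PATH
ENV PATH="/app/.venv/bin:${PATH}"
# Set virtual env location
ENV VIRTUAL_ENV="/app/.venv"

# root user please
USER 0

# Create writable data directory for library caches (e.g., herbie BallTree).
# The runtime UID is not known at build time, so the directory is writable by
# everyone; the sticky bit (mode 1777, as on /tmp) means only the owner of an
# entry, or root, can rename or delete it.
# NOTE(review): if the platform always runs the container with GID 0, group
# ownership 0 plus group write would be narrower than world-writable — confirm
# against the deployment before tightening further.
RUN mkdir -p /data && chmod 1777 /data

# Remove write permissions from copied configuration and source files for security,
# then re-open only the directories where .pyc files have to be created.
# We don't know what user uv is going to run as, so every user gets write access to
# those directories. .pyc files are good, they speed up python.
#
# A read-only file inside a world-writable directory can still be renamed or
# replaced by any user, which would defeat the a-w above. The sticky bit (+t)
# closes that gap: any UID may create new entries such as __pycache__, but cannot
# rename or delete entries it does not own (/app/.venv, the sources, pyproject.toml).
# find -exec replaces the unquoted $(find ...) so directory names are passed to
# chmod intact even if they contain whitespace.
RUN chmod -R a-w \
        /app/pyproject.toml \
        /app/packages/wps-jobs/pyproject.toml \
        /app/weather_model_jobs \
        /app/packages/wps-shared/src \
        /app/packages/wps-wf1/src \
    && chmod a+w,+t /app \
    && find /app/weather_model_jobs -type d -exec chmod a+w,+t {} +

# Openshift runs with a random non-root user, so switching our user to 1001 allows us
# to test locally with similar conditions to what we may find in openshift.
USER 1001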