Copy data into container instead of mounting volumes.

This helps if Docker/Podman runs as a different user.

Other changes:
* Detect Git commit
* Fixed log levels (stdout/stderr can be used for different purposes)
* Stop container on termination
* Allow to use a prebuilt repository cache
* Migrated to ubi9 where possible

Author: zlogic

Dockerfile

@@ -26,6 +26,12 @@ COPY $BUILD_PATH /opt/mendix/build
 # Use nginx supplied by the base OS
 ENV NGINX_CUSTOM_BIN_PATH=/usr/sbin/nginx
 
+# Set the user ID
+ARG USER_UID=1001
+
+# Copy start scripts
+COPY scripts/startup.py scripts/vcap_application.json /opt/mendix/build/
+
 # Each comment corresponds to the script line:
 # 1. Create cache directory and directory for dependencies which can be shared
 # 2. Set permissions for compilation scripts
@@ -35,45 +41,25 @@ ENV NGINX_CUSTOM_BIN_PATH=/usr/sbin/nginx
 # 6. Create symlink for java prefs used by CF buildpack
 # 7. Update ownership of /opt/mendix so that the app can run as a non-root user
 # 8. Update permissions of /opt/mendix so that the app can run as a non-root user
-RUN mkdir -p /tmp/buildcache /tmp/cf-deps /var/mendix/build /var/mendix/build/.local &&\
-    chmod +rx /opt/mendix/buildpack/compilation.py /opt/mendix/buildpack/git /opt/mendix/buildpack/buildpack/stage.py &&\
+RUN mkdir -p /tmp/buildcache/bust /tmp/cf-deps /var/mendix/build /var/mendix/build/.local &&\
+    chmod +rx /opt/mendix/buildpack/compilation.py /opt/mendix/buildpack/buildpack/stage.py /opt/mendix/build/startup.py &&\
     cd /opt/mendix/buildpack &&\
     ./compilation.py /opt/mendix/build /tmp/buildcache /tmp/cf-deps 0 &&\
-    rm -fr /tmp/buildcache /tmp/javasdk /tmp/opt /tmp/downloads /opt/mendix/buildpack/compilation.py /opt/mendix/buildpack/git &&\
+    rm -fr /tmp/buildcache /tmp/javasdk /tmp/opt /tmp/downloads /opt/mendix/buildpack/compilation.py /var/mendix &&\
     ln -s /opt/mendix/.java /opt/mendix/build &&\
-    chown -R ${USER_UID}:0 /opt/mendix /var/mendix &&\
-    chmod -R g=u /opt/mendix /var/mendix
+    chown -R ${USER_UID}:0 /opt/mendix &&\
+    chmod -R g=u /opt/mendix
 
 FROM ${ROOTFS_IMAGE}
 LABEL Author="Mendix Digital Ecosystems"
 LABEL maintainer="digitalecosystems@mendix.com"
 
-# Set the user ID
-ARG USER_UID=1001
 # Set the home path
 ENV HOME=/opt/mendix/build
 
 # Add the buildpack modules
 ENV PYTHONPATH "/opt/mendix/buildpack/lib/:/opt/mendix/buildpack/:/opt/mendix/buildpack/lib/python3.11/site-packages/"
 
-# Copy start scripts
-COPY scripts/startup.py scripts/vcap_application.json /opt/mendix/build/
-
-# Create vcap home directory for Datadog configuration
-RUN mkdir -p /home/vcap /opt/datadog-agent/run &&\
-    chown -R ${USER_UID}:0 /home/vcap /opt/datadog-agent/run &&\
-    chmod -R g=u /home/vcap /opt/datadog-agent/run
-
-# Each comment corresponds to the script line:
-# 1. Make the startup script executable
-# 2. Update ownership of /opt/mendix so that the app can run as a non-root user
-# 3. Update permissions of /opt/mendix so that the app can run as a non-root user
-# 4. Ensure that running Java 8 as root will still be able to load offline licenses
-RUN chmod +rx /opt/mendix/build/startup.py &&\
-    chown -R ${USER_UID}:0 /opt/mendix &&\
-    chmod -R g=u /opt/mendix &&\
-    ln -s /opt/mendix/.java /root
-
 USER ${USER_UID}
 
 # Copy build artifacts from build container

build.py

@@ -45,24 +45,36 @@ def extract_zip(mda_file):
         zip_file.extractall(temp_dir.name)
     return temp_dir
 
+BUILDER_PROCESS = None
+def stop_processes():
+    if BUILDER_PROCESS is not None:
+        proc = BUILDER_PROCESS
+        proc.terminate()
+        proc.communicate()
+        proc.wait()
+
 def container_call(args):
     build_executables = ['podman', 'docker']
     build_executable = None
+    logger_stdout = None
+    logger_stderr = None
     for builder in build_executables:
-        builder = shutil.which(builder)
-        if builder is not None:
-            build_executable = builder
+        build_executable = shutil.which(builder)
+        if build_executable is not None:
+            logger_stderr = logging.getLogger(builder + '-stderr')
+            logger_stdout = logging.getLogger(builder + '-stdout')
             break
     if build_executable is None:
         raise Exception('Cannot find Podman or Docker executable')
     proc = subprocess.Popen([build_executable] + args, stdout=subprocess.PIPE, stderr=subprocess.PIPE, universal_newlines=True)
+    BUILDER_PROCESS = proc
 
     sel = selectors.DefaultSelector()
     sel.register(proc.stdout, selectors.EVENT_READ)
     sel.register(proc.stderr, selectors.EVENT_READ)
-    logger = logging.getLogger(build_executable)
 
-    last_line = None
+    last_line_stdout = None
+    last_line_stderr = None
     stderr_open, stderr_open = True, True
     while stderr_open or stderr_open:
         for key, _ in sel.select():
@@ -75,67 +87,137 @@ def container_call(args):
                 continue
             data = data.rstrip()
             if key.fileobj is proc.stdout:
-                last_line = data
-                logger.info(data)
+                last_line_stdout = data
+                logger_stdout.info(data)
             elif key.fileobj is proc.stderr:
-                logger.error(data)
+                last_line_stderr = data
+                # stderr is mostly used for progress notifications, not errors
+                logger_stderr.info(data)
 
     sel.close()
+    BUILDER_PROCESS = None
     if proc.wait() != 0:
-        raise Exception('Builder returned with error')
-    return last_line
+        raise Exception(f"Builder returned with error: {last_line_stderr}")
+    return last_line_stdout
+
+def pull_image(image_url):
+    try:
+        container_call(['image', 'pull', image_url])
+        return image_url
+    except:
+        return None
+
+def delete_container(container_id):
+    try:
+        container_call(['container', 'rm', '--force', container_id])
+    except Exception as e:
+        logging.warning('Failed to delete container {}: {}'.format(container_id, e))
+
+def build_mpr_builder(mx_version, dotnet, artifacts_repository=None):
+    builder_image_tag = f"mxbuild-{mx_version}-{dotnet}-{platform.machine()}"
+    builder_image_url = None
+    if artifacts_repository is not None:
+        builder_image_url = f"{artifacts_repository}:{builder_image_tag}"
+        image_hash = pull_image(builder_image_url)
+        if image_hash is not None:
+            return builder_image_url
 
-def build_mpr_builder(mx_version, dotnet):
     prefix = ''
     if platform.machine() == 'arm64' and dotnet == 'dotnet':
         prefix = 'arm64-'
 
     mxbuild_filename = f"{prefix}mxbuild-{mx_version}.tar.gz"
     mxbuild_url = f"https://download.mendix.com/runtimes/{mxbuild_filename}"
 
-    # TODO: build image only if it doesn't exist yet
-    return container_call(['build',
-                                    '--build-arg', f"MXBUILD_DOWNLOAD_URL={mxbuild_url}",\
-                                    '--file', f"mxbuild/rootfs-mxbuild-{dotnet}.dockerfile",
-                                    'mxbuild'])
-
-def build_mpr(source_dir, mpr_file):
-    print(f"MPR file {mpr_file}")
+    build_args = ['--build-arg', f"MXBUILD_DOWNLOAD_URL={mxbuild_url}",
+                  '--file', f"mxbuild/{dotnet}.dockerfile"]
+    if artifacts_repository is not None:
+        build_args += ['--tag', builder_image_url]
+
+    image_id = container_call(['image', 'build'] + build_args + ['mxbuild'])
+    if artifacts_repository is not None:
+        try:
+            container_call(['image', 'push', builder_image_url])
+        except Exception as e:
+            logging.warning('Failed to push mxbuild into artifacts repository: {}; continuing with the build'.format(e))
+    return image_id
+
+def get_git_commit(source_dir):
+    git_head = os.path.join(source_dir, '.git', 'HEAD')
+    if not os.path.isfile(git_head):
+        return None
+    with open(git_head) as git_head:
+        git_head_line = git_head.readline().split()
+        if len(git_head_line) == 1:
+            # Detached commit
+            return git_head_line[0]
+        if len(git_head_line) > 2:
+            return Exception(f"Unsupported Git HEAD format {git_head_line}")
+        git_branch = git_head_line[1].split('/')
+        git_branch_file = os.path.join(*([source_dir, '.git'] + git_branch))
+        if not os.path.isfile(git_branch_file):
+            return Exception('Git branch file doesn\'t exist')
+        with open(git_branch_file) as git_branch_file:
+            return git_branch_file.readline()
+
+
+def build_mpr(source_dir, mpr_file, destination, artifacts_repository=None):
     cursor = sqlite3.connect(mpr_file).cursor()
     cursor.execute("SELECT _ProductVersion FROM _MetaData LIMIT 1")
     mx_version = cursor.fetchone()[0]
     mx_version_value = parse_version(mx_version)
-    logging.debug("Detected Mendix version {}".format(mx_version_value))
-    if mx_version_value >= (10, 0, 0, 0):
-        builder_image = build_mpr_builder(mx_version, 'dotnet')
-        build_result = container_call(['run', '--volume', os.path.abspath(source_dir)+':/workdir/project:rw', builder_image])
-    else:
-        builder_image = build_mpr_builder(mx_version, 'mono')
-        build_result = container_call(['run', '--volume', os.path.abspath(source_dir)+':/workdir/project:rw', builder_image])
-    raise Exception('TODO')
+    logging.debug('Detected Mendix version {}'.format('.'.join(map(str,mx_version_value))))
+    dotnet = 'dotnet' if mx_version_value >= (10, 0, 0, 0) else 'mono'
+    builder_image = build_mpr_builder(mx_version, dotnet, artifacts_repository)
+    model_version = get_git_commit(source_dir)
+    model_version = 'unversioned' if model_version is None else model_version
+
+    container_id = container_call(['container', 'create', builder_image, os.path.basename(mpr_file), model_version])
+    atexit.register(delete_container, container_id)
+    container_call(['container', 'cp', os.path.abspath(source_dir)+'/.', f"{container_id}:/workdir/project"])
+    build_result = container_call(['start', '--attach', '--interactive', container_id])
+
+    temp_dir = tempfile.TemporaryDirectory(prefix='mendix-docker-buildpack')
+    container_call(['container', 'cp', f"{container_id}:/workdir/output.mda", temp_dir.name])
+    with zipfile.ZipFile(os.path.join(temp_dir.name, 'output.mda')) as zip_file:
+        zip_file.extractall(destination)
 
 def parse_version(version):
     return tuple([ int(n) for n in version.split('.') ])
 
-def prepare_mda(source_dir):
-    mpk_file = find_default_file(source_dir, '.mpk')
+def prepare_destination(destination_path):
+    with os.scandir(destination_path) as entries:
+        for entry in entries:
+            if entry.is_dir() and not entry.is_symlink():
+                shutil.rmtree(entry.path)
+            else:
+                os.remove(entry.path)
+    project_path = os.path.join(destination_path, 'project')
+    os.mkdir(project_path, 0o755)
+    shutil.copytree('scripts', os.path.join(destination_path, 'scripts'))
+    shutil.copyfile('Dockerfile', os.path.join(destination_path, 'Dockerfile'))
+    return project_path
+
+def prepare_mda(source_path, destination_path, artifacts_repository=None):
+    destination_path = prepare_destination(destination_path)
+    mpk_file = find_default_file(source_path, '.mpk')
     extracted_dir = None
     if mpk_file is not None:
         extracted_dir = extract_zip(mpk_file)
-        source_dir = extracted_dir.name
-    mpr_file = find_default_file(source_dir, '.mpr')
+        source_path = extracted_dir.name
+    mpr_file = find_default_file(source_path, '.mpr')
     if mpr_file is not None:
-        return build_mpr(source_dir, mpr_file)
-    mda_file = find_default_file(source_dir, '.mda')
+        source_path = os.path.abspath(os.path.join(mpr_file, os.pardir))
+        return build_mpr(source_path, mpr_file, destination_path, artifacts_repository)
+    mda_file = find_default_file(source_path, '.mda')
     if mda_file is not None:
-        extracted_dir = extract_zip(mda_file)
-        source_dir = extracted_dir.name
-    extracted_mda_file = get_metadata_value(source_dir)
-    # TODO: pre-download MxRuntime & place into CF Buildpack's cache dir
+        with zipfile.ZipFile(mda_file) as zip_file:
+            zip_file.extractall(project_path)
+    extracted_mda_file = get_metadata_value(destination_path)
     if extracted_mda_file is not None:
-        return source_dir
+        return destination_path
     else:
-        raise Exception('No supported files found in source dir')
+        raise Exception('No supported files found in source path')
 
 def build_image(mda_dir):
     # TODO: build the full image, or just copy MDA into destination?
@@ -144,15 +226,22 @@ def build_image(mda_dir):
     mx_version = mda_metadata['RuntimeVersion']
     java_version = mda_metadata.get('JavaVersion', 11)
     print(mda_metadata['RuntimeVersion'])
+    print(mda_metadata['JavaVersion'])
 
 if __name__ == '__main__':
-    parser = argparse.ArgumentParser(description='Build a Docker image of a Mendix app')
-    parser.add_argument('source_dir',  metavar='source_dir', type=pathlib.Path, help='Path to source Mendix app (MDA file, MPK file, MPR directory or extracted MDA directory)')
-
-    # TODO: allow to specify Podman args and replace URLs
+    parser = argparse.ArgumentParser(description='Build a Mendix app')
+    parser.add_argument('--source', metavar='source', required=True, nargs='?', type=pathlib.Path, help='Path to source Mendix app (MDA file, MPK file, MPR directory or extracted MDA directory)')
+    parser.add_argument('--destination', metavar='destination', required=True, nargs='?', type=pathlib.Path, help='Destination for MDA')
+    parser.add_argument('--artifacts-repository', required=False, nargs='?', metavar='artifacts_repository', type=str, help='Repository to use for caching build images')
+    parser.add_argument('action', metavar='action', choices=['build-mda'], help='Action to perform')
 
     args = parser.parse_args()
 
-    mda_dir = prepare_mda(args.source_dir)
-    build_image(mda_dir)
+    atexit.register(stop_processes)
+    try:
+        prepare_mda(args.source, args.destination, args.artifacts_repository)
+    except KeyboardInterrupt:
+        stop_processes()
+        raise
+    # build_image(args.destination)
 

mxbuild/build

@@ -1,5 +1,7 @@
 #!/bin/sh
 set -e
+MPR_FILENAME=$1
+MODEL_VERSION=$2
 
 # Required to allow using deprecated checksums
 export OPENSSL_ENABLE_SHA1_SIGNATURES=1
@@ -16,7 +18,7 @@ cd /workdir
 if [ -f /workdir/project ]; then
     JAVA_VERSION=$(cat java-version)
 elif [ -f /opt/mendix/modeler/mx ]; then
-    JAVA_VERSION=$(/opt/mendix/modeler/mx dump-mpr --unit-type 'Settings$ProjectSettings' /workdir/project/*.mpr | \
+    JAVA_VERSION=$(/opt/mendix/modeler/mx dump-mpr --unit-type 'Settings$ProjectSettings' /workdir/project/${MPR_FILENAME} | \
          jq -r '.units[] | select(.["$Type"]=="Settings$ProjectSettings") | .["settingsParts"][] | select(.["$Type"]=="Settings$RuntimeSettings").javaVersion | if (. == null or . == "null") then "Java11" else . end')
 else
     JAVA_VERSION=11
@@ -31,4 +33,4 @@ $MXBUILD_COMMAND \
     --target=package \
     --java-home=${JDK_HOME} --java-exe-path=${JDK_HOME}/bin/java \
     --model-version=${MODEL_VERSION} \
-    --output=/workdir/output.mda /workdir/project/*.mpr
+    --output=/workdir/output.mda /workdir/project/${MPR_FILENAME}

mxbuild/rootfs-mxbuild-dotnet.dockerfile mxbuild/dotnet.dockerfilemxbuild/rootfs-mxbuild-dotnet.dockerfile renamed to mxbuild/dotnet.dockerfile

@@ -26,8 +26,7 @@ COPY --chown=0:0 --chmod=0755 build /opt/mendix/build
 
 # Prepare build context
 ENV HOME /workdir
-RUN mkdir -p /workdir/project &&\
-    mkdir -p /workdir/.local/share/Mendix &&\
+RUN mkdir -p /workdir/project /workdir/output /workdir/.local/share/Mendix &&\
     chown -R ${USER_UID}:${USER_UID} /workdir &&\
     chmod -R 755 /workdir
 

mxbuild/rootfs-mxbuild-mono.dockerfile mxbuild/mono.dockerfilemxbuild/rootfs-mxbuild-mono.dockerfile renamed to mxbuild/mono.dockerfile

@@ -27,8 +27,7 @@ COPY --chown=0:0 --chmod=0755 build /opt/mendix/build
 
 # Prepare build context
 ENV HOME /workdir
-RUN mkdir -p /workdir/project &&\
-    mkdir -p /workdir/.local/share/Mendix &&\
+RUN mkdir -p /workdir/project /workdir/output /workdir/.local/share/Mendix &&\
     chown -R ${USER_UID}:${USER_UID} /workdir &&\
     chmod -R 755 /workdir
 

rootfs-app.dockerfile

@@ -1,6 +1,6 @@
 # Dockerfile to create a Mendix Docker image based on either the source code or
 # Mendix Deployment Archive (aka mda file)
-FROM --platform=linux/amd64 registry.access.redhat.com/ubi8/ubi-minimal:latest
+FROM registry.access.redhat.com/ubi9/ubi-minimal:latest
 #This version does a full build originating from the Ubuntu Docker images
 LABEL Author="Mendix Digital Ecosystems"
 LABEL maintainer="digitalecosystems@mendix.com"
@@ -11,20 +11,34 @@ ENV LC_ALL C.UTF-8
 
 # install dependencies & remove package lists
 RUN microdnf update -y && \
-    microdnf module enable nginx:1.20 -y && \
+    microdnf module enable nginx:1.24 -y && \
     microdnf install -y glibc-langpack-en python311 openssl nginx nginx-mod-stream java-11-openjdk-headless java-17-openjdk-headless java-21-openjdk-headless tzdata-java fontconfig binutils && \
     microdnf clean all && rm -rf /var/cache/yum
 
+# Set the user ID
+ARG USER_UID=1001
+
 # Set nginx permissions
 RUN touch /run/nginx.pid && \
-    chown -R 1001:0 /var/log/nginx /var/lib/nginx /run &&\
+    chown -R ${USER_UID}:0 /var/log/nginx /var/lib/nginx /run &&\
     chmod -R g=u /var/log/nginx /var/lib/nginx /run
 
-# Set python alias to python3 (required for Datadog)
-RUN alternatives --set python /usr/bin/python3
+# Set python alias to Python 3.11 to avoid using Java version
+RUN if [ -f /usr/bin/python ] ; then rm /usr/bin/python; fi &&\
+    if [ -f /usr/bin/python3 ] ; then rm /usr/bin/python3 ; fi &&\
+    ln -s /usr/bin/python3.11 /usr/bin/python3 &&\
+    ln -s /usr/bin/python3.11 /usr/bin/python
 
-# Set the user ID
-ARG USER_UID=1001
+# Create vcap home directory for Datadog configuration
+RUN mkdir -p /home/vcap /opt/datadog-agent/run &&\
+    chown -R ${USER_UID}:0 /home/vcap /opt/datadog-agent/run &&\
+    chmod -R g=u /home/vcap /opt/datadog-agent/run
+
+# Prepare home directory and set permissions
+RUN mkdir -p /opt/mendix &&\
+    chown -R ${USER_UID}:0 /opt/mendix &&\
+    chmod -R g=u /opt/mendix &&\
+    ln -s /opt/mendix/.java /root
 
 # Create user (for non-OpenShift clusters)
 RUN echo "mendix:x:${USER_UID}:${USER_UID}:mendix user:/opt/mendix/build:/sbin/nologin" >> /etc/passwd