authorAlexander Mazuruk <a.mazuruk@samsung.com>2021-02-18 17:24:44 +0100
committerAlexander Mazuruk <a.mazuruk@samsung.com>2021-05-11 01:27:00 +0200
commite22e10e5aa858fe36db2580e072e5b53957117e9 (patch)
tree1560e4dc52ecf9835b34a10bc1f4415b68b2934f
parent031694bad1802a75918b9b97d5c34faac729f0c6 (diff)
Change python baseOS img to integration-python2.2.0
Moved setting PYTHONPATH and PATH to Dockerfile as thats where python version is defined (baseOS image) Switched hardcoded python3.8 to python3. psycopg is recommended to be built from source for production use, yet CI environment does not have the dependencies to build it. To circumvent that, requirements were split into: - requirements-common.txt that should be included for each environment - requirements-docker.txt that force building of psycopg in docker - requirements.txt that use psycopg-binary for ci purposes Benefits from switching over: * minimal {java11,python} images maintained by integration team * using currently "blessed by seccom" versions (:latest tag used) * should limit spread of legal issues across layers * integration images will be the first to have automated compliance documentation * should limit spread of base layers (contributing to deployment footprint - more base layers = more to download, more to store etc...) Issue-ID: INT-1864 Issue-ID: DCAEGEN2-2420 Signed-off-by: Alexander Mazuruk <a.mazuruk@samsung.com> Change-Id: I77be2fd9dd53613a1a6ad26f8f0b506073f1cca6
-rw-r--r--Changelog.md13
-rw-r--r--Dockerfile74
-rw-r--r--miss_htbt_service/misshtbt.sh16
-rw-r--r--miss_htbt_service/misshtbtd.py34
-rw-r--r--pom.xml3
-rw-r--r--requirements-common.txt8
-rw-r--r--requirements-docker.txt2
-rw-r--r--requirements.txt9
-rw-r--r--setup.py20
-rw-r--r--tox.ini2
-rw-r--r--version.properties4
11 files changed, 82 insertions, 103 deletions
diff --git a/Changelog.md b/Changelog.md
index 2256c28..fa33c15 100644
--- a/Changelog.md
+++ b/Changelog.md
@@ -4,4 +4,15 @@ All notable changes to this project will be documented in this file.
The format is based on [Keep a Changelog](http://keepachangelog.com/)
and this project adheres to [Semantic Versioning](http://semver.org/).
-## [2.1.1.] - 03/02/2021 \ No newline at end of file
+## [2.2.0.] - 07/04/2021
+### Changed
+- Switched to currently recommended version of docker integration-python:8.0.0.
+- Fix issues preventing running with py3.9
+- Bumped tested python versions to 3.8,3.9.
+### Security
+- Due to dependency update following were fixed:
+ - CVE-2020-14343 (PyYAML)
+ - CWE-93 (httplib2)
+ - CVE-2018-18074 (requests)
+
+## [2.1.1.] - 03/02/2021
diff --git a/Dockerfile b/Dockerfile
index fee54d1..2ff1e7a 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,57 +1,51 @@
-FROM python:3.8.2-alpine3.11
-MAINTAINER gs244f@att.com
+FROM nexus3.onap.org:10001/onap/integration-python:8.0.0
+LABEL maintainer="gs244f@att.com"
-ARG user=onap
-ARG group=onap
+ARG user=heartbeat
+ARG group=heartbeat
+USER root
RUN addgroup -S $group && adduser -S -D -h /home/$user $user $group && \
chown -R $user:$group /home/$user && \
- mkdir /var/log/$user && \
+ mkdir -p /var/log/$user && \
chown -R $user:$group /var/log/$user && \
- mkdir /app && \
+ mkdir -p /app && \
chown -R $user:$group /app
-
-WORKDIR /app
-#ADD . /tmp
-#RUN mkdir /tmp/config
+WORKDIR /app
EXPOSE 10002
-COPY ./miss_htbt_service/ ./bin/
-COPY ./etc/ ./etc/
-COPY requirements.txt ./
-COPY setup.py ./
-
-#need pip > 8 to have internal pypi repo in requirements.txt
-#do the install
-RUN apk add build-base libffi-dev postgresql-dev && \
+COPY --chown=$user:$group ./miss_htbt_service/ ./bin/
+COPY --chown=$user:$group ./etc/ ./etc/
+COPY --chown=$user:$group requirements-common.txt ./
+COPY --chown=$user:$group requirements-docker.txt ./
+COPY --chown=$user:$group setup.py ./
+
+# install build dependencies for python packages,
+# install python packages
+# remove build dependencies
+RUN apk add --no-cache --virtual build-deps \
+ build-base libffi-dev postgresql-dev \
+ openssl-dev musl-dev python3-dev curl && \
+ apk add --no-cache libpq && \
+ curl https://sh.rustup.rs -sSf | sh -s -- -y && \
+ export PATH="$HOME/.cargo/bin/:$PATH" && \
+ source $HOME/.cargo/env && \
pip install --upgrade pip && \
- pip install pyyaml --upgrade && \
- pip install -r requirements.txt && \
- pip install -e .
-
-RUN mkdir -p data \
- && mkdir -p logs \
- && mkdir -p tmp \
- && chown -R $user:$group . \
- && chmod a+w data \
- && chmod a+w logs \
- && chmod a+w tmp \
- && chmod a+w etc \
- && chmod 500 bin/*.py \
- && chmod 500 bin/*.sh \
- && chmod 500 bin/*/*.py
+ pip install -r requirements-docker.txt && \
+ mkdir -p data logs tmp && \
+ chown -R $user:$group . && \
+ chmod g+w data logs tmp etc && \
+ chmod -R 500 bin/*.py && \
+ chmod 500 bin/*.sh && \
+ apk del build-deps && \
+ rustup self uninstall -y
USER $user
VOLUME logs
CMD ["./bin/misshtbt.sh"]
-#ENV PYTHONPATH="/usr/local/lib/python3.6:/usr/local/lib/python3.6/site-packages:${PATH}"
-#ENV PYTHONPATH="/usr/local/lib/python3.6/site-packages:/usr/local/lib/python3.6"
-#ENV PYTHONPATH=/usr/local/lib/python3.6/site-packages:.
-#ENTRYPOINT ["/bin/python", "./bin/run.py"]
-#ENTRYPOINT ["/usr/bin/python","./bin/run.py" ]
-#ENTRYPOINT ["/usr/local/bin/python","./bin/misshtbtd.py" ]
-#ENTRYPOINT ["/bin/ls","-lR", "."]
+ENV PYTHONPATH="$PYTHONPATH:/usr/local/lib/python3.9/site-packages:/app/bin:/app/bin/mod"
+ENV PATH="$PATH:/app/bin:/app/bin/mod"
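Review bot: The `curl https://sh.rustup.rs -sSf | sh -s -- -y` step in the dependency `RUN` executes an unpinned, unverified script from the network as root on every build, so the toolchain that compiles the Python packages is whatever that endpoint serves at build time. A packaged toolchain avoids this: add `cargo` to the `build-deps` virtual package in place of `curl` and drop the `curl … | sh`, `export PATH`, `source $HOME/.cargo/env` and `rustup self uninstall -y` lines, so that `apk del build-deps` removes it. Whether the base image's Alpine release ships a recent enough Rust is not visible here; if it does not, download the installer to a file and compare it against a recorded SHA-256 before running it. Separately, `ENV PYTHONPATH` hard-codes `python3.9/site-packages` although the interpreter version is decided by the `integration-python:8.0.0` base, and `$PYTHONPATH` looks undefined at that point, which would leave an empty leading entry. `ENV PYTHONPATH="/app/bin:/app/bin/mod"` would avoid both, assuming the interpreter's own site-packages is already on its default path.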
diff --git a/miss_htbt_service/misshtbt.sh b/miss_htbt_service/misshtbt.sh
index c93da98..150eb4f 100644
--- a/miss_htbt_service/misshtbt.sh
+++ b/miss_htbt_service/misshtbt.sh
@@ -19,13 +19,7 @@
# ============LICENSE_END=========================================================
# get to where we are supposed to be for startup
-cd /app/bin
-
-# include path to 3.6+ version of python that has required dependencies included
-export PATH=/usr/local/lib/python3.8/bin:$PATH:/app/bin
-
-# expand search for python modules to include ./mod in runtime dir
-export PYTHONPATH=/usr/local/lib/python3.8/site-packages:./mod:./:$PYTHONPATH:/app/bin
+cd /app/bin || (echo "Failed to cd to /app/bin" && exit 1)
# set location of SSL certificates
export REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-bundle.crt
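Review bot: The `exit 1` in the new `cd /app/bin || (echo … && exit 1)` guard runs inside a `( … )` subshell, so it ends only the subshell and the script carries on from whatever directory it was started in (unless `set -e` is enabled earlier in the file, which is outside this hunk). Use a brace group so the exit applies to the script itself, and send the message to stderr: `cd /app/bin || { echo "Failed to cd to /app/bin" >&2; exit 1; }`.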
@@ -40,14 +34,14 @@ export REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-bundle.crt
#export CBS_HTBT_JSON=../etc/config.json
# want tracing? Use this:
-# python -m trace --trackcalls misshtbtd.py -v
+# python3 -m trace --trackcalls misshtbtd.py -v
# want verbose logging? Use this:
-# python misshtbtd.py -v
+# misshtbtd.py -v
# standard startup? Use this:
-# python misshtbtd.py
+# misshtbtd.py
# unbuffered io for logs and verbose logging? Use this:
-python -u misshtbtd.py -v
+python3 -u misshtbtd.py -v
diff --git a/miss_htbt_service/misshtbtd.py b/miss_htbt_service/misshtbtd.py
index f131cd1..1223308 100644
--- a/miss_htbt_service/misshtbtd.py
+++ b/miss_htbt_service/misshtbtd.py
@@ -50,18 +50,7 @@ from mod.trapd_exit import cleanup_and_exit
from mod.trapd_http_session import init_session_obj
hb_properties_file = path.abspath(path.join(__file__, "../config/hbproperties.yaml"))
-ip_address = "localhost"
-port_num = 5432
-user_name = "postgres"
-password = "postgres"
-db_name = "hb_vnf"
-cbs_polling_required = "true"
-cbs_polling_interval = 300
-mr_url = None
-pol_url = None
-update_db = 0
-jsfile='empty'
-import sys
+
ABSOLUTE_PATH1 = path.abspath(path.join(__file__, "../htbtworker.py"))
ABSOLUTE_PATH2 = path.abspath(path.join(__file__, "../db_monitoring.py"))
ABSOLUTE_PATH3 = path.abspath(path.join(__file__, "../check_health.py"))
@@ -69,7 +58,6 @@ ABSOLUTE_PATH4 = path.abspath(path.join(__file__, "../cbs_polling.py"))
def create_database(update_db, jsfile, ip_address, port_num, user_name, password, db_name):
from psycopg2 import connect
- import sys
try:
con = connect(user=user_name, host = ip_address, password = password)
database_name = db_name
@@ -196,30 +184,18 @@ def create_update_vnf_table_1(jsfile,update_db,connection_db):
_logger.info("MSHBT:Updated vnf_table_1 as per the json configuration file")
def hb_cbs_polling_process(pid_current):
- my_file = Path("./miss_htbt_service/cbs_polling.py")
-# if my_file.is_file():
- subprocess.call(["python3.8",ABSOLUTE_PATH4 , str(pid_current) ])
-# else:
-# subprocess.call(["python3.8",ABSOLUTE_PATH4 , str(pid_current) ])
+ subprocess.call([ABSOLUTE_PATH4 , str(pid_current) ])
sys.stdout.flush()
_logger.info("MSHBT:Creaated CBS polling process")
return
def hb_worker_process(config_file_path):
- my_file = Path("./miss_htbt_service/htbtworker.py")
-# if my_file.is_file():
- subprocess.call(["python3.8",ABSOLUTE_PATH1 , config_file_path ])
-# else:
-# subprocess.call(["python3.8",ABSOLUTE_PATH1 , config_file_path ])
+ subprocess.call([ABSOLUTE_PATH1 , config_file_path ])
sys.stdout.flush()
_logger.info("MSHBT:Creaated Heartbeat worker process")
return
def db_monitoring_process(current_pid,jsfile):
- my_file = Path("./miss_htbt_service/db_monitoring.py")
-# if my_file.is_file():
- subprocess.call(["python3.8",ABSOLUTE_PATH2 , str(current_pid),jsfile])
-# else:
-# subprocess.call(["python3.8",ABSOLUTE_PATH2 , str(current_pid),jsfile])
+ subprocess.call([ABSOLUTE_PATH2 , str(current_pid),jsfile])
sys.stdout.flush()
_logger.info("MSHBT:Creaated DB Monitoring process")
return
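Review bot: `subprocess.call([ABSOLUTE_PATH4, str(pid_current)])` now executes the `.py` file directly, so startup depends on each script carrying a shebang and an execute bit for the running user, and the interpreter becomes whatever that shebang resolves to rather than the one running `misshtbtd.py`. The shebangs and repository file modes of those scripts are not part of this diff; the Dockerfile sets mode 500 inside the image, but runs outside the image would rely on the checked-in modes. Keeping the interpreter explicit without the hard-coded version removes that dependency: `subprocess.call([sys.executable, ABSOLUTE_PATH4, str(pid_current)])`. The same applies to the `ABSOLUTE_PATH1` and `ABSOLUTE_PATH2` calls in this hunk and to the `Popen([ABSOLUTE_PATH3], …)` call in `main()`. The return code of each call is also discarded, so a worker that fails to start is still logged as created.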
@@ -341,7 +317,7 @@ _logger = get_logger.get_logger(__name__)
def main():
try:
- p = subprocess.Popen(['python3.8',ABSOLUTE_PATH3],stdout=subprocess.PIPE,stderr=subprocess.STDOUT)
+ subprocess.Popen([ABSOLUTE_PATH3], stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
_logger.info("MSHBD:Execution Started")
job_list = []
pid_current = os.getpid()
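Review bot: The `Popen` for `ABSOLUTE_PATH3` keeps `stdout=subprocess.PIPE` while the returned handle is now discarded, so nothing can ever read that pipe. If the health-check process writes more than the pipe buffer holds it will block, and its output is lost either way. If the output is not needed, `stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL` says so explicitly; otherwise drop both arguments so the child inherits the parent's streams and its messages reach the container log. `main()` continues past the end of this hunk.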
diff --git a/pom.xml b/pom.xml
index 8a688c3..85ce88b 100644
--- a/pom.xml
+++ b/pom.xml
@@ -2,6 +2,7 @@
<!--
================================================================================
Copyright (c) 2017 AT&T Intellectual Property. All rights reserved.
+Copyright (c) 2021 Samsung Electronics. All rights reserved.
================================================================================
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
@@ -36,7 +37,7 @@ limitations under the License.
<groupId>org.onap.dcaegen2.services</groupId>
<artifactId>heartbeat</artifactId>
<name>dcaegen2-services-heartbeat</name>
- <version>2.1.1</version>
+ <version>2.2.0</version>
<properties>
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
<sonar.sources>.</sonar.sources>
diff --git a/requirements-common.txt b/requirements-common.txt
new file mode 100644
index 0000000..e8a2fe7
--- /dev/null
+++ b/requirements-common.txt
@@ -0,0 +1,8 @@
+requests==2.23.0
+onap_dcae_cbs_docker_client==1.0.1
+six==1.15.0
+PyYAML==5.4
+httplib2==0.19.0
+HTTPretty==1.0.5
+pyOpenSSL==20.0.1
+Wheel==0.36.2
diff --git a/requirements-docker.txt b/requirements-docker.txt
new file mode 100644
index 0000000..a399877
--- /dev/null
+++ b/requirements-docker.txt
@@ -0,0 +1,2 @@
+-r requirements-common.txt
+psycopg2==2.8.6 --no-binary psycopg2
diff --git a/requirements.txt b/requirements.txt
index d72592f..cbc91a0 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,9 +1,2 @@
-requests==2.23.0
-onap_dcae_cbs_docker_client==1.0.1
-six==1.15.0
-PyYAML==5.4
-httplib2==0.19.0
-HTTPretty==1.0.5
-pyOpenSSL==20.0.1
-Wheel==0.36.2
+-r requirements-common.txt
psycopg2-binary==2.8.6
diff --git a/setup.py b/setup.py
index 02990bf..4df5a29 100644
--- a/setup.py
+++ b/setup.py
@@ -35,19 +35,19 @@ from setuptools import setup, find_packages
setup(
name='miss_htbt_service',
description='Missing heartbeat microservice to communicate with policy-engine',
- version='2.1.1',
+ version='2.2.0',
#packages=find_packages(exclude=["tests.*", "tests"]),
packages=find_packages(),
install_requires=[
-"requests==2.23.0",
-"onap_dcae_cbs_docker_client==1.0.1",
-"six==1.15.0",
-"PyYAML==5.4",
-"httplib2==0.19.0",
-"HTTPretty==1.0.5",
-"pyOpenSSL==20.0.1",
-"Wheel==0.36.2",
-"psycopg2-binary==2.8.6"
+ "requests==2.23.0",
+ "onap_dcae_cbs_docker_client==1.0.1",
+ "six==1.15.0",
+ "PyYAML==5.4",
+ "httplib2==0.19.0",
+ "HTTPretty==1.0.5",
+ "pyOpenSSL==20.0.1",
+ "Wheel==0.36.2",
+ "psycopg2-binary==2.8.6"
],
author = "Vijay Venkatesh Kumar",
author_email = "vv770d@att.com",
diff --git a/tox.ini b/tox.ini
index 9fc6063..9dcf73f 100644
--- a/tox.ini
+++ b/tox.ini
@@ -1,6 +1,6 @@
# content of: tox.ini , put in same dir as setup.py
[tox]
-envlist = py37,py38
+envlist = py38,py39
[testenv]
deps=
diff --git a/version.properties b/version.properties
index 3c5fba7..3ad2137 100644
--- a/version.properties
+++ b/version.properties
@@ -1,6 +1,6 @@
major=2
-minor=1
-patch=1
+minor=2
+patch=0
base_version=${major}.${minor}.${patch}
release_version=${base_version}
snapshot_version=${base_version}-SNAPSHOT