Fix audiowaveform isolation issues in API dockerfile
#4680
Comments
sarayourfriend
added
🟨 priority: medium
|
The comment this links to is outdated. We are no longer using Line 11 in d9215a2 Is the build process still unreliable, if we've pinned the version? To clarify I am not opposed to (rather very much in favour of) the idea, I only want to know more about the rationale behind the change. |
|
It's unreliable if The unreliability isn't from selecting the dependencies or the locations of things, it's from the fact that the binary is dynamically linked to libraries that it was never validated against (and in particular built versions of those libraries from a distribution almost explicitly incompatible with the Debian approach to things). |
Current Situation
Despite realies/audiowaveform building audiowaveform using
BUILD_STATIC=1, the output is still a dynamically linked binary. From within thelatestimage:The API Dockerfile copies these four libraries directly from the
realies/audiowaveformimage and overlays them on the base system. Theaudiowaveformbinary we copy out of that image was built and tested with those libraries. However, as noted in our API Dockerfile, because we runapt updateafter copying these libraries,audiowaveformmay not necessarily be running with the version of those libraries it was built and tested against.Suggested Improvement
I propose we resolve this once and for all as follows:
Instead of copying the binary as built from
realies/audiowaveform, download the Debian Bookworm .deb (the1.10.1-1-12_<arch>.debone, 12 indicating the Debian version) from https://github.com/bbc/audiowaveform/releases/tag/1.10.1 and install it alongside other system dependencies in our existingRUN apt [...]line. We should also specify the Bookworm variant of the python-slimtag, even though that is the default. The correct .deb needs to be pulled based on the architecture of the build host.The main complexity of this is ensuring the correct architecture .deb is downloaded depending on the build host. On the other hand, it would allow us to delete a huge portion of the API Dockerfile dedicated to copying (and making it possible to copy) the
audiowaveformbinary out ofrealies/audiowaveform. It also removes an intermediate middle dependency between us andaudiowaveform.Benefit
Resolve this minor edge case in API build stability.
Additional context
I also considered the following alternatives:
/opt/audiowaveform, and then setLD_LIBRARY_PATHwhen invokingaudiowaveform. Do this without needing to modify the Python code that calls the binary by creating a shim/usr/local/bin/audiowaveformalong the lines of...:LD_LIBRARY_PATH="/opt/audiowaveform/lib:/opt/audiowaveform/usr/lib" /opt/audiowaveform/usr/local/bin/audiowaveform "$@"-slimto-alpinevariant for the final Python image. The (partially) "static" build only leaves out standard library dependencies. These are essentially never going to change unlessaudiowaveformchanges to a new language. We could therefore assume that so long as we ensure libstdc++ and libgcc are installed withapkwhen we update the base system (trivial), we wouldn't need to copy these final linked libraries anymore. libc.musl will already be in the alpine base system.The first of these alternatives is, in theory, a smaller change, but might take some fiddling (I haven't actually tried it but it should work in theory as long as
ldworks the way it should!). The second might work, but I don't know whether the rest of our Python application runs on Alpine without issue.Overall, the approach I chose to propose moving forward with is the simplest both in the immediate way it can be implemented and in that it significantly simplifies our API Dockerfile. It is the safest and cleanest option, all things considered.
The text was updated successfully, but these errors were encountered: