
Gnocchi

The gnocchi image is built from ContainerFiles/gnocchi. Security patches are applied by scripts/gnocchi-cve-patching.sh.

This container packages the Gnocchi metric storage service for use in the stack. The build installs the required packages, applies security updates and configuration, and prepares the service for integration.

graph LR
    A[Base image] --> B[Install packages]
    B --> C[Apply CVE patches]
    C --> D[Configure Gnocchi]
    D --> E[Container ready]
    Ceph_Libs --> A
ContainerFile used for the build
# syntax = docker/dockerfile:1
# This Dockerfile uses multi-stage build to customize DEV and PROD images:
# https://docs.docker.com/develop/develop-images/multistage-build/

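# Build stage: installs Gnocchi and its Python dependencies into the
# /var/lib/openstack virtualenv shipped by the ceph-libs base image.
# NOTE(review): the default tag ends in "-latest" and is presumably a moving
# tag; pin the base by digest (...ceph-libs@sha256:<digest>) so a rebuild
# cannot silently pick up different content.
ARG CEPH_TAG=v19.2.2-latest
FROM ghcr.io/rackerlabs/genestack-images/ceph-libs:${CEPH_TAG} AS dependency_build
# Presumably changed per build to invalidate the cached layers below.
ARG CACHEBUST=0
# NOTE(review): both defaults follow the "master" branch, so the installed
# Gnocchi code and the constraint set change between builds. For release
# images pass a tag or commit hash for GNOCCHI_VERSION and a stable branch
# for OS_CONSTRAINTS.
ARG GNOCCHI_VERSION=master
ARG OS_CONSTRAINTS=master
# An `export` inside its own RUN ends with that RUN's shell and never reaches
# later instructions. A stage-scoped ARG is set for every RUN below and is not
# persisted into the image environment.
ARG DEBIAN_FRONTEND=noninteractive
# Fetch the OpenStack upper-constraints file, drop its own gnocchi pin (Gnocchi
# is installed from git instead), then install Gnocchi with its extras.
# NOTE(review): the constraints file is downloaded from a branch URL without a
# checksum, and the extra packages are bounded only by that file.
RUN curl -fsSL -o /tmp/upper-constraints.txt https://opendev.org/openstack/requirements/raw/branch/${OS_CONSTRAINTS}/upper-constraints.txt \
  && sed -i '/^gnocchi===.*/d' /tmp/upper-constraints.txt \
  && /var/lib/openstack/bin/pip install --constraint /tmp/upper-constraints.txt \
                                        "gnocchi[postgresql,ceph,keystone] @ git+https://github.com/gnocchixyz/gnocchi.git@${GNOCCHI_VERSION}" \
                                        gnocchiclient \
                                        PyMySQL \
                                        pymemcache \
                                        SQLAlchemy \
                                        uwsgi \
                                        cffi \
                                        bcrypt

# Apply the project's CVE patch script to the installed environment. The script
# is copied to /opt in this stage only; /opt is not copied to the final image.
COPY scripts/gnocchi-cve-patching.sh /opt/
RUN bash /opt/gnocchi-cve-patching.sh

# Strip bytecode, cached wheels, the slapdtest sample private keys and the
# usage section of the PyJWT metadata before the virtualenv is copied out
# (presumably so bundled test keys and sample tokens do not ship or trip
# secret scanners; confirm the intent).
# NOTE(review): sed matches addresses one line at a time, so the `\n` in the
# end address cannot match; as written the range runs from the first "Usage"
# line to the end of METADATA. Confirm that is the intended cut.
RUN find / -name '*.pyc' -delete \
  && find / -name '*.pyo' -delete \
  && find / -name '__pycache__' -delete \
  && find / -name '*.whl' -delete \
  && rm -f /var/lib/openstack/lib/python*/site-packages/slapdtest/certs/client.key \
  && rm -f /var/lib/openstack/lib/python*/site-packages/slapdtest/certs/server.key \
  && for f in /var/lib/openstack/lib/python*/site-packages/PyJWT-*.dist-info/METADATA; do \
       if [ -f "$f" ]; then \
         sed -i '/^Usage/,/^Documentation\n^-.*$/d' "$f"; \
       fi; \
     done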

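# Runtime stage: copies the prepared virtualenv and native libraries from the
# build stage, installs Apache with mod_wsgi, and creates the gnocchi account.
# NOTE(review): the base is pinned by tag only; add @sha256:<digest> for
# reproducible, verifiable rebuilds.
FROM python:3.12-slim-bookworm
LABEL maintainer="Rackspace"
LABEL vendor="Rackspace OpenStack Team"
LABEL org.opencontainers.image.name="gnocchi"
LABEL org.opencontainers.image.description="OpenStack Service (gnocchi) built for the enterprise."
# NOTE(review): the x86_64-linux-gnu path ties this stage to amd64 builds.
COPY --from=dependency_build /usr/local/lib /usr/local/lib
COPY --from=dependency_build /usr/lib/x86_64-linux-gnu /usr/lib/x86_64-linux-gnu
COPY --from=dependency_build /usr/lib/python3/dist-packages /usr/lib/python3/dist-packages
COPY --from=dependency_build /var/lib/openstack /var/lib/openstack
# Single layer: OS packages, mod_wsgi build and enablement, cleanup, service
# account, config directory ownership, and Apache runtime directories.
# NOTE(review): `apt-get purge --auto-remove` names no packages, so the
# compilers, -dev headers, git, curl and wget installed here stay in the
# runtime image. After mod_wsgi is built, purge the build-only packages in this
# same RUN, or build mod_wsgi in the dependency_build stage.
# NOTE(review): mod_wsgi is installed unpinned and outside the constraints file
# used in the build stage.
RUN export DEBIAN_FRONTEND=noninteractive \
  && apt-get update && apt-get upgrade -y \
  && apt-get install --no-install-recommends -y \
                                             apache2 \
                                             apache2-dev \
                                             libffi8 \
                                             libpq5 \
                                             libsnappy1v5 \
                                             libxml2 \
                                             python3 \
                                             python3-dev \
                                             python3-memcache \
                                             bash \
                                             brotli \
                                             build-essential \
                                             curl \
                                             wget \
                                             locales \
                                             docutils-common \
                                             gettext \
                                             git \
                                             libffi-dev \
                                             libjs-sphinxdoc \
                                             libjs-underscore \
                                             libldap2-dev \
                                             libpq-dev \
                                             postgresql \
                                             memcached \
                                             librados-dev \
                                             liberasurecode-dev \
                                             python3-rados \
                                             ceph \
                                             libsasl2-dev \
                                             libsnappy-dev \
                                             libprotobuf-dev \
                                             libssl-dev \
                                             libsystemd-dev \
                                             libxml2-dev \
                                             libxslt1-dev \
                                             libxslt1.1 \
                                             pkg-config \
                                             ssl-cert \
                                             xmlsec1 \
  && /var/lib/openstack/bin/pip install --no-cache-dir --upgrade mod_wsgi \
  && /var/lib/openstack/bin/mod_wsgi-express module-config > /etc/apache2/mods-available/wsgi.load \
  && a2enmod wsgi \
  && apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false \
  && apt-get clean -y \
  && rm -rf /var/lib/apt/lists/* \
  && find / -name '*.pyc' -delete \
  && find / -name '*.pyo' -delete \
  && find / -name '__pycache__' -delete \
  && groupadd --system --gid 42424 gnocchi \
  && useradd --system --gid 42424 --uid 42424 --shell /sbin/nologin --create-home --home /var/lib/gnocchi gnocchi \
  && mkdir -p /var/lib/openstack/etc/gnocchi \
  && ln -s /var/lib/openstack/etc/gnocchi /etc/gnocchi \
  && chown gnocchi:gnocchi -h /etc/gnocchi \
  && chown -R gnocchi:gnocchi /var/lib/openstack/etc/gnocchi \
  && sed -i 's@^ErrorLog.*@ErrorLog /dev/stderr@' /etc/apache2/apache2.conf \
  && mkdir -p /var/run/apache2 /var/lock/apache2 /var/log/apache2 \
  && chown www-data:www-data /var/run/apache2 /var/lock/apache2 /var/log/apache2
# Set the environment variables for the gnocchi venv
ENV PATH="/var/lib/openstack/bin:$PATH"
# PYTHONPATH is not set earlier in this stage, so appending ":$PYTHONPATH" left
# a trailing empty entry, which Python resolves to the current working
# directory. Listing only the two site-packages directories keeps whatever
# directory the process starts in off the import path.
ENV PYTHONPATH="/usr/local/lib/python3.12/site-packages:/var/lib/openstack/lib/python3.12/site-packages"
# Set the working directory
WORKDIR /var/lib/openstack
# NOTE(review): no USER instruction is set, so the entrypoint runs as root
# unless the runtime overrides it; the gnocchi account (uid/gid 42424) created
# above is available for that.
# Set the entrypoint to the gnocchi upgrade command
ENTRYPOINT ["/var/lib/openstack/bin/gnocchi-upgrade"]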

Build Arguments

Argument Default
CEPH_TAG v19.2.2-latest
CACHEBUST 0
GNOCCHI_VERSION master
OS_CONSTRAINTS master
Build Command
# Builds the gnocchi image from ContainerFiles/gnocchi using the documented
# default build arguments and tags the result gnocchi:local.
# NOTE(review): "master" is a moving branch and the "-latest" tag is presumably
# mutable; for a reproducible or release build pass a fixed tag or commit for
# GNOCCHI_VERSION, a stable branch for OS_CONSTRAINTS, and a fixed CEPH_TAG.
docker build \
--build-arg CEPH_TAG=v19.2.2-latest \
--build-arg CACHEBUST=0 \
--build-arg GNOCCHI_VERSION=master \
--build-arg OS_CONSTRAINTS=master \
-f ContainerFiles/gnocchi \
-t gnocchi:local \
.

Dependencies

Container Image

The container image is available on the GitHub Container Registry.