attempted fix to inject 3.14 instead of using apt-get

Author: taddes

Dockerfile

@@ -3,8 +3,9 @@ ARG TOKENSERVER_DATABASE_BACKEND=mysql
 # Alternatively MYSQLCLIENT_PKG=libmysqlclient-dev for the Oracle/MySQL official client
 ARG MYSQLCLIENT_PKG=libmariadb-dev-compat
 
-# NOTE: Ensure builder's Rust version matches CI's in .circleci/config.yml
-# RUST_VER
+FROM python:3.14-bookworm AS python-base
+
+# NOTE: Ensure builder's Rust version matches CI's in .github/ directory.
 FROM docker.io/lukemathwalker/cargo-chef:0.1.73-rust-1.91.1-bookworm AS chef
 WORKDIR /app
 
@@ -17,26 +18,28 @@ ARG SYNCSTORAGE_DATABASE_BACKEND
 ARG TOKENSERVER_DATABASE_BACKEND
 ARG MYSQLCLIENT_PKG
 
+COPY --from=python-base /usr/local /usr/local
+
 RUN apt-get -q update && \
     MYSQL_PKG="" && \
     POSTGRES_DEV_PKG="" && \
     if [ "$SYNCSTORAGE_DATABASE_BACKEND" = "mysql" ] || [ "$TOKENSERVER_DATABASE_BACKEND" = "mysql" ]; then \
-        MYSQL_PKG="$MYSQLCLIENT_PKG"; \
-        if [ "$MYSQLCLIENT_PKG" = libmysqlclient-dev ] ; then \
-            # First install gnupg and setup MySQL repo
-            # Key ID A8D3785C from https://dev.mysql.com/doc/refman/8.0/en/checking-gpg-signature.html
-            apt-get -q install -y --no-install-recommends gnupg ca-certificates && \
-            echo "deb https://repo.mysql.com/apt/debian/ bookworm mysql-8.0" >> /etc/apt/sources.list && \
-            # Fetch and install the MySQL public key
-            gpg --batch --keyserver hkp://keyserver.ubuntu.com --recv-keys A8D3785C && \
-            gpg --batch --armor --export A8D3785C | tee /etc/apt/trusted.gpg.d/mysql.asc && \
-            apt-get -q update ; \
-        fi; \
+    MYSQL_PKG="$MYSQLCLIENT_PKG"; \
+    if [ "$MYSQLCLIENT_PKG" = libmysqlclient-dev ] ; then \
+    # First install gnupg and setup MySQL repo
+    # Key ID A8D3785C from https://dev.mysql.com/doc/refman/8.0/en/checking-gpg-signature.html
+    apt-get -q install -y --no-install-recommends gnupg ca-certificates && \
+    echo "deb https://repo.mysql.com/apt/debian/ bookworm mysql-8.0" >> /etc/apt/sources.list && \
+    # Fetch and install the MySQL public key
+    gpg --batch --keyserver hkp://keyserver.ubuntu.com --recv-keys A8D3785C && \
+    gpg --batch --armor --export A8D3785C | tee /etc/apt/trusted.gpg.d/mysql.asc && \
+    apt-get -q update ; \
+    fi; \
     fi && \
     if [ "$TOKENSERVER_DATABASE_BACKEND" = "postgres" ]; then \
-        POSTGRES_DEV_PKG="libpq-dev"; \
+    POSTGRES_DEV_PKG="libpq-dev"; \
     fi && \
-    apt-get -q install -y --no-install-recommends $MYSQL_PKG $POSTGRES_DEV_PKG cmake python3-dev python3-pip python3-setuptools python3-wheel python3-venv pkg-config && \
+    apt-get -q install -y --no-install-recommends $MYSQL_PKG $POSTGRES_DEV_PKG cmake pkg-config && \
     rm -rf /var/lib/apt/lists/*
 
 COPY --from=planner /app/recipe.json recipe.json
@@ -47,7 +50,7 @@ RUN --mount=type=cache,target=/usr/local/cargo/registry,sharing=locked \
     set -x && \
     TOKENSERVER_FEATURES="" && \
     if [ "$TOKENSERVER_DATABASE_BACKEND" = "postgres" ]; then \
-        TOKENSERVER_FEATURES="--features=tokenserver-db/postgres"; \
+    TOKENSERVER_FEATURES="--features=tokenserver-db/postgres"; \
     fi && \
     cargo chef cook --release --no-default-features --features=syncstorage-db/$SYNCSTORAGE_DATABASE_BACKEND $TOKENSERVER_FEATURES --features=py_verifier --recipe-path recipe.json
 
@@ -73,11 +76,11 @@ RUN poetry export --no-interaction --without dev --output requirements.txt --wit
     poetry export --no-interaction --without dev --output requirements.txt --without-hashes && \
     cd /app/tools/postgres && \
     if [ "$SYNCSTORAGE_DATABASE_BACKEND" = "postgres" ]; then \
-        poetry export --no-interaction --without dev --output requirements.txt --without-hashes; \
+    poetry export --no-interaction --without dev --output requirements.txt --without-hashes; \
     else \
-        # Because we can't conditionally COPY files in the next stage, generate
-        # this empty requirements.txt file so that we can always COPY it
-        touch requirements.txt; \
+    # Because we can't conditionally COPY files in the next stage, generate
+    # this empty requirements.txt file so that we can always COPY it
+    touch requirements.txt; \
     fi && \
     cd /app
 
@@ -87,7 +90,7 @@ RUN mkdir -p /app/wheels && \
     pip3 wheel --no-cache-dir -r /app/tools/integration_tests/requirements.txt -w /app/wheels && \
     pip3 wheel --no-cache-dir -r /app/tools/tokenserver/requirements.txt -w /app/wheels && \
     if [ "$SYNCSTORAGE_DATABASE_BACKEND" = "postgres" ] && [ -f /app/tools/postgres/requirements.txt ]; then \
-        pip3 wheel --no-cache-dir -r /app/tools/postgres/requirements.txt -w /app/wheels; \
+    pip3 wheel --no-cache-dir -r /app/tools/postgres/requirements.txt -w /app/wheels; \
     fi
 
 ENV PATH=$PATH:/root/.cargo/bin
@@ -98,13 +101,13 @@ RUN --mount=type=cache,target=/usr/local/cargo/registry,sharing=locked \
     set -x && \
     TOKENSERVER_FEATURES="" && \
     if [ "$TOKENSERVER_DATABASE_BACKEND" = "postgres" ]; then \
-        TOKENSERVER_FEATURES="--features=tokenserver-db/postgres"; \
+    TOKENSERVER_FEATURES="--features=tokenserver-db/postgres"; \
     fi && \
     cargo --version && \
     rustc --version && \
     cargo install --path ./syncserver --no-default-features --features=syncstorage-db/$SYNCSTORAGE_DATABASE_BACKEND $TOKENSERVER_FEATURES --features=py_verifier --locked --root /app
 
-FROM docker.io/library/debian:bookworm-slim
+FROM python:3.14-slim-bookworm
 ARG SYNCSTORAGE_DATABASE_BACKEND
 ARG TOKENSERVER_DATABASE_BACKEND
 ARG MYSQLCLIENT_PKG
@@ -115,21 +118,16 @@ RUN apt-get -q update && \
     # Always install MySQL libs because Python integration tests depend on mysqlclient
     MYSQL_PKG="$MYSQLCLIENT_PKG" && \
     if [ "$MYSQLCLIENT_PKG" = libmysqlclient-dev ] ; then \
-        # First install gnupg and setup MySQL repo
-        apt-get install -y --no-install-recommends gnupg ca-certificates wget && \
-        echo "deb https://repo.mysql.com/apt/debian/ bookworm mysql-8.0" >> /etc/apt/sources.list && \
-        # Fetch and install the MySQL public key
-        gpg --batch --keyserver hkp://keyserver.ubuntu.com --recv-keys A8D3785C && \
-        gpg --batch --armor --export A8D3785C | tee /etc/apt/trusted.gpg.d/mysql.asc && \
-        apt-get -q update ; \
+    # First install gnupg and setup MySQL repo
+    apt-get install -y --no-install-recommends gnupg ca-certificates wget && \
+    echo "deb https://repo.mysql.com/apt/debian/ bookworm mysql-8.0" >> /etc/apt/sources.list && \
+    # Fetch and install the MySQL public key
+    gpg --batch --keyserver hkp://keyserver.ubuntu.com --recv-keys A8D3785C && \
+    gpg --batch --armor --export A8D3785C | tee /etc/apt/trusted.gpg.d/mysql.asc && \
+    apt-get -q update ; \
     fi && \
     POSTGRES_PKG="libpq5" && \
-    apt-get -q install -y --no-install-recommends $MYSQL_PKG $POSTGRES_PKG libssl3 libffi8 libcurl4 libpython3.11 python3 python3-pip python3-venv curl jq && \
-    # The python3-cryptography debian package installs version 2.6.1, but we
-    # we want to use the version specified in requirements.txt. To do this,
-    # we have to remove the python3-cryptography package here.
-    apt-get -q remove -y python3-cryptography 2>/dev/null || true && \
-    apt-get -q autoremove -y && \
+    apt-get -q install -y --no-install-recommends $MYSQL_PKG $POSTGRES_PKG libssl3 libffi8 libcurl4 curl jq && \
     rm -rf /var/lib/apt/lists/*
 
 WORKDIR /app
@@ -144,11 +142,12 @@ COPY --from=builder /app/wheels /tmp/wheels
 RUN groupadd --gid 10001 app && \
     useradd --uid 10001 --gid 10001 --home /app --create-home app
 
-RUN pip3 install --break-system-packages --no-cache-dir --no-index --find-links=/tmp/wheels -r /app/requirements.txt && \
+RUN pip3 install --break-system-packages --no-cache-dir "setuptools>=75.0.0" && \
+    pip3 install --break-system-packages --no-cache-dir --no-index --find-links=/tmp/wheels -r /app/requirements.txt && \
     pip3 install --break-system-packages --no-cache-dir --no-index --find-links=/tmp/wheels -r /app/tools/integration_tests/requirements.txt && \
     pip3 install --break-system-packages --no-cache-dir --no-index --find-links=/tmp/wheels -r /app/tools/tokenserver/requirements.txt && \
     if [ "$SYNCSTORAGE_DATABASE_BACKEND" = "postgres" ] && [ -f /app/tools/postgres/requirements.txt ]; then \
-        pip3 install --break-system-packages --no-cache-dir --no-index --find-links=/tmp/wheels -r /app/tools/postgres/requirements.txt; \
+    pip3 install --break-system-packages --no-cache-dir --no-index --find-links=/tmp/wheels -r /app/tools/postgres/requirements.txt; \
     fi && \
     rm -rf /tmp/wheels /root/.cache/pip
 

poetry.lock

@@ -15,6 +15,7 @@ package-mode = false
 [tool.poetry.dependencies]
 cryptography = "^46.0.5"
 pyfxa = "^0.8.1"
+setuptools = ">=75.0.0"
 tokenlib = "^2.0.0"
 
 [tool.poetry.group.tokenserver-unit-tests.dependencies]

pyproject.toml

@@ -23,6 +23,7 @@ psutil = "^7.0.0"
 pyjwt = "^2.10.1"
 pyramid = "^1.10.8"
 pyramid-hawkauth = "^2.0.0"
+setuptools = ">=75.0.0"
 pyfxa = "0.8.1"
 pytest = "^9.0.2"
 requests = "^2.32.4"

tools/integration_tests/poetry.lock

@@ -18,6 +18,7 @@ boto = "2.49.0"
 hawkauthlib = "2.0.0"
 mysqlclient = "2.1.1"
 pyramid = "^1.10.8"
+setuptools = ">=75.0.0"
 sqlalchemy = "^1.4.46"
 testfixtures = "^8.3.0"
 tokenlib = "2.0.0"