revert attempts to inject python image, revisit due to pyramid upgrade necessity

Author: taddes

Dockerfile

@@ -3,9 +3,8 @@ ARG TOKENSERVER_DATABASE_BACKEND=mysql
 # Alternatively MYSQLCLIENT_PKG=libmysqlclient-dev for the Oracle/MySQL official client
 ARG MYSQLCLIENT_PKG=libmariadb-dev-compat
 
-FROM python:3.14-bookworm AS python-base
-
-# NOTE: Ensure builder's Rust version matches CI's in .github/ directory.
+# NOTE: Ensure builder's Rust version matches CI's in .circleci/config.yml
+# RUST_VER
 FROM docker.io/lukemathwalker/cargo-chef:0.1.73-rust-1.91.1-bookworm AS chef
 WORKDIR /app
 
@@ -18,28 +17,26 @@ ARG SYNCSTORAGE_DATABASE_BACKEND
 ARG TOKENSERVER_DATABASE_BACKEND
 ARG MYSQLCLIENT_PKG
 
-COPY --from=python-base /usr/local /usr/local
-
 RUN apt-get -q update && \
     MYSQL_PKG="" && \
     POSTGRES_DEV_PKG="" && \
     if [ "$SYNCSTORAGE_DATABASE_BACKEND" = "mysql" ] || [ "$TOKENSERVER_DATABASE_BACKEND" = "mysql" ]; then \
-    MYSQL_PKG="$MYSQLCLIENT_PKG"; \
-    if [ "$MYSQLCLIENT_PKG" = libmysqlclient-dev ] ; then \
-    # First install gnupg and setup MySQL repo
-    # Key ID A8D3785C from https://dev.mysql.com/doc/refman/8.0/en/checking-gpg-signature.html
-    apt-get -q install -y --no-install-recommends gnupg ca-certificates && \
-    echo "deb https://repo.mysql.com/apt/debian/ bookworm mysql-8.0" >> /etc/apt/sources.list && \
-    # Fetch and install the MySQL public key
-    gpg --batch --keyserver hkp://keyserver.ubuntu.com --recv-keys A8D3785C && \
-    gpg --batch --armor --export A8D3785C | tee /etc/apt/trusted.gpg.d/mysql.asc && \
-    apt-get -q update ; \
-    fi; \
+        MYSQL_PKG="$MYSQLCLIENT_PKG"; \
+        if [ "$MYSQLCLIENT_PKG" = libmysqlclient-dev ] ; then \
+            # First install gnupg and setup MySQL repo
+            # Key ID A8D3785C from https://dev.mysql.com/doc/refman/8.0/en/checking-gpg-signature.html
+            apt-get -q install -y --no-install-recommends gnupg ca-certificates && \
+            echo "deb https://repo.mysql.com/apt/debian/ bookworm mysql-8.0" >> /etc/apt/sources.list && \
+            # Fetch and install the MySQL public key
+            gpg --batch --keyserver hkp://keyserver.ubuntu.com --recv-keys A8D3785C && \
+            gpg --batch --armor --export A8D3785C | tee /etc/apt/trusted.gpg.d/mysql.asc && \
+            apt-get -q update ; \
+        fi; \
     fi && \
     if [ "$TOKENSERVER_DATABASE_BACKEND" = "postgres" ]; then \
-    POSTGRES_DEV_PKG="libpq-dev"; \
+        POSTGRES_DEV_PKG="libpq-dev"; \
     fi && \
-    apt-get -q install -y --no-install-recommends $MYSQL_PKG $POSTGRES_DEV_PKG cmake pkg-config && \
+    apt-get -q install -y --no-install-recommends $MYSQL_PKG $POSTGRES_DEV_PKG cmake python3-dev python3-pip python3-setuptools python3-wheel python3-venv pkg-config && \
     rm -rf /var/lib/apt/lists/*
 
 COPY --from=planner /app/recipe.json recipe.json
@@ -50,7 +47,7 @@ RUN --mount=type=cache,target=/usr/local/cargo/registry,sharing=locked \
     set -x && \
     TOKENSERVER_FEATURES="" && \
     if [ "$TOKENSERVER_DATABASE_BACKEND" = "postgres" ]; then \
-    TOKENSERVER_FEATURES="--features=tokenserver-db/postgres"; \
+        TOKENSERVER_FEATURES="--features=tokenserver-db/postgres"; \
     fi && \
     cargo chef cook --release --no-default-features --features=syncstorage-db/$SYNCSTORAGE_DATABASE_BACKEND $TOKENSERVER_FEATURES --features=py_verifier --recipe-path recipe.json
 
@@ -76,11 +73,11 @@ RUN poetry export --no-interaction --without dev --output requirements.txt --wit
     poetry export --no-interaction --without dev --output requirements.txt --without-hashes && \
     cd /app/tools/postgres && \
     if [ "$SYNCSTORAGE_DATABASE_BACKEND" = "postgres" ]; then \
-    poetry export --no-interaction --without dev --output requirements.txt --without-hashes; \
+        poetry export --no-interaction --without dev --output requirements.txt --without-hashes; \
     else \
-    # Because we can't conditionally COPY files in the next stage, generate
-    # this empty requirements.txt file so that we can always COPY it
-    touch requirements.txt; \
+        # Because we can't conditionally COPY files in the next stage, generate
+        # this empty requirements.txt file so that we can always COPY it
+        touch requirements.txt; \
     fi && \
     cd /app
 
@@ -90,7 +87,7 @@ RUN mkdir -p /app/wheels && \
     pip3 wheel --no-cache-dir -r /app/tools/integration_tests/requirements.txt -w /app/wheels && \
     pip3 wheel --no-cache-dir -r /app/tools/tokenserver/requirements.txt -w /app/wheels && \
     if [ "$SYNCSTORAGE_DATABASE_BACKEND" = "postgres" ] && [ -f /app/tools/postgres/requirements.txt ]; then \
-    pip3 wheel --no-cache-dir -r /app/tools/postgres/requirements.txt -w /app/wheels; \
+        pip3 wheel --no-cache-dir -r /app/tools/postgres/requirements.txt -w /app/wheels; \
     fi
 
 ENV PATH=$PATH:/root/.cargo/bin
@@ -101,13 +98,13 @@ RUN --mount=type=cache,target=/usr/local/cargo/registry,sharing=locked \
     set -x && \
     TOKENSERVER_FEATURES="" && \
     if [ "$TOKENSERVER_DATABASE_BACKEND" = "postgres" ]; then \
-    TOKENSERVER_FEATURES="--features=tokenserver-db/postgres"; \
+        TOKENSERVER_FEATURES="--features=tokenserver-db/postgres"; \
     fi && \
     cargo --version && \
     rustc --version && \
     cargo install --path ./syncserver --no-default-features --features=syncstorage-db/$SYNCSTORAGE_DATABASE_BACKEND $TOKENSERVER_FEATURES --features=py_verifier --locked --root /app
 
-FROM python:3.14-slim-bookworm
+FROM docker.io/library/debian:bookworm-slim
 ARG SYNCSTORAGE_DATABASE_BACKEND
 ARG TOKENSERVER_DATABASE_BACKEND
 ARG MYSQLCLIENT_PKG
@@ -118,16 +115,21 @@ RUN apt-get -q update && \
     # Always install MySQL libs because Python integration tests depend on mysqlclient
     MYSQL_PKG="$MYSQLCLIENT_PKG" && \
     if [ "$MYSQLCLIENT_PKG" = libmysqlclient-dev ] ; then \
-    # First install gnupg and setup MySQL repo
-    apt-get install -y --no-install-recommends gnupg ca-certificates wget && \
-    echo "deb https://repo.mysql.com/apt/debian/ bookworm mysql-8.0" >> /etc/apt/sources.list && \
-    # Fetch and install the MySQL public key
-    gpg --batch --keyserver hkp://keyserver.ubuntu.com --recv-keys A8D3785C && \
-    gpg --batch --armor --export A8D3785C | tee /etc/apt/trusted.gpg.d/mysql.asc && \
-    apt-get -q update ; \
+        # First install gnupg and setup MySQL repo
+        apt-get install -y --no-install-recommends gnupg ca-certificates wget && \
+        echo "deb https://repo.mysql.com/apt/debian/ bookworm mysql-8.0" >> /etc/apt/sources.list && \
+        # Fetch and install the MySQL public key
+        gpg --batch --keyserver hkp://keyserver.ubuntu.com --recv-keys A8D3785C && \
+        gpg --batch --armor --export A8D3785C | tee /etc/apt/trusted.gpg.d/mysql.asc && \
+        apt-get -q update ; \
     fi && \
     POSTGRES_PKG="libpq5" && \
-    apt-get -q install -y --no-install-recommends $MYSQL_PKG $POSTGRES_PKG libssl3 libffi8 libcurl4 curl jq && \
+    apt-get -q install -y --no-install-recommends $MYSQL_PKG $POSTGRES_PKG libssl3 libffi8 libcurl4 libpython3.11 python3 python3-pip python3-venv curl jq && \
+    # The python3-cryptography debian package installs version 2.6.1, but we
+    # we want to use the version specified in requirements.txt. To do this,
+    # we have to remove the python3-cryptography package here.
+    apt-get -q remove -y python3-cryptography 2>/dev/null || true && \
+    apt-get -q autoremove -y && \
     rm -rf /var/lib/apt/lists/*
 
 WORKDIR /app
@@ -142,12 +144,11 @@ COPY --from=builder /app/wheels /tmp/wheels
 RUN groupadd --gid 10001 app && \
     useradd --uid 10001 --gid 10001 --home /app --create-home app
 
-RUN pip3 install --break-system-packages --no-cache-dir "setuptools>=75.0.0" && \
-    pip3 install --break-system-packages --no-cache-dir --no-index --find-links=/tmp/wheels -r /app/requirements.txt && \
+RUN pip3 install --break-system-packages --no-cache-dir --no-index --find-links=/tmp/wheels -r /app/requirements.txt && \
     pip3 install --break-system-packages --no-cache-dir --no-index --find-links=/tmp/wheels -r /app/tools/integration_tests/requirements.txt && \
     pip3 install --break-system-packages --no-cache-dir --no-index --find-links=/tmp/wheels -r /app/tools/tokenserver/requirements.txt && \
     if [ "$SYNCSTORAGE_DATABASE_BACKEND" = "postgres" ] && [ -f /app/tools/postgres/requirements.txt ]; then \
-    pip3 install --break-system-packages --no-cache-dir --no-index --find-links=/tmp/wheels -r /app/tools/postgres/requirements.txt; \
+        pip3 install --break-system-packages --no-cache-dir --no-index --find-links=/tmp/wheels -r /app/tools/postgres/requirements.txt; \
     fi && \
     rm -rf /tmp/wheels /root/.cache/pip
 

poetry.lock

@@ -15,7 +15,6 @@ package-mode = false
 [tool.poetry.dependencies]
 cryptography = "^46.0.5"
 pyfxa = "^0.8.1"
-setuptools = ">=75.0.0"
 tokenlib = "^2.0.0"
 
 [tool.poetry.group.tokenserver-unit-tests.dependencies]

pyproject.toml

@@ -23,7 +23,6 @@ psutil = "^7.0.0"
 pyjwt = "^2.10.1"
 pyramid = "^1.10.8"
 pyramid-hawkauth = "^2.0.0"
-setuptools = ">=75.0.0"
 pyfxa = "0.8.1"
 pytest = "^9.0.2"
 requests = "^2.32.4"

tools/integration_tests/poetry.lock

@@ -18,7 +18,6 @@ boto = "2.49.0"
 hawkauthlib = "2.0.0"
 mysqlclient = "2.1.1"
 pyramid = "^1.10.8"
-setuptools = ">=75.0.0"
 sqlalchemy = "^1.4.46"
 testfixtures = "^8.3.0"
 tokenlib = "2.0.0"