pulp
diff --git a/‎.CLAUDE.md‎
Lines changed: 178 additions & 0 deletions b/‎.CLAUDE.md‎
Lines changed: 178 additions & 0 deletions
diff --git a/‎.dockerignore‎
Lines changed: 1 addition & 0 deletions b/‎.dockerignore‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎.github/workflows/build-dev-container.yml‎
Lines changed: 48 additions & 0 deletions b/‎.github/workflows/build-dev-container.yml‎
Lines changed: 48 additions & 0 deletions
diff --git a/‎dev-container/Dockerfile‎
Lines changed: 127 additions & 0 deletions b/‎dev-container/Dockerfile‎
Lines changed: 127 additions & 0 deletions
@@ -0,0 +1,178 @@
+# Dev Container: hosted-pulp-dev-env
+
+A self-contained development container with PostgreSQL, Redis, and all Pulp services running locally. Built automatically on every push to any branch.
+
+## Image Location
+
+```
+ghcr.io/pulp/hosted-pulp-dev-env:<branch-name>
+```
+
+Branch names are sanitized for Docker tags: `/` is replaced with `-` (e.g., branch `feature/foo` produces tag `feature-foo`).
+
+## Running the Container
+
+Mount the shared workspace volume at `/workspace` per alcove conventions:
+
+```bash
+docker run -d \
+  -v workspace:/workspace \
+  -p 24817:24817 \
+  -p 24816:24816 \
+  --name pulp-dev \
+  ghcr.io/pulp/hosted-pulp-dev-env:main
+```
+
+If the container finds a pulp-service checkout at `/workspace/pulp-service`, it installs it in development mode (`pip install -e`) at startup. Because `PULP_GUNICORN_RELOAD` is enabled by default, Gunicorn watches for Python file changes and automatically reloads -- you do not need to run `pulp-restart` after editing source files in most cases. See "Service Management" below for when a manual restart is required.
+
+## Services
+
+| Service      | Port  | Description                              |
+|------------- |-------|------------------------------------------|
+| pulp-api     | 24817 | Django REST API (Gunicorn WSGI)          |
+| pulp-content | 24816 | Async content delivery (Gunicorn aiohttp)|
+| pulp-worker  | --    | Celery background task worker            |
+| PostgreSQL   | 5432  | Database (local, trust auth)             |
+| Redis        | 6379  | Cache and Celery broker                  |
+
+All five services are managed by supervisord. The `pulp-restart` command only restarts Pulp services (api, content, worker), not PostgreSQL or Redis.
+
+## Configuration
+
+The dev container has domain support enabled (`DOMAIN_ENABLED=True`) and token authentication disabled (`TOKEN_AUTH_DISABLED=True`). This matches the hosted Pulp production configuration.
+
+### Environment Variables
+
+Override these at `docker run` time with `-e`:
+
+| Variable | Default | Description |
+|----------|---------|-------------|
+| `PULP_DEFAULT_ADMIN_PASSWORD` | `password` | Admin user password set during initialization |
+| `PULP_API_WORKERS` | `2` | Number of Gunicorn workers for the API |
+| `PULP_CONTENT_WORKERS` | `2` | Number of Gunicorn workers for the content app |
+| `PULP_WORKERS` | `2` | Number of Celery worker processes |
+| `PULP_GUNICORN_TIMEOUT` | `90` | Gunicorn request timeout in seconds |
+| `PULP_GUNICORN_RELOAD` | `true` | Auto-reload Gunicorn on Python file changes |
+
+## Commands
+
+### Patch Management
+
+Apply a patch to pulpcore's installed site-packages:
+
+```bash
+pulp-add-patch /path/to/my-fix.patch
+```
+
+Reverse a previously applied patch:
+
+```bash
+pulp-remove-patch /path/to/my-fix.patch
+```
+
+Patches target `/usr/local/lib/pulp/lib/python${PYTHON_VERSION}/site-packages` (default Python version: 3.11). After adding or removing a patch, you must restart services manually because patched files are in site-packages, not in the dev-installed editable source that Gunicorn watches:
+
+```bash
+pulp-restart
+```
+
+### Service Management
+
+Restart all Pulp services:
+
+```bash
+pulp-restart
+```
+
+Restart a specific service:
+
+```bash
+pulp-restart api
+pulp-restart content
+pulp-restart worker
+```
+
+**When to restart manually:** You need `pulp-restart` after applying or removing patches, changing settings in `/etc/pulp/settings.py`, or modifying Celery task definitions (the worker does not auto-reload). For regular Python source edits with dev mode installed, Gunicorn auto-reload handles API and content restarts automatically.
+
+Check service status (includes PostgreSQL and Redis):
+
+```bash
+supervisorctl status
+```
+
+View service logs:
+
+```bash
+# stderr logs (application errors, Django output)
+tail -f /var/log/pulp/pulp-api-stderr.log
+tail -f /var/log/pulp/pulp-content-stderr.log
+tail -f /var/log/pulp/pulp-worker-stderr.log
+
+# stdout logs (access logs, startup messages)
+tail -f /var/log/pulp/pulp-api-stdout.log
+tail -f /var/log/pulp/pulp-content-stdout.log
+tail -f /var/log/pulp/pulp-worker-stdout.log
+
+# infrastructure logs
+tail -f /var/log/pulp/postgresql-stderr.log
+tail -f /var/log/pulp/redis-stderr.log
+```
+
+### Running Tests
+
+Run all functional tests (requires pulp-service source in workspace):
+
+```bash
+pulp-test
+```
+
+Run a specific test file or test:
+
+```bash
+pulp-test pulp_service/pulp_service/tests/functional/test_authentication.py
+pulp-test pulp_service/pulp_service/tests/functional/test_authentication.py::TestClass::test_method
+```
+
+By default, `pulp-test` looks for tests in `/workspace/pulp-service`. Override the source location by setting `PULP_SERVICE_DIR`:
+
+```bash
+PULP_SERVICE_DIR=/workspace/my-fork pulp-test
+```
+
+If the test directory is not found under `PULP_SERVICE_DIR`, the script falls back to `/tmp/pulp_service/pulp_service/tests`.
+
+### Database Access
+
+Connect to the local PostgreSQL database:
+
+```bash
+runuser -u pulp -- psql -d pulp
+```
+
+Run Django management commands:
+
+```bash
+runuser -u pulp -- pulpcore-manager showmigrations
+runuser -u pulp -- pulpcore-manager shell
+```
+
+## Admin Credentials
+
+- **Username:** admin
+- **Password:** password (override with `PULP_DEFAULT_ADMIN_PASSWORD` env var at container start)
+
+## Alcove Integration
+
+When used with alcove, the `/workspace` volume is automatically shared between the Skiff container (running Claude Code) and this dev container. Repositories are cloned into `/workspace/<name>/`. The dev container image is declared in the alcove agent definition via `dev_container.image`.
+
+## Architecture
+
+The container mirrors the production three-service model:
+
+1. **pulp-api** -- Gunicorn WSGI serving the Django REST API
+2. **pulp-content** -- Gunicorn with aiohttp worker for async content delivery
+3. **pulp-worker** -- Celery worker for background task processing
+
+PostgreSQL and Redis run locally inside the same container (managed by supervisord) rather than as external services.
+
+All production patches from `images/assets/patches/` are pre-applied at build time. The container is based on UBI9 (Red Hat Universal Base Image).
@@ -2,3 +2,4 @@
 !/LICENSE
 !/images
 !/pulp_service
+!/dev-container
@@ -0,0 +1,48 @@
+name: Build Dev Container
+
+on:
+  push:
+    branches:
+      - '**'
+
+permissions:
+  contents: read
+  packages: write
+
+jobs:
+  build-and-push:
+    runs-on: ubuntu-latest
+    env:
+      REGISTRY: ghcr.io
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract branch name
+        id: branch
+        env:
+          REF_NAME: ${{ github.ref_name }}
+        run: |
+          # Sanitize branch name for Docker tag (replace / with -)
+          TAG=$(echo "$REF_NAME" | sed 's|/|-|g')
+          echo "tag=$TAG" >> "$GITHUB_OUTPUT"
+
+      - name: Build and push
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: dev-container/Dockerfile
+          push: true
+          tags: ghcr.io/${{ github.repository_owner }}/hosted-pulp-dev-env:${{ steps.branch.outputs.tag }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
@@ -0,0 +1,127 @@
+FROM registry.access.redhat.com/ubi9/ubi
+
+ARG PYTHON_VERSION=3.11
+ENV PYTHONUNBUFFERED=0
+ENV DJANGO_SETTINGS_MODULE=pulpcore.app.settings
+ENV PULP_SETTINGS=/etc/pulp/settings.py
+ENV PULP_GUNICORN_TIMEOUT=90
+ENV PULP_API_WORKERS=2
+ENV PULP_CONTENT_WORKERS=2
+ENV PULP_GUNICORN_RELOAD=true
+ENV PULP_WORKERS=2
+ENV PULP_HTTPS=false
+ENV PULP_STATIC_ROOT=/var/lib/operator/static/
+ENV PYTHON_VERSION=${PYTHON_VERSION}
+ENV PATH="/usr/local/lib/pulp/bin:${PATH}"
+COPY images/repos.d/centos9-crb.repo /etc/yum.repos.d/
+COPY images/repos.d/centos9-appstream.repo /etc/yum.repos.d/
+
+RUN dnf -y install dnf-plugins-core && \
+    dnf -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm && \
+    dnf -y update
+
+RUN dnf -y install \
+        python${PYTHON_VERSION} python${PYTHON_VERSION}-cryptography \
+        python${PYTHON_VERSION}-devel python${PYTHON_VERSION}-pip \
+        openssl openssl-devel \
+        wget git \
+        lsof procps-ng \
+        python${PYTHON_VERSION}-psycopg2 \
+        redhat-rpm-config gcc \
+        glibc-langpack-en \
+        python${PYTHON_VERSION}-setuptools \
+        swig \
+        ostree-libs ostree --allowerasing --nobest && \
+    dnf -y install patch jq zstd vim-minimal less findutils
+
+RUN dnf -y install https://download.postgresql.org/pub/repos/yum/reporpms/EL-9-x86_64/pgdg-redhat-repo-latest.noarch.rpm && \
+    dnf -y module disable postgresql && \
+    dnf -y install postgresql16-server postgresql16 postgresql16-contrib && \
+    dnf -y install redis && \
+    dnf clean all
+
+ENV PATH="/usr/pgsql-16/bin:${PATH}"
+ENV PGDATA=/var/lib/pgsql/16/data
+
+RUN python${PYTHON_VERSION} -m venv --system-site-packages /usr/local/lib/pulp
+
+RUN pip install --upgrade pip setuptools wheel && \
+    pip install \
+        rhsm setproctitle \
+        "gunicorn>=22.0,<25.1.0" \
+        python-nginx \
+        "django-storages[boto3,azure]>=1.12.2" \
+        "requests[use_chardet_on_py3]" \
+        importlib-metadata watchtower \
+        supervisor \
+    && rm -rf /root/.cache/pip
+
+COPY pulp_service/ /tmp/pulp_service
+RUN pip install /tmp/pulp_service && rm -rf /root/.cache/pip
+
+RUN groupadd -g 700 --system pulp && \
+    useradd -d /var/lib/pulp --system -u 700 -g pulp pulp
+
+RUN mkdir -p /etc/pulp/certs \
+             /etc/ssl/pulp \
+             /var/lib/operator/static \
+             /var/lib/pgsql \
+             /var/lib/pulp/assets \
+             /var/lib/pulp/media \
+             /var/lib/pulp/scripts \
+             /var/lib/pulp/tmp \
+             /workspace \
+             /var/log/pulp
+
+RUN chown pulp:pulp -R /var/lib/pulp /var/lib/operator/static /var/log/pulp
+
+COPY images/assets/route_paths.py /usr/bin/route_paths.py
+COPY images/assets/wait_on_postgres.py /usr/bin/wait_on_postgres.py
+COPY images/assets/wait_on_database_migrations.sh /usr/bin/wait_on_database_migrations.sh
+COPY images/assets/set_init_password.sh /usr/bin/set_init_password.sh
+COPY images/assets/add_signing_service.sh /usr/bin/add_signing_service.sh
+COPY images/assets/pulp-api /usr/bin/pulp-api
+COPY images/assets/pulp-content /usr/bin/pulp-content
+COPY images/assets/pulp-resource-manager /usr/bin/pulp-resource-manager
+COPY images/assets/pulp-worker /usr/bin/pulp-worker
+COPY images/assets/log_middleware.py /usr/bin/log_middleware.py
+
+USER pulp:pulp
+RUN PULP_STATIC_ROOT=/var/lib/operator/static/ PULP_CONTENT_ORIGIN=localhost \
+    pulpcore-manager collectstatic --clear --noinput --link
+USER root:root
+
+RUN ln -sf /usr/local/lib/pulp/bin/pulpcore-manager /usr/local/bin/pulpcore-manager
+
+RUN chmod 2775 /var/lib/pulp/{scripts,media,tmp,assets} && \
+    chown :root /var/lib/pulp/{scripts,media,tmp,assets}
+
+COPY images/assets/patches/ /tmp/patches/
+RUN for patch_file in /tmp/patches/*.patch; do \
+        echo "Applying $(basename $patch_file)..." && \
+        patch -p1 -d /usr/local/lib/pulp/lib/python${PYTHON_VERSION}/site-packages < "$patch_file" || \
+        echo "WARNING: Failed to apply $(basename $patch_file)"; \
+    done && rm -rf /tmp/patches
+
+RUN openssl rand -base64 32 > /etc/pulp/certs/database_fields.symmetric.key && \
+    chown pulp:pulp /etc/pulp/certs/database_fields.symmetric.key && \
+    chmod 600 /etc/pulp/certs/database_fields.symmetric.key
+
+RUN mkdir -p /var/run/postgresql /var/lib/pgsql/16/data && \
+    chown -R postgres:postgres /var/run/postgresql /var/lib/pgsql/16
+
+RUN runuser -l postgres -c "/usr/pgsql-16/bin/initdb -D /var/lib/pgsql/16/data" && \
+    echo "local all all trust" > /var/lib/pgsql/16/data/pg_hba.conf && \
+    echo "host all all 127.0.0.1/32 trust" >> /var/lib/pgsql/16/data/pg_hba.conf && \
+    echo "host all all ::1/128 trust" >> /var/lib/pgsql/16/data/pg_hba.conf
+
+COPY dev-container/settings.py /etc/pulp/settings.py
+COPY dev-container/supervisord.conf /etc/supervisord.conf
+COPY dev-container/entrypoint.sh /entrypoint.sh
+COPY dev-container/scripts/ /usr/local/bin/
+RUN chmod +x /entrypoint.sh /usr/local/bin/pulp-*
+
+VOLUME ["/workspace"]
+EXPOSE 24817 24816
+
+ENTRYPOINT ["/entrypoint.sh"]