[CHORE] Testing local setup for EY Apple silicon development

docker-compose.M1.yaml

@@ -4,6 +4,7 @@ include:
 services:
   ####################### Keycloak for Cypress #######################
   keycloak:
+    platform: linux/amd64
     build:
       context: ./cypress/.docker/keycloak
       dockerfile: Dockerfile.test
@@ -22,6 +23,7 @@ services:
 
   ####################### Open Telemetry #######################
   otelcollector:
+    platform: linux/amd64
     image: otel/opentelemetry-collector
     command: [--config=/etc/otel-collector-config.yaml]
     volumes:
@@ -38,6 +40,7 @@ services:
   ####################### Jaeger Tracing #######################
 
   jaeger:
+    platform: linux/amd64
     image: "jaegertracing/all-in-one:latest"
     container_name: mds_jaeger
     environment:
@@ -50,6 +53,7 @@ services:
 
   ####################### Postgres Definition #######################
   postgres:
+    platform: linux/amd64
     restart: always
     container_name: mds_postgres
     user: postgres
@@ -91,6 +95,7 @@ services:
 
   ####################### Flyway Migration Definition #######################
   flyway:
+    platform: linux/amd64
     container_name: mds_flyway
     build:
       context: migrations
@@ -151,6 +156,7 @@ services:
       redis:
         condition: service_healthy
   backend:
+    platform: linux/amd64
     restart: always
     user: 1000:1000
     container_name: mds_backend
@@ -184,6 +190,7 @@ services:
       retries: 5
 
   core_api_celery:
+    platform: linux/amd64
     restart: always
     container_name: core_api_celery
     build:
@@ -234,7 +241,6 @@ services:
       interval: 15s
       timeout: 5s
       retries: 5
-      start_period: 30s
 
   ####################### Minespace Definition #######################
   minespace:
@@ -260,10 +266,13 @@ services:
 
   ####################### NRIS_BACKEND Definition #######################
   nris_backend:
+    platform: linux/amd64
     restart: always
     container_name: nris_python
     build:
       context: services/nris-api/backend
+      args:
+        INSECURE_GIT: "true"
     ports:
       - 5500:5500
     volumes:
@@ -280,11 +289,14 @@ services:
       retries: 5
 
   nris_migrate:
+    platform: linux/amd64
     restart: on-failure
     container_name: nris_migrate
     build:
       dockerfile: Dockerfile.migrate
       context: services/nris-api/backend
+      args:
+        INSECURE_GIT: "true"
     volumes:
       - ./services/nris-api/backend:/app
     depends_on:
@@ -313,6 +325,7 @@ services:
 
   ####################### DOCUMENT_MANAGER_BACKEND Definition #######################
   document_manager_backend:
+    platform: linux/amd64
     restart: always
     container_name: document_manager_backend
     build:
@@ -331,6 +344,7 @@ services:
     env_file: ./services/document-manager/backend/.env
 
   document_manager_celery:
+    platform: linux/amd64
     restart: always
     container_name: document_manager_celery
     build:
@@ -348,6 +362,7 @@ services:
     env_file: ./services/document-manager/backend/.env
 
   document_manager_migrate:
+    platform: linux/amd64
     restart: on-failure
     container_name: document_manager_migrate
     build:

services/core-api/Dockerfile

@@ -3,8 +3,12 @@ FROM python:3.11.14-slim
 WORKDIR /app
 
 # Update installation utility
-RUN apt-get update
-RUN apt-get install build-essential -y
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    build-essential \
+    ca-certificates \
+    git && \
+    update-ca-certificates && \
+    rm -rf /var/lib/apt/lists/*
 
 # Install the requirements
 COPY requirements.txt .

services/document-manager/backend/Dockerfile

@@ -3,8 +3,12 @@ FROM python:3.12.12-bookworm
 # Create working directory
 WORKDIR /app
 
-# Update installation utility
-RUN apt-get update
+# Update installation utility and install SSL/VCS deps
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    ca-certificates \
+    git && \
+    update-ca-certificates && \
+    rm -rf /var/lib/apt/lists/*
 
 # Install the requirements
 COPY requirements.txt .

services/filesystem-provider/Dockerfile

@@ -1,39 +1,39 @@
-FROM mcr.microsoft.com/dotnet/sdk:7.0
-
+# Stage 1: Build
+FROM --platform=$BUILDPLATFORM mcr.microsoft.com/dotnet/sdk:7.0 AS build
+ARG TARGETARCH
+WORKDIR /src
+COPY ej2-amazon-s3-aspcore-file-provider/ .
+RUN dotnet restore -a $TARGETARCH
+RUN dotnet publish -c Release -o /app -a $TARGETARCH --no-restore
+
+# Stage 2: Runtime
+FROM mcr.microsoft.com/dotnet/aspnet:7.0
 USER 0
 
 RUN apt-get update \
-    && apt-get install -y --allow-unauthenticated \
+    && apt-get install -y --no-install-recommends \
     libc6-dev \
     libgdiplus \
     libx11-dev \
     curl \
-    vim \
     supervisor \
-    procps
-
-RUN ln -s /lib/x86_64-linux-gnu/libdl-2.24.so /lib/x86_64-linux-gnu/libdl.so
-    # install System.Drawing native dependencies
-RUN apt-get update && apt-get install -y --allow-unauthenticated libgdiplus libc6-dev libx11-dev
-RUN ln -s libgdiplus.so gdiplus.dll
+    procps \
+    && rm -rf /var/lib/apt/lists/*
 
-COPY ej2-amazon-s3-aspcore-file-provider ${APP_ROOT}/app
+RUN ln -s /lib/x86_64-linux-gnu/libdl.so.2 /lib/x86_64-linux-gnu/libdl.so || true
+RUN ln -s /usr/lib/libgdiplus.so /usr/lib/gdiplus.dll || true
 
-COPY init.sh .
+WORKDIR /app
+COPY --from=build /app .
+COPY init.sh /app/init.sh
+RUN chmod +x /app/init.sh
 
 # Provide user permissions to temp dotnet workspace
-RUN mkdir /.dotnet
-RUN chmod -R 700 /.dotnet
-RUN chown -R 1001:0 /.dotnet
-
+RUN mkdir /.dotnet && chmod -R 770 /.dotnet && chown -R 1001:0 /.dotnet
 ENV DOTNET_CLI_HOME /.dotnet
 ENV XDG_DATA_HOME /.dotnet
 
-RUN cd ${APP_ROOT}/app && dotnet restore && dotnet build
-
-RUN chmod -R 700 ${APP_ROOT}/app
-RUN chown -R 1001:0 ${APP_ROOT}/app
-
+RUN chmod -R 770 /app && chown -R 1001:0 /app
 
 USER 1001
 EXPOSE 62870

services/nris-api/backend/Dockerfile

@@ -1,18 +1,27 @@
-FROM python:3.12.12-bookworm
+FROM python:3.11.14-bookworm
 
 ENV LD_LIBRARY_PATH="/opt/oracle/instantclient:${LD_LIBRARY_PATH}" \
     PATH="/opt/oracle/instantclient:${PATH}" \
     OCI_HOME="/opt/oracle/instantclient" \
     OCI_LIB_DIR="/opt/oracle/instantclient" \
     OCI_INCLUDE_DIR="/opt/oracle/instantclient/sdk/include"
 
-RUN curl -o instantclient-basic-linux.x64-19.8.0.0.0dbru.zip https://download.oracle.com/otn_software/linux/instantclient/19800/instantclient-basic-linux.x64-19.8.0.0.0dbru.zip
-RUN curl -o instantclient-sdk-linux.x64-19.8.0.0.0dbru.zip https://download.oracle.com/otn_software/linux/instantclient/19800/instantclient-sdk-linux.x64-19.8.0.0.0dbru.zip
-RUN curl -o instantclient-sqlplus-linux.x64-19.8.0.0.0dbru.zip https://download.oracle.com/otn_software/linux/instantclient/19800/instantclient-sqlplus-linux.x64-19.8.0.0.0dbru.zip
+# Install tools and CA certificates before downloading Oracle Instant Client
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    build-essential unzip curl libaio1 git ca-certificates && \
+    update-ca-certificates && \
+    git config --system http.sslCAInfo /etc/ssl/certs/ca-certificates.crt && \
+    rm -rf /var/lib/apt/lists/*
+
+ENV SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt
+ENV GIT_SSL_CAPATH=/etc/ssl/certs
 
-RUN apt-get update
-RUN BUILD_PACKAGES="build-essential unzip curl libaio1 git" && \
-    apt-get install -y $BUILD_PACKAGES
+# Download Oracle Instant Client archives (supporting optional insecure mode for corporate proxies)
+ARG INSECURE_GIT=false
+RUN if [ "$INSECURE_GIT" = "true" ]; then CURL_OPTS='-k'; else CURL_OPTS=''; fi && \
+    curl $CURL_OPTS -o instantclient-basic-linux.x64-19.8.0.0.0dbru.zip https://download.oracle.com/otn_software/linux/instantclient/19800/instantclient-basic-linux.x64-19.8.0.0.0dbru.zip && \
+    curl $CURL_OPTS -o instantclient-sdk-linux.x64-19.8.0.0.0dbru.zip https://download.oracle.com/otn_software/linux/instantclient/19800/instantclient-sdk-linux.x64-19.8.0.0.0dbru.zip && \
+    curl $CURL_OPTS -o instantclient-sqlplus-linux.x64-19.8.0.0.0dbru.zip https://download.oracle.com/otn_software/linux/instantclient/19800/instantclient-sqlplus-linux.x64-19.8.0.0.0dbru.zip
 
 RUN mkdir -p opt/oracle && \
     unzip instantclient-basic-linux.x64-19.8.0.0.0dbru.zip -d /opt/oracle && \
@@ -27,8 +36,14 @@ RUN mkdir -p opt/oracle && \
 RUN mkdir /app
 WORKDIR /app
 
+# Optional: allow insecure Git SSL for corporate proxies
+RUN if [ "$INSECURE_GIT" = "true" ]; then git config --system http.sslVerify false; fi
+
 # Install the requirements
 COPY requirements.txt .
+# Constrain build backend dependencies for isolated builds
+RUN echo "setuptools<70" > /tmp/constraints.txt
+ENV PIP_CONSTRAINT=/tmp/constraints.txt
 RUN pip install --no-cache-dir -r requirements.txt
 
 # Oracle config files

services/nris-api/backend/Dockerfile.ci

@@ -1,4 +1,4 @@
-FROM python:3.12.12-bookworm
+FROM python:3.11.14-bookworm
 
 ENV LD_LIBRARY_PATH="/opt/oracle/instantclient:${LD_LIBRARY_PATH}" \
     PATH="/opt/oracle/instantclient:${PATH}" \
@@ -10,9 +10,10 @@ RUN curl -o instantclient-basic-linux.x64-19.8.0.0.0dbru.zip https://download.or
 RUN curl -o instantclient-sdk-linux.x64-19.8.0.0.0dbru.zip https://download.oracle.com/otn_software/linux/instantclient/19800/instantclient-sdk-linux.x64-19.8.0.0.0dbru.zip
 RUN curl -o instantclient-sqlplus-linux.x64-19.8.0.0.0dbru.zip https://download.oracle.com/otn_software/linux/instantclient/19800/instantclient-sqlplus-linux.x64-19.8.0.0.0dbru.zip
 
-RUN apt-get update
-RUN BUILD_PACKAGES="build-essential unzip curl libaio1 git" && \
-    apt-get install -y $BUILD_PACKAGES
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    build-essential unzip curl libaio1 git ca-certificates && \
+    update-ca-certificates && \
+    rm -rf /var/lib/apt/lists/*
 
 RUN mkdir -p opt/oracle && \
     unzip instantclient-basic-linux.x64-19.8.0.0.0dbru.zip -d /opt/oracle && \

services/nris-api/backend/Dockerfile.migrate

@@ -1,11 +1,36 @@
-FROM python:3.12.12-bookworm
+FROM python:3.11.14-bookworm
 
 # Create working directory
 RUN mkdir /app
 WORKDIR /app
 
+# Install system dependencies for SSL and VCS
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    ca-certificates \
+    git \
+    curl && \
+    update-ca-certificates && \
+    git config --system http.sslCAInfo /etc/ssl/certs/ca-certificates.crt && \
+    rm -rf /var/lib/apt/lists/*
+
 # Install the requirements
 COPY requirements.txt .
+# Ensure Git and pip use system CAs
+ENV SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt
+ENV GIT_SSL_CAPATH=/etc/ssl/certs
+RUN pip config set global.cert /etc/ssl/certs/ca-certificates.crt || true
+
+# Optional: allow insecure Git SSL for corporate proxies (off by default)
+ARG INSECURE_GIT=false
+RUN if [ "$INSECURE_GIT" = "true" ]; then git config --system http.sslVerify false; fi
+
+# Ensure packaging tools are present for building some wheels
+RUN pip install --no-cache-dir setuptools==68.2.2 wheel
+
+# Constrain build backend dependencies for isolated builds
+RUN echo "setuptools<70" > /tmp/constraints.txt
+ENV PIP_CONSTRAINT=/tmp/constraints.txt
+
 RUN pip install --no-cache-dir -r requirements.txt
 
 # Run the server

services/permits/docker-compose.yaml

@@ -1,12 +1,14 @@
 services:
 
   nlm-ingestor:
+    platform: linux/amd64
     container_name: nlm_ingestor
     image: ghcr.io/nlmatics/nlm-ingestor:latest
     ports:
       - 5010:5001
 
   haystack:
+    platform: linux/amd64
     container_name: haystack
     build:
       context: './'
@@ -32,6 +34,7 @@ services:
       redis:
         condition: service_healthy
   haystack_celery:
+    platform: linux/amd64
     container_name: haystack_celery
     build:
       context: './'
@@ -65,9 +68,10 @@ services:
       redis:
         condition: service_started
   create_certs:
+    platform: linux/amd64
     tty: true
     container_name: create_certs
-    image: docker.elastic.co/elasticsearch/elasticsearch:8.12.1
+    image: elasticsearch:8.12.1
     command: >
       bash -c '
       ### 1. Create CA and certificates for elasticsearch.
@@ -113,7 +117,8 @@ services:
       retries: 120
 
   elasticsearch:
-    image: "docker.elastic.co/elasticsearch/elasticsearch:8.12.1"
+    platform: linux/amd64
+    image: "elasticsearch:8.12.1"
     container_name: elasticsearch
     ports:
       - 9200:9200
@@ -154,7 +159,8 @@ services:
       create_certs:
         condition: service_healthy
   kibana:
-    image: "docker.elastic.co/kibana/kibana:8.12.1"
+    platform: linux/amd64
+    image: "kibana:8.12.1"
     ports:
       - 5601:5601
     depends_on: