-
Notifications
You must be signed in to change notification settings - Fork 18
/
Dockerfile
80 lines (63 loc) · 2.34 KB
/
Dockerfile
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
# `python-base` sets up all our shared environment variables
FROM python:3.10.14-slim-bookworm as python-base
# python
ENV PYTHONUNBUFFERED=1 \
# prevents python creating .pyc files
PYTHONDONTWRITEBYTECODE=1 \
\
# pip
PIP_NO_CACHE_DIR=off \
PIP_DISABLE_PIP_VERSION_CHECK=on \
PIP_DEFAULT_TIMEOUT=100 \
\
# poetry
# https://python-poetry.org/docs/configuration/#using-environment-variables
POETRY_VERSION=1.8.3 \
# make poetry install to this location
POETRY_HOME="/opt/poetry" \
# make poetry create the virtual environment in the project's root
# it gets named `.venv`
POETRY_VIRTUALENVS_IN_PROJECT=true \
# do not ask any interactive question
POETRY_NO_INTERACTION=1 \
\
# paths
# this is where our requirements + virtual environment will live
PYSETUP_PATH="/opt/pysetup" \
VENV_PATH="/opt/pysetup/.venv"
# prepend poetry and venv to path
ENV PATH="$POETRY_HOME/bin:$VENV_PATH/bin:/root/.cargo/bin:$PATH"
# `builder-base` stage is used to build deps + create our virtual environment
FROM python-base as builder-base
RUN apt-get update
RUN apt-get upgrade -y; apt-get install --no-install-recommends -y build-essential curl libpq-dev postgresql-client && \
rm -rf /var/lib/apt/lists/*
RUN curl https://sh.rustup.rs -sSf | \
sh -s -- --default-toolchain stable -y
# install poetry - respects $POETRY_VERSION & $POETRY_HOME
RUN curl -sSL https://install.python-poetry.org | python -
# copy project requirement files here to ensure they will be cached.
WORKDIR $PYSETUP_PATH
COPY poetry.lock pyproject.toml ./
# install runtime deps - uses $POETRY_VIRTUALENVS_IN_PROJECT internally
RUN poetry install --only main
# `production` image used for runtime
FROM python-base as production
# Update all packages and add home folder for nobody user
RUN apt-get update && apt-get upgrade -y; \
rm -rf /var/lib/apt/lists/* && \
mkdir -p /nonexistent && chown -R 65534:65534 /nonexistent
# Remove vulnerable setuptools version (CVE-2024-6345)
RUN pip3 uninstall setuptools -y
USER nobody
# Copy dependencies from build container
WORKDIR /app
COPY --from=builder-base $PYSETUP_PATH $PYSETUP_PATH
COPY --from=builder-base /usr/lib/ /usr/lib/
# Copy source code
COPY . ./
# set env
ENV PYTHONPATH="${PYTHONPATH}:/app"
# Start application
ENTRYPOINT ["python"]
CMD ["src/main.py"]