Rework Dockerfile to create smaller container and run as non-root by default

This changes the created image size from ~1.3G -> ~0.5G and runs code as non-root uid in container
2025-04-15 14:54:06 +00:00 · 2025-04-05 14:50:00 +03:00 · 2025-04-05 14:50:00 +03:00 · fe0aebb4a6
commit fe0aebb4a6
parent 4c764cd543
1 changed files with 23 additions and 6 deletions
--- a/29
+++ b/29
@ -1,12 +1,29 @@
-FROM python:3.11
+FROM python:3.11 AS build-image

-ENV PYTHONUNBUFFERED 1

-RUN mkdir /app /app/static /app/images
-
-WORKDIR /app

 RUN apt-get update && apt-get install -y gettext libgettextpo-dev tidy && apt-get clean

+WORKDIR /app
+
 COPY requirements.txt /app/
-RUN pip install -r requirements.txt --no-cache-dir
+RUN python -mvenv /venv
+ENV PATH=/venv/bin:$PATH
+RUN pip install --compile -r requirements.txt --no-cache-dir
+
+
+FROM python:3.11-slim
+
+RUN apt-get update && apt-get install -y gettext libpq5 tidy && apt-get clean
+
+RUN mkdir -p /app/images /app/static
+
+
+
+RUN addgroup --system app && adduser --system --group bookwyrm
+RUN mkdir -p /app/static /app/images && chown bookwyrm:bookwyrm /app/static /app/images
+WORKDIR /app
+USER bookwyrm
+COPY --from=build-image /venv /venv
+ENV PYTHONUNBUFFERED=1
+ENV PATH=/venv/bin:$PATH