Non-root users cannot bind to privileged ports (<1024) without ambient capabilities, which Docker does not set by default. Switch uvicorn, healthcheck, and docker-compose port mapping from 80 to 8080. Also combine the two RUN instructions for user/directory setup into one layer. Addresses review feedback on #122. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
# Use official Python slim image
FROM python:3.12-slim
# Build-time version arg — passed by CI from the git tag
ARG BUILD_VERSION=dev
LABEL org.opencontainers.image.version=$BUILD_VERSION
# Set Python optimizations
ENV PYTHONUNBUFFERED=1
ENV PYTHONDONTWRITEBYTECODE=1
ENV PIP_NO_CACHE_DIR=1
# Bake the CalVer version into the image so it's readable at runtime
ENV APP_VERSION=$BUILD_VERSION
WORKDIR /usr/src/app
# Install system dependencies (PostgreSQL client libraries)
RUN apt-get update && apt-get install -y --no-install-recommends \
curl \
&& rm -rf /var/lib/apt/lists/*
# Copy and install Python dependencies
COPY requirements.txt ./
RUN pip install --no-cache-dir --upgrade pip && \
pip install --no-cache-dir -r requirements.txt
# Copy application code
COPY ./app /usr/src/app/app
# Create non-root user and set up directories for volumes
RUN addgroup --system appuser && \
adduser --system --ingroup appuser appuser && \
mkdir -p /usr/src/app/storage /usr/src/app/logs && \
chown -R appuser:appuser /usr/src/app
USER appuser
# Health check
HEALTHCHECK --interval=30s --timeout=10s --start-period=10s --retries=3 \
CMD curl -f http://localhost:8080/health || exit 1
# Start uvicorn
ENV WEB_WORKERS=2
CMD ["sh", "-c", "exec uvicorn app.main:app --host 0.0.0.0 --port 8080 --workers $WEB_WORKERS"] |
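Review bot: The move to port 8080 in the uvicorn `CMD` and the `HEALTHCHECK` is not declared anywhere in the image itself, so operators and tooling have no port contract to read; add `EXPOSE 8080` in the `# Start uvicorn` section before the final `CMD`. The comment `# Install system dependencies (PostgreSQL client libraries)` above the apt-get step no longer matches the instruction, which installs only `curl` (presumably kept for the healthcheck probe); reword it to `# Install curl, used by the HEALTHCHECK probe`. In the merged user-setup `RUN`, `chown -R appuser:appuser /usr/src/app` rewrites every file copied by the preceding `COPY ./app` layer, which duplicates that content in the image; creating the user before the copy and using `COPY --chown=appuser:appuser ./app /usr/src/app/app`, with the `chown` limited to the `storage` and `logs` directories, keeps the layer small and grants write access only where the volumes need it.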