smaller image
This commit is contained in:
+15
-33
@@ -3,49 +3,31 @@ FROM python:3.11-slim
|
||||
# Set working directory
|
||||
WORKDIR /app
|
||||
|
||||
# Install system dependencies in a single layer and clean up
|
||||
# Single layer for all system setup to minimize image size
|
||||
RUN apt-get update && apt-get install -y --no-install-recommends \
|
||||
sqlite3 curl gosu \
|
||||
&& rm -rf /var/lib/apt/lists/* \
|
||||
&& apt-get clean
|
||||
&& apt-get clean \
|
||||
&& groupadd -g 1000 appuser \
|
||||
&& useradd -u 1000 -g appuser -m appuser
|
||||
|
||||
# Create user early
|
||||
RUN groupadd -g 1000 appuser && useradd -u 1000 -g appuser -m appuser
|
||||
|
||||
# Copy and install Python dependencies first (for better caching)
|
||||
# Install Python dependencies efficiently
|
||||
COPY requirements.txt .
|
||||
RUN pip install --no-cache-dir -r requirements.txt \
|
||||
&& pip cache purge
|
||||
&& pip cache purge \
|
||||
&& rm -rf ~/.cache/pip
|
||||
|
||||
# Copy application files
|
||||
COPY nfoguard.py .
|
||||
# Copy application files in order of change frequency (for better caching)
|
||||
COPY VERSION .
|
||||
COPY core/ ./core/
|
||||
COPY clients/ ./clients/
|
||||
COPY VERSION .
|
||||
COPY nfoguard.py .
|
||||
|
||||
# Set permissions
|
||||
RUN mkdir -p /app/data && chown -R appuser:appuser /app
|
||||
|
||||
# Root-aware entrypoint
|
||||
RUN echo '#!/bin/bash' > /entrypoint.sh && \
|
||||
echo 'set -euo pipefail' >> /entrypoint.sh && \
|
||||
echo '' >> /entrypoint.sh && \
|
||||
echo 'PUID=${PUID:-1000}' >> /entrypoint.sh && \
|
||||
echo 'PGID=${PGID:-1000}' >> /entrypoint.sh && \
|
||||
echo '' >> /entrypoint.sh && \
|
||||
echo 'if [ "$(id -u)" -eq 0 ]; then' >> /entrypoint.sh && \
|
||||
echo ' # running as root: we can adjust IDs and drop privileges' >> /entrypoint.sh && \
|
||||
echo ' groupmod -o -g "$PGID" appuser 2>/dev/null || groupadd -o -g "$PGID" appuser' >> /entrypoint.sh && \
|
||||
echo ' id appuser &>/dev/null || useradd -o -u "$PUID" -g "$PGID" -m appuser' >> /entrypoint.sh && \
|
||||
echo ' usermod -o -u "$PUID" -g "$PGID" appuser 2>/dev/null || true' >> /entrypoint.sh && \
|
||||
echo ' chown -R "$PUID:$PGID" /app || true' >> /entrypoint.sh && \
|
||||
echo ' exec gosu appuser "$@"' >> /entrypoint.sh && \
|
||||
echo 'else' >> /entrypoint.sh && \
|
||||
echo ' # not root (e.g., compose set user: 1000:1000) — just run' >> /entrypoint.sh && \
|
||||
echo ' exec "$@"' >> /entrypoint.sh && \
|
||||
echo 'fi' >> /entrypoint.sh
|
||||
|
||||
RUN chmod +x /entrypoint.sh
|
||||
# Final setup in single layer
|
||||
RUN mkdir -p /app/data \
|
||||
&& chown -R appuser:appuser /app \
|
||||
&& printf '#!/bin/bash\nset -euo pipefail\nPUID=${PUID:-1000}\nPGID=${PGID:-1000}\nif [ "$(id -u)" -eq 0 ]; then\n groupmod -o -g "$PGID" appuser 2>/dev/null || groupadd -o -g "$PGID" appuser\n id appuser &>/dev/null || useradd -o -u "$PUID" -g "$PGID" -m appuser\n usermod -o -u "$PUID" -g "$PGID" appuser 2>/dev/null || true\n chown -R "$PUID:$PGID" /app || true\n exec gosu appuser "$@"\nelse\n exec "$@"\nfi' > /entrypoint.sh \
|
||||
&& chmod +x /entrypoint.sh
|
||||
|
||||
# Health check
|
||||
HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 \
|
||||
|
||||
Reference in New Issue
Block a user