FROM python:3.11-slim # Set working directory WORKDIR /app # Install system dependencies in a single layer and clean up RUN apt-get update && apt-get install -y --no-install-recommends \ sqlite3 curl gosu \ && rm -rf /var/lib/apt/lists/* \ && apt-get clean # Create user early RUN groupadd -g 1000 appuser && useradd -u 1000 -g appuser -m appuser # Copy and install Python dependencies first (for better caching) COPY requirements.txt . RUN pip install --no-cache-dir -r requirements.txt \ && pip cache purge # Copy application files COPY nfoguard.py . COPY core/ ./core/ COPY clients/ ./clients/ COPY VERSION . # Set permissions RUN mkdir -p /app/data && chown -R appuser:appuser /app # Root-aware entrypoint RUN echo '#!/bin/bash' > /entrypoint.sh && \ echo 'set -euo pipefail' >> /entrypoint.sh && \ echo '' >> /entrypoint.sh && \ echo 'PUID=${PUID:-1000}' >> /entrypoint.sh && \ echo 'PGID=${PGID:-1000}' >> /entrypoint.sh && \ echo '' >> /entrypoint.sh && \ echo 'if [ "$(id -u)" -eq 0 ]; then' >> /entrypoint.sh && \ echo ' # running as root: we can adjust IDs and drop privileges' >> /entrypoint.sh && \ echo ' groupmod -o -g "$PGID" appuser 2>/dev/null || groupadd -o -g "$PGID" appuser' >> /entrypoint.sh && \ echo ' id appuser &>/dev/null || useradd -o -u "$PUID" -g "$PGID" -m appuser' >> /entrypoint.sh && \ echo ' usermod -o -u "$PUID" -g "$PGID" appuser 2>/dev/null || true' >> /entrypoint.sh && \ echo ' chown -R "$PUID:$PGID" /app || true' >> /entrypoint.sh && \ echo ' exec gosu appuser "$@"' >> /entrypoint.sh && \ echo 'else' >> /entrypoint.sh && \ echo ' # not root (e.g., compose set user: 1000:1000) — just run' >> /entrypoint.sh && \ echo ' exec "$@"' >> /entrypoint.sh && \ echo 'fi' >> /entrypoint.sh RUN chmod +x /entrypoint.sh # Health check HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 \ CMD curl -f http://localhost:8080/health || exit 1 EXPOSE 8080 ENTRYPOINT ["/entrypoint.sh"] CMD ["python", "nfoguard.py"] # Root-aware entrypoint RUN echo '#!/bin/bash' > /entrypoint.sh && \ echo 'set -euo pipefail' >> /entrypoint.sh && \ echo '' >> /entrypoint.sh && \ echo 'PUID=${PUID:-1000}' >> /entrypoint.sh && \ echo 'PGID=${PGID:-1000}' >> /entrypoint.sh && \ echo '' >> /entrypoint.sh && \ echo 'if [ "$(id -u)" -eq 0 ]; then' >> /entrypoint.sh && \ echo ' # running as root: we can adjust IDs and drop privileges' >> /entrypoint.sh && \ echo ' groupmod -o -g "$PGID" appuser 2>/dev/null || groupadd -o -g "$PGID" appuser' >> /entrypoint.sh && \ echo ' id appuser &>/dev/null || useradd -o -u "$PUID" -g "$PGID" -m appuser' >> /entrypoint.sh && \ echo ' usermod -o -u "$PUID" -g "$PGID" appuser 2>/dev/null || true' >> /entrypoint.sh && \ echo ' chown -R "$PUID:$PGID" /app || true' >> /entrypoint.sh && \ echo ' exec gosu appuser "$@"' >> /entrypoint.sh && \ echo 'else' >> /entrypoint.sh && \ echo ' # not root (e.g., compose set user: 1000:1000) — just run' >> /entrypoint.sh && \ echo ' exec "$@"' >> /entrypoint.sh && \ echo 'fi' >> /entrypoint.sh RUN chmod +x /entrypoint.sh HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 \ CMD curl -f http://localhost:8080/health || exit 1 EXPOSE 8080 ENTRYPOINT ["/entrypoint.sh"] CMD ["python", "nfoguard.py"]