66 lines
2.7 KiB
Docker
66 lines
2.7 KiB
Docker
FROM python:3.11-slim
|
|
|
|
# Set working directory
|
|
WORKDIR /app
|
|
|
|
# Single layer for all system setup to minimize image size
|
|
RUN apt-get update && apt-get install -y --no-install-recommends \
|
|
sqlite3 curl gosu \
|
|
&& rm -rf /var/lib/apt/lists/* \
|
|
&& apt-get clean \
|
|
&& groupadd -g 1000 appuser \
|
|
&& useradd -u 1000 -g appuser -m appuser
|
|
|
|
# Install Python dependencies efficiently
|
|
COPY requirements.txt .
|
|
RUN pip install --no-cache-dir -r requirements.txt \
|
|
&& pip cache purge \
|
|
&& rm -rf ~/.cache/pip
|
|
|
|
# Copy application files in order of change frequency (for better caching)
|
|
COPY VERSION .
|
|
COPY core/ ./core/
|
|
COPY clients/ ./clients/
|
|
COPY nfoguard.py .
|
|
|
|
# Final setup in single layer
|
|
RUN mkdir -p /app/data \
|
|
&& chown -R appuser:appuser /app \
|
|
&& printf '#!/bin/bash\nset -euo pipefail\nPUID=${PUID:-1000}\nPGID=${PGID:-1000}\nif [ "$(id -u)" -eq 0 ]; then\n groupmod -o -g "$PGID" appuser 2>/dev/null || groupadd -o -g "$PGID" appuser\n id appuser &>/dev/null || useradd -o -u "$PUID" -g "$PGID" -m appuser\n usermod -o -u "$PUID" -g "$PGID" appuser 2>/dev/null || true\n chown -R "$PUID:$PGID" /app || true\n exec gosu appuser "$@"\nelse\n exec "$@"\nfi' > /entrypoint.sh \
|
|
&& chmod +x /entrypoint.sh
|
|
|
|
# Health check
|
|
HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 \
|
|
CMD curl -f http://localhost:8080/health || exit 1
|
|
|
|
EXPOSE 8080
|
|
ENTRYPOINT ["/entrypoint.sh"]
|
|
CMD ["python", "nfoguard.py"]
|
|
|
|
# Root-aware entrypoint
|
|
RUN echo '#!/bin/bash' > /entrypoint.sh && \
|
|
echo 'set -euo pipefail' >> /entrypoint.sh && \
|
|
echo '' >> /entrypoint.sh && \
|
|
echo 'PUID=${PUID:-1000}' >> /entrypoint.sh && \
|
|
echo 'PGID=${PGID:-1000}' >> /entrypoint.sh && \
|
|
echo '' >> /entrypoint.sh && \
|
|
echo 'if [ "$(id -u)" -eq 0 ]; then' >> /entrypoint.sh && \
|
|
echo ' # running as root: we can adjust IDs and drop privileges' >> /entrypoint.sh && \
|
|
echo ' groupmod -o -g "$PGID" appuser 2>/dev/null || groupadd -o -g "$PGID" appuser' >> /entrypoint.sh && \
|
|
echo ' id appuser &>/dev/null || useradd -o -u "$PUID" -g "$PGID" -m appuser' >> /entrypoint.sh && \
|
|
echo ' usermod -o -u "$PUID" -g "$PGID" appuser 2>/dev/null || true' >> /entrypoint.sh && \
|
|
echo ' chown -R "$PUID:$PGID" /app || true' >> /entrypoint.sh && \
|
|
echo ' exec gosu appuser "$@"' >> /entrypoint.sh && \
|
|
echo 'else' >> /entrypoint.sh && \
|
|
echo ' # not root (e.g., compose set user: 1000:1000) — just run' >> /entrypoint.sh && \
|
|
echo ' exec "$@"' >> /entrypoint.sh && \
|
|
echo 'fi' >> /entrypoint.sh
|
|
RUN chmod +x /entrypoint.sh
|
|
|
|
HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 \
|
|
CMD curl -f http://localhost:8080/health || exit 1
|
|
|
|
EXPOSE 8080
|
|
ENTRYPOINT ["/entrypoint.sh"]
|
|
CMD ["python", "nfoguard.py"]
|