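# syntax = docker/dockerfile:1.4

# Best practice: Choose a stable base image and tag.
#
# The Python minor version is a build arg so the same Dockerfile can be built
# against a newer interpreter without editing it; the default keeps the
# previously hard-coded tag. An ARG declared before FROM is visible only to
# FROM lines. For fully reproducible builds, append the registry digest to
# the tag (e.g. python:3.10-slim-bookworm@sha256:<digest-from-registry>).
ARG PYTHON_VERSION=3.10
FROM python:${PYTHON_VERSION}-slim-bookworm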
# Install security updates, and some useful packages.
#
# Best practices:
# * Make sure apt-get doesn't run in interactive mode. The export lives inside
#   this one RUN shell, so DEBIAN_FRONTEND is not baked into the image env.
# * Update system packages.
# * Pre-install some useful tools.
# * Minimize system package installation.
#
# Heredoc form (available with the dockerfile:1.4 frontend declared above);
# `set -e` gives the same stop-on-first-failure behaviour as an && chain.
# Note: package versions are not pinned and `upgrade` installs whatever the
# mirror serves at build time, so two builds of this file can differ; the
# base-image tag above is the reproducibility anchor. procps and net-tools
# are diagnostic tools and enlarge the runtime image's footprint.
RUN <<EOF
set -e
export DEBIAN_FRONTEND=noninteractive
apt-get update
apt-get -y upgrade
apt-get install -y --no-install-recommends net-tools procps tini
apt-get -y clean
rm -rf /var/lib/apt/lists/*
EOF
# Install dependencies.
#
# Best practices:
# * `COPY` in files only when needed.
# * Reduce disk usage from `pip` installs.
#
# No WORKDIR has been set at this point, so the destination is written out
# explicitly: the requirements file lives at /requirements.txt in the image
# and stays there. pip runs as root here (before USER below), so packages go
# into the system site-packages. If requirements.txt carries hashes,
# `--require-hashes` would make pip verify them — check the file first.
COPY requirements.txt /requirements.txt
RUN pip install --no-cache-dir -r /requirements.txt
# Create a new user to run as.
#
# Best practices: Don't run as root.
#
# useradd allocates the next free uid/gid (no --uid is given), so the numeric
# id is not fixed across builds; pass --uid if the runtime needs to verify a
# known id (e.g. a runAsNonRoot policy). Every instruction after USER runs as
# appuser, so nothing below this point can install system packages.
RUN useradd -m appuser
USER appuser
WORKDIR /home/appuser
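# Copy in the code.
#
# Best practices: Avoid extra chowns.
#
# Ownership is set at copy time instead of with a follow-up `RUN chown`, which
# would duplicate the whole layer. Both user and group are named explicitly:
# with only `--chown=appuser`, the gid is taken to be the same number as the
# uid rather than looked up in the group database, which is only correct
# while the two happen to coincide.
# This copies the entire build context; keep a .dockerignore so .git, .env
# files, caches and editor files do not end up in the image.
COPY --chown=appuser:appuser . .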
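# Best practices: Prepare for C crashes.
#
# * PYTHONFAULTHANDLER=1 makes the interpreter print a Python traceback on a
#   fatal signal (SIGSEGV, SIGFPE, SIGABRT, ...) instead of dying silently.
# * PYTHONUNBUFFERED: Python only checks that the variable is non-empty, so
#   the previous value "0" already switched unbuffered stdout/stderr on while
#   reading as if it switched it off. "1" is the conventional spelling of the
#   same setting: log lines reach the container log immediately, including
#   those written just before a crash.
ENV PYTHONFAULTHANDLER=1 \
    PYTHONUNBUFFERED=1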
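# Record which commit the image was built from.
#
# COMMIT_SHA is declared as late as possible: its value changes on every
# build, and an ARG invalidates the build cache of every instruction after
# it. Pass it with `--build-arg COMMIT_SHA=...`; when omitted, the labels are
# set to an empty string. ARG values show up in `docker history`, which is
# fine for a commit id but means this mechanism must never carry secrets.
# The standard OCI `revision` annotation is set alongside the project-specific
# label so generic tooling can read the same value.
ARG COMMIT_SHA
LABEL io.runcible.repo-sha="${COMMIT_SHA}" \
      org.opencontainers.image.revision="${COMMIT_SHA}"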
# Run the code when the image is run:
#
# Best practices:
# * Add an `init` process.
# * Make sure images shut down correctly (via ENTRYPOINT [] syntax).
# * '-g' option means killing the container kills all processes, not just the
#   entrypoint shell.
#
# tini comes from the apt install above and becomes PID 1; exec form means no
# `sh -c` sits between the container runtime and tini, so SIGTERM from
# `docker stop` reaches it directly. The script path is written out in full
# (WORKDIR is /home/appuser, where the code was copied). entrypoint.sh must
# be executable in the build context; presumably it launches the real
# service, in which case it should end with `exec "$@"` — verify against the
# script.
ENTRYPOINT ["tini", "-g", "--", "/home/appuser/entrypoint.sh"]