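# syntax=docker/dockerfile:1.4

# Base image.
#
# Best practice: choose a stable base image and an explicit tag (never
# `latest`). For fully reproducible production builds also pin the digest
# (`FROM python:3.11-slim-bookworm@sha256:<digest>`) and bump it deliberately
# to pick up new upstream releases.
FROM python:3.11-slim-bookworm

# Install security updates and a few small runtime tools.
#
# Best practices:
# * Keep apt-get non-interactive for this step only: an inline `export`, not an
#   `ENV`, so DEBIAN_FRONTEND does not leak into the runtime environment.
# * `apt-get update` and `install` live in the same layer so the package index
#   can never be stale relative to the install.
# * `apt-get upgrade` pulls in security fixes published after the base image was
#   built. hadolint (DL3005) prefers bumping the base tag/digest instead; either
#   way the image only stays patched if it is rebuilt regularly.
# * `--no-install-recommends` plus cleaning the apt lists in the same layer keep
#   the image small. `procps` and `net-tools` are debugging aids; drop them if
#   the production image should carry only what the app needs.
RUN export DEBIAN_FRONTEND=noninteractive && \
    apt-get update && \
    apt-get -y upgrade && \
    apt-get install -y --no-install-recommends \
        net-tools \
        procps \
        tini && \
    apt-get -y clean && \
    rm -rf /var/lib/apt/lists/*

# Install Python dependencies before the application code is copied in, so this
# layer stays cached until requirements.txt itself changes.
#
# Best practices:
# * `COPY` in files only when needed. WORKDIR is not set yet, so the file lands
#   at /requirements.txt and is installed system-wide as root.
# * `--no-cache-dir` keeps pip's download cache out of the layer.
# * NOTE(review): requirements.txt should pin exact versions, ideally with
#   hashes (`pip install --require-hashes`), so builds are reproducible and a
#   compromised or replaced upstream release cannot change what ends up in the
#   image. Whether the file is pinned cannot be seen from this Dockerfile.
COPY requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt

# Create an unprivileged user to run as.
#
# Best practice: don't run as root. `useradd` without `--uid` takes the next
# free UID (normally 1000 on Debian); if the runtime enforces `runAsNonRoot`
# against a fixed UID, add explicit `--uid`/`--gid` values here. Everything
# below this point runs as appuser, so nothing further may require root.
RUN useradd --create-home appuser
USER appuser
WORKDIR /home/appuser

# Copy in the application code.
#
# Best practices:
# * `--chown` at copy time avoids a second, duplicated layer from `RUN chown`.
#   The group is named explicitly instead of relying on the "same numeric id as
#   the user" default.
# * Keep a .dockerignore next to this file: `COPY . .` otherwise pulls in
#   `.git`, local `.env` files, virtualenvs and editor state.
# * NOTE(review): the code is owned by the user the app runs as, so a
#   compromised process can rewrite its own source. If entrypoint.sh does not
#   need to write into this directory, copying as root (no `--chown`) and
#   leaving the tree world-readable is the tighter option.
COPY --chown=appuser:appuser . .

# Runtime environment.
#
# Best practices:
# * PYTHONFAULTHANDLER=1 makes Python dump a traceback on segfaults and other
#   fatal signals from C extensions instead of dying silently.
# * PYTHONUNBUFFERED turns off stdout/stderr buffering so log lines are not
#   lost when the container is killed. Python treats ANY non-empty value as
#   "on" -- `0` would enable it too -- so `1` is used to say what it means.
ENV PYTHONFAULTHANDLER=1 \
    PYTHONUNBUFFERED=1

# Record the source revision in the image metadata.
#
# Best practice: declare build args that change on every build as late as
# possible so they do not invalidate the cached layers above.
ARG COMMIT_SHA
LABEL io.runcible.repo-sha="${COMMIT_SHA}"

# Run the code when the image is run.
#
# Best practices:
# * Run under an init (`tini`) so zombies are reaped and signals are forwarded.
# * Use the exec (JSON array) form so `docker stop` reaches tini directly rather
#   than an intermediate `/bin/sh -c`.
# * `-g` makes tini signal the whole process group, so killing the container
#   also kills children spawned by the entrypoint shell, not just the shell.
# * entrypoint.sh must be executable in the build context (COPY preserves the
#   mode) and should `exec` the real program as its last step so that program,
#   not the shell, receives the forwarded signals.
ENTRYPOINT ["tini", "-g", "--", "./entrypoint.sh"]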