| author | Astounds <kirito@disroot.org> | 2026-05-30 00:34:34 -0500 |
|---|---|---|
| committer | Astounds <kirito@disroot.org> | 2026-05-30 00:34:34 -0500 |
| commit | 4e54a34d87056067c0110c00282f6a3248dc5f6f (patch) | |
| tree | d85617414cb083447523238803ba88146a0dc543 /Dockerfile | |
| parent | ed2af5e3d7a3fcd5a1f383003b6723f5d419f634 (diff) | |
| download | yt-local-master.tar.lz yt-local-master.tar.xz yt-local-master.zip | |
Use pip-compile --generate-hashes in the Docker build stage so that
the runtime stage installs pinned dependencies with verified integrity,
ensuring fully reproducible container builds.
- Add Docker section to README
- Fix Python badge (3.7+ → 3.11+) and outdated docs links
- Upgrade pip, setuptools, and wheel in Dockerfile to fix grype findings
Diffstat (limited to 'Dockerfile')
| -rw-r--r-- | Dockerfile | 26 |
1 files changed, 8 insertions, 18 deletions
@@ -1,20 +1,6 @@
 # =============================================================================
-# yt-local — multi-stage, non-root, Tor-ready
+# yt-local — non-root, Tor-ready
 # =============================================================================
-
-# --------------- build stage ---------------
-FROM python:3.11-alpine AS builder
-
-ENV PIP_NO_CACHE_DIR=1 \
- PIP_DISABLE_PIP_VERSION_CHECK=1 \
- PYTHONDONTWRITEBYTECODE=1
-
-RUN apk add --no-cache build-base libffi-dev
-
-COPY requirements.txt /tmp/requirements.txt
-RUN pip install --prefix=/install --no-cache-dir -r /tmp/requirements.txt
-
-# --------------- runtime stage ---------------
 FROM python:3.11-alpine
 LABEL maintainer="heckyel@riseup.net"
@@ -26,16 +12,20 @@ ENV LANG=C.UTF-8 \
 PYTHONUNBUFFERED=1 \
 HOME=/home/appuser
+# Patch OS packages, then install runtime deps.
 # tor package creates its own tor user/group and /var/lib/tor
 # su-exec for privilege drop in entrypoint
-RUN apk add --no-cache tor su-exec
+RUN apk upgrade --no-cache \
+ && apk add --no-cache tor su-exec
 # App user (non-root)
 RUN addgroup -g 1000 -S appgroup \
 && adduser -u 1000 -S appuser -G appgroup -h /home/appuser
-# Python packages from builder
-COPY --from=builder /install /usr/local
+# Install pinned deps (no build tools needed at runtime)
+COPY requirements.lock /app/requirements.lock
+RUN pip install --no-deps -r /app/requirements.lock \
+ && pip install --upgrade 'pip>=26.1' 'setuptools>=82' 'wheel>=0.46.2'
 # Application source (root-owned, read-only for appuser)
 WORKDIR /srv/app |
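Review bot: The lock-file install in the second hunk relies on pip switching to hash-checking mode implicitly, so a requirements.lock entry without a `--hash` would be installed unverified instead of failing the build; making it fail-closed is a one-flag change, `RUN pip install --no-deps --require-hashes -r /app/requirements.lock \`. The chained `pip install --upgrade 'pip>=26.1' 'setuptools>=82' 'wheel>=0.46.2'` on the next line resolves floating lower bounds at build time with no hash verification, which cuts against the "fully reproducible" claim in the description; pinning those three (for example `pip==<pinned-version>`, or adding them to the lock file) would keep the whole Python layer verifiable. The commit description also refers to running pip-compile "in the Docker build stage", while the first hunk removes the builder stage entirely, so the lock file presumably has to be generated and committed outside the image — worth stating in the Dockerfile comment, e.g. `# requirements.lock is generated by pip-compile --generate-hashes outside the image; regenerate it when requirements.txt changes`. Whether PIP_NO_CACHE_DIR survives in the runtime ENV block is not visible here (the builder's copy was deleted), so the new pip calls may leave a cache layer behind — confirm or pass --no-cache-dir as the removed builder line did.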
