Diffstat (limited to 'Dockerfile')
-rw-r--r--Dockerfile26
1 files changed, 8 insertions, 18 deletions
diff --git a/Dockerfile b/Dockerfile
index cfee5bc..76d036c 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,20 +1,6 @@
# =============================================================================
-# yt-local — multi-stage, non-root, Tor-ready
+# yt-local — non-root, Tor-ready
# =============================================================================
-
-# --------------- build stage ---------------
-FROM python:3.11-alpine AS builder
-
-ENV PIP_NO_CACHE_DIR=1 \
- PIP_DISABLE_PIP_VERSION_CHECK=1 \
- PYTHONDONTWRITEBYTECODE=1
-
-RUN apk add --no-cache build-base libffi-dev
-
-COPY requirements.txt /tmp/requirements.txt
-RUN pip install --prefix=/install --no-cache-dir -r /tmp/requirements.txt
-
-# --------------- runtime stage ---------------
FROM python:3.11-alpine
LABEL maintainer="heckyel@riseup.net"
@@ -26,16 +12,20 @@ ENV LANG=C.UTF-8 \
PYTHONUNBUFFERED=1 \
HOME=/home/appuser
+# Patch OS packages, then install runtime deps.
# tor package creates its own tor user/group and /var/lib/tor
# su-exec for privilege drop in entrypoint
-RUN apk add --no-cache tor su-exec
+RUN apk upgrade --no-cache \
+ && apk add --no-cache tor su-exec
# App user (non-root)
RUN addgroup -g 1000 -S appgroup \
&& adduser -u 1000 -S appuser -G appgroup -h /home/appuser
-# Python packages from builder
-COPY --from=builder /install /usr/local
+# Install pinned deps (no build tools needed at runtime)
+COPY requirements.lock /app/requirements.lock
+RUN pip install --no-deps -r /app/requirements.lock \
+ && pip install --upgrade 'pip>=26.1' 'setuptools>=82' 'wheel>=0.46.2'
# Application source (root-owned, read-only for appuser)
WORKDIR /srv/app
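Review bot: Both pip calls on the new `RUN` line drop `--no-cache-dir` (and the `PIP_NO_CACHE_DIR=1` env that lived only in the removed builder stage), so pip's download cache is now baked into the runtime layer; `RUN pip install --no-cache-dir --no-deps -r /app/requirements.lock && pip install --no-cache-dir --upgrade 'pip>=26.1' 'setuptools>=82' 'wheel>=0.46.2'` avoids that. The tooling upgrade uses open-ended `>=` constraints, so two builds of this Dockerfile can produce different images even though the comment above says "pinned deps"; pin them with `==` (or carry them in the lockfile) and, if `requirements.lock` contains `--hash` entries, add `--require-hashes` so a substituted wheel from the index is rejected rather than installed. The upgrade also runs after the app dependencies are installed, meaning the pre-upgrade pip/setuptools did the install; putting the tooling upgrade first is cheap and lets the presumably security-motivated bump cover the install step too. Separately, `apk upgrade --no-cache` on the floating `python:3.11-alpine` tag is another source of build-to-build drift; if reproducibility matters, pinning the base by digest is the more controllable way to pick up OS patches.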