1- ARG ALPINE_IMG_TAG=3.17
1+ ARG DEBIAN_IMG_TAG=slim-bookworm
22ARG PYTHON_IMG_TAG=3.10
33
4- FROM docker.io/python:${PYTHON_IMG_TAG}-alpine${ALPINE_IMG_TAG } as base
4+ FROM docker.io/python:${PYTHON_IMG_TAG}-${DEBIAN_IMG_TAG } as base
55ARG APP_VERSION=0.1.0
6- ARG DOCKERFILE_VERSION=0.4 .0
6+ ARG DOCKERFILE_VERSION=0.5 .0
77ARG ALPINE_IMG_TAG
88ARG PYTHON_IMG_TAG
991010LABEL org.hotosm.tasks.app-version="${APP_VERSION}" \
11- org.hotosm.tasks.alpine -img-tag="${ALPINE_IMG_TAG }" \
11+ org.hotosm.tasks.debian -img-tag="${DEBIAN_IMG_TAG }" \
1212 org.hotosm.tasks.python-img-tag="${PYTHON_IMG_TAG}" \
1313 org.hotosm.tasks.dockerfile-version="${DOCKERFILE_VERSION}" \
1414 org.hotosm.tasks.maintainer="${MAINTAINER}" \
1515 org.hotosm.tasks.api-port="5000"
1616# Fix timezone (do not change - see issue #3638)
1717ENV TZ UTC
18+ # Add non-root user, permissions, init log dir
19+ RUN useradd --uid 9000 --create-home --home /home/appuser --shell /bin/false appuser
20+
1821
1922
2023
2124FROM base as extract-deps
25+ RUN pip install --no-cache-dir --upgrade pip
2226WORKDIR /opt/python
2327COPY pyproject.toml pdm.lock README.md /opt/python/
24- RUN pip install --no-cache-dir --upgrade pip \
25- && pip install --no-cache-dir pdm==2.5.3
28+ RUN pip install --no-cache-dir pdm==2.7.4
2629RUN pdm export --prod --without-hashes > requirements.txt
2730
2831
2932
3033FROM base as build
34+ RUN pip install --no-cache-dir --upgrade pip
3135WORKDIR /opt/python
3236# Setup backend build-time dependencies
33- RUN apk update && \
34- apk add \
35- postgresql-dev \
36- gcc \
37- g++ \
37+ RUN apt-get update
38+ RUN apt-get install -y build-essential
39+ RUN apt-get install -y \
40+ postgresql-server-dev-15 \
3841 python3-dev \
39- musl-dev \
4042 libffi-dev \
41- geos-dev \
42- proj-util \
43- proj-dev \
44- make
43+ libgeos-dev
4544# Setup backend Python dependencies
46- COPY --from=extract-deps \
45+ COPY --chown=appuser:appuser -- from=extract-deps \
4746 /opt/python/requirements.txt /opt/python/
47+ USER appuser:appuser
4848RUN pip install --user --no-warn-script-location \
4949 --no-cache-dir -r /opt/python/requirements.txt
5050
@@ -61,27 +61,25 @@ ENV PYTHONDONTWRITEBYTECODE=1 \
6161 SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt \
6262 REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt
6363# Setup backend runtime dependencies
64- RUN apk update && \
65- apk add --no-cache \
66- postgresql-libs geos proj-util
67- COPY --from=build \
68- /root/.local \
64+ RUN apt-get update && \
65+ apt-get install --no-install-recommends -y \
66+ postgresql-client libgeos3.11.1 proj-bin && \
67+ apt-get clean && rm -rf /var/lib/apt/lists/*
68+ COPY --chown=appuser:appuser --from=build \
69+ /home/appuser/.local \
6970 /home/appuser/.local
71+ USER appuser:appuser
7072COPY backend backend/
7173COPY migrations migrations/
7274COPY scripts/world scripts/world/
7375COPY scripts/database scripts/database/
7476COPY manage.py .
75- # Add non-root user, permissions, init log dir
76- RUN adduser -D -u 900 -h /home/appuser -s /bin/false appuser \
77- && chown -R appuser:appuser /usr/src /home/appuser
7877
7978
8079
8180FROM runtime as debug
82- RUN pip install --no-warn-script-location \
81+ RUN pip install --user -- no-warn-script-location \
8382 --no-cache-dir debugpy==1.6.7
84- USER appuser
8583CMD ["python" , "-m" , "debugpy" , "--wait-for-client" , "--listen" , "0.0.0.0:5678" , \
8684 "-m" , "gunicorn" , "-c" , "python:backend.gunicorn" , "manage:application" , \
8785 "--reload" , "--log-level" , "error" ]
@@ -90,7 +88,9 @@ CMD ["python", "-m", "debugpy", "--wait-for-client", "--listen", "0.0.0.0:5678",
9088
9189FROM runtime as prod
9290# Pre-compile packages to .pyc (init speed gains)
91+ USER root
9392RUN python -c "import compileall; compileall.compile_path(maxlevels=10, quiet=1)"
94- USER appuser
93+ USER appuser:appuser
94+ RUN python -m compileall .
9595CMD ["gunicorn" , "-c" , "python:backend.gunicorn" , "manage:application" , \
9696 "--workers" , "1" , "--log-level" , "error" ]
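Review bot: In the build stage, `RUN apt-get update` now sits in its own layer ahead of two separate `RUN apt-get install` lines, so a cached index layer can be reused after it has gone stale, and the installs then resolve against outdated package lists or fail on versions that have been removed. Fold the three into a single `RUN` that updates, installs and clears `/var/lib/apt/lists/*` together, as the runtime stage in this same commit already does; a sketch follows. In the same hunk the base stage still declares `ARG ALPINE_IMG_TAG` while the label now reads `${DEBIAN_IMG_TAG}`, which is only declared before `FROM`, so the Debian image-tag label will probably come out empty unless the stage adds `ARG DEBIAN_IMG_TAG`.

```dockerfile
# … unchanged: FROM base as build, pip upgrade, WORKDIR /opt/python …
# Setup backend build-time dependencies
RUN apt-get update && \
    apt-get install -y --no-install-recommends \
        build-essential \
        libffi-dev \
        libgeos-dev \
        postgresql-server-dev-15 \
        python3-dev && \
    rm -rf /var/lib/apt/lists/*
# … unchanged: COPY requirements.txt from extract-deps, USER appuser, pip install --user …
```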