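# Base image: Debian-based slim Python 3.9.
# NOTE(review): this tag is mutable. For reproducible builds, pin it by digest
# (python:3.9-slim@sha256:<digest-placeholder>) and bump the digest deliberately.
FROM python:3.9-slim

# Maintainer of the Dockerfile
LABEL maintainer="Mairror Team"

# Build-time inputs: name and numeric UID/GID of the unprivileged runtime user.
ARG NON_ROOT_USER=nroot
ARG ID=1000

# Hadolint DL4006: run every RUN under bash with pipefail so a failing command
# on the left side of a pipe fails the build instead of being masked.
SHELL ["/bin/bash", "-o", "pipefail", "-c"]

# Switch to root for the administrative steps below. Root is dropped again
# before the application files are copied (see USER further down).
# hadolint ignore=DL3002
USER root

# Use /tmp as a scratch directory for the administrative steps.
WORKDIR /tmp

# Create the non-root group and user with a fixed numeric UID/GID, so that
# runtimes which verify the UID see a stable value.
RUN addgroup "${NON_ROOT_USER}" --gid "${ID}" && \
    adduser \
      --disabled-password \
      --uid "${ID}" --gid "${ID}" \
      --shell /bin/bash \
      --gecos "" \
      "${NON_ROOT_USER}"

# Refresh the APT index, then clean up in the same layer. No OS packages are
# installed at present; the commented line is the template for adding them.
# The cleanup removes only the APT lists and cached archives. The previous
# `rm -rf /var/lib/{apt,dpkg,cache,log}/` also deleted /var/lib/dpkg, the
# installed-package database. That breaks later apt/dpkg use and hides the OS
# packages from image scanners and SBOM tools that read /var/lib/dpkg/status.
# NOTE(review): /var/lib/cache and /var/lib/log were presumably meant to be
# /var/cache and /var/log; confirm before widening the cleanup.
RUN apt-get update && \
    # DEBIAN_FRONTEND=noninteractive apt-get install -yq --no-install-recommends
    apt-get clean && apt-get autoremove -y && \
    rm -rf /var/lib/apt/lists/* /var/cache/apt/archives/* && \
    rm -rf -- /tmp/*

# Change directory to /app to execute the app
WORKDIR /app

# WORKDIR creates /app as root; hand it to the non-root user.
# NOTE(review): the runtime user therefore owns, and can rewrite, everything
# under /app. If the app never writes there, root-owned files would be tighter.
RUN chown -R "${NON_ROOT_USER}:${NON_ROOT_USER}" /app

# Install Python libraries as root, so the installed packages are not owned
# by the runtime user. The manifest is copied on its own before the source so
# this layer stays cached until requirements.txt changes.
# NOTE(review): if requirements.txt carries hashes, add `--require-hashes` so
# pip rejects any artifact that does not match; confirm against the manifest.
COPY requirements.txt /app/
RUN pip install --upgrade pip==21.3.1 --no-cache-dir && \
    pip install -r /app/requirements.txt --no-cache-dir

# Drop privileges: everything from here on, and the container itself, runs as
# the non-root user.
USER ${NON_ROOT_USER}

# Add local files as late as possible to avoid cache busting
COPY --chown=${NON_ROOT_USER}:${ID} src/ /app
# This line previously used --chown=${USER}. USER is not declared as ARG or ENV
# anywhere in this file, so unless the base image defines it the value expands
# to an empty string and the non-root owner is not applied to start.sh. Use
# the same owner as the src/ copy above.
COPY --chown=${NON_ROOT_USER}:${ID} start.sh /app/start.sh

# Exec form: start.sh is run directly, without a wrapping shell.
# NOTE(review): start.sh must be executable in the build context, and should
# `exec` the application so that it receives stop signals; verify the script.
CMD ["/app/start.sh"]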