fix: improve Dockerfile for non-root user, permissions, and python version alignment #479
Conversation
There was a problem hiding this comment.
Pull Request Overview
This PR refactors the Dockerfile to use a multi-stage Python build with uv, aligns the Python version, and aims to enforce non-root execution and proper permissions.
- Introduces a uv-based build stage for dependency installation.
- Switches the final image to Python 3.12 slim and copies in a virtualenv.
- (Intended) switch to a non-root user and set ownership on installed files.
| RUN --mount=type=cache,target=/root/.cache/uv \ | ||
| uv sync --frozen --no-dev --no-editable | ||
|
|
||
| FROM python:3.12-slim-bookworm |
There was a problem hiding this comment.
The PR description mentions switching to a non-root user for security, but no user is created or switched to. Add a dedicated app user (e.g., RUN groupadd -r app && useradd -r -g app app) and a USER app directive.
Copilot uses AI. Check for mistakes.
|
|
||
| # Then, add the rest of the project source code and install it | ||
| # Installing separately from its dependencies allows optimal layer caching | ||
| ADD . /app |
There was a problem hiding this comment.
Use COPY instead of ADD for copying local files, since ADD has extra behaviors like tar extraction that aren't needed here.
| ADD . /app | |
| COPY . /app |
Copilot uses AI. Check for mistakes.
|
|
||
| WORKDIR /app | ||
|
|
||
| COPY --from=uv /root/.local /root/.local |
There was a problem hiding this comment.
[nitpick] This copies /root/.local into the final image, but the PATH is set to /app/.venv/bin. If /root/.local isn't used at runtime, consider removing this layer to shrink the image.
| COPY --from=uv /root/.local /root/.local |
Copilot uses AI. Check for mistakes.
| RUN apt-get update && apt-get install -y git && rm -rf /var/lib/apt/lists/* | ||
|
|
There was a problem hiding this comment.
[nitpick] Installing git in the final image increases size and surface area. If git isn't required at runtime, remove this step or move it only into the build stage.
| RUN apt-get update && apt-get install -y git && rm -rf /var/lib/apt/lists/* |
Copilot uses AI. Check for mistakes.
|
yes, thankl confused repo , sorry for the time wasted
Saludos,
--------------------------------------------
Ignacio J.Ortega
skype:ignacioj.ortega
El jue, 5 jun 2025 a las 11:58, William Martin ***@***.***>)
escribió:
… Closed #479 <#479>.
—
Reply to this email directly, view it on GitHub
<#479 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAXHYV4B2ZEUDTM2JNAVRB33CAIFHAVCNFSM6AAAAAB6U6UM4CVHI2DSMVQWIX3LMV45UABCJFZXG5LFIV3GK3TUJZXXI2LGNFRWC5DJN5XDWMJXHE4TONJVG42TAMI>
.
You are receiving this because you authored the thread.Message ID:
***@***.***>
|
fix: improve Dockerfile for non-root user, permissions, and python version alignment
Switches to a non-root user for better security
Adjusts file and directory permissions as needed
Aligns Python version to match application requirements
These changes enhance security and ensure compatibility in containerized environments.