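# ==========================================================
# NOTE:
# Using latest tag to get Python 3.9 security updates,
# consciously disregarding SonarCloud issue docker:S6596
# "Specific version tag for image should be used".
# ==========================================================
FROM registry.access.redhat.com/ubi9/python-39 AS appbase
# ==========================================================
# Setting file ownership to root:root and running the container
# as appuser:appuser, so that the files' permissions can't be
# changed afterwards as appuser (using file ownership).
#
# See SonarCloud issue docker:S6504 ("Allowing non-root users
# to modify resources copied to an image is security-sensitive"):
# https://rules.sonarsource.com/docker/RSPEC-6504/
# ==========================================================
# key=value form: the space-separated `ENV key value` syntax is
# deprecated (BuildKit check LegacyKeyValueFormat).
ENV PYTHONUNBUFFERED=1
# This base stage stays root on purpose: the stages built on top of
# it still install packages. Each runnable stage must switch to
# `USER appuser:appuser` itself before it is finished.
USER root
WORKDIR /app
RUN mkdir /entrypoint \
# Mark the app directory as safe to get rid of git's
# "fatal: detected dubious ownership in repository at '/app'" warning
# when spinning up the container
&& git config --system --add safe.directory /app \
# Create appuser group and user for running the app as non-root
&& groupadd --system appuser \
&& useradd --system --gid appuser --create-home appuser
COPY --chown=root:root requirements.txt /app/requirements.txt
# `dnf update -y` is the OS security-update step referred to in the
# NOTE above. nc and postgresql-devel are unpinned, so their versions
# follow the base image's repositories at build time. Install and
# clean run in one layer so the package cache never lands in the image.
RUN dnf update -y \
&& dnf install -y nc postgresql-devel \
&& pip install --no-cache-dir -U pip \
&& pip install --no-cache-dir -r /app/requirements.txt \
&& dnf clean all
COPY --chown=root:root docker-entrypoint.sh /entrypoint/docker-entrypoint.sh
# Exec form: the entrypoint script is PID 1 and receives SIGTERM directly.
ENTRYPOINT ["/entrypoint/docker-entrypoint.sh"]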
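# ==============================
FROM appbase AS staticbuilder
# ==============================
# Build-only stage: it inherits root from appbase and is never run.
# Only its /app/static output is copied into the production stage.
# key=value form; the space-separated `ENV key value` syntax is deprecated.
# VAR_ROOT is presumably read by the project's settings/manage.py — verify.
ENV VAR_ROOT=/app
COPY --chown=root:root . /app
RUN python manage.py collectstatic --noinput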
# ==============================
FROM appbase AS development
# ==============================
# Exported into the runtime environment of this stage only;
# presumably consumed by the entrypoint or settings — verify.
ENV DEV_SERVER=1
# Development-only Python dependencies on top of the base requirements.
COPY --chown=root:root requirements-dev.txt /app/requirements-dev.txt
RUN pip install --no-cache-dir -r /app/requirements-dev.txt \
&& pip install --no-cache-dir pip-tools
# Whole build context (minus .dockerignore) goes in owned by root;
# ugo=rX leaves everything readable, executable only where it already
# was (or is a directory), and writable by nobody but root.
COPY --chown=root:root . /app/
RUN chmod -R ugo=rX /app/
# Drop privileges for the running container.
USER appuser:appuser
EXPOSE 8080/tcp
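# ==============================
FROM appbase AS production
# ==============================
# Collected static assets come from the staticbuilder stage, so the
# production image does not run collectstatic itself.
COPY --from=staticbuilder --chown=root:root /app/static /app/static
COPY --chown=root:root requirements-prod.txt /app/requirements-prod.txt
# No dnf commands run in this stage, so there is no package cache to
# clean here; appbase already ran `dnf clean all` in its own layer.
RUN pip install --no-cache-dir -r /app/requirements-prod.txt
# Copy all files not ignored by .dockerignore to container.
# ugo=rX: everyone can read; execute/search only on directories and on
# files that were already executable; nothing becomes writable.
COPY --chown=root:root . /app/
RUN chmod -R ugo=rX /app/
# Drop privileges for the running container (8080 is above 1024, so
# binding it needs no extra capabilities).
USER appuser:appuser
EXPOSE 8080/tcp
# NOTE(review): no HEALTHCHECK is declared in this stage, so a wedged
# process is only detectable through orchestrator-level probes.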