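# syntax=docker/dockerfile:1
# =============================================================================
# Build arguments shared by both stages.
#
# Both default to the floating tags this file was originally built against.
# For reproducible, auditable builds, pin them at build time
# (--build-arg UV_VERSION=<x.y.z>) or, stronger, pin the FROM lines by digest
# (e.g. python:3.12-slim@sha256:<digest>). A floating :latest for uv means the
# installer binary can change underneath an otherwise-unchanged build.
# =============================================================================
ARG PYTHON_VERSION=3.12
ARG UV_VERSION=latest

# uv is taken from its official distroless image — no pip round-trip needed.
# A named stage (rather than COPY --from=<image>:latest) lets UV_VERSION pin it.
FROM ghcr.io/astral-sh/uv:${UV_VERSION} AS uv

# =============================================================================
# Stage 1 — build
# Install dependencies and the application into an isolated virtualenv.
# Uses uv for fast, reproducible, lockfile-driven installs.
# =============================================================================
FROM python:${PYTHON_VERSION}-slim AS build
COPY --from=uv /uv /usr/local/bin/uv

WORKDIR /app

# The uv cache lives in a BuildKit cache mount (never in an image layer). That
# mount is a separate filesystem, so tell uv to copy rather than hardlink.
ENV UV_LINK_MODE=copy

# Layer-cache dependencies: copy lockfiles before source so this layer is only
# invalidated when dependencies actually change.
COPY README.rst pyproject.toml uv.lock ./

# Sync production dependencies into /app/.venv (no dev extras). --frozen fails
# the build if uv.lock is out of date instead of silently re-resolving.
RUN --mount=type=cache,target=/root/.cache/uv \
    uv sync --frozen --no-dev --no-install-project

# Now copy the application source and install it (no-deps: deps already synced).
COPY src/ ./src/
RUN --mount=type=cache,target=/root/.cache/uv \
    uv pip install --python /app/.venv/bin/python --no-deps .

# Copy migration assets that the runtime container needs.
COPY alembic/ ./alembic/
COPY alembic.ini ./

# =============================================================================
# Stage 2 — runtime
# Minimal image containing only what is needed to run the application.
# =============================================================================
FROM python:${PYTHON_VERSION}-slim AS runtime

# Unbuffered stdout/stderr so log lines reach the container runtime promptly.
ENV PYTHONUNBUFFERED=1

# Create a non-root user/group for the application process. This runs before
# the COPY --chown lines below so the names resolve inside the image.
# NOTE(review): no fixed --uid/--gid is set; if the runtime must verify a
# numeric id (e.g. Kubernetes runAsNonRoot) add one, bearing in mind that
# changing it alters ownership expectations on an existing uploads volume.
RUN groupadd --system appgroup \
 && useradd --system --gid appgroup --no-create-home appuser

# Copy the virtualenv produced in the build stage. It stays root-owned, i.e.
# read-only for the application user.
COPY --from=build /app/.venv /opt/powonline

# Copy database migration assets, owned by the app user in the same step
# rather than via a follow-up chown (which duplicates the files in a new layer).
COPY --from=build --chown=appuser:appgroup /app/alembic /alembic/alembic
COPY --from=build --chown=appuser:appgroup /app/alembic.ini /alembic/alembic.ini

# Copy entrypoint scripts from the repository, executable from the start.
COPY --chmod=0755 containers/main/resources/start.bash /start.bash
COPY --chmod=0755 containers/main/resources/migrate.bash /migrate.bash

# Rewrite shebangs in venv scripts that were baked with the build-stage path
# (/app/.venv/...) so they resolve correctly from /opt/powonline/... at runtime.
# -type f deliberately skips symlinks (bin/python -> the interpreter), which
# sed -i would otherwise replace with a regular-file copy. find -exec is used
# instead of a find | xargs pipeline so a failing sed fails the build rather
# than being masked by the pipeline's last exit status.
RUN find /opt/powonline/bin -maxdepth 1 -type f \
      -exec grep -qF '/app/.venv' {} \; \
      -exec sed -i 's|/app/.venv|/opt/powonline|g' {} +

# Prepare a writable uploads directory owned by the application user.
# At runtime, mount a named volume over /var/lib/powonline/uploads.
RUN mkdir -p /var/lib/powonline/uploads \
 && chown -R appuser:appgroup /var/lib/powonline

# Drop privileges.
USER appuser

# Documentation only; the port is published at `docker run`. 8000 is above
# 1024, so the non-root user can bind it without extra capabilities.
EXPOSE 8000

# NOTE(review): no HEALTHCHECK is defined and the app's health endpoint is not
# visible from this file — add one if start.bash serves a probe-able path.
ENTRYPOINT ["/start.bash"]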