mirror of
https://github.com/ghndrx/docker-templates.git
synced 2026-02-10 06:45:04 +00:00
Greg Hendrickson
8e8ae27640
Added three Python Dockerfile variants with security best practices: - Dockerfile.uv: Fast builds with UV package manager (recommended) - Dockerfile.pip: Traditional pip-based workflow - Dockerfile.distroless: Maximum security with no shell Features across all templates: - Multi-stage builds for minimal image size - Non-root user execution - BuildKit cache mounts for fast rebuilds - Tini init for proper signal handling - Health checks and OCI labels - Comprehensive README with customization guide
74 lines
2.1 KiB
Docker
74 lines
2.1 KiB
Docker
# syntax=docker/dockerfile:1.7
|
|
#
|
|
# Python Distroless Dockerfile (Maximum Security)
|
|
# Features: No shell, no package manager, minimal attack surface
|
|
#
|
|
# Build args:
|
|
# PYTHON_VERSION - Python version (default: 3.12)
|
|
#
|
|
# Note: Distroless images have no shell - debugging requires ephemeral containers
|
|
#
|
|
# Usage:
|
|
# docker build -t myapp:latest .
|
|
# docker run --rm -p 8000:8000 myapp:latest
|
|
|
|
# =============================================================================
|
|
# Stage 1: Build environment
|
|
# =============================================================================
|
|
ARG PYTHON_VERSION=3.12
|
|
|
|
FROM python:${PYTHON_VERSION}-slim AS builder
|
|
|
|
RUN apt-get update && \
|
|
apt-get install -y --no-install-recommends \
|
|
build-essential && \
|
|
rm -rf /var/lib/apt/lists/*
|
|
|
|
WORKDIR /app
|
|
|
|
# Create virtual environment
|
|
RUN python -m venv /opt/venv
|
|
ENV PATH="/opt/venv/bin:$PATH"
|
|
|
|
# Install dependencies
|
|
COPY requirements.txt .
|
|
RUN --mount=type=cache,target=/root/.cache/pip \
|
|
pip install --no-compile -r requirements.txt
|
|
|
|
# Copy application
|
|
COPY . .
|
|
RUN --mount=type=cache,target=/root/.cache/pip \
|
|
pip install --no-compile .
|
|
|
|
# =============================================================================
|
|
# Stage 2: Distroless runtime (maximum security)
|
|
# =============================================================================
|
|
FROM gcr.io/distroless/python3-debian12 AS runtime
|
|
|
|
WORKDIR /app
|
|
|
|
# Copy virtual environment
|
|
COPY --from=builder /opt/venv /opt/venv
|
|
|
|
# Copy application
|
|
COPY --from=builder /app /app
|
|
|
|
# Set Python path to use venv
|
|
ENV PYTHONPATH="/opt/venv/lib/python3.12/site-packages" \
|
|
PYTHONDONTWRITEBYTECODE=1 \
|
|
PYTHONUNBUFFERED=1
|
|
|
|
# Distroless runs as nonroot by default (uid 65532)
|
|
USER nonroot
|
|
|
|
EXPOSE 8000
|
|
|
|
# No ENTRYPOINT - distroless uses the image's default entrypoint
|
|
CMD ["-m", "app.main"]
|
|
|
|
# Note: HEALTHCHECK not supported in distroless (no shell)
|
|
# Use Kubernetes probes or Docker healthcheck with exec form
|
|
|
|
LABEL org.opencontainers.image.title="My Python App (Distroless)" \
|
|
org.opencontainers.image.description="Maximum security Python image"
|