maint: docker file regular user (#29)

FelixKuhnAnsys · web-flow · commit af3c9173014b · 2024-09-30T08:49:25.000+02:00
diff --git a/docker/Dockerfile b/docker/Dockerfile
@@ -1,20 +1,35 @@
 FROM python:3.12-slim
 
+# Create a non-root user and group
+RUN addgroup --system appgroup && adduser --system --ingroup appgroup appuser
+
+# Set the home directory for the non-root user
+ENV HOME=/home/appuser
+ENV PATH="$HOME/.local/bin:$PATH"
+
+# Set the working directory
 WORKDIR /app
 
-# Copy the app folder and the config.yaml file
-COPY src /app
+# Set the ownership of the /app directory to the non-root user
+RUN chown -R appuser:appgroup /app
+
+# Copy the application files and config.yaml, setting ownership to the non-root user
+COPY --chown=appuser:appgroup src /app
+COPY --chown=appuser:appgroup README.md /app
+COPY --chown=appuser:appgroup pyproject.toml /app
+COPY --chown=appuser:appgroup configs/config.yaml /app
 
-# readme required by pip
-COPY README.md /app
-COPY pyproject.toml /app
-COPY configs/config.yaml /app
+# Switch to the non-root user
+USER appuser
 
-# Install dependencies
-RUN echo $(ls)
-RUN pip install --no-cache-dir .[all]
+# Create a virtual environment and install dependencies inside it
+RUN python -m venv /app/venv \
+    && . /app/venv/bin/activate \
+    && pip install --upgrade pip \
+    && pip install --no-cache-dir .[all]
 
+# Expose the port that the service will listen on
 EXPOSE 50052
 
-# Use the environment variable in CMD
-CMD ["sh", "-c", "allie-flowkit-python"]
+# Activate the virtual environment and run the service
+CMD ["/bin/sh", "-c", ". /app/venv/bin/activate && allie-flowkit-python"]
