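# syntax=docker/dockerfile:1
# =========================
# Stage 1 "builder"
# - Installs OS packages, Poetry and the project's in-project virtualenv
# - Named with AS so the final stage can COPY --from it
# =========================
FROM python:3.12-slim AS builder

# Run every RUN in this stage under bash with pipefail so a failed download in
# the `curl | python3` installer pipeline fails the build instead of being
# masked by python3 exiting 0 on empty stdin.
SHELL ["/bin/bash", "-o", "pipefail", "-c"]

# Absolute work directory; created if missing.
WORKDIR /app

# System dependencies (Debian-based). The apt lists are removed in the same
# layer so the package cache never lands in the image.
# TODO(review): pin package versions (hadolint DL3008) for reproducible builds.
RUN apt-get update && \
    apt-get install -y --no-install-recommends \
        build-essential \
        curl \
        libffi-dev \
        libpq-dev \
        wget \
    && rm -rf /var/lib/apt/lists/*

# Poetry version to install. Empty keeps the installer's default (latest);
# pass --build-arg POETRY_VERSION=<pinned version> to make the build
# reproducible and the installed tool auditable.
ARG POETRY_VERSION=""

# Install Poetry and create the unprivileged app user.
# `curl -f` turns an HTTP error into a non-zero exit; with pipefail above a bad
# download no longer silently runs an empty script.
RUN curl -fsSL https://install.python-poetry.org | POETRY_HOME=/usr/local POETRY_VERSION="${POETRY_VERSION}" python3 - && \
    useradd --create-home --shell /bin/bash appuser && \
    chown -R appuser:appuser /app

# Upgrade the interpreter's pip and virtualenv. The base image's bundled pip
# (25.2) is what the cleanup step at the end of this stage removes.
RUN python -m pip install --no-cache-dir --upgrade "pip>=25.3" "virtualenv>=20.29.1"

# Make "db-migrate" a shell command in the container (the final stage puts
# /usr/local/bin on PATH so ECS can find it). printf is used instead of echo
# because echo's treatment of "\n" differs between shells; `exec` hands the
# process over to make so signals reach it directly.
RUN printf '#!/bin/sh\nexec make migrate\n' > /usr/local/bin/db-migrate && \
    chmod +x /usr/local/bin/db-migrate

USER appuser

# Dependency manifests first so the install layer stays cached until they change.
COPY --chown=appuser:appuser pyproject.toml poetry.lock ./
# In-project venv (/app/.venv) so the final stage can put it on PATH.
# The two Poetry cache directories are listed explicitly: the brace form
# `{cache,artifacts}` is a bash-ism that /bin/sh does not expand, so the
# original command removed nothing.
RUN poetry config virtualenvs.in-project true && \
    poetry install --no-root && \
    rm -rf ~/.cache/pypoetry/cache ~/.cache/pypoetry/artifacts

# Upgrade the venv's own pip as well (the venv is seeded with its own copy).
RUN /app/.venv/bin/python -m pip install --no-cache-dir --upgrade "pip>=25.3"

# Copy the application and collect static files.
# NOTE(review): keep a .dockerignore (.git, .env, local venvs, build output)
# so this `COPY . .` does not pull secrets or stale artifacts into the image.
COPY --chown=appuser:appuser . .
RUN poetry run python nofos/manage.py collectstatic --noinput --verbosity 0

# FINAL CLEANUP: remove leftover pip 25.2 artifacts (the version bundled with
# the base image) so the filesystem copied into the final stage carries only
# the upgraded pip. -xdev keeps find on the image filesystem instead of walking
# /proc, /sys and /dev. The scan at the end only reports "none found" when the
# search really came back empty (find exits 0 even when it finds nothing).
# NOTE(review): the pattern also matches any pip-25.2 wheel embedded by
# ensurepip/virtualenv, if present — confirm nothing at runtime creates venvs.
USER root
RUN find / -xdev -name "*pip-25.2*" -type f -delete 2>/dev/null || true && \
    find / -xdev -path "*/pip-25.2*.dist-info" -type d -exec rm -rf {} + 2>/dev/null || true && \
    echo "Final pip artifact scan:" && \
    if [ -n "$(find / -xdev -name '*pip-25.2*' 2>/dev/null)" ]; then \
        find / -xdev -name '*pip-25.2*' 2>/dev/null; \
    else \
        echo "No pip 25.2 artifacts found"; \
    fi

# =========================
# Stage 2 "scratch" final
# - Flattens the builder's layers into one (hides the apt-get layers from
#   Dockle). It does NOT remove build-essential/curl/wget from the runtime
#   image; dropping those would need a separate minimal runtime stage.
# - Restores PATH, env vars, WORKDIR and USER: these are image config and are
#   not carried over by COPY --from.
# =========================
FROM scratch

# Copy the complete filesystem from builder (including /etc/passwd, which is
# what lets `USER appuser` below resolve).
COPY --from=builder / /

# Ensure venv & poetry shims are on PATH.
ENV PATH="/app/.venv/bin:/usr/local/bin:/usr/local/sbin:/usr/sbin:/usr/bin:/sbin:/bin"

# Runtime env vars (they do not copy over from the builder image config).
ARG IS_PROD_ARG=0
ARG GITHUB_SHA_ARG
ENV PYTHONDONTWRITEBYTECODE=1 \
    PYTHONUNBUFFERED=1 \
    IS_DOCKER=1 \
    IS_PROD=${IS_PROD_ARG} \
    GITHUB_SHA=${GITHUB_SHA_ARG}

# Restore working dir and unprivileged user.
WORKDIR /app
USER appuser

# EXPOSE is documentation only; PORT is unset at build time, so this is 8000.
EXPOSE ${PORT:-8000}

# `exec` replaces the wrapping shell so gunicorn becomes PID 1 and receives
# SIGTERM from `docker stop` / task stop directly, instead of the shell
# swallowing it and the container being killed after the grace period.
CMD ["sh", "-c", "exec poetry run gunicorn --workers 8 --timeout 89 --chdir nofos --bind 0.0.0.0:${PORT:-8000} bloom_nofos.wsgi:application"]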