Improve Dockerfile

- Do not use python:X.Y images, they contain *a lot* of unnecessary and potentially vulnerable software - Prepare for a much slimmer image build
2021-01-17 12:18:45 +01:00
parent fce7b9a637
commit 3f44cf5a1f
2 changed files with 36 additions and 23 deletions
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -1,38 +1,52 @@
-FROM python:3.7-slim-buster
+FROM debian:buster

 ARG BUILD_SERIES=dev
 ARG BUILD_ID=0

 ENV DEBIAN_FRONTEND noninteractive

-RUN apt-get update \
-    && apt-get install -y --no-install-recommends \
-    make \
-    && apt-get clean
+# This Dockerfile attempts to strike a balance between image size and time it
+# takes to do an incremental build on changes.
+# Improvements welcome.

-COPY Makefile /opt/snikket-web-portal/Makefile
+RUN set -eu; \
+    apt-get update ; \
+    apt-get install -y --no-install-recommends \
+        python3 python3-pip python3-setuptools python3-wheel \
+        libpython3-dev \
+        make build-essential \
+        ; \
+    apt-get clean ; rm -rf /var/lib/apt/lists

 COPY requirements.txt /opt/snikket-web-portal/requirements.txt
-
 COPY build-requirements.txt /opt/snikket-web-portal/build-requirements.txt

-COPY snikket_web/ /opt/snikket-web-portal/snikket_web
-
-COPY babel.cfg /opt/snikket-web-portal/babel.cfg
-
-COPY web_config.production.py /opt/snikket-web-portal/.local/web_config.py
-
 WORKDIR /opt/snikket-web-portal

-RUN pip install -r requirements.txt \
-    && pip install -r build-requirements.txt
+RUN set -eu; \
+    pip3 install -r requirements.txt; \
+    pip3 install -r build-requirements.txt; \
+    rm -rf /root/.cache;

-RUN make
+COPY Makefile /opt/snikket-web-portal/Makefile
+COPY snikket_web/ /opt/snikket-web-portal/snikket_web
+COPY babel.cfg /opt/snikket-web-portal/babel.cfg

+# NOTE: abusing true(1) as a terrible way to disable a specific command. If
+# one merged all the RUN commands into one, one would want to run the
+# uninstall/remove commands there, but with the split up RUN commands it is
+# rather pointless.
+RUN set -eu; \
+    make; \
+    true pip3 uninstall -yr build-requirements.txt; \
+    true apt-get remove -y build-essential make libpython3-dev; \
+    true apt-get autoremove -y; \
+    pip3 install hypercorn; \
+    rm -rf /root/.cache; \
+    apt-get clean ; rm -rf /var/lib/apt/lists
+
+COPY web_config.production.py /opt/snikket-web-portal/.local/web_config.py
 ENV SNIKKET_WEB_CONFIG "/opt/snikket-web-portal/.local/web_config.py"

-RUN pip install hypercorn
-
-ADD docker/entrypoint.sh /bin/entrypoint.sh
-
-ENTRYPOINT ["/bin/sh", "/bin/entrypoint.sh"]
+ADD docker/entrypoint.sh /entrypoint.sh
+ENTRYPOINT ["/bin/sh", "/entrypoint.sh"]
--- a/web_config.production.py
+++ b/web_config.production.py
@@ -26,8 +26,7 @@ except KeyError:
          'To avoid losing sessions on each server restart, please provide '
          'a SECRET_KEY.',
          file=sys.stderr)
-
-SECRET_KEY = os.environ.get('SECRET_KEY', secrets.token_urlsafe(nbytes=32))
+    SECRET_KEY = secrets.token_urlsafe(nbytes=32)

 # URL (without trailing /) of the prosody HTTP server.
 #