feat: Refactors Docker setup to improve security and efficiency

Switches base image from Python to Alpine for a slimmer image and improved startup efficiency. Uses a virtual environment for Python dependencies and adds a dedicated user for the application, enhancing security and environment isolation. Introduces a new entrypoint script for better configuration of uWSGI server and updates Docker compose setup to include security options and resource limits. Removes old compose file in favor of a more secure configuration example.
2025-04-02 20:47:37 +03:00 · 2025-01-31 09:22:29 +01:00 · 2025-01-31 09:22:29 +01:00 · a2f8284c55
commit a2f8284c55
parent 35664d986b
4 changed files with 50 additions and 11 deletions
--- a/21
+++ b/21
@ -1,12 +1,21 @@
-FROM python:3.10-slim
+FROM alpine:3.20

-WORKDIR /app
+ENV APP_ENV=/opt/venv
+ENV PATH="${APP_ENV}/bin:$PATH"

-RUN apt-get update && apt-get install -y --no-install-recommends \
-    && apt-get clean && rm -rf /var/lib/apt/lists/*
+RUN apk add --no-cache py3-pip uwsgi-python3 && \
+  python3 -m venv $APP_ENV

-RUN pip install --no-cache-dir wikimore
+COPY . /app
+
+RUN $APP_ENV/bin/pip install --no-cache-dir pip && \
+  $APP_ENV/bin/pip install /app && \
+  adduser -S -D -H wikimore
+
+COPY entrypoint.sh /entrypoint.sh

 EXPOSE 8109

-CMD ["wikimore"]
+USER wikimore
+
+ENTRYPOINT ["/entrypoint.sh"]
--- a/docker-compose-example.yml
+++ b/docker-compose-example.yml
@ -0,0 +1,17 @@
+services:
+  wikimore-app:
+    container_name: wikimore
+    restart: unless-stopped
+    image: privatecoffee/wikimore:latest
+    ports:
+      - "127.0.0.1:8109:8109"
+    security_opt:
+      - no-new-privileges:true
+    cap_drop:
+      - ALL
+    read_only: true
+    deploy:
+      resources:
+        limits:
+          cpus: '0.5'
+          memory: 300M
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -1,5 +0,0 @@
-services:
-    wikimore-app:
-        build: .
-        ports:
-            - 8109:8109 ## change host port if needed
--- a/entrypoint.sh
+++ b/entrypoint.sh
@ -0,0 +1,18 @@
+#!/bin/sh
+args="--plugin python3 \
+	--http-socket 0.0.0.0:$PORT \
+	--master \
+	--module wikimore.app:app \
+	-H /opt/venv"
+
+if [ "$UWSGI_PROCESSES" ]
+then
+	args="$args --processes $UWSGI_PROCESSES"
+fi
+
+if [ "$UWSGI_THREADS" ]
+then
+	args="$args --threads $UWSGI_THREADS"
+fi
+
+exec /usr/sbin/uwsgi $args