feat: Refactors Docker setup to improve security and efficiency
Switches base image from Python to Alpine for a slimmer image and improved startup efficiency. Uses a virtual environment for Python dependencies and adds a dedicated user for the application, enhancing security and environment isolation. Introduces a new entrypoint script for better configuration of uWSGI server and updates Docker compose setup to include security options and resource limits. Removes old compose file in favor of a more secure configuration example.
This commit is contained in:
parent
35664d986b
commit
a2f8284c55
4 changed files with 50 additions and 11 deletions
21
Dockerfile
21
Dockerfile
|
@ -1,12 +1,21 @@
|
||||||
FROM python:3.10-slim
|
FROM alpine:3.20
|
||||||
|
|
||||||
WORKDIR /app
|
ENV APP_ENV=/opt/venv
|
||||||
|
ENV PATH="${APP_ENV}/bin:$PATH"
|
||||||
|
|
||||||
RUN apt-get update && apt-get install -y --no-install-recommends \
|
RUN apk add --no-cache py3-pip uwsgi-python3 && \
|
||||||
&& apt-get clean && rm -rf /var/lib/apt/lists/*
|
python3 -m venv $APP_ENV
|
||||||
|
|
||||||
RUN pip install --no-cache-dir wikimore
|
COPY . /app
|
||||||
|
|
||||||
|
RUN $APP_ENV/bin/pip install --no-cache-dir pip && \
|
||||||
|
$APP_ENV/bin/pip install /app && \
|
||||||
|
adduser -S -D -H wikimore
|
||||||
|
|
||||||
|
COPY entrypoint.sh /entrypoint.sh
|
||||||
|
|
||||||
EXPOSE 8109
|
EXPOSE 8109
|
||||||
|
|
||||||
CMD ["wikimore"]
|
USER wikimore
|
||||||
|
|
||||||
|
ENTRYPOINT ["/entrypoint.sh"]
|
||||||
|
|
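Review bot: Nothing in the new image sets `PORT`, yet entrypoint.sh (same commit) builds `--http-socket 0.0.0.0:$PORT` from it, so a container started with only the Dockerfile defaults — or with the docker-compose-example.yml from this commit, which has no `environment:` block — would hand uWSGI `0.0.0.0:` unless the runtime supplies the variable; add `ENV PORT=8109` beside `EXPOSE 8109` (or default it in the script) so the exposed port and the bound port agree. `COPY entrypoint.sh /entrypoint.sh` also inherits the execute bit from the build context, which is not guaranteed across checkouts; `COPY --chmod=755 entrypoint.sh /entrypoint.sh` makes the image self-contained. Finally, `COPY . /app` ships the whole build context into the image, so a `.dockerignore` excluding `.git`, local config and test data is worth confirming if the repository does not already have one.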
17
docker-compose-example.yml
Normal file
17
docker-compose-example.yml
Normal file
|
@ -0,0 +1,17 @@
|
||||||
|
services:
|
||||||
|
wikimore-app:
|
||||||
|
container_name: wikimore
|
||||||
|
restart: unless-stopped
|
||||||
|
image: privatecoffee/wikimore:latest
|
||||||
|
ports:
|
||||||
|
- "127.0.0.1:8109:8109"
|
||||||
|
security_opt:
|
||||||
|
- no-new-privileges:true
|
||||||
|
cap_drop:
|
||||||
|
- ALL
|
||||||
|
read_only: true
|
||||||
|
deploy:
|
||||||
|
resources:
|
||||||
|
limits:
|
||||||
|
cpus: '0.5'
|
||||||
|
memory: 300M
|
|
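Review bot: `image: privatecoffee/wikimore:latest` pins nothing in an example that otherwise hardens the container (`cap_drop: ALL`, `no-new-privileges`, `read_only`), so every `pull` can silently swap the image under the security settings; a version tag, or a `@sha256:` digest, would make the example reproducible, e.g. `image: privatecoffee/wikimore:<release-tag>` with the tag taken from the project's published images. With `read_only: true` and no `tmpfs:` entry, any runtime write by uWSGI or Python (pid/temp files, bytecode caches) would fail; I cannot tell from this page whether the app writes anything, so a short comment stating that the image was verified to run read-only, or a `tmpfs: [/tmp]` line, would save the next reader the experiment.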
@ -1,5 +0,0 @@
|
||||||
services:
|
|
||||||
wikimore-app:
|
|
||||||
build: .
|
|
||||||
ports:
|
|
||||||
- 8109:8109 ## change host port if needed
|
|
18
entrypoint.sh
Normal file
18
entrypoint.sh
Normal file
|
@ -0,0 +1,18 @@
|
||||||
|
#!/bin/sh
|
||||||
|
args="--plugin python3 \
|
||||||
|
--http-socket 0.0.0.0:$PORT \
|
||||||
|
--master \
|
||||||
|
--module wikimore.app:app \
|
||||||
|
-H /opt/venv"
|
||||||
|
|
||||||
|
if [ "$UWSGI_PROCESSES" ]
|
||||||
|
then
|
||||||
|
args="$args --processes $UWSGI_PROCESSES"
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ "$UWSGI_THREADS" ]
|
||||||
|
then
|
||||||
|
args="$args --threads $UWSGI_THREADS"
|
||||||
|
fi
|
||||||
|
|
||||||
|
exec /usr/sbin/uwsgi $args
|
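Review bot: `exec /usr/sbin/uwsgi $args` starts uWSGI without `--die-on-term`, and uWSGI's default response to SIGTERM is a reload rather than a shutdown, so `docker stop` and the compose `restart` policy will wait out the stop grace period and then SIGKILL the process; appending `--die-on-term` to the base `args` string fixes that. `$UWSGI_PROCESSES` and `$UWSGI_THREADS` are only tested for non-emptiness before being spliced unquoted into `$args`, so a value that is not a number becomes extra uWSGI arguments; a guard such as `case "$UWSGI_PROCESSES" in *[!0-9]*) echo "UWSGI_PROCESSES must be numeric" >&2; exit 1;; esac` before each append keeps the command line deterministic. A `set -eu` at the top would likewise surface an unset `PORT` instead of binding `0.0.0.0:`.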