# syntax=docker/dockerfile:1
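############################!
#! BASE = Python image
############################!
# Override at build time to pin an exact interpreter release (ideally with a
# digest, e.g. python:3.x.y-alpine3.22@sha256:...). The bare "alpine3.22" tag
# floats to whatever Python release upstream currently ships, so two builds of
# this file can produce different interpreters.
ARG PYTHON_IMAGE=python:alpine3.22
FROM ${PYTHON_IMAGE} AS base
# Runtime libraries shared by every stage built on top of this one.
# Compilers and -dev headers are deliberately NOT installed here: no native
# extension is compiled in this stage, so they would only be removed again
# (the original layer added them to a .build-deps group and deleted that group
# in the same RUN without compiling anything). The stage that runs
# `pip install` has to add the toolchain around that command instead.
# Alpine's python3-dev is also left out: it drags in Alpine's own interpreter
# (/usr/bin/python3), a second Python next to the image's /usr/local/bin
# one, which is not the interpreter pip/setuptools here build against.
# apk versions are not pinned: Alpine's repositories only keep the current
# build of each package, so `pkg=version` pins break as soon as upstream
# rebuilds; pin the base image (tag + digest) for reproducibility instead.
RUN apk add --no-cache \
        bash \
        libcap \
        libnl3 \
        protobuf \
    && python3 -m ensurepip \
    && pip3 install --no-cache-dir --upgrade pip setuptools wheel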
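############################!
#! BUILD = Compile nsjail
############################!
# Pin this with a digest for a reproducible toolchain; the tag alone floats.
FROM debian:bookworm-slim AS build-nsjail
RUN apt-get update && apt-get install -y --no-install-recommends \
        bison \
        build-essential \
        ca-certificates \
        clang \
        cmake \
        coreutils \
        flex \
        git \
        libcap-dev \
        libnl-3-dev \
        libnl-route-3-dev \
        libprotobuf-dev \
        pkg-config \
        protobuf-compiler \
    && rm -rf /var/lib/apt/lists/*
# Git ref of nsjail to build. "HEAD" keeps the original behaviour (whatever
# the upstream default branch points at when the image is built), but a
# sandbox binary should come from a reviewed release tag or commit:
#   docker build --build-arg NSJAIL_REF=<tag-or-commit> ...
# Fetching by ref (rather than `git clone --branch`) works for tags, branch
# names and bare commit ids alike.
ARG NSJAIL_REF=HEAD
WORKDIR /src/nsjail
RUN git init -q . \
    && git remote add origin https://github.com/google/nsjail.git \
    && git fetch -q --depth 1 origin "${NSJAIL_REF}" \
    && git checkout -q FETCH_HEAD \
    && git submodule update --init --recursive --depth 1
# NOTE(review): this is built on Debian/glibc and, by default, links
# dynamically against Debian's libnl-3, libnl-route-3 and libprotobuf. The
# prod stage is Alpine (musl), so confirm the copied binary actually loads
# there (run `nsjail --help` inside the final image); if it does not, build
# nsjail in an Alpine-based stage instead of copying a Debian build.
RUN make -j"$(nproc)"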
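############################!
#! PRODUCTION = Final app image
############################!
FROM base AS prod
# Unprivileged runtime identity. A fixed numeric uid/gid lets orchestrators
# verify "not root" (e.g. Kubernetes runAsNonRoot) without resolving the name
# inside the image. /tmp/jailroot is the directory intended as nsjail's jail
# root; it stays sticky + world-writable (1777) as in the original.
RUN addgroup -S -g 10001 appgroup \
    && adduser -S -u 10001 -G appgroup -s /sbin/nologin appuser \
    && mkdir -p /tmp/jailroot \
    && chown appuser:appgroup /tmp/jailroot \
    && chmod 1777 /tmp/jailroot
# Sandbox binary from the build stage.
# NOTE(review): it was compiled on Debian (glibc) while this stage is Alpine
# (musl); verify it starts in the final image before relying on it. Also,
# nsjail needs user/mount namespaces. Under Docker's default seccomp profile
# and capability set an unprivileged appuser will typically not be allowed to
# create them, so the container needs an explicit seccomp/capability policy
# at deploy time (document that rather than falling back to --privileged).
COPY --from=build-nsjail /src/nsjail/nsjail /usr/local/bin/nsjail
WORKDIR /usr/local/app
# Python dependencies. The C toolchain is added only for the duration of the
# install and removed in the same layer, so wheels that must be compiled on
# musl can build while no compiler ships in the final image. The base stage
# does not carry these headers, so they have to be added here.
COPY requirements.txt ./
RUN apk add --no-cache --virtual .build-deps \
        build-base \
        libffi-dev \
        linux-headers \
        openssl-dev \
        protobuf-dev \
    && pip install --no-cache-dir -r requirements.txt \
    && apk del .build-deps
# Application source. Ownership is set via --chown at copy time; a separate
# `RUN chown -R` would duplicate the whole tree in an extra layer.
# NOTE(review): if the app never writes into its own source tree, prefer
# leaving it root-owned and read-only so a compromised process cannot
# modify its own code.
COPY --chown=appuser:appgroup src ./src
# Runtime configuration. FLASK_DEBUG=1 and FLASK_ENV=development are
# deliberately absent: FLASK_DEBUG=1 enables the Werkzeug interactive
# debugger, which exposes a PIN-gated Python console in the server process on
# every unhandled exception (a remote code execution path in a production
# image), and FLASK_ENV is deprecated in current Flask. The ".venv/bin" PATH
# entry is dropped as well: nothing in this file creates a virtualenv, and a
# dangling leading PATH directory is a classic spot for a shadowing "python"
# binary to be planted should it ever become writable.
ENV FLASK_APP=src.app \
    FLASK_RUN_HOST=0.0.0.0 \
    FLASK_RUN_PORT=8080
USER appuser
EXPOSE 8080
# NOTE(review): `flask run` is the Werkzeug development server, not meant for
# production traffic. Add a WSGI server (e.g. gunicorn) to requirements.txt
# and run the app through it; it is not added here because it is not part of
# the visible dependency set.
CMD ["python", "-m", "flask", "run", "--host=0.0.0.0", "--port=8080"]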