Update Dockerfile to mitigate vulnerabilities, reduce image size, and…

… upgrade Python version - Changed the base image from python:3.11.6-alpine3.18 to alpine:3.20.1 due to multiple critical vulnerabilities found in almost all recent versions of python:alpine images. - Implemented a multi-stage build to ensure that only essential parts of Python are included by compiling Python source files into optimized bytecode and removing the original source files and unnecessary directories, which significantly reduces the final image size. - Upgraded Python version from 3.11 to 3.12 for improved performance and security enhancements. - Simplified the build process by using ARG for Python version, enabling easier future updates.
aviolaris · Jul 7, 2024 · 4e0c27e · 4e0c27e
1 parent d2eade1
commit 4e0c27e
Showing 1 changed file with 44 additions and 12 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -1,14 +1,46 @@
-FROM python:3.11.6-alpine3.18 AS build-stage
-LABEL maintainer="Andreas Violaris"
-COPY . /instaunfollowers
-WORKDIR /instaunfollowers
-RUN pip install --upgrade pip
-RUN pip install --no-cache-dir -r requirements.txt
+ARG PYTHON_VERSION=3.12
+FROM alpine:3.20.1 as build-stage
+ARG PYTHON_VERSION
+COPY . /app/instaunfollowers/
+RUN apk add --no-cache python3~=${PYTHON_VERSION} py3-pip
+WORKDIR /usr/lib/python${PYTHON_VERSION}
+RUN python3 -m compileall -o 2 . \
+    && find . -name "*.cpython-*.opt-2.pyc" \
+    | awk '{print $1, $1}' \
+    | sed 's/__pycache__\///2' \
+    | sed 's/.cpython-[0-9]\{2,\}.opt-2//2' \
+    | xargs -n 2 mv \
+    && find . -name "*.py" -delete \
+    && find . -name "__pycache__" -exec rm -r {} +
+WORKDIR /app/instaunfollowers/
+RUN python3 -m venv venv \
+    && . venv/bin/activate \
+    && pip install --upgrade pip \
+    && pip install --no-cache-dir -r requirements.txt
 
-FROM python:3.11.6-alpine3.18
-ENV PYTHONPATH=/usr/local/lib/python3.11/site-packages
-COPY --from=build-stage $PYTHONPATH $PYTHONPATH
-COPY --from=build-stage /instaunfollowers /instaunfollowers
-WORKDIR /instaunfollowers
-HEALTHCHECK --interval=12s --timeout=12s --start-period=30s CMD python3 healthcheck.py
+FROM alpine:3.20.1
+LABEL maintainer="Andreas Violaris"
+LABEL description="Dockerfile for InstaUnFollowers application"
+LABEL license="CC BY-NC-ND 4.0"
+LABEL url="https://hub.docker.com/r/aviolaris/instaunfollowers"
+LABEL vcs-url="https://github.com/aviolaris/instaunfollowers"
+LABEL documentation_en="https://github.com/aviolaris/instaunfollowers/blob/main/README.md"
+LABEL documentation_gr="https://github.com/aviolaris/instaunfollowers/blob/main/README.gr.md"
+ARG PYTHON_VERSION
+COPY --from=build-stage /usr/bin/python3 /usr/bin/python3
+COPY --from=build-stage \
+    /usr/lib/libpython${PYTHON_VERSION}.so.1.0 \
+    /usr/lib/libpython${PYTHON_VERSION}.so.1.0
+COPY --from=build-stage \
+    /usr/lib/python${PYTHON_VERSION}/ \
+    /usr/lib/python${PYTHON_VERSION}/
+COPY --from=build-stage \
+    /app/instaunfollowers/ \
+    /app/instaunfollowers/
+RUN cp -r /app/instaunfollowers/venv/lib/python${PYTHON_VERSION}/site-packages/* \
+    /usr/lib/python${PYTHON_VERSION}/site-packages/ \
+    && rm -rf /app/instaunfollowers/venv/
+WORKDIR /app/instaunfollowers
+HEALTHCHECK --interval=12s --timeout=12s --start-period=30s \
+    CMD python3 app/healthcheck.py
 ENTRYPOINT ["python3", "-m", "app.app"]