From 4e0c27ee337b28c5385d54bdee64883c64fb5fea Mon Sep 17 00:00:00 2001
From: Andreas Violaris <48277853+aviolaris@users.noreply.github.com>
Date: Sun, 7 Jul 2024 21:54:17 +0300
Subject: [PATCH] Update Dockerfile to mitigate vulnerabilities, reduce image size, and upgrade Python version

- Changed the base image from python:3.11.6-alpine3.18 to alpine:3.20.1 due to multiple critical vulnerabilities found in almost all recent versions of python:alpine images.
- Implemented a multi-stage build to ensure that only essential parts of Python are included by compiling Python source files into optimized bytecode and removing the original source files and unnecessary directories, which significantly reduces the final image size.
- Upgraded Python version from 3.11 to 3.12 for improved performance and security enhancements.
- Simplified the build process by using ARG for Python version, enabling easier future updates.
---
 Dockerfile | 56 ++++++++++++++++++++++++++++++++++++++++++------------
 1 file changed, 44 insertions(+), 12 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 38f7828..9434cf0 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,14 +1,46 @@
-FROM python:3.11.6-alpine3.18 AS build-stage
-LABEL maintainer="Andreas Violaris"
-COPY . /instaunfollowers
-WORKDIR /instaunfollowers
-RUN pip install --upgrade pip
-RUN pip install --no-cache-dir -r requirements.txt
+ARG PYTHON_VERSION=3.12
+FROM alpine:3.20.1 as build-stage
+ARG PYTHON_VERSION
+COPY . /app/instaunfollowers/
+RUN apk add --no-cache python3~=${PYTHON_VERSION} py3-pip
+WORKDIR /usr/lib/python${PYTHON_VERSION}
+RUN python3 -m compileall -o 2 . \
+ && find . -name "*.cpython-*.opt-2.pyc" \
+ | awk '{print $1, $1}' \
+ | sed 's/__pycache__\///2' \
+ | sed 's/.cpython-[0-9]\{2,\}.opt-2//2' \
+ | xargs -n 2 mv \
+ && find . -name "*.py" -delete \
+ && find . -name "__pycache__" -exec rm -r {} +
+WORKDIR /app/instaunfollowers/
+RUN python3 -m venv venv \
+ && . venv/bin/activate \
+ && pip install --upgrade pip \
+ && pip install --no-cache-dir -r requirements.txt
 
-FROM python:3.11.6-alpine3.18
-ENV PYTHONPATH=/usr/local/lib/python3.11/site-packages
-COPY --from=build-stage $PYTHONPATH $PYTHONPATH
-COPY --from=build-stage /instaunfollowers /instaunfollowers
-WORKDIR /instaunfollowers
-HEALTHCHECK --interval=12s --timeout=12s --start-period=30s CMD python3 healthcheck.py
+FROM alpine:3.20.1
+LABEL maintainer="Andreas Violaris"
+LABEL description="Dockerfile for InstaUnFollowers application"
+LABEL license="CC BY-NC-ND 4.0"
+LABEL url="https://hub.docker.com/r/aviolaris/instaunfollowers"
+LABEL vcs-url="https://github.com/aviolaris/instaunfollowers"
+LABEL documentation_en="https://github.com/aviolaris/instaunfollowers/blob/main/README.md"
+LABEL documentation_gr="https://github.com/aviolaris/instaunfollowers/blob/main/README.gr.md"
+ARG PYTHON_VERSION
+COPY --from=build-stage /usr/bin/python3 /usr/bin/python3
+COPY --from=build-stage \
+ /usr/lib/libpython${PYTHON_VERSION}.so.1.0 \
+ /usr/lib/libpython${PYTHON_VERSION}.so.1.0
+COPY --from=build-stage \
+ /usr/lib/python${PYTHON_VERSION}/ \
+ /usr/lib/python${PYTHON_VERSION}/
+COPY --from=build-stage \
+ /app/instaunfollowers/ \
+ /app/instaunfollowers/
+RUN cp -r /app/instaunfollowers/venv/lib/python${PYTHON_VERSION}/site-packages/* \
+ /usr/lib/python${PYTHON_VERSION}/site-packages/ \
+ && rm -rf /app/instaunfollowers/venv/
+WORKDIR /app/instaunfollowers
+HEALTHCHECK --interval=12s --timeout=12s --start-period=30s \
+ CMD python3 app/healthcheck.py
 ENTRYPOINT ["python3", "-m", "app.app"]
\ No newline at end of file
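Review bot: The rebuilt runtime stage still runs the application as root: there is no `USER` instruction anywhere between the final `FROM alpine:3.20.1` and the `ENTRYPOINT`, so the move to a bare Alpine base does not reduce the blast radius of a compromised app process. Since the final stage needs no further root work after the `RUN cp -r … && rm -rf …` line, create a system user there and drop privileges before the `HEALTHCHECK`: `RUN addgroup -S app && adduser -S -G app app && chown -R app:app /app/instaunfollowers` followed by `USER app`. Note also that the `COPY --from=build-stage` lines for `/usr/bin/python3`, `libpython${PYTHON_VERSION}.so.1.0` and `/usr/lib/python${PYTHON_VERSION}/` place the interpreter and every site-package outside the apk database of the final image, so the "critical vulnerabilities" that motivated this change stop being reported by an apk-aware scanner and can no longer be patched by `apk upgrade` — they are hidden rather than fixed, and only a periodic rebuild against a newer `alpine` tag keeps them current; a comment saying so above those `COPY` lines would stop a future maintainer from reading a clean scan as a clean image. Those copies also presumably leave behind the shared libraries the `python3` apk depends on (libffi, libexpat, libbz2, xz-libs, sqlite-libs and similar), which is worth confirming by importing every extension module the app uses inside the final image.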