Optimize Dockerfile: uv, BuildKit cache mounts, non-root user, healthcheck

- Replace pip with uv for 10-25x faster dependency installation - Add BuildKit cache mounts for apt and uv caches across builds - Add non-root appuser for improved container security - Add HEALTHCHECK directive for container orchestration - Add curl to runtime for healthcheck support - Remove libgl1 (unused), add syntax directive for BuildKit
2026-02-21 19:49:11 +00:00 · 2026-02-21 19:49:11 +00:00 · a122a7983a
commit a122a7983a
parent c762d5a0a6
1 changed files with 30 additions and 10 deletions
--- a/40
+++ b/40
@ -1,32 +1,39 @@
+# syntax=docker/dockerfile:1
+
 # Stage 1: Install build tools and Python dependencies
 FROM python:3.13-slim AS builder

-RUN apt-get update && apt-get install -y --no-install-recommends \
+COPY --from=ghcr.io/astral-sh/uv:latest /uv /bin/uv
+
+RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
+    --mount=type=cache,target=/var/lib/apt/lists,sharing=locked \
+    apt-get update && apt-get install -y --no-install-recommends \
    build-essential \
    gcc \
    python3-dev \
    libopencv-dev \
-    libmariadb-dev \
-    && rm -rf /var/lib/apt/lists/*
+    libmariadb-dev

 WORKDIR /app

 COPY requirements.txt ./

-# Install dependencies into a venv using pip (no poetry needed)
-RUN python -m venv /app/.venv && \
-    /app/.venv/bin/pip install --no-cache-dir -r requirements.txt
+# Install dependencies into a venv using uv (10-25x faster than pip)
+RUN --mount=type=cache,target=/root/.cache/uv \
+    python -m venv /app/.venv && \
+    /app/.venv/bin/uv pip install -r requirements.txt

 # Stage 2: Runtime system dependencies (runs in parallel with builder)
 FROM python:3.13-slim AS runtime-base

-RUN apt-get update && apt-get install -y --no-install-recommends \
-    libgl1 \
+RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
+    --mount=type=cache,target=/var/lib/apt/lists,sharing=locked \
+    apt-get update && apt-get install -y --no-install-recommends \
    libglib2.0-0 \
    tesseract-ocr \
    tesseract-ocr-eng \
    libmariadb3 \
-    && rm -rf /var/lib/apt/lists/*
+    curl

 # Stage 3: Test — runtime deps + venv + test dependencies + run tests
 FROM runtime-base AS test
@ -36,7 +43,10 @@ WORKDIR /app
 COPY --from=builder /app/.venv /app/.venv
 ENV PATH="/app/.venv/bin:$PATH"

-RUN pip install --no-cache-dir pytest pytest-asyncio pytest-xdist httpx aioresponses fakeredis
+COPY --from=ghcr.io/astral-sh/uv:latest /uv /bin/uv
+
+RUN --mount=type=cache,target=/root/.cache/uv \
+    uv pip install --python /app/.venv/bin/python pytest pytest-asyncio pytest-xdist httpx aioresponses fakeredis

 COPY . .

@ -45,6 +55,8 @@ RUN pytest tests/ -x -q
 # Stage 4: Final image — combine venv from builder + runtime base
 FROM runtime-base

+RUN adduser --system --no-create-home appuser
+
 WORKDIR /app

 # Copy the venv from the builder stage
@ -55,5 +67,13 @@ ENV PATH="/app/.venv/bin:$PATH"
 # Copy the application code
 COPY . .

+RUN chown -R appuser /app
+
+USER appuser
+
 EXPOSE 5001
+
+HEALTHCHECK --interval=30s --timeout=10s --retries=3 --start-period=40s \
+  CMD curl -f http://localhost:5001/api/status || exit 1
+
 CMD ["sh", "-c", "alembic upgrade head && uvicorn api.app:app --host 0.0.0.0 --port 5001 --no-server-header"]