viktor/wrongmove
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Optimize Dockerfile: uv, BuildKit cache mounts, non-root user, healthcheck

Browse source 
- Replace pip with uv for 10-25x faster dependency installation
- Add BuildKit cache mounts for apt and uv caches across builds
- Add non-root appuser for improved container security
- Add HEALTHCHECK directive for container orchestration
- Add curl to runtime for healthcheck support
- Remove libgl1 (unused), add syntax directive for BuildKit
This commit is contained in:
Viktor Barzin 2026-02-21 19:49:11 +00:00
parent c762d5a0a6
commit a122a7983a
No known key found for this signature in database
GPG key ID: 0EB088298288D958
1 changed files with 30 additions and 10 deletions
Download patch file Download diff file Expand all files Collapse all files

40
Dockerfile
View file

@ -1,32 +1,39 @@
# syntax=docker/dockerfile:1
# Stage 1: Install build tools and Python dependencies # Stage 1: Install build tools and Python dependencies
FROM python:3.13-slim AS builder FROM python:3.13-slim AS builder
RUN apt-get update && apt-get install -y --no-install-recommends \ COPY --from=ghcr.io/astral-sh/uv:latest /uv /bin/uv
RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
--mount=type=cache,target=/var/lib/apt/lists,sharing=locked \
apt-get update && apt-get install -y --no-install-recommends \
build-essential \ build-essential \
gcc \ gcc \
python3-dev \ python3-dev \
libopencv-dev \ libopencv-dev \
libmariadb-dev \ libmariadb-dev
&& rm -rf /var/lib/apt/lists/*
WORKDIR /app WORKDIR /app
COPY requirements.txt ./ COPY requirements.txt ./
# Install dependencies into a venv using pip (no poetry needed) # Install dependencies into a venv using uv (10-25x faster than pip)
RUN python -m venv /app/.venv && \ RUN --mount=type=cache,target=/root/.cache/uv \
/app/.venv/bin/pip install --no-cache-dir -r requirements.txt python -m venv /app/.venv && \
/app/.venv/bin/uv pip install -r requirements.txt
# Stage 2: Runtime system dependencies (runs in parallel with builder) # Stage 2: Runtime system dependencies (runs in parallel with builder)
FROM python:3.13-slim AS runtime-base FROM python:3.13-slim AS runtime-base
RUN apt-get update && apt-get install -y --no-install-recommends \ RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
libgl1 \ --mount=type=cache,target=/var/lib/apt/lists,sharing=locked \
apt-get update && apt-get install -y --no-install-recommends \
libglib2.0-0 \ libglib2.0-0 \
tesseract-ocr \ tesseract-ocr \
tesseract-ocr-eng \ tesseract-ocr-eng \
libmariadb3 \ libmariadb3 \
&& rm -rf /var/lib/apt/lists/* curl
# Stage 3: Test — runtime deps + venv + test dependencies + run tests # Stage 3: Test — runtime deps + venv + test dependencies + run tests
FROM runtime-base AS test FROM runtime-base AS test
@ -36,7 +43,10 @@ WORKDIR /app
COPY --from=builder /app/.venv /app/.venv COPY --from=builder /app/.venv /app/.venv
ENV PATH="/app/.venv/bin:$PATH" ENV PATH="/app/.venv/bin:$PATH"
RUN pip install --no-cache-dir pytest pytest-asyncio pytest-xdist httpx aioresponses fakeredis COPY --from=ghcr.io/astral-sh/uv:latest /uv /bin/uv
RUN --mount=type=cache,target=/root/.cache/uv \
uv pip install --python /app/.venv/bin/python pytest pytest-asyncio pytest-xdist httpx aioresponses fakeredis
COPY . . COPY . .
@ -45,6 +55,8 @@ RUN pytest tests/ -x -q
# Stage 4: Final image — combine venv from builder + runtime base # Stage 4: Final image — combine venv from builder + runtime base
FROM runtime-base FROM runtime-base
RUN adduser --system --no-create-home appuser
WORKDIR /app WORKDIR /app
# Copy the venv from the builder stage # Copy the venv from the builder stage
@ -55,5 +67,13 @@ ENV PATH="/app/.venv/bin:$PATH"
# Copy the application code # Copy the application code
COPY . . COPY . .
RUN chown -R appuser /app
USER appuser
EXPOSE 5001 EXPOSE 5001
HEALTHCHECK --interval=30s --timeout=10s --retries=3 --start-period=40s \
CMD curl -f http://localhost:5001/api/status || exit 1
CMD ["sh", "-c", "alembic upgrade head && uvicorn api.app:app --host 0.0.0.0 --port 5001 --no-server-header"] CMD ["sh", "-c", "alembic upgrade head && uvicorn api.app:app --host 0.0.0.0 --port 5001 --no-server-header"]