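# Runtime image for the gunicorn-served app (app:app), run as an unprivileged user.
# The base image is referenced by a mutable tag; for reproducible builds pin it
# by digest as well (python:3.11-slim@sha256:<digest-placeholder>).
FROM python:3.11-slim

# Create a dedicated non-root account so the service never runs as root.
# NOTE: -r lets useradd choose the system UID/GID; pass explicit --uid/--gid
# values if the runtime has to verify a fixed numeric non-root user.
RUN groupadd -r appuser && useradd -r -g appuser appuser

WORKDIR /app

# WORKDIR creates /app owned by root. Hand the directory itself to appuser so
# the service can still create files next to its code, as it could before.
RUN chown appuser:appuser /app

# Install dependencies (still as root) before copying the application source,
# so edits to app.py or templates/ do not invalidate the pip layer.
# requirements.txt is expected to pin exact versions; recording hashes there and
# installing with `pip install --require-hashes` would also reject tampered
# packages.
COPY --chown=appuser:appuser requirements.txt ./
RUN pip install --no-cache-dir -r requirements.txt

# Copy application files, setting ownership at copy time instead of a later
# recursive chown (which would store a second copy of every file in a new layer).
# NOTE(review): if the app never writes under /app, drop --chown here so the
# code stays root-owned and a compromised worker cannot modify it.
COPY --chown=appuser:appuser app.py ./
COPY --chown=appuser:appuser templates/ ./templates/

# /tmp already exists in the base image as a world-writable sticky directory, so
# it needs neither mkdir nor chown; appuser can use it for --worker-tmp-dir as is.

# Switch to non-root user
USER appuser

# Expose port 8080 (internal). EXPOSE is documentation only; it publishes nothing.
EXPOSE 8080

# Bind to 0.0.0.0 so Traefik (separate container) can reach us. Exposure stays
# limited to the Docker network only while this port is not published to the
# host (no -p / ports: mapping); that has to be enforced in the run/compose
# configuration, not in this file.
# NOTE: --worker-connections only affects gthread/eventlet/gevent workers and is
# ignored by the sync worker class selected here.
# NOTE(review): gunicorn's documentation suggests a memory-backed directory such
# as /dev/shm for --worker-tmp-dir in containers; confirm /tmp is tmpfs-backed
# in the deployment or consider switching.
CMD ["gunicorn", "-b", "0.0.0.0:8080", "--workers", "2", "--worker-class", "sync", "--worker-connections", "1000", "--max-requests", "1000", "--max-requests-jitter", "100", "--timeout", "30", "--keep-alive", "2", "--limit-request-line", "4094", "--limit-request-fields", "100", "--worker-tmp-dir", "/tmp", "app:app"]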