1438e474e8
Create system user appuser with useradd, set ownership of /app, and switch to non-root user before CMD to reduce container attack surface. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
43 lines
1 KiB
Docker
43 lines
1 KiB
Docker
FROM python:3.11-slim
|
|
|
|
# Install system dependencies and build TA-Lib from source
|
|
RUN apt-get update && apt-get install -y \
|
|
build-essential \
|
|
wget \
|
|
curl \
|
|
libpq-dev \
|
|
&& rm -rf /var/lib/apt/lists/* \
|
|
&& wget http://prdownloads.sourceforge.net/ta-lib/ta-lib-0.4.0-src.tar.gz \
|
|
&& tar -xzf ta-lib-0.4.0-src.tar.gz \
|
|
&& cd ta-lib/ \
|
|
&& ./configure --prefix=/usr \
|
|
&& make \
|
|
&& make install \
|
|
&& cd .. \
|
|
&& rm -rf ta-lib ta-lib-0.4.0-src.tar.gz
|
|
|
|
# Set working directory
|
|
WORKDIR /app
|
|
|
|
# Copy dependency files
|
|
COPY pyproject.toml ./
|
|
|
|
# Install Python dependencies
|
|
RUN pip install --no-cache-dir --upgrade pip && \
|
|
pip install --no-cache-dir .
|
|
|
|
# Copy application code
|
|
COPY . .
|
|
|
|
# Expose port for FastAPI
|
|
EXPOSE 8001
|
|
|
|
# Create non-root user and set ownership
|
|
RUN useradd -r -s /bin/false appuser
|
|
RUN chown -R appuser:appuser /app
|
|
|
|
# Switch to non-root user
|
|
USER appuser
|
|
|
|
# Run the inference server by default
|
|
CMD ["uvicorn", "app.main:app", "--host", "0.0.0.0", "--port", "8001"]
|