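# --- builder stage: compiler toolchain + dependency install into an isolated venv ---
# build-essential and libpq-dev never reach the runtime image; only /opt/venv is
# copied across (see the second stage).
FROM python:3.11-slim AS builder

# Toolchain for wheels that must be compiled from source. libpq-dev is presumably
# for a PostgreSQL client driver listed in the requirements — confirm there.
# apt packages are unpinned (hadolint DL3008); pin once build reproducibility matters.
RUN apt-get update && apt-get install -y --no-install-recommends \
    build-essential \
    libpq-dev \
    && rm -rf /var/lib/apt/lists/*

# A venv keeps the whole dependency tree under one directory that COPY --from can move.
RUN python -m venv /opt/venv
ENV PATH="/opt/venv/bin:$PATH"

WORKDIR /app

# Only the requirement files are copied here, so the install layer below stays
# cached until one of them changes (application source is not needed in this stage).
COPY requirements/base.txt requirements/base.txt
COPY requirements/production.txt requirements/production.txt

# --no-cache-dir because no BuildKit cache mount is used; the pip cache would
# otherwise be baked into the layer.
RUN pip install --no-cache-dir --upgrade pip setuptools wheel && \
    pip install --no-cache-dir -r requirements/production.txt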
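# --- runtime stage: slim interpreter + venv from the builder, running as a non-root user ---
FROM python:3.11-slim

# Runtime libraries only: libpq5 is the PostgreSQL client library matching the
# builder's libpq-dev; procps provides the pgrep used by HEALTHCHECK below
# (python:*-slim does not ship procps, so without it the probe can never succeed).
# `apt-get upgrade` pulls in OS package fixes released since the base image was
# built; hadolint DL3005 flags it — drop it if the base image is instead pinned by
# digest and refreshed on a schedule.
RUN apt-get update && apt-get upgrade -y && apt-get install -y --no-install-recommends \
    libpq5 \
    procps \
    && rm -rf /var/lib/apt/lists/*

# Patch system-level wheel (CVE-2026-24049) + setuptools-vendored jaraco.context
# (CVE-2026-23949) that Trivy flags in /usr/local site-packages.
# This must stay before PATH is pointed at the venv: here `pip` is the
# interpreter's own pip, so the upgrade lands in /usr/local, not in /opt/venv.
RUN pip install --no-cache-dir --upgrade pip setuptools wheel

# Fixed uid/gid so runtime policy (e.g. Kubernetes runAsNonRoot) can verify the user.
RUN groupadd --gid 1000 appgroup && \
    useradd --uid 1000 --gid appgroup --shell /bin/bash --create-home appuser

COPY --from=builder /opt/venv /opt/venv
ENV PATH="/opt/venv/bin:$PATH"

WORKDIR /app

# The whole build context is copied: a .dockerignore excluding .git, .env files,
# local virtualenvs and build output is what keeps them out of this layer.
COPY --chown=appuser:appgroup . .

# Writable log directory owned by the service user, created and chowned in one step.
RUN install -d -o appuser -g appgroup /app/logs

USER appuser

# Exec form on purpose: the shell form wraps the probe in `sh -c "pgrep -f ..."`,
# whose own command line contains the pattern, so pgrep would match that shell
# and the check would pass even after the job runner has died. pgrep excludes
# only itself, so with no wrapper shell only the real process can match.
HEALTHCHECK --interval=60s --timeout=10s --start-period=10s --retries=3 \
    CMD ["pgrep", "-f", "scripts/job_runner.py"]

CMD ["python", "scripts/job_runner.py"]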