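# syntax=docker/dockerfile:1
# Runtime image for manager.py.
# Security posture: the service runs as a fixed non-root UID, the application
# code and the virtualenv are root-owned (read-only to the app user), and
# /app/logs is the only path the service account can write to.

# The slim variant carries far fewer packages (and CVEs) than the full image.
# For production builds pin the digest (python:3.12-slim@sha256:...) so a
# rebuild cannot silently pick up a different base.
# NOTE(review): if a package in requirements.txt ships no wheel and needs a
# compiler, build the venv in a separate `python:3.12` stage and COPY it in
# rather than reverting this stage to the full image.
FROM python:3.12-slim

# Unbuffered stdout/stderr so log lines reach the container runtime at once;
# no .pyc writes (the code directory is not writable by the app user anyway).
ENV PYTHONUNBUFFERED=1 \
    PYTHONDONTWRITEBYTECODE=1

# Dedicated service account with a stable numeric UID/GID so orchestrators
# (e.g. Kubernetes runAsNonRoot) can verify it; no login shell, no home
# directory (same as the Debian adduser --system default the old line had).
RUN groupadd --system --gid 10001 appgroup \
    && useradd --system --uid 10001 --gid appgroup \
         --home-dir /nonexistent --no-create-home \
         --shell /usr/sbin/nologin appuser

# WORKDIR creates /app, owned by root. That is intended: a compromised app
# process must not be able to swap out its own code or interpreter, which it
# could do if it owned the directory (it needs only directory write access to
# rename root-owned files inside it).
WORKDIR /app

# Dependencies before source so code edits do not invalidate the install
# layer. The venv stays at /app/venv because CMD (and any compose/k8s command
# overrides) reference /app/venv/bin/python.
# The base image ships a current pip; an unpinned `pip install --upgrade pip`
# makes builds non-reproducible, so it is deliberately omitted.
# NOTE(review): for supply-chain integrity, pin hashes in requirements.txt
# and add `--require-hashes` here once the file carries them.
COPY requirements.txt ./
RUN python -m venv /app/venv \
    && PIP_DISABLE_PIP_VERSION_CHECK=1 \
       /app/venv/bin/pip install --no-cache-dir -r requirements.txt

# Application code, root-owned and therefore read-only for appuser.
# A .dockerignore excluding .git, .env, local venvs and logs must accompany
# this Dockerfile; `COPY .` bakes whatever is in the build context into the
# image, and a stray .env would otherwise be readable in every layer.
COPY . /app/

# The only writable path for the service account. Done after COPY so a
# `logs/` directory present in the build context cannot leave it root-owned.
RUN mkdir -p /app/logs \
    && chown appuser:appgroup /app/logs \
    && chmod 0750 /app/logs

# Drop privileges for everything from here on; numeric form lets the runtime
# verify non-root without resolving /etc/passwd inside the image.
USER 10001:10001

# Exec form: python is PID 1 and receives SIGTERM from `docker stop`.
CMD ["/app/venv/bin/python", "manager.py"]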