Yousif Abdulhafiz commited on
Commit ·
a19b20f
1
Parent(s): 00eaa92
Run app as non-root user in Dockerfile for enhanced security
Dockerfile +10 -0
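--- a/Dockerfile
+++ b/Dockerfile
@@ -23,6 +23,8 @@ RUN --mount=type=cache,target=/root/.cache/uv \
 # ---- Development Stage ----
 FROM python:3.13.3-slim-bookworm AS development
 
+RUN useradd -m -u 1000 appuser
+
 WORKDIR /src
 
 ENV PYTHONUNBUFFERED=1 \
@@ -42,6 +44,14 @@ COPY --from=builder ${VIRTUAL_ENV} ${VIRTUAL_ENV}
 # Copy application code
 COPY . /src
 
+# Ensure permissions so non-root can read/execute env and write to repo dirs if needed
+RUN chown -R appuser:appuser /virtualenvs /src
+
+# Streamlit config: use the non-root user's home and disable telemetry writes
+ENV HOME=/home/appuser
+
+USER appuser
+
 EXPOSE 8501
 HEALTHCHECK CMD curl --fail http://localhost:8501/_stcore/health || exit 1
 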
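Review bot: `RUN chown -R appuser:appuser /virtualenvs /src` at new line 48 runs in its own layer directly after `COPY . /src`, so every file under /src and under the copied virtualenv is stored twice in the image (once by the COPY layer, once rewritten by the chown layer); prefer `COPY --chown=appuser:appuser . /src` here, give the `COPY --from=builder ${VIRTUAL_ENV} ${VIRTUAL_ENV}` line (outside this hunk, named in the @@ header) the same `--chown`, and drop the RUN. Recursive ownership also makes the entire application tree writable by the runtime user, which the comment at line 47 itself treats as only conditional ("if needed"); if the app does not need to write into /src, leave the code root-owned and readable and chown only the specific directories that must be writable. The comment at line 50 says the instruction disables telemetry writes, but `ENV HOME=/home/appuser` only relocates the home directory and nothing in the hunk turns usage-stats collection off; either add the Streamlit setting that does so or reword it to `# Streamlit writes its config/cache under $HOME; point it at the non-root user's home`.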