improve container image

- remove duplicate / obsolete files from container image - directly run as user iris instead of using sudo - make sure iris users has only write access to logs and state directory - patch sender rpc log file in config to write to a writeable directory - reduce number of layers - remove init file writeable directory
linkedin · Apr 19, 2022 · c4123e4 · c4123e4
1 parent 4006266
commit c4123e4
Showing 1 changed file with 21 additions and 21 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -2,37 +2,37 @@ FROM ubuntu:20.04
 ENV DEBIAN_FRONTEND noninteractive
 
 RUN apt-get update && apt-get -y dist-upgrade \
-    && apt-get -y install libffi-dev libsasl2-dev python3-dev libyaml-dev sudo \
+    && apt-get -y install libffi-dev libsasl2-dev python3-dev libyaml-dev \
         libldap2-dev libssl-dev python3-pip python3-setuptools python3-venv \
     mysql-client nginx uwsgi uwsgi-plugin-python3 uwsgi-plugin-gevent-python3 \
     && pip3 install mysql-connector-python \
     && rm -rf /var/cache/apt/archives/*
 
-RUN useradd -m -s /bin/bash iris
-
-COPY src /home/iris/source/src
-COPY setup.py /home/iris/source/setup.py
-COPY MANIFEST.in /home/iris/source/MANIFEST.in
-COPY README.md /home/iris/source/README.md
 
 WORKDIR /home/iris
 
-RUN chown -R iris:iris /home/iris/source /var/log/nginx /var/lib/nginx \
-    && sudo -Hu iris mkdir -p /home/iris/var/log/uwsgi /home/iris/var/log/nginx /home/iris/var/run /home/iris/var/relay \
-    && sudo -Hu iris python3 -m venv /home/iris/env \
-    && sudo -Hu iris /bin/bash -c 'source /home/iris/env/bin/activate && python3 -m pip install -U pip wheel && cd /home/iris/source && pip install .'
-
-COPY . /home/iris
-COPY ops/config/systemd /etc/systemd/system
-COPY ops/daemons /home/iris/daemons
-COPY ops/daemons/uwsgi-docker.yaml /home/iris/daemons/uwsgi.yaml
-COPY db /home/iris/db
-COPY configs /home/iris/config
+COPY src source/src
+COPY setup.py MANIFEST.in README.md source/
+
+RUN python3 -m venv /home/iris/env && \
+    /bin/bash -c 'source /home/iris/env/bin/activate && python3 -m pip install -U pip wheel && cd /home/iris/source && pip install .'
+
+COPY ops/daemons daemons/
+COPY ops/daemons/uwsgi-docker.yaml daemons/uwsgi.yaml
+COPY db db/
+COPY configs/config.dev.yaml config/config.yaml
+# Patch Config File to write logfile to a writeable location
+RUN sed -i "s/filename.*/filename: '\/home\/iris\/var\/log\/sender\/rpc.access.log'/" config/config.yaml
 COPY healthcheck /tmp/status
-COPY ops/entrypoint.py /home/iris/entrypoint.py
+COPY ops/entrypoint.py entrypoint.py
 
-RUN chown -R iris:iris /home/iris/
+RUN useradd -m -s /bin/bash iris && \
+    chown -R iris:iris /var/log/nginx /var/lib/nginx && \
+    mkdir -p /home/iris/var/log/uwsgi /home/iris/var/log/nginx /home/iris/var/run /home/iris/var/relay /home/iris/var/log/sender && \
+    chown -R iris:iris /home/iris/var/log/uwsgi /home/iris/var/log/nginx /home/iris/var/run /home/iris/var/relay /home/iris/var/log/sender
 
 EXPOSE 16649
 
-CMD ["sudo", "-EHu", "iris", "bash", "-c", "source /home/iris/env/bin/activate && python -u /home/iris/entrypoint.py"]
+ENV INIT_FILE=/tmp/iris_db_initialized
+USER iris
+CMD ["bash", "-c", "source /home/iris/env/bin/activate && exec python -u /home/iris/entrypoint.py"]