-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathDockerfile
More file actions
64 lines (49 loc) · 2.17 KB
/
Dockerfile
File metadata and controls
64 lines (49 loc) · 2.17 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
# Stage 1: base - 基础配置
FROM python:3.12-slim AS base
WORKDIR /app
ARG PORT=8080
# 配置 Debian 国内镜像源(阿里云)
RUN if [ -f /etc/apt/sources.list ]; then \
sed -i 's/deb.debian.org/mirrors.aliyun.com/g' /etc/apt/sources.list && \
sed -i 's/security.debian.org/mirrors.aliyun.com/g' /etc/apt/sources.list; \
else \
echo "deb https://mirrors.aliyun.com/debian/ bookworm main contrib non-free non-free-firmware" > /etc/apt/sources.list && \
echo "deb https://mirrors.aliyun.com/debian/ bookworm-updates main contrib non-free non-free-firmware" >> /etc/apt/sources.list && \
echo "deb https://mirrors.aliyun.com/debian-security bookworm-security main contrib non-free non-free-firmware" >> /etc/apt/sources.list; \
fi && \
apt-get update && apt-get install -y --no-install-recommends \
gcc \
curl \
&& rm -rf /var/lib/apt/lists/*
# 配置 pip 国内镜像源(清华大学)
RUN pip config set global.index-url https://pypi.tuna.tsinghua.edu.cn/simple && \
pip install --no-cache-dir --upgrade pip
# Stage 2: deps - 安装依赖
FROM base AS deps
COPY requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt
# Stage 3: runtime - 运行应用
FROM base AS runtime
# 从 DEPS 阶段复制 Python 依赖(安装到系统路径,所有用户可访问)
COPY --from=deps /usr/local/lib/python3.12/site-packages /usr/local/lib/python3.12/site-packages
COPY --from=deps /usr/local/bin /usr/local/bin
# 创建非 root 用户
RUN groupadd -r appuser && useradd -r -g appuser appuser
# 复制应用代码和配置
COPY .dockerignore .dockerignore
COPY --chown=appuser:appuser . .
# 创建日志目录并设置权限
RUN mkdir -p logs && chown -R appuser:appuser /app
# 复制启动和健康检查脚本
COPY entrypoint.sh /app/entrypoint.sh
COPY healthcheck.sh /app/healthcheck.sh
RUN chmod +x /app/entrypoint.sh /app/healthcheck.sh
# 切换到非 root 用户
USER appuser
# 暴露端口
EXPOSE ${PORT}
# 健康检查
HEALTHCHECK --interval=30s --timeout=10s --start-period=40s --retries=3 \
CMD curl -f http://localhost:${PORT}/health || exit 1
# 启动应用
ENTRYPOINT ["/app/entrypoint.sh"]