Conversation

@PatrykQuantumNomad
Hi, I'm watching more videos and having more fun. I've added a version that is closer to my prod version.

This commit introduces Dockerfile.11_final_v2, a fully optimized, secure, and deterministic multi‑stage build for the FastAPI service.

Key improvements and changes:

  • Uses pinned digest base images (python:bookworm@sha256 and slim@sha256) for deterministic, reproducible builds.
  • Introduces Tini as PID 1 for proper signal forwarding and process reaping.
  • Builds dependencies via Astral UV for faster, locked, and cached installs.
  • Enforces non‑root numeric user (UID/GID 10000) for runtime safety.
  • Moves all DB and secret configuration to runtime environment variables instead of build‑time arguments.
  • Integrates a lightweight docker-entrypoint.sh for dynamic env expansion and clean signal handling.
  • Sets strict runtime hardening: --read-only, --tmpfs /tmp, --cap-drop=ALL, --security-opt no-new-privileges:true.
  • Adds OCI metadata labels (build date, revision, description) for traceability.
  • Supports reproducible dependency manifest (dependencies.txt) for auditability.
  • Enables healthcheck route compatibility with configurable APP_PORT.

…FastAPI build

This commit introduces Dockerfile.11_final_v2, a fully optimized,
secure, and deterministic multi‑stage build for the FastAPI service.

Key improvements and changes:

- Uses pinned digest base images (python:bookworm@sha256 and slim@sha256)
  for deterministic, reproducible builds.
- Introduces Tini as PID 1 for proper signal forwarding and process reaping.
- Builds dependencies via Astral UV for faster, locked, and cached installs.
- Enforces non‑root numeric user (UID/GID 10000) for runtime safety.
- Moves all DB and secret configuration to runtime environment variables
  instead of build‑time arguments.
- Integrates a lightweight `docker-entrypoint.sh` for dynamic env expansion
  and clean signal handling.
- Sets strict runtime hardening:
  --read-only, --tmpfs /tmp, --cap-drop=ALL, --security-opt no-new-privileges:true.
- Adds OCI metadata labels (build date, revision, description) for traceability.
- Supports reproducible dependency manifest (`dependencies.txt`) for auditability.
- Enables healthcheck route compatibility with configurable APP_PORT.
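The following is an added example, not the PR's own `docker-entrypoint.sh` or Dockerfile: a minimal POSIX entrypoint showing the pattern the description lists (runtime env expansion with a default `APP_PORT`, refusing to start as root since the image is meant to run as UID 10000, and `exec`'ing the server so Tini as PID 1 forwards SIGTERM straight to it rather than to a shell wrapper), plus a helper that prints the runtime hardening flags named above. `APP_MODULE`, `ENTRYPOINT_RUN`, the default port 8000 and uvicorn as the ASGI server are assumptions of this example, not values from the PR.

```shell
#!/bin/sh
# Added example entrypoint (not the PR's docker-entrypoint.sh).
# Assumed env: APP_PORT (default 8000), APP_MODULE (default app.main:app),
# ENTRYPOINT_RUN=1 to actually launch (so the file can be sourced in tests).
set -eu

# resolve_app_port: print the port to bind. Default 8000; reject non-numeric
# or out-of-range values so a bad env var fails fast with a clear message
# instead of failing later at bind time.
resolve_app_port() {
  port="${APP_PORT:-8000}"
  case "$port" in
    ''|*[!0-9]*) echo "APP_PORT must be numeric, got '$port'" >&2; return 1 ;;
  esac
  if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
    echo "APP_PORT out of range: $port" >&2
    return 1
  fi
  printf '%s\n' "$port"
}

# require_nonroot: the image sets a numeric non-root user (UID 10000 in the
# PR). Refuse to run if that was overridden (e.g. docker run --user 0), since
# the runtime hardening assumes a non-root process. Optional arg for testing.
require_nonroot() {
  uid="${1:-$(id -u)}"
  if [ "$uid" -eq 0 ]; then
    echo "refusing to run as root (uid 0)" >&2
    return 1
  fi
}

# build_server_cmd: print the server command line built from env at runtime
# (no build-time ARGs involved), validating the port first.
build_server_cmd() {
  port=$(resolve_app_port) || return 1
  printf 'uvicorn %s --host 0.0.0.0 --port %s\n' "${APP_MODULE:-app.main:app}" "$port"
}

# hardened_run_flags: the docker run flags the PR description lists, one per
# line, for use as: docker run $(hardened_run_flags | tr '\n' ' ') image
hardened_run_flags() {
  printf '%s\n' "--read-only" "--tmpfs /tmp" "--cap-drop=ALL" \
    "--security-opt no-new-privileges:true"
}

main() {
  require_nonroot
  cmd=$(build_server_cmd)
  # exec replaces this shell: Tini (PID 1) then signals the server directly,
  # and there is no intermediate shell to swallow or delay SIGTERM.
  # shellcheck disable=SC2086
  exec $cmd
}

if [ "${ENTRYPOINT_RUN:-0}" = "1" ]; then
  main
fi
```

Invoked from the image as `ENTRYPOINT ["tini", "--", "/docker-entrypoint.sh"]` with `ENTRYPOINT_RUN=1` set, the validation runs before anything binds a port, and a container started with `--user 0` exits non-zero instead of silently running as root.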