ecfa38f11e
To latest stable versions.
84 lines
2.5 KiB
Docker
84 lines
2.5 KiB
Docker
# ---- base image to inherit from ----
|
|
FROM python:3.14.3-slim-trixie AS common
|
|
|
|
# Install xmlsec1 dependencies required for xmlsec (for SAML)
|
|
# Needs to be kept before the `pip install`
|
|
RUN export DEBIAN_FRONTEND=noninteractive && \
|
|
apt-get update && \
|
|
apt-get -y upgrade && \
|
|
apt-get install -qy --no-install-recommends xmlsec1 && \
|
|
rm -rf /var/lib/apt/lists/*
|
|
|
|
# Silence pip warnings about running as root in a container
|
|
ENV PIP_ROOT_USER_ACTION=ignore
|
|
|
|
# We want the most up-to-date stable pip release
|
|
RUN pip install --upgrade pip
|
|
|
|
ENV PYTHONUNBUFFERED=1
|
|
|
|
# Give the "root" group the same permissions AS the "root" user on /etc/passwd
|
|
# to allow a user belonging to the root group to add new users; typically the
|
|
# docker user (see entrypoint).
|
|
RUN chmod g=u /etc/passwd
|
|
|
|
# We wrap commands run in this container by the following entrypoint that
|
|
# creates a user on-the-fly with the container user ID (see USER) and root group
|
|
# ID.
|
|
COPY ./docker/files/usr/local/bin/entrypoint /usr/local/bin/entrypoint
|
|
ENTRYPOINT [ "/usr/local/bin/entrypoint" ]
|
|
|
|
# Un-privileged user running the application
|
|
ARG DOCKER_USER
|
|
|
|
# Gunicorn
|
|
RUN mkdir -p /usr/local/etc/gunicorn
|
|
COPY docker/files/usr/local/etc/gunicorn/satosa.py /usr/local/etc/gunicorn/satosa.py
|
|
|
|
# The default command runs gunicorn WSGI server in satosa's main module
|
|
CMD ["gunicorn", "-c", "/usr/local/etc/gunicorn/satosa.py"]
|
|
|
|
# ---- Development image ----
|
|
FROM common AS development
|
|
|
|
# Install curl (for healthchecks)
|
|
RUN export DEBIAN_FRONTEND=noninteractive && \
|
|
apt-get update && apt-get install -qy curl
|
|
|
|
# Playwright browsers
|
|
ENV PLAYWRIGHT_BROWSERS_PATH=/pw-browsers
|
|
RUN pip install playwright
|
|
RUN playwright install --with-deps webkit
|
|
|
|
# Test root CA
|
|
COPY env.d/development/certs/mkcert-root-ca.pem /usr/local/share/ca-certificates/mkcert-root-ca.crt
|
|
RUN update-ca-certificates
|
|
|
|
WORKDIR /app
|
|
|
|
# Copy project file to list dependencies
|
|
COPY ./src/satosa/pyproject.toml /app/
|
|
|
|
# Install oidc2fer in editable mode along with development dependencies
|
|
RUN pip install -e .[dev]
|
|
|
|
# Copy oidc2fer application (see .dockerignore)
|
|
COPY ./src/satosa /app/
|
|
|
|
# Switch to unprivileged user
|
|
USER ${DOCKER_USER}
|
|
|
|
# ---- Production image (keep last so it is the default target) ----
|
|
FROM common AS production
|
|
|
|
# Copy oidc2fer application (see .dockerignore)
|
|
COPY ./src/satosa /app/
|
|
|
|
WORKDIR /app
|
|
|
|
# Uninstall pip, setuptools and wheel after installation to reduce attack surface
|
|
RUN pip install . && pip uninstall -y setuptools wheel pip
|
|
|
|
# Switch to unprivileged user
|
|
USER ${DOCKER_USER}
|