Files
oidc2fer/Dockerfile
T
Jonathan Perret 9994eb84b0 ⬆️ (python) upgrade to Python 3.14.3
Bumping base image to avoid reported vulnerabilities.
2026-02-27 19:04:37 +01:00

80 lines
2.4 KiB
Docker

# ---- base image to inherit from ----
FROM python:3.14.3-slim-trixie AS common
# Install xmlsec1 dependencies required for xmlsec (for SAML)
# Needs to be kept before the `pip install`
RUN export DEBIAN_FRONTEND=noninteractive && \
apt-get update && \
apt-get -y upgrade && \
apt-get install -qy --no-install-recommends xmlsec1 && \
rm -rf /var/lib/apt/lists/*
# Silence pip warnings about running as root in a container
ENV PIP_ROOT_USER_ACTION=ignore
# We want the most up-to-date stable pip release
RUN pip install --upgrade pip
ENV PYTHONUNBUFFERED=1
# Give the "root" group the same permissions AS the "root" user on /etc/passwd
# to allow a user belonging to the root group to add new users; typically the
# docker user (see entrypoint).
RUN chmod g=u /etc/passwd
# We wrap commands run in this container by the following entrypoint that
# creates a user on-the-fly with the container user ID (see USER) and root group
# ID.
COPY ./docker/files/usr/local/bin/entrypoint /usr/local/bin/entrypoint
ENTRYPOINT [ "/usr/local/bin/entrypoint" ]
# Un-privileged user running the application
ARG DOCKER_USER
# Gunicorn
RUN mkdir -p /usr/local/etc/gunicorn
COPY docker/files/usr/local/etc/gunicorn/satosa.py /usr/local/etc/gunicorn/satosa.py
# The default command runs gunicorn WSGI server in satosa's main module
CMD ["gunicorn", "-c", "/usr/local/etc/gunicorn/satosa.py"]
# ---- Development image ----
FROM common AS development
# Playwright browsers
ENV PLAYWRIGHT_BROWSERS_PATH=/pw-browsers
RUN pip install playwright
RUN playwright install --with-deps webkit
# Test root CA
COPY env.d/development/certs/mkcert-root-ca.pem /usr/local/share/ca-certificates/mkcert-root-ca.crt
RUN update-ca-certificates
WORKDIR /app
# Copy project file to list dependencies
COPY ./src/satosa/pyproject.toml /app/
# Install oidc2fer in editable mode along with development dependencies
RUN pip install -e .[dev]
# Copy oidc2fer application (see .dockerignore)
COPY ./src/satosa /app/
# Switch to unprivileged user
USER ${DOCKER_USER}
# ---- Production image (keep last so it is the default target) ----
FROM common AS production
# Copy oidc2fer application (see .dockerignore)
COPY ./src/satosa /app/
WORKDIR /app
# Uninstall pip, setuptools and wheel after installation to reduce attack surface
RUN pip install . && pip uninstall -y setuptools wheel pip
# Switch to unprivileged user
USER ${DOCKER_USER}