run container as non-root and prune unused deps
Add a dedicated `eirescope` user (UID 1000) and chown /app to it so the image no longer runs as root. Drop flask and sqlalchemy from requirements.txt — neither is imported anywhere; the server uses stdlib http.server and raw sqlite3. Add jinja2 explicitly (it was previously a transitive of Flask) and pin upper bounds on every dep so builds are at least somewhat reproducible.
parent a101dc61d5
commit 6edc45b3fe
2 changed files with 12 additions and 9 deletions
@ -5,6 +5,8 @@ RUN apt-get update && \
|
|||
apt-get install -y --no-install-recommends whois dnsutils && \
|
||||
rm -rf /var/lib/apt/lists/*
|
||||
|
||||
RUN useradd --create-home --shell /bin/bash --uid 1000 eirescope
|
||||
|
||||
WORKDIR /app
|
||||
|
||||
COPY requirements.txt .
|
||||
|
|
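Review bot: The `useradd` line gives the service account an interactive login shell (`--shell /bin/bash`), which a user that only runs the server process does not need; `--shell /usr/sbin/nologin` would be a tighter default, and `--create-home` can go as well if nothing writes to the home directory. The fixed `--uid 1000` is good for predictable ownership, but a short Dockerfile comment saying so would help anyone who bind-mounts a host directory and needs to know which UID has to own it.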
@ -13,7 +15,9 @@ RUN pip install --no-cache-dir -r requirements.txt
|
|||
COPY . .
|
||||
|
||||
COPY docker-entrypoint.sh /docker-entrypoint.sh
|
||||
RUN chmod +x /docker-entrypoint.sh
|
||||
RUN chmod +x /docker-entrypoint.sh && chown -R eirescope:eirescope /app
|
||||
|
||||
USER eirescope
|
||||
|
||||
EXPOSE 5000
|
||||
|
||||
|
|
|
|||
|
|
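Review bot: The `chown -R eirescope:eirescope /app` appended to the chmod `RUN` makes the runtime user the owner of everything `COPY . .` placed there, so the server process can rewrite its own code and templates, and the recursive chown in a later layer stores a second copy of those files in the image. Consider leaving the application files root-owned and giving `eirescope` ownership of only the directory the server writes to, using `COPY --chown=eirescope:eirescope` for that path instead of a separate chown. Also, `USER eirescope` is a name, which Kubernetes cannot verify against `runAsNonRoot: true`; `USER 1000:1000` matches the UID created earlier and passes that check.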
@ -1,8 +1,7 @@
|
|||
flask>=3.0
|
||||
requests>=2.31
|
||||
beautifulsoup4>=4.12
|
||||
sqlalchemy>=2.0
|
||||
ipwhois>=1.2
|
||||
dnspython>=2.4
|
||||
phonenumbers>=8.13
|
||||
python-whois>=0.9
|
||||
requests>=2.31,<3
|
||||
beautifulsoup4>=4.12,<5
|
||||
jinja2>=3.1,<4
|
||||
ipwhois>=1.2,<2
|
||||
dnspython>=2.4,<3
|
||||
phonenumbers>=8.13,<9
|
||||
python-whois>=0.9,<1
|
||||
|
|
|
|||
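Review bot: The new upper bounds such as `requests>=2.31,<3` only cap the major version, so each build still resolves to whatever release is newest inside the range, and transitive dependencies are not constrained at all. If reproducibility is the goal, keep these ranges as the input file and commit a generated lock file with exact versions and hashes (for example from `pip-compile --generate-hashes`), then install it with `pip install --require-hashes`. Dropping `flask` also removes its other transitives, so it is worth confirming that nothing besides `jinja2` was being imported through it.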