devtron-labs · badal773 · Feb 10, 2025 · Feb 10, 2025 · Mar 18, 2025 · Mar 18, 2025
@@ -1,13 +1,12 @@
-# Dockerfile
-
 # Base Image
-FROM python:3.8
+# Using official python 3.13-slim for smaller footprint and latest stable version
+FROM python:3.13-slim
 
-# set default environment variables
-ENV PYTHONUNBUFFERED 1
-ENV LANG C.UTF-8
+# Set environment variables for Python behavior
+ENV PYTHONUNBUFFERED=1
+ENV LANG=C.UTF-8
 
-# to take runtime arguments and set env variables
+# Accept build arguments for Django superuser creation
 ARG DJANGO_SUPERUSER_USERNAME
 ENV DJANGO_SUPERUSER_USERNAME=${DJANGO_SUPERUSER_USERNAME}
 
@@ -17,32 +16,40 @@ ENV DJANGO_SUPERUSER_PASSWORD=${DJANGO_SUPERUSER_PASSWORD}
 ARG DJANGO_SUPERUSER_EMAIL
 ENV DJANGO_SUPERUSER_EMAIL=${DJANGO_SUPERUSER_EMAIL}
 
-# create and set working directory
+# Create app directory and assign ownership later to non-root user
 RUN mkdir /app
+
 WORKDIR /app
 
-RUN chown -R www-data:www-data /app
+# Install system dependencies and nginx with minimal packages, no recommends
+RUN apt-get update && apt-get install -y --no-install-recommends nginx vim && \
+    rm -rf /var/lib/apt/lists/*
 
-# Add current directory code to working directory
+# Copy app source code
 COPY . /app/
 
-# install environment dependencies
-RUN pip install -r requirements.txt 
+# Install Python dependencies
+RUN pip install --no-cache-dir -r requirements.txt
 
-# install nginx
-RUN apt-get update && apt-get install nginx vim -y --no-install-recommends
+# Create a non-root user 'nonroot' and group, change ownership of /app and nginx logs
+RUN groupadd -r nonroot && useradd -r -g nonroot nonroot && \
+    chown -R nonroot:nonroot /app /var/log/nginx
 
-#Refer https://github.com/devtron-labs/devtron/blob/main/sample-docker-templates/django/nginx.default for sample nginx.default file
+# Copy nginx config file
 COPY nginx.default /etc/nginx/sites-available/default
 
-RUN ln -sf /dev/stdout /var/log/nginx/access.log \
-    && ln -sf /dev/stderr /var/log/nginx/error.log
+# Symlink nginx logs to stdout/stderr for container logging
+RUN ln -sf /dev/stdout /var/log/nginx/access.log && \
+    ln -sf /dev/stderr /var/log/nginx/error.log
 
-
-# start server
+# Expose port 8000 for Django/gunicorn and nginx
 EXPOSE 8000
 
+# Use non-root user for better security
+USER nonroot
+
+# Set stop signal for graceful shutdown
 STOPSIGNAL SIGTERM
 
-# Refer https://github.com/devtron-labs/devtron/blob/main/sample-docker-templates/django/start-server.sh for sample start-server.sh file
-CMD ["/app/start-server.sh"]
+# Start server script (migrations, superuser creation, gunicorn & nginx)
+CMD ["/app/start-server.sh"]
@@ -1,22 +1,15 @@
-#!/usr/bin/env bash
-#
-# Copyright (c) 2024. Devtron Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
+#!/bin/sh
 
-# start-server.sh
-python manage.py migrate 
-python manage.py createsuperuser --no-input
+# Apply DB migrations
+python manage.py migrate
 
-(gunicorn DjangoApp.wsgi --user www-data --bind 0.0.0.0:8000 --workers 3) && nginx -g "daemon off;"
+# Create superuser if details provided (non-interactive)
+if [ -n "$DJANGO_SUPERUSER_USERNAME" ] && [ -n "$DJANGO_SUPERUSER_PASSWORD" ] && [ -n "$DJANGO_SUPERUSER_EMAIL" ]; then
+    python manage.py createsuperuser --no-input || true
+fi
+
+# Start gunicorn as non-root user binding on all interfaces port 8000, 3 workers
+gunicorn DjangoApp.wsgi --user nonroot --bind 0.0.0.0:8000 --workers 3 &
+
+# Start nginx in foreground
+nginx -g "daemon off;"
@@ -1,39 +1,50 @@
-#Base Image
-FROM python:3.8
-
-#Getting System Ready to install dependencies
-RUN apt-get clean \
-    && apt-get -y update
-
-#Installing nginx
-RUN apt-get -y install nginx \
-    && apt-get -y install python3-dev \
-    && apt-get -y install build-essential
-
-#Creating symbolic link for access and error log from nginx
-RUN ln -sf /dev/stdout /var/log/nginx/access.log \
-    && ln -sf /dev/stderr /var/log/nginx/error.log
-
-#Creating a dir in Container
-RUN mkdir /app
-
-#Moving into the directory created
+# Base Image - Using python:3.13-slim for reduced image size
+FROM python:3.13-slim
+
+# Set environment variables
+ENV PYTHONUNBUFFERED=1
+ENV LANG=C.UTF-8
+
+# Install system dependencies (nginx, build tools) without recommended packages to keep image small
+RUN apt-get update && \
+    apt-get install -y --no-install-recommends \
+    nginx \
+    python3-dev \
+    build-essential \
+    # Clean up to reduce image size
+    && rm -rf /var/lib/apt/lists/* 
+
+# Symlink nginx logs to stdout/stderr for containerized log access
+RUN ln -sf /dev/stdout /var/log/nginx/access.log && \
+    ln -sf /dev/stderr /var/log/nginx/error.log
+
+# Create application directory
+RUN mkdir -p /app
+
+# Set working directory
 WORKDIR /app
 
-#Changing ownership of files in /app
-RUN chown -R www-data:www-data /app
+# Add application code
+COPY . /app/
 
-#Adding the complete project in dir created
-ADD . /app/
+# Install Python dependencies
+RUN pip install --no-cache-dir -r requirements.txt
 
-#Installing dependencies
-RUN pip3 install -r requirements.txt
-
-# Refer https://raw.githubusercontent.com/devtron-labs/devtron/main/sample-docker-templates/flask/nginx.default for sample nginx.default file
+# Copy nginx config
 COPY nginx.default /etc/nginx/sites-available/default
 
-#Refer https://raw.githubusercontent.com/devtron-labs/devtron/main/sample-docker-templates/flask/start.sh for sample start.sh file
-#Making start.sh executable
+# Make start.sh executable
 RUN chmod +x ./start.sh
 
+# Create a non-root user and change ownership of /app to that user
+RUN groupadd -r nonroot && useradd -r -g nonroot nonroot && \
+    chown -R nonroot:nonroot /app /var/log/nginx
+
+# Expose port 80 (used by nginx)
+EXPOSE 80
+
+# Switch to non-root user for better container security
+USER nonroot
+
+# Run app with start.sh
 CMD ["./start.sh"]
@@ -1,22 +1,8 @@
-#!/usr/bin/env bash
-#
-# Copyright (c) 2024. Devtron Inc.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
-service nginx start
-# Refer https://raw.githubusercontent.com/devtron-labs/devtron/main/sample-docker-templates/flask/uwsgi.ini for sample uwsgi.ini file
-uwsgi --ini uwsgi.ini
+#!/bin/bash
+set -e
 
+# Start nginx in the background
+nginx
 
+# Start uwsgi with provided ini config
+exec uwsgi --ini uwsgi.ini
@@ -1,14 +1,15 @@
 [uwsgi]
 module = app:app
-uid = www-data
-gid = www-data
+
 master = true
 processes = 5
 
 socket = /tmp/uwsgi.socket
-chmod-sock = 664
+chmod-socket = 664
 vacuum = true
 
 die-on-term = true
 
-
+# Run as non-root user
+uid = nonroot
+gid = nonroot
@@ -1,36 +1,41 @@
-################################# Build Container ###############################
+################################# Build Container #################################
 
-FROM golang:1.16 as builder
+# Use the latest stable Go image for building
+FROM golang:1.22.3 AS builder
 
-# Setup the working directory
+# Set working directory inside the container
 WORKDIR /app
 
-# COPY go module
-COPY go.mod go.sum /app/
-
-# Download go modules and cache for next time build
+# Copy Go module files and download dependencies
+COPY go.mod go.sum ./
 RUN go mod download
 
-# Add source code
-ADD . /app/
+# Copy the entire source code into the container
+COPY . .
 
-# Build the source
+# Build the Go binary with CGO disabled for static linking
 RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o main app.go
 
+################################# Production Container ############################
 
-################################# Prod Container #################################
+# Use a minimal and secure Alpine base image
+FROM alpine:3.20
 
-# Use a minimal alpine image
-FROM alpine:3.7
+# Install CA certificates (for HTTPS calls)
+RUN apk --no-cache add ca-certificates
 
-# Add ca-certificates in case you need them
-RUN apk update && apk add ca-certificates && rm -rf /var/cache/apk/*
+# Create a non-root user and switch to it
+RUN adduser -D -g '' nonroot
+USER nonroot
 
 # Set working directory
-WORKDIR /root
+WORKDIR /home/nonroot
 
-# Copy the binary from builder
+# Copy the compiled binary from the builder stage
 COPY --from=builder /app/main .
 
-# Run the binary
-CMD ["./main"]
+# Expose port if your app serves over a specific port (optional)
+# EXPOSE 8080
+
+# Start the application
+CMD ["./main"]
@@ -1,30 +1,37 @@
 ################################# Build Container ###############################
 
-# Base Image of Build Container
-FROM gradle:4.7.0-jdk8-alpine AS build
+# Use latest Gradle with JDK 21 and Alpine for minimal size and speed
+FROM gradle:8.13.0-jdk21-alpine AS build
 
-# Changing the ownership of file and copying files in container
+# Set working directory and ensure proper permissions
 COPY --chown=gradle:gradle . /home/gradle/src
-
-# Moving into workdir
 WORKDIR /home/gradle/src
 
-# Compiling & building the code 
-RUN gradle build --no-daemon 
+# Build the application without using the Gradle daemon
+RUN gradle build --no-daemon
 
 ################################# Prod Container #################################
 
-# Base Image for Prod Container
-FROM openjdk:8-jre-slim
+# Use a minimal JDK base image for production
+FROM eclipse-temurin:21-jdk-jammy
 
-# Exposing Port of this container
-EXPOSE 8080
+# Create a non-root user to run the app securely
+RUN addgroup -g 2002 nonroot && adduser -u 2002 -G nonroot -S nonroot
+
+# Set the working directory
+WORKDIR /app
 
-# Creating a dir
-RUN mkdir /app
+# Copy the JAR file from the build stage
+COPY --from=build /home/gradle/src/build/libs/*.jar /app/demo.jar
 
-# Copying only the jar files created before
-COPY --from=build /home/gradle/src/build/libs/*.jar /app/my-app.jar
+# Set ownership of the jar file
+RUN chown nonroot:nonroot /app/demo.jar
+
+# Switch to non-root user
+USER nonroot
+
+# Expose the application port
+EXPOSE 8080
 
-# Uncomment if you want to run default commands during the initialization of this container
-# CMD exec java -jar /app/my-app.jar
+# Run the jar file
+CMD ["java", "-jar", "/app/demo.jar"]