rev 4
This commit is contained in:
Daniil
+77
-16
@@ -1,31 +1,92 @@
|
||||
# syntax=docker/dockerfile:1
|
||||
# syntax=docker/dockerfile:1.7
|
||||
|
||||
FROM python:3.11-slim
|
||||
# ---------------------------------------------------------------------------
|
||||
# Stage 1: base — system dependencies shared by dev and prod
|
||||
# ---------------------------------------------------------------------------
|
||||
FROM python:3.11-slim AS base
|
||||
|
||||
COPY --from=ghcr.io/astral-sh/uv:0.8.15 /uv /uvx /bin/
|
||||
|
||||
ENV PYTHONDONTWRITEBYTECODE=1 \
|
||||
PYTHONUNBUFFERED=1 \
|
||||
PATH="/app/.venv/bin:/root/.local/bin:${PATH}"
|
||||
PATH="/app/.venv/bin:${PATH}"
|
||||
|
||||
WORKDIR /app
|
||||
|
||||
RUN apt-get update && apt-get install -y --no-install-recommends \
|
||||
build-essential \
|
||||
curl \
|
||||
ffmpeg \
|
||||
RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
|
||||
--mount=type=cache,target=/var/lib/apt,sharing=locked \
|
||||
apt-get update && apt-get install -y --no-install-recommends \
|
||||
ffmpeg \
|
||||
&& rm -rf /var/lib/apt/lists/*
|
||||
|
||||
# Install uv
|
||||
RUN curl -LsSf https://astral.sh/uv/install.sh | sh
|
||||
# ---------------------------------------------------------------------------
|
||||
# Stage 2: deps — install Python dependencies (no project code)
|
||||
# This layer is cached as long as pyproject.toml and uv.lock don't change.
|
||||
# build-essential is needed here for compiling C extensions (e.g. psycopg2)
|
||||
# but is NOT carried into the prod stage (prod inherits from base instead).
|
||||
# ---------------------------------------------------------------------------
|
||||
FROM base AS deps
|
||||
|
||||
RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
|
||||
--mount=type=cache,target=/var/lib/apt,sharing=locked \
|
||||
apt-get update && apt-get install -y --no-install-recommends \
|
||||
build-essential \
|
||||
&& rm -rf /var/lib/apt/lists/*
|
||||
|
||||
# Install deps (expects uv.lock)
|
||||
COPY pyproject.toml uv.lock ./
|
||||
RUN uv sync --frozen --no-dev
|
||||
RUN --mount=type=cache,target=/root/.cache/uv \
|
||||
uv sync --frozen --no-dev --no-install-project
|
||||
|
||||
# Copy source
|
||||
COPY cpv3 ./cpv3
|
||||
COPY alembic ./alembic
|
||||
COPY alembic.ini ./
|
||||
# ---------------------------------------------------------------------------
|
||||
# Stage 3: dev — development target (used by docker-compose)
|
||||
#
|
||||
# Does NOT install the cpv3 package into site-packages at all. The source
|
||||
# code is bind-mounted from the host at /app/cpv3, and Python finds it via
|
||||
# sys.path (WORKDIR /app is on sys.path by default for scripts run from /app).
|
||||
# This means:
|
||||
# - No second `uv sync` step that could go stale or conflict with the mount
|
||||
# - Hot reload works because uvicorn watches the bind-mounted directory
|
||||
# - No risk of importing a stale copy from site-packages
|
||||
# ---------------------------------------------------------------------------
|
||||
FROM deps AS dev
|
||||
|
||||
# Without `uv sync` (which creates an editable .pth finder in site-packages),
|
||||
# Python cannot find the cpv3 package. PYTHONPATH=/app makes /app/cpv3
|
||||
# discoverable as a regular package. This is the standard approach for
|
||||
# development containers with bind-mounted source code.
|
||||
ENV PYTHONPATH=/app
|
||||
|
||||
# watchfiles is already included via uvicorn[standard] in main deps.
|
||||
# It is used by uvicorn --reload and by the worker auto-restart wrapper.
|
||||
|
||||
EXPOSE 8000
|
||||
|
||||
CMD ["sh", "-c", "uv run alembic upgrade head && uv run uvicorn cpv3.main:app --host 0.0.0.0 --port 8000"]
|
||||
CMD ["sh", "-c", "alembic upgrade head && uvicorn cpv3.main:app --host 0.0.0.0 --port 8000 --reload --reload-dir /app/cpv3"]
|
||||
|
||||
# ---------------------------------------------------------------------------
|
||||
# Stage 4: prod — production target (used by CI/CD image builds)
|
||||
#
|
||||
# Inherits from base (not deps) so build-essential is excluded from the
|
||||
# final image (~200MB savings). Pre-compiled .venv is copied from deps.
|
||||
# Runs as non-root user for container security.
|
||||
# ---------------------------------------------------------------------------
|
||||
FROM base AS prod
|
||||
|
||||
ENV UV_LINK_MODE=copy
|
||||
|
||||
COPY --from=deps /app/.venv /app/.venv
|
||||
COPY pyproject.toml uv.lock ./
|
||||
COPY cpv3 ./cpv3
|
||||
COPY alembic ./alembic
|
||||
COPY alembic.ini ./
|
||||
RUN --mount=type=cache,target=/root/.cache/uv \
|
||||
uv sync --frozen --no-dev
|
||||
|
||||
RUN groupadd --gid 1000 app && \
|
||||
useradd --uid 1000 --gid app --create-home app
|
||||
RUN chown -R app:app /app
|
||||
USER app
|
||||
|
||||
EXPOSE 8000
|
||||
|
||||
CMD ["sh", "-c", "alembic upgrade head && uvicorn cpv3.main:app --host 0.0.0.0 --port 8000"]
|
||||
|
||||
Reference in New Issue
Block a user