From 3393a9758627ce621089f417df286b006e075e3e Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Mon, 23 Mar 2026 07:11:19 +0000
Subject: [PATCH 1/3] Initial plan

From d38b5fd832a58c817ed938c9513434067ab3c04c Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Mon, 23 Mar 2026 07:12:11 +0000
Subject: [PATCH 2/3] Fix Dockerfile: explicit uv.lock copy, healthcheck port env var, and CMD shell form

Co-authored-by: ochui <21917688+ochui@users.noreply.github.com>
Agent-Logs-Url: https://github.com/flowdacity/queue-server/sessions/e4d7c845-1368-447a-89ac-82f076792a42
---
 Dockerfile | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 8261e36..4ec6e5b 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -15,7 +15,7 @@ WORKDIR /app
 # Copy uv from official image for better security and updates
 COPY --from=ghcr.io/astral-sh/uv:latest /uv /uvx /bin/
-COPY pyproject.toml uv.lock* ./
+COPY pyproject.toml uv.lock ./
 RUN --mount=type=cache,target=/root/.cache/uv \
     uv sync --locked --no-install-project
@@ -53,7 +53,7 @@ USER appuser
 EXPOSE ${PORT}
 HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 \
-    CMD python -c "import httpx; httpx.get('http://127.0.0.1:${PORT}/metrics/')" || exit 1
+    CMD python -c "import os, httpx; port = os.environ.get('PORT', '8080'); httpx.get(f'http://127.0.0.1:{port}/metrics/')" || exit 1
 ENTRYPOINT ["sh", "-c"]
-CMD ["exec uvicorn asgi:app --host 0.0.0.0 --port ${PORT}"]
+CMD exec uvicorn asgi:app --host 0.0.0.0 --port ${PORT}

From a5df87bc7fe749b765032aad19121b4060cc8b62 Mon Sep 17 00:00:00 2001
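Review bot: Requiring uv.lock to exist is right, since the `uv sync --locked` on the following lines cannot run without it, but the resolver that interprets that lockfile is still pulled unpinned from `ghcr.io/astral-sh/uv:latest` two lines above, so Python dependencies are fixed while the tool itself can change between two otherwise identical builds. Pin both tag and digest, e.g. `COPY --from=ghcr.io/astral-sh/uv:<VERSION>@sha256:<DIGEST> /uv /uvx /bin/` (placeholders to be filled from the upstream release), and bump it deliberately. The same context line survives unchanged into the third patch's hunk at `@@ -12,18 +12,17 @@`.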
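Review bot: The probe's `os.environ.get('PORT', '8080')` fallback and the new shell-form `CMD exec uvicorn ... --port ${PORT}` disagree about what happens when PORT is missing from the runtime environment: the probe silently targets 8080 while uvicorn is started with an empty `--port` value, so a PORT that is only a build ARG (its ENV declaration, if any, is outside this hunk) surfaces as an unexplained failing healthcheck. Read the variable the same way in both places, `port = os.environ['PORT']`, so the probe fails loudly when the variable is absent, or give the CMD the same default. The third patch's hunk at `@@ -37,23 +36,20 @@` keeps this fallback, so the point applies there too.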
From: "Ochui, Princewill Patrick" <21917688+ochui@users.noreply.github.com>
Date: Mon, 23 Mar 2026 15:07:41 +0100
Subject: [PATCH 3/3] Refactor Dockerfile: streamline uv sync commands and update user permissions for improved security

---
 Dockerfile | 26 +++++++++++---------------
 1 file changed, 11 insertions(+), 15 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 4ec6e5b..aa15c78 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -12,18 +12,17 @@ ENV PYTHONDONTWRITEBYTECODE=1 \
 WORKDIR /app
-# Copy uv from official image for better security and updates
 COPY --from=ghcr.io/astral-sh/uv:latest /uv /uvx /bin/
 COPY pyproject.toml uv.lock ./
 RUN --mount=type=cache,target=/root/.cache/uv \
-    uv sync --locked --no-install-project
+    uv sync --locked --no-dev --no-install-project
 COPY . .
 RUN --mount=type=cache,target=/root/.cache/uv \
-    uv sync --locked
+    uv sync --locked --no-dev
 # --- Runtime stage ---
 FROM python:${PYTHON_VERSION}-slim
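Review bot: The removed line `# Copy uv from official image for better security and updates` was the only explanation of why `/uv` is taken from a separate image instead of being installed into the build stage, and the new side leaves the `COPY --from=ghcr.io/astral-sh/uv:latest` line with no comment at all. Keep a one-line why-comment above it, e.g. `# uv is copied from the upstream image rather than installed with pip; update it by bumping that image reference`. The `--no-dev` added to both `uv sync` calls is consistent between them and needs no further change.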
@@ -37,23 +36,20 @@ ENV PYTHONDONTWRITEBYTECODE=1 \
 WORKDIR /app
-RUN groupadd -r appuser && \
-    useradd -r -g appuser -u 1000 -s /sbin/nologin appuser
+RUN groupadd --system flowdacity && \
+    useradd --system --gid flowdacity --uid 1000 --create-home --shell /usr/sbin/nologin flowdacity
-COPY --from=builder --chown=appuser:appuser /app/.venv /app/.venv
+COPY --from=builder --chown=flowdacity:flowdacity /app/.venv /app/.venv
+COPY --from=builder --chown=flowdacity:flowdacity /app /app
-COPY --chown=appuser:appuser . .
+RUN chmod -R a-w /app && \
+    chmod -R u+rwX /app
-RUN chmod -R 555 /app/fq_server && \
-    chmod 555 /app/*.py && \
-    chmod 444 /app/default.conf /app/pyproject.toml
-
-USER appuser
+USER flowdacity
 EXPOSE ${PORT}
 HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 \
-    CMD python -c "import os, httpx; port = os.environ.get('PORT', '8080'); httpx.get(f'http://127.0.0.1:{port}/metrics/')" || exit 1
+    CMD python -c "import os, httpx; port = os.environ.get('PORT', '8080'); r = httpx.get(f'http://127.0.0.1:{port}/metrics/'); raise SystemExit(0 if r.status_code < 400 else 1)"
-ENTRYPOINT ["sh", "-c"]
-CMD exec uvicorn asgi:app --host 0.0.0.0 --port ${PORT}
+CMD ["sh", "-c", "exec uvicorn asgi:app --host 0.0.0.0 --port ${PORT}"]
\ No newline at end of file
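Review bot: The new `RUN chmod -R a-w /app && chmod -R u+rwX /app` ends with the owner holding write permission, and the owner of everything under /app is `flowdacity` because of the `--chown` on the two COPY lines above it, so the account the service runs as can modify its own source and `.venv` at runtime — the 555/444 modes this hunk removes denied exactly that, which is the opposite of the "improved security" in the subject. Because a recursive chmod rewrites each file's metadata, that RUN also copies the whole tree into a fresh layer, and the first COPY is redundant anyway since the second copies `/app` including `.venv`. With `PYTHONDONTWRITEBYTECODE=1` in this stage (hunk header) the venv needs no write access, so replace both COPY lines and the chmod RUN with a single root-owned copy, `COPY --from=builder /app /app`, which leaves the files readable and executable by `flowdacity` but not writable, provided the builder's files are world-readable (a `uv sync` venv normally is — confirm). If the application genuinely needs a writable path, create only that directory with `--chown` rather than granting write over the whole tree.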