# syntax=docker/dockerfile:1.4
# BuildKit: enables cache mounts and better layer reuse.
#
# Build: docker build -t openrag-backend .
# -----------------------------------------------------------------------------
# Stage: base (system + uv)
# -----------------------------------------------------------------------------
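FROM python:3.13-slim AS base
# Shared foundation for the build stages: TLS tooling plus the uv package manager.
#
# NOTE(security): the uv installer is fetched from a mutable URL and executed as
# root with no integrity check, so every build trusts whatever is served at that
# moment. Pin a specific uv release (versioned installer URL, or copy the binary
# from the official uv image by digest) and verify a checksum before running it.
# NOTE(review): python:3.13-slim is a floating tag; pin it by digest if builds
# must be reproducible.
#
# The installer is downloaded to a file rather than piped into `sh`: under the
# default /bin/sh there is no pipefail, so a failed download would be masked by
# the exit status of `sh` and the build would carry on without uv.
RUN apt-get update && apt-get install -y --no-install-recommends \
        ca-certificates \
        curl \
        openssl \
    && curl -LsSf https://astral.sh/uv/install.sh -o /tmp/uv-install.sh \
    && sh /tmp/uv-install.sh \
    && rm -rf /tmp/uv-install.sh /var/lib/apt/lists/*
# Make uv resolvable in later RUN steps (the installer's per-user bin directory
# for root).
ENV PATH="/root/.local/bin:$PATH"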
# -----------------------------------------------------------------------------
# Stage: builder (deps + app)
# -----------------------------------------------------------------------------
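FROM base AS builder
# Build-time deps only: the compiler toolchain and git stay in this stage and
# are not part of the final image.
RUN apt-get update && apt-get install -y --no-install-recommends \
        build-essential \
        git \
    && rm -rf /var/lib/apt/lists/*
WORKDIR /app
# Dependency layer: reused as long as the lockfile and pyproject don't change.
COPY pyproject.toml uv.lock ./
# --locked makes the build fail when uv.lock is out of date with pyproject.toml
# instead of re-resolving, so the image only ever contains the dependency
# versions recorded in the committed lockfile.
# The cache mount lives on the build host and is not written into any layer.
RUN --mount=type=cache,target=/root/.cache/uv,uid=0,gid=0 \
    uv sync --locked
# Application sources are copied after the dependency install so that edits to
# src/ or flows/ do not invalidate the dependency layer.
COPY src/ ./src/
COPY flows/ ./flows/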
# -----------------------------------------------------------------------------
# Stage: runtime (minimal image)
# -----------------------------------------------------------------------------
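FROM python:3.13-slim AS runtime
# Runtime OS packages plus a dedicated unprivileged account:
#   (+) non-root group "openrag" (gid 103000)
#   (+) non-root user  "openrag" (uid 103000, no home directory)
# NOTE(review): curl and openssl widen the runtime attack surface; keep them
# only if the application or an external probe actually needs them (confirm).
RUN apt-get update && apt-get install -y --no-install-recommends \
        ca-certificates \
        curl \
        openssl \
    && rm -rf /var/lib/apt/lists/* \
    && groupadd --gid 103000 openrag \
    && useradd --uid 103000 --gid openrag --no-create-home openrag
WORKDIR /app
# --chown sets ownership at copy time; avoids an expensive chown -R layer.
# NOTE(review): this makes the application code and virtualenv writable by the
# runtime user. If the app does not need to write under /app, leaving these
# files root-owned limits what a compromised process can tamper with (confirm).
COPY --chown=openrag:openrag --from=builder /app /app
# Use the virtualenv built by the builder stage for every `python` invocation.
ENV VIRTUAL_ENV=/app/.venv
ENV PATH="/app/.venv/bin:$PATH"
# Switch to the non-root "openrag" account by numeric UID:GID. Orchestrators
# that enforce a non-root policy (e.g. Kubernetes runAsNonRoot) can only verify
# a numeric user, not a name.
USER 103000:103000
# Documentation only: EXPOSE does not publish the port.
EXPOSE 8000
# Exec form: python runs as PID 1 and receives stop signals directly.
CMD ["python", "src/main.py"]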