From 36388d942950ec4a563b5419f2409958e3c5a479 Mon Sep 17 00:00:00 2001
From: no ack hosting ab <57805558+mikaelkrantz945@users.noreply.github.com>
Date: Thu, 25 Sep 2025 14:41:47 +0200
Subject: [PATCH] Secure Dockerfile and application (#317)

fix: Run ProxLB in container as plb user instead of root
* Run ProxLB as plb user
* Run within a venv
---
Dockerfile | 35 ++++++++++++++++++++++++-----------
1 file changed, 24 insertions(+), 11 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index b80c2c8..f08c44e 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -9,20 +9,33 @@ LABEL org.label-schema.vendor="gyptazy"
 LABEL org.label-schema.url="https://proxlb.de"
 LABEL org.label-schema.vcs-url="https://github.com/gyptazy/ProxLB"
 
-# Install Python3
-RUN apk add --no-cache python3 py3-pip
+# --- Step 1 (root): system deps, user, dirs ---
+RUN apk add --no-cache python3 py3-pip \
+ && addgroup -S plb \
+ && adduser -S -G plb -h /home/plb plb \
+ && mkdir -p /app/conf /opt/venv \
+ && chown -R plb:plb /app /home/plb /opt/venv
 
-# Create a directory for the app
 WORKDIR /app
 
-# Copy the python program from the current directory to /app
-COPY proxlb /app/proxlb
+# Copy only requirements first for better layer caching
+COPY --chown=plb:plb requirements.txt /app/requirements.txt
 
-# Copy requirements to the container
-COPY requirements.txt /app/requirements.txt
+# --- Step 2 (appuser): venv + deps + code ---
+USER plb
 
-# Install dependencies in the virtual environment
-RUN pip install --break-system-packages -r /app/requirements.txt
+# Create venv owned by appuser and put it on PATH
+RUN python3 -m venv /opt/venv
+ENV PATH="/opt/venv/bin:${PATH}"
 
-# Set the entry point to use the virtual environment's python
-ENTRYPOINT ["/usr/bin/python3", "/app/proxlb/main.py"]
+# Install Python dependencies into the venv (no PEP 668 issues)
+RUN pip install --no-cache-dir -r /app/requirements.txt
+
+# Copy application code (owned by appuser)
+COPY --chown=plb:plb proxlb /app/proxlb
+
+# Optional: placeholder config so a bind-mount can override cleanly
+RUN touch /app/conf/proxlb.yaml
+
+# Run as non-root using venv Python
+ENTRYPOINT ["/opt/venv/bin/python", "/app/proxlb/main.py"]
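Review bot: `USER plb` switches by name and `adduser -S` leaves the UID to busybox's allocation, so a runtime that has to verify the image user is non-root from the image config alone (Kubernetes `runAsNonRoot`) cannot do so for a non-numeric user and rejects the container; pin the ids in the same RUN and switch by number: `&& addgroup -S -g 10001 plb \`, `&& adduser -S -G plb -h /home/plb -u 10001 plb \` and `USER 10001`. Second, `chown -R plb:plb /app /home/plb /opt/venv` together with `COPY --chown=plb:plb proxlb /app/proxlb` leaves the application code and the venv writable by the very process that executes them, so a compromised ProxLB could persist by rewriting its own sources; only `/app/conf` needs to be writable by `plb`, the code and venv can stay root-owned and world-readable if the venv is created and populated before the `USER` switch. The new comments still say "appuser" (`# --- Step 2 (appuser): venv + deps + code ---`, `# Create venv owned by appuser and put it on PATH`, `# Copy application code (owned by appuser)`) while the account is `plb`; name the real user, e.g. `# --- Step 2 (plb): venv + deps + code ---`. The `apk add --no-cache python3 py3-pip` line is carried over unpinned, which was already the case before this change.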