Secure Dockerfile and application (#317)

fix: Run ProxLB in container as plb user instead of root
* Run ProxLB as plb user
* Run within a venv

Dockerfile

@@ -9,20 +9,33 @@ LABEL org.label-schema.vendor="gyptazy"
 LABEL org.label-schema.url="https://proxlb.de"
 LABEL org.label-schema.vcs-url="https://github.com/gyptazy/ProxLB"
 
-# Install Python3
+# --- Step 1 (root): system deps, user, dirs ---
-RUN apk add --no-cache python3 py3-pip
+RUN apk add --no-cache python3 py3-pip \
+  && addgroup -S plb \
+  && adduser -S -G plb -h /home/plb plb \
+  && mkdir -p /app/conf /opt/venv \
+  && chown -R plb:plb /app /home/plb /opt/venv
 
-# Create a directory for the app
 WORKDIR /app
 
-# Copy the python program from the current directory to /app
+# Copy only requirements first for better layer caching
-COPY proxlb /app/proxlb
+COPY --chown=plb:plb requirements.txt /app/requirements.txt
 
-# Copy requirements to the container
+# --- Step 2 (appuser): venv + deps + code ---
-COPY requirements.txt /app/requirements.txt
+USER plb
 
-# Install dependencies in the virtual environment
+# Create venv owned by appuser and put it on PATH
-RUN pip install --break-system-packages -r /app/requirements.txt
+RUN python3 -m venv /opt/venv
+ENV PATH="/opt/venv/bin:${PATH}"
 
-# Set the entry point to use the virtual environment's python
+# Install Python dependencies into the venv (no PEP 668 issues)
-ENTRYPOINT ["/usr/bin/python3", "/app/proxlb/main.py"]
+RUN pip install --no-cache-dir -r /app/requirements.txt
+
+# Copy application code (owned by appuser)
+COPY --chown=plb:plb proxlb /app/proxlb
+
+# Optional: placeholder config so a bind-mount can override cleanly
+RUN touch /app/conf/proxlb.yaml
+
+# Run as non-root using venv Python
+ENTRYPOINT ["/opt/venv/bin/python", "/app/proxlb/main.py"]