This PR fixes the currently broken Dockerfile. As referenced via #4, I have pinned the version at Python 3.10 currently due to an out-of-date LXML in the main SimplyTranslateWeb repository.
Dockerfile: instead of using a Debian-based image, we switch to Alpine. We don't need to update and upgrade a docker container usually so we can just pull what we need. In my tests, the current Dockerfile will result in a 1.46 GB image. With these patches, the new Dockerfile will result in a 262.59 MB image; a significant reduction in image size and a faster overall build time.
Docker Compose:
* `user`: this is set to `nobody`, the least privileged account.
* `read_only`: this is set to true, this container doesn't write anything to the filesystem.
* `security_opt`: there's a lot of settings, but the important one is that the container doesn't get any privileges when asking for them.
* `cap_drop`: this drops all capabilities like CHOWN, SETUID, etc.
* `networks`: this puts `simplytranslate` in its own separate bridge network where it cannot talk to other containers.
I have a PR pending for SimpleWeb/SimplyTranslate-Engines#19. If that gets merged, we can build with the python:alpine image instead of pinning 3.10.
#4 is fixed and can be closed now with this patch as well as #3.
The PR from SimpleWeb/SimplyTranslate-Engines#19 has been merged. Making a patch to 3.11.
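A check for the five Compose settings listed in the PR description, as an added example that is not part of the PR or the project's code. The function name `audit_service` and the sample service dicts are hypothetical, and the service is assumed to be already parsed from the compose YAML into a dict.

```python
# Added example: audits one Compose service for the five settings in the PR description.
# The service dicts below are constructed samples, not the project's compose file.

def audit_service(svc: dict) -> list[str]:
    """Return the hardening keys from the PR description that `svc` lacks."""
    findings = []

    # user: must be set and must not resolve to root ("root", "0", "0:0", ...)
    user = str(svc.get("user", "")).split(":")[0]
    if user in ("", "root", "0"):
        findings.append("user")

    # read_only: root filesystem mounted read-only
    if svc.get("read_only") is not True:
        findings.append("read_only")

    # security_opt: no-new-privileges, as a bare flag or with :true / =true
    opts = [str(o).replace("=", ":").lower() for o in svc.get("security_opt", [])]
    if not any(o in ("no-new-privileges", "no-new-privileges:true") for o in opts):
        findings.append("security_opt")

    # cap_drop: ALL capabilities must be dropped
    caps = [str(c).upper() for c in svc.get("cap_drop", [])]
    if "ALL" not in caps:
        findings.append("cap_drop")

    # networks: a named network other than the shared "default" one, no host mode
    nets = svc.get("networks") or []
    if svc.get("network_mode") == "host" or not [n for n in nets if n != "default"]:
        findings.append("networks")
    return findings

# Constructed samples (shape of a parsed docker-compose service entry)
HARDENED = {
    "user": "nobody", "read_only": True,
    "security_opt": ["no-new-privileges:true"],
    "cap_drop": ["ALL"], "networks": ["simplytranslate"],
}
DEFAULTS = {"image": "example/app", "ports": ["5000:5000"]}

if __name__ == "__main__":
    for name, svc in (("hardened", HARDENED), ("defaults", DEFAULTS)):
        print(name, audit_service(svc) or "ok")
```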
I don't use Docker and know next to nothing about it, so I can't test this. Can you please test this @mohammad.rafigh and @schklom?
This is working well on both my amd64 and arm64 machine 💯
Merged commit 6799c9d7e0 into master 3 months ago.
Sorry for delay. I also confirm this is fixed.