diff --git a/app/Dockerfile b/app/Dockerfile
index 9cc434b..84ffe88 100644
--- a/app/Dockerfile
+++ b/app/Dockerfile
@@ -5,13 +5,12 @@ ARG GID=1000
 #
 # first stage for our base image
 FROM python:3.13-alpine AS base
-USER root
-COPY --chmod=0700 ./hardening_base.sh .
+COPY --chmod=0700 ./hardening_base.sh /
 RUN apk upgrade --no-cache && \
- apk add --no-cache su-exec && \
- ./hardening_base.sh && \
- rm ./hardening_base.sh
+ apk add --no-cache su-exec=0.2-r3 && \
+ /hardening_base.sh && \
+ rm /hardening_base.sh
 #
 # second stage for building wheels packages
@@ -19,8 +18,8 @@ FROM base AS builder
 # copy the dependencies file to the root dir and install requirements
 COPY ./requirements.txt /root/
-RUN apk add --no-cache build-base && \
- python -m pip install --no-cache-dir -U pip wheel && \
+RUN apk add --no-cache build-base=0.5-r3 && \
+ python -m pip install --no-cache-dir pip==24.3.1 wheel==0.45.1 && \
 python -OO -m pip wheel --no-cache-dir --wheel-dir=/root/wheels -r /root/requirements.txt
@@ -50,9 +49,9 @@ VOLUME ["/home/$SERVICE_NAME/log", "/home/$SERVICE_NAME/config"]
 # and unistall python packages and alpine package manger to reduce attack surface
 COPY --from=builder /root/wheels /root/wheels
 COPY --chmod=0700 ./hardening_final.sh .
-RUN python -m pip install --no-cache --no-index /root/wheels/* && \
+RUN python -m pip install --no-cache-dir --no-cache --no-index /root/wheels/* && \
 rm -rf /root/wheels && \
- python -m pip uninstall --yes setuptools wheel pip && \
+ python -m pip uninstall --yes wheel pip && \
 apk --purge del apk-tools && \
 ./hardening_final.sh && \
 rm ./hardening_final.sh
diff --git a/ha_addons/ha_addon/Dockerfile b/ha_addons/ha_addon/Dockerfile
index aa267cd..480bbb9 100755
--- a/ha_addons/ha_addon/Dockerfile
+++ b/ha_addons/ha_addon/Dockerfile
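Review bot: The pin `su-exec=0.2-r3` on the changed `apk add` line is only resolvable while the floating `python:3.13-alpine` tag still points at the Alpine release that carries that build, and `apk upgrade --no-cache` on the line before fetches the current index, so the next base-image refresh turns this line into a build failure rather than a quiet drift. The same coupling applies to `build-base=0.5-r3` in the builder hunk and to the python3/py3-pip/build-base pins in ha_addons/ha_addon/Dockerfile. Pinning the base by digest, `FROM python:3.13-alpine@sha256:<digest-from-registry> AS base`, keeps the apk pins and the base in step, and a one-line comment such as `# apk pins track the Alpine release of the base image; bump them together` saves the next person from guessing. Dropping `USER root` is harmless here since the python image already runs as root at this point.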
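Review bot: With pip and wheel now pinned on the changed install line, the remaining unpinned input of this stage is the resolution of `/root/requirements.txt` on the last line, which is fetched from the index without hash verification; if that file is fully pinned, generating it with hashes and adding `--require-hashes` to the `pip wheel` call would close the gap. The `-OO` on that same `pip wheel` line only applies to the interpreter running pip, not to the wheels it produces, so as far as I can tell it is a no-op that is easy to misread as an optimisation; the ha_addons builder hunk repeats it. Passing `pip==24.3.1` without `-U` still replaces whatever pip the base ships, which is fine but deserves a comment like `# pin pip/wheel so builder output is reproducible across base refreshes`.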
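Review bot: The changed install line now carries both `--no-cache-dir` and `--no-cache`; pip's optparse-based front end accepts `--no-cache` only as an abbreviation of `--no-cache-dir`, so the second flag is redundant and misleading — `RUN python -m pip install --no-cache-dir --no-index /root/wheels/* && \` is the intended form, and the same doubling appears in the ha_addons runtime hunk. The base stage now copies and runs its hardening script from `/`, while this stage still uses `COPY --chmod=0700 ./hardening_final.sh .` and `./hardening_final.sh` relative to the working directory; aligning both on an absolute path would stop this depending on where WORKDIR was last set. The RUN chain is complete in this hunk but the stage's earlier lines are outside it.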
@@ -10,36 +10,40 @@
 ######################
-# 1 Build Image #
+# 1 Build Base Image #
 ######################
 ARG BUILD_FROM="ghcr.io/hassio-addons/base:stable"
-FROM $BUILD_FROM
-
-
-#######################
-# 2 Modify Image #
-#######################
-
-
-
-
-#######################
-# 3 Install apps #
-#######################
-
-
+# hadolint ignore=DL3006
+FROM $BUILD_FROM AS base
 # Installiere Python, pip und virtuelle Umgebungstools
-RUN apk add --no-cache python3 py3-pip py3-virtualenv
+RUN apk add --no-cache python3=3.12.8-r1 py3-pip=24.3.1-r0
-# Erstelle ein virtuelles Umfeld und aktiviere es
-RUN python3 -m venv /opt/venv
-RUN . /opt/venv/bin/activate
-# Stelle sicher, dass das Add-on das virtuelle Umfeld nutzt
-ENV PATH="/opt/venv/bin:$PATH"
+#######################
+# 2 Build wheel #
+#######################
+FROM base AS builder
+
+COPY rootfs/requirements.txt /root/
+
+RUN apk add --no-cache build-base=0.5-r3 && \
+ python -m pip install --no-cache-dir wheel==0.45.1 && \
+ python -OO -m pip wheel --no-cache-dir --wheel-dir=/root/wheels -r /root/requirements.txt
+
+
+
+
+#######################
+# 3 Build runtime #
+#######################
+FROM base AS runtime
+
+ARG SERVICE_NAME
+ARG VERSION
+ENV SERVICE_NAME=${SERVICE_NAME}
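Review bot: `python -m pip install --no-cache-dir wheel==0.45.1` in the new builder stage installs into the Alpine system interpreter, since the venv this hunk removes is gone; Alpine releases that ship the PEP 668 `EXTERNALLY-MANAGED` marker with python3 (the pin `python3=3.12.8-r1` points at a recent one) make pip refuse with `externally-managed-environment` unless `--break-system-packages` is passed or `PIP_BREAK_SYSTEM_PACKAGES=1` is set — please confirm the build passes on the actual base image, or add the flag here and on the `pip install --no-index /root/wheels/*` line in the runtime hunk. The context comment `# Installiere Python, pip und virtuelle Umgebungstools` above the changed RUN is now stale because py3-virtualenv is no longer installed; `# Install python3 and pip, pinned to the Alpine release of the base image` matches the new line and the English comments the commit adds elsewhere in the file. The `# hadolint ignore=DL3006` is reasonable since `BUILD_FROM` is supplied by the add-on build, but a short note on why the tag cannot be pinned would help a later reader.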
@@ -47,36 +51,31 @@ ENV PATH="/opt/venv/bin:$PATH"
 # 4 Install libraries #
 #######################
+# install the requirements from the wheels packages from the builder stage
+# and unistall python packages and alpine package manger to reduce attack surface
-# Kopiere die requirements.txt Datei in das Image
-COPY rootfs/requirements.txt /tmp/requirements.txt
-
-# installiere die Pakete aus requirements.txt
-RUN pip install --no-cache-dir -r /tmp/requirements.txt
+COPY --from=builder /root/wheels /root/wheels
+RUN python -m pip install --no-cache-dir --no-cache --no-index /root/wheels/* && \
+ rm -rf /root/wheels && \
+ python -m pip uninstall --yes wheel pip && \
+ apk --purge del apk-tools
 #######################
 # 5 copy data #
 #######################
-
-# Add rootfs
 COPY rootfs/ /
-# make run.sh executable
-RUN chmod a+x /run.sh
-
 #######################
 # 6 run app #
 #######################
-ARG SERVICE_NAME
-ARG VERSION
-ENV SERVICE_NAME=${SERVICE_NAME}
-
-RUN echo ${VERSION} > /proxy-version.txt
+# make run.sh executable
+RUN chmod a+x /run.sh && \
+ echo ${VERSION} > /proxy-version.txt
 # command to run on container start
 CMD [ "/run.sh" ]
diff --git a/repository.yaml b/repository.yaml
deleted file mode 100644
index 42a9fc5..0000000
--- a/repository.yaml
+++ /dev/null
@@ -1,3 +0,0 @@
-name: TSUN-Proxy
-url: https://github.com/s-allius/tsun-gen3-proxy/ha_addons
-maintainer: Stefan Allius
\ No newline at end of file
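Review bot: `python -m pip uninstall --yes wheel pip` on the new RUN line lists `wheel`, but nothing in this stage installed it — `wheel==0.45.1` was added only in the builder stage, and `runtime` starts `FROM base`, which installs just python3 and py3-pip — so unless one of the copied wheels pulls it in the entry is dead and pip merely warns about it; `python -m pip uninstall --yes pip && \` is the accurate form. The new comment introduces two typos; `# and uninstall python packages and the alpine package manager to reduce attack surface` reads correctly. The `chmod a+x /run.sh` could move into the copy as `COPY --chmod=0755 rootfs/run.sh /run.sh`, but since `rootfs/` is copied wholesale the extra RUN is acceptable as written.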