From 690c66a13a7c4893796404f458152ce5f6b0d644 Mon Sep 17 00:00:00 2001
From: Stefan Allius
Date: Mon, 13 Nov 2023 20:47:14 +0100
Subject: [PATCH] hardening docker image remove the python packages setuptools, wheel and pip from final image to reduce the attack surface
---
 CHANGELOG.md | 2 ++
 app/Dockerfile | 21 ++++++++++-----------
 2 files changed, 12 insertions(+), 11 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 7c275d2..90d621b 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [Unreleased]
+- remove python packages setuptools, wheel, pip from final image to reduce the attack surface
 ## [0.5.3] - 2023-11-12
 - remove apk packet manager from the final image
diff --git a/app/Dockerfile b/app/Dockerfile
index 51bec0a..1409601 100644
--- a/app/Dockerfile
+++ b/app/Dockerfile
@@ -7,20 +7,18 @@ ARG GID=1000
 FROM python:3.12-alpine AS base
 USER root
-RUN apk update && \ apk upgrade
-RUN apk add --no-cache su-exec
+RUN apk upgrade --no-cache && \ apk add --no-cache su-exec
 #
 # second stage for building wheels packages
 FROM base as builder
-RUN apk add --no-cache build-base && \ python -m pip install --no-cache-dir -U pip wheel
-
 # copy the dependencies file to the root dir and install requirements
 COPY ./requirements.txt /root/
-RUN python -OO -m pip wheel --no-cache-dir --wheel-dir=/root/wheels -r /root/requirements.txt
+RUN apk add --no-cache build-base && \ python -m pip install --no-cache-dir -U pip wheel && \ python -OO -m pip wheel --no-cache-dir --wheel-dir=/root/wheels -r /root/requirements.txt
 #
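Review bot: The merged builder RUN still upgrades pip and wheel to whatever PyPI serves at build time (`-U pip wheel`, no version pin) and then resolves requirements.txt without hash verification, so the wheel set that lands in the hardened final image is neither reproducible nor integrity-checked — the image hardening downstream is only as strong as this build-time fetch. Pin both tools in the same way the application dependencies are pinned, e.g. `python -m pip install --no-cache-dir pip==<pinned> wheel==<pinned>`, taking the versions from requirements.txt or a constraints file rather than floating. If requirements.txt carries `--hash` entries (not visible in this hunk), add `--require-hashes` to the wheel step: `python -OO -m pip wheel --no-cache-dir --require-hashes --wheel-dir=/root/wheels -r /root/requirements.txt`. The same non-reproducibility applies to the unpinned `FROM python:3.12-alpine` plus `apk upgrade` in the base stage; pinning the base by digest would let the `apk upgrade` step be dropped in favour of bumping the digest.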
@@ -47,12 +45,13 @@ ENV HOME=/home/$SERVICE_NAME
 VOLUME ["/home/$SERVICE_NAME/log", "/home/$SERVICE_NAME/config"]
-# install the requirements from the wheels packages from the builder stage
+# install the requirements from the wheels packages from the builder stage
+# and unistall python packages and alpine package manger to reduce attack surface
 COPY --from=builder /root/wheels /root/wheels
 RUN python -m pip install --no-cache --no-index /root/wheels/* && \
- rm -rf /root/wheels
-
-RUN apk --purge del apk-tools
+ rm -rf /root/wheels && \ python -m pip uninstall --yes setuptools wheel pip && \ apk --purge del apk-tools
 # copy the content of the local src and config directory to the working directory
 COPY --chmod=0700 entrypoint.sh /root/entrypoint.sh
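Review bot: `python -m pip uninstall --yes setuptools wheel pip` removes the installed copies but, if this base image ships the stdlib `ensurepip` module with its bundled pip wheel as the official python images do, anyone with code execution in the container can restore pip with `python -m ensurepip`, so the attack-surface reduction is cosmetic unless the bundle goes too; consider appending `rm -rf /usr/local/lib/python3.12/ensurepip` to the same RUN after verifying that path in the built image. Dropping setuptools also removes `pkg_resources`, which some third-party packages import at runtime through entry points; the hunk gives no evidence either way about requirements.txt, so run the application's smoke test against the built image before shipping this. The new comment has two typos — suggest `# and uninstall python packages and alpine package manager to reduce attack surface`.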