1
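FROM python:3.12-slim

WORKDIR /app

# System deps (minimal; libsodium is bundled with pynacl wheels)
RUN apt-get update \
    && apt-get install -y --no-install-recommends ca-certificates \
    && rm -rf /var/lib/apt/lists/*

# Create the unprivileged runtime user up front so application files can be
# owned at COPY time; a trailing `chown -R /app` would re-write every copied file
# into a fresh layer and roughly double the size of the app layers.
RUN useradd --system --uid 1000 --create-home oversight

# Dependency manifest first so the pip layer stays cached across source changes.
COPY requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt

# Copy the library + registry, already owned by the runtime user.
COPY --chown=oversight:oversight oversight_core/ ./oversight_core/
COPY --chown=oversight:oversight registry/ ./registry/

# Persistent data volume. /data is created and owned by the runtime user so the
# volume is writable without root. The mkdir/chown must come BEFORE the VOLUME
# instruction: filesystem changes to a volume path made after VOLUME is declared
# are discarded at build time, which would leave /data root-owned and unwritable
# for uid 1000 when the container starts.
RUN mkdir -p /data \
    && chown oversight:oversight /data /app
VOLUME ["/data"]
ENV OVERSIGHT_DB=/data/oversight-registry.sqlite \
    OVERSIGHT_DATA=/data

# Run as an unprivileged user. A registry RCE then lands as uid 1000,
# not root inside the container.
USER oversight

EXPOSE 8765

# Probe the service's own /health endpoint with the stdlib so no extra HTTP
# client needs to be installed in the image.
HEALTHCHECK --interval=30s --timeout=5s --start-period=5s --retries=3 \
    CMD python -c "import urllib.request; urllib.request.urlopen('http://127.0.0.1:8765/health').read()" || exit 1

CMD ["uvicorn", "registry.server:app", "--host", "0.0.0.0", "--port", "8765"]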