From 5b0830ea083f5c512c563a3af71df578d448832e Mon Sep 17 00:00:00 2001
From: Eugene Davis
Date: Mon, 26 Sep 2022 12:18:48 +0200
Subject: [PATCH] Update Dockerfile to use build stage and set non-root user
---
 Dockerfile | 25 +++++++++++++++++++------
 Dockerfile.dev | 36 +++++++++++++++++++++++-------------
 2 files changed, 42 insertions(+), 19 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 1bfc82ac..67c5fc1b 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,17 +1,30 @@
 # This file is intended to be used apart from the containing source code tree.
-FROM python:3-alpine
+FROM python:3-alpine as builder
 # Version of Radicale (e.g. v3)
 ARG VERSION=master
+
+RUN apk add --no-cache --virtual gcc libffi-dev musl-dev \
+ && python -m venv /app/venv \
+ && /app/venv/bin/pip install --no-cache-dir "Radicale[bcrypt] @ https://github.com/Kozea/Radicale/archive/${VERSION}.tar.gz"
+
+
+FROM python:3-alpine
+
+WORKDIR /app
+
+RUN adduser radicale --home /var/lib/radicale --system --uid 1000 --disabled-password \
+ && apk add --no-cache ca-certificates openssl
+
+COPY --chown=1000 --from=builder /app/venv /app
+
 # Persistent storage for data
 VOLUME /var/lib/radicale
 # TCP port of Radicale
 EXPOSE 5232
 # Run Radicale
-CMD ["radicale", "--hosts", "0.0.0.0:5232"]
+ENTRYPOINT [ "/app/bin/python", "/app/bin/radicale"]
+CMD ["--hosts", "0.0.0.0:5232"]
-RUN apk add --no-cache ca-certificates openssl \
- && apk add --no-cache --virtual .build-deps gcc libffi-dev musl-dev \
- && pip install --no-cache-dir "Radicale[bcrypt] @ https://github.com/Kozea/Radicale/archive/${VERSION}.tar.gz" \
- && apk del .build-deps
+USER 1000
\ No newline at end of file
diff --git a/Dockerfile.dev b/Dockerfile.dev
index edf1f4af..879c5e39 100644
--- a/Dockerfile.dev
+++ b/Dockerfile.dev
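Review bot: In the builder stage of Dockerfile, `apk add --no-cache --virtual gcc libffi-dev musl-dev` passes `gcc` in the position where `--virtual` expects the name of the virtual package, so the compiler itself is not installed and only the two `-dev` packages are. The line this replaces had `.build-deps` in that position; restoring it gives `apk add --no-cache --virtual .build-deps gcc libffi-dev musl-dev \`. As written, the build presumably only succeeds while pip can fetch prebuilt wheels for the bcrypt extra. The Dockerfile.dev hunk has the same line.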
@@ -1,19 +1,29 @@
-FROM python:3-alpine
+FROM python:3-alpine as builder
-# Version of Radicale (e.g. v3)
-ARG VERSION=master
-# Persistent storage for data
-VOLUME /var/lib/radicale
-# TCP port of Radicale
-EXPOSE 5232
-# Run Radicale
-CMD ["radicale", "--hosts", "0.0.0.0:5232"]
 COPY . /app
 WORKDIR /app
-RUN apk add --no-cache ca-certificates openssl \
- && apk add --no-cache --virtual .build-deps gcc libffi-dev musl-dev \
- && pip install --no-cache-dir -e . \
- && apk del .build-deps
+RUN apk add --no-cache --virtual gcc libffi-dev musl-dev \
+ && python -m venv /app/venv \
+ && /app/venv/bin/pip install --no-cache-dir .[bcrypt]
+
+FROM python:3-alpine
+
+WORKDIR /app
+
+RUN adduser radicale --home /var/lib/radicale --system --uid 1000 --disabled-password \
+ && apk add --no-cache ca-certificates openssl
+
+COPY --chown=1000 --from=builder /app/venv /app
+
+# Persistent storage for data
+VOLUME /var/lib/radicale
+# TCP port of Radicale
+EXPOSE 5232
+# Run Radicale
+ENTRYPOINT [ "/app/bin/python", "/app/bin/radicale"]
+CMD ["--hosts", "0.0.0.0:5232"]
+
+USER 1000
\ No newline at end of file
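Review bot: `COPY --chown=1000 --from=builder /app/venv /app` gives ownership of the whole interpreter environment to the same UID that `USER 1000` runs the server as, so a compromised Radicale process could rewrite its own installed packages and launcher scripts under /app. Of the paths this file sets up, only the data directory /var/lib/radicale needs to be writable by that user. Dropping the flag, `COPY --from=builder /app/venv /app`, leaves the code root-owned; it should stay readable and executable for UID 1000 with the file modes pip normally writes, which is worth confirming with a test run. The Dockerfile hunk has the same line.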