From c986028f51326c1f24bc8603e886f0f1c4536d34 Mon Sep 17 00:00:00 2001
From: Kyle Pope
Date: Mon, 2 Mar 2026 17:43:43 +0800
Subject: [PATCH] Multi-stage Dockerfile: remove gcc/psql from runtime image (PT-11)

Convert to two-stage build: builder stage installs gcc and compiles Python C extensions, runtime stage copies only the installed packages.

Removes gcc and postgresql-client from the production image, reducing attack surface. postgresql-client was unused (healthchecks use urllib).

Co-Authored-By: Claude Opus 4.6
---
 backend/Dockerfile | 25 +++++++++++++++----------
 1 file changed, 15 insertions(+), 10 deletions(-)

diff --git a/backend/Dockerfile b/backend/Dockerfile
index 60f2692..c80a749 100644
--- a/backend/Dockerfile
+++ b/backend/Dockerfile
@@ -1,16 +1,22 @@
+# ── Build stage: compile C extensions ──────────────────────────────────
+FROM python:3.12-slim AS builder
+
+WORKDIR /build
+
+RUN apt-get update && apt-get install -y --no-install-recommends \
+ gcc \
+ && rm -rf /var/lib/apt/lists/*
+
+COPY requirements.txt .
+RUN pip install --no-cache-dir --prefix=/install -r requirements.txt
+
+# ── Runtime stage: lean production image ───────────────────────────────
 FROM python:3.12-slim
 
 WORKDIR /app
 
-# Install system dependencies
-RUN apt-get update && apt-get install -y \
- gcc \
- postgresql-client \
- && rm -rf /var/lib/apt/lists/*
-
-# Copy requirements and install Python dependencies
-COPY requirements.txt .
-RUN pip install --no-cache-dir -r requirements.txt
+# Copy pre-built Python packages from builder
+COPY --from=builder /install /usr/local
 
 # Copy application code
 COPY . .
@@ -19,7 +25,6 @@ COPY . .
 RUN useradd -m -u 1000 appuser && chown -R appuser:appuser /app
 USER appuser
 
-# Expose port
 EXPOSE 8000
 
 # Run migrations and start server
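Review bot: The two `FROM python:3.12-slim` lines are resolved independently by floating tag, so the C extensions compiled in the builder stage can land on a runtime base with a different glibc/OpenSSL if the tag moves between pulls, and neither image is reproducible from this Dockerfile; declare the base once, pinned by digest, and reuse it in both stages: `ARG BASE=python:3.12-slim@sha256:<digest>` above the first stage, then `FROM ${BASE} AS builder` and `FROM ${BASE}`. `COPY --from=builder /install /usr/local` copies only the Python tree, so it is sound only if every compiled extension links against libraries the slim runtime already ships; with gcc alone in the builder (no `libpq-dev` or similar), the requirements presumably resolve to wheels, but a smoke import of the heavier packages in CI would confirm it. The builder is now the sole entry point for third-party code, yet `pip install --no-cache-dir --prefix=/install -r requirements.txt` verifies nothing unless requirements.txt carries hashes; if it does not, generate them and add `--require-hashes`. `COPY . .` in the runtime stage still depends on a `.dockerignore` that excludes `.git`, `.env` and local virtualenvs, which this diff does not show, and the later `chown -R appuser:appuser /app` makes the application code writable by the runtime user; consider `COPY --chown` only for the directories the app must write and leaving the code root-owned.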