Upgrade Dockerfile to use Docker hardened image as base

Author: ropable

.github/dependabot.yml

@@ -1,4 +1,11 @@
 version: 2
+registries:
+  docker-hardened-images:
+    type: docker-registry
+    url: https://dhi.io
+    username: ${{secrets.DOCKERHUB_USERNAME}}
+    password: ${{secrets.DOCKERHUB_PASSWORD}}
+    replaces-base: true
 updates:
   - package-ecosystem: 'uv'
     directory: '/'
@@ -13,6 +20,7 @@ updates:
     commit-message:
       prefix: '[actions] '
   - package-ecosystem: 'docker'
+    registries: '*'
     directory: '/'
     schedule:
       interval: 'weekly'

.github/workflows/multi-build.yaml

@@ -218,7 +218,7 @@ jobs:
             network=host
 
       - name: Login to GitHub Container Registry
-        uses: docker/login-action@v3
+        uses: docker/login-action@v4
         # This step logs in to the GitHub Container Registry (GHCR) using the docker/login-action.
         # It uses the GitHub actor's username and the GITHUB_TOKEN secret for authentication.
         # The login is necessary to push the merged manifest list to GHCR.
@@ -227,6 +227,15 @@ jobs:
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
+      - name: Log in to Docker Hardened Images Registry
+        # This step logs into the Docker Hardened Images Registry in order to download the required images.
+        # It uses Actions secrets that must be set on the repository in GitHub.
+        uses: docker/login-action@v4
+        with:
+          registry: dhi.io
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_PASSWORD }}
+
       - name: Get execution timestamp with RFC3339 format
         # This step gets the current execution timestamp in RFC3339 format.
         # It uses the date command to get the current UTC time and formats it as a string.

Dockerfile

@@ -1,51 +1,34 @@
 # syntax=docker/dockerfile:1
-# Prepare the base environment.
-FROM python:3.13 AS builder_base
-
-# This approximately follows this guide: https://hynek.me/articles/docker-uv/
-# Which creates a standalone environment with the dependencies.
-# - Silence uv complaining about not being able to use hard links,
-# - tell uv to byte-compile packages for faster application startups,
-# - prevent uv from accidentally downloading isolated Python builds,
-# - pick a Python,
-# - and finally declare `/app` as the target for `uv sync`.
-ENV UV_LINK_MODE=copy \
-  UV_COMPILE_BYTECODE=1 \
-  UV_PYTHON_DOWNLOADS=never \
-  UV_PROJECT_ENVIRONMENT=/app/.venv
-
-COPY --from=ghcr.io/astral-sh/uv:0.9 /uv /uvx /bin/
-
-# Since there's no point in shipping lock files, we move them
-# into a directory that is NOT copied into the runtime image.
-# The trailing slash makes COPY create `/_lock/` automagically.
-WORKDIR /_lock
-COPY pyproject.toml uv.lock /_lock/
-
-# Synchronize dependencies.
-# This layer is cached until uv.lock or pyproject.toml change.
-RUN --mount=type=cache,target=/root/.cache uv sync --frozen --no-group dev
-
-##################################################################################
-
-FROM python:3.13
+FROM dhi.io/python:3.13-debian13-dev AS build-stage
 LABEL org.opencontainers.image.authors=asi@dbca.wa.gov.au
 LABEL org.opencontainers.image.source=https://github.com/dbca-wa/ssslite
 
-# Create a non-root user.
-RUN groupadd -r -g 1000 app \
-  && useradd -r -u 1000 -d /app -g app -N app
+# Install system packages required to install the project
+RUN apt-get update -y \
+  # Python package dependencies: gunicorn_h1c requires gcc
+  && apt-get install -y --no-install-recommends gcc g++ \
+  # Run shared library linker after installing packages
+  && ldconfig \
+  && rm -rf /var/lib/apt/lists/*
 
+# Copy and configure uv, to install dependencies
+COPY --from=ghcr.io/astral-sh/uv:0.11 /uv /bin/
 WORKDIR /app
-COPY --from=builder_base --chown=app:app /app /app
-# Make sure we use the virtualenv by default
-ENV PATH="/app/.venv/bin:$PATH" \
-  # Run Python unbuffered:
-  PYTHONUNBUFFERED=1
-
-# Install the project.
+# Install project dependencies
+COPY pyproject.toml uv.lock ./
+RUN uv sync --no-group dev --link-mode=copy --compile-bytecode --no-python-downloads --frozen \
+  # Remove uv and lockfile after use
+  && rm -rf /bin/uv \
+  && rm uv.lock
+
+# Environment variables
+ENV PYTHONUNBUFFERED=1
+ENV PATH="/app/.venv/bin:$PATH"
+
+# Copy the remaining project files to finish building the project
 COPY gunicorn.py ibp.html todaysburns.html pyproject.toml ssslite.py ./
 COPY static ./static
-USER app
+
+# Image runs as the nonroot user
 EXPOSE 8080
 CMD ["gunicorn", "ssslite", "--config", "gunicorn.py"]

gunicorn.py

@@ -2,9 +2,12 @@
 
 bind = ":8080"
 workers = 2
-# Give workers an expiry:
+worker_connections = 1000  # Max connections per worker
 max_requests = 2048
 max_requests_jitter = 256
 preload_app = True
+keepalive = 5  # Keepalive timeout
+graceful_timeout = 30  # Graceful shutdown timeout
 # Disable access logging.
 accesslog = None
+control_socket = "/tmp/gunicorn.ctl"