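# syntax=docker/dockerfile:1
# (The directive above must stay the very first line of the file to take effect.)

# One base-image reference for both stages so the wheel built in stage 1 is
# installed into an identical Python/libc in stage 2. The floating tag is kept
# as the default for compatibility; for reproducible, auditable builds pin it
# by digest at build time, e.g.
#   docker build --build-arg PYTHON_IMAGE=python:3.11-slim@sha256:<digest> .
ARG PYTHON_IMAGE=python:3.11-slim

# ── Stage 1: build wheel ──────────────────────────────────────────────────────
FROM ${PYTHON_IMAGE} AS builder

WORKDIR /build

# Build backend. NOTE(review): an unpinned build backend is a floating
# supply-chain input — pin it (hatchling==X.Y.Z) once a version is chosen.
# Also note that `pip wheel` below uses PEP 517 build isolation by default, so
# if pyproject.toml's [build-system] names hatchling, pip resolves it again in
# a throw-away env and this pre-install is only honoured with
# --no-build-isolation; confirm which of the two is intended.
RUN pip install --no-cache-dir hatchling

# Project manifest and sources for the wheel build.
COPY pyproject.toml .
COPY src/ src/

# Build the project wheel plus every runtime dependency into /wheels.
# Dependencies are resolved from PyPI here against whatever pyproject.toml's
# version ranges allow today; for a reproducible, tamper-evident build, resolve
# from a lock file with --require-hashes (or constrain with -c) instead.
RUN pip wheel --no-cache-dir --wheel-dir /wheels .


# ── Stage 2: runtime image ────────────────────────────────────────────────────
FROM ${PYTHON_IMAGE}

# System packages needed at runtime (unpinned — hadolint DL3008; pin once the
# Debian release is fixed by digest-pinning the base image):
#   ca-certificates — system CA trust store for TLS verification. Internal CAs
#                     are expected to arrive via the /app/certs mount below;
#                     confirm how the service loads them (env var / config).
#   unixodbc        — runtime ODBC library for pyodbc. The *-dev headers are
#                     only needed when compiling pyodbc, which this stage does
#                     not do. NOTE(review): the SQL Server ODBC *driver* itself
#                     is not installed here; confirm it is provided elsewhere.
RUN apt-get update && apt-get install -y --no-install-recommends \
        ca-certificates \
        unixodbc \
    && rm -rf /var/lib/apt/lists/*

WORKDIR /app

# Install the pre-built wheel and its dependencies from the builder stage only.
# --no-index guarantees nothing is fetched from the network in this stage, so
# the runtime image contains exactly what stage 1 produced. The wheel cache is
# removed in the same layer so it does not persist in the image.
COPY --from=builder /wheels /wheels
RUN pip install --no-cache-dir --no-index --find-links /wheels mcp-privileged \
    && rm -rf /wheels

# Non-root service account with a fixed, non-reserved UID/GID so orchestrator
# policies (Kubernetes runAsNonRoot/runAsUser, "restricted" pod security) can
# verify it numerically and file ownership is stable across rebuilds.
ARG APP_UID=10001
ARG APP_GID=10001
RUN groupadd --system --gid "${APP_GID}" mcpuser \
    && useradd --system --uid "${APP_UID}" --gid mcpuser \
       --no-create-home --shell /usr/sbin/nologin mcpuser

# Mount-points for runtime secrets and certificates (docker secret / volume).
# Owned by the service user so the mounted content is readable as mcpuser.
# The mounted secret files must still be readable by that UID — set uid/gid/
# mode on the secret definition rather than relying on defaults. Mount both
# directories read-only: nothing under them should be writable by the running
# service (ownership here is a convenience for the mount, not write permission
# the service needs — confirm the app never writes to /app/certs).
RUN install -d -o mcpuser -g mcpuser /run/secrets /app/certs

USER mcpuser

# 8443 is above 1024, so the unprivileged user can bind it without
# CAP_NET_BIND_SERVICE. EXPOSE is documentation only; publish at run time.
EXPOSE 8443

# Health check — lightweight GET /health (no auth required, so keep that
# endpoint free of sensitive detail). Exec form avoids an extra /bin/sh; the
# explicit urlopen timeout is below --timeout so a wedged listener fails fast
# and urlopen raising on a non-2xx status turns into a non-zero exit.
# NOTE(review): the probe speaks plain http:// to 8443 while the image is
# otherwise TLS-oriented (certs mount, CA bundle). If the listener serves TLS
# this probe will always fail and the container will be reported unhealthy —
# switch to https:// and point the probe at the right CA in that case.
HEALTHCHECK --interval=30s --timeout=5s --start-period=10s --retries=3 \
    CMD ["python", "-c", "import urllib.request; urllib.request.urlopen('http://localhost:8443/health', timeout=4)"]

# The console script runs as PID 1. If it spawns subprocesses, run the
# container with --init (or a tini wrapper) so zombies are reaped and signals
# are forwarded.
ENTRYPOINT ["mcp-privileged"]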