Rework docker configuration

Author: irvingpop

Dockerfile

@@ -1,93 +1,142 @@
 # syntax=docker/dockerfile:1
 
-# =============================================================================
-# Builder stage: compile dependencies
-# =============================================================================
-FROM python:3.12-alpine AS builder
-
-# Install build dependencies for compiling Python packages
-RUN apk add --no-cache \
-    gcc \
-    musl-dev \
-    libffi-dev \
-    postgresql-dev \
-    python3-dev \
-    zlib-dev \
-    jpeg-dev
-
-# Install poetry system-wide (not in venv, so it won't be copied to production)
-RUN pip install --no-cache-dir poetry
-
-# Create clean venv with upgraded pip (--upgrade-deps handles CVE-2025-8869)
-RUN python -m venv /venv --upgrade-deps
-
-WORKDIR /build
+# ============================================================================
+# Build stage: Install dependencies using Poetry
+# ============================================================================
+FROM python:3.12-slim AS builder
+
+# Install build dependencies required for compiling Python packages
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    build-essential \
+    libpq-dev \
+    curl \
+    && rm -rf /var/lib/apt/lists/*
+
+# Install Poetry
+ENV POETRY_VERSION=2.3.0 \
+    POETRY_HOME="/opt/poetry" \
+    POETRY_NO_INTERACTION=1 \
+    POETRY_VIRTUALENVS_IN_PROJECT=1 \
+    POETRY_VIRTUALENVS_CREATE=1 \
+    POETRY_CACHE_DIR=/tmp/poetry_cache
+
+RUN curl -sSL https://install.python-poetry.org | python3 - && \
+    ln -s /opt/poetry/bin/poetry /usr/local/bin/poetry
+
+WORKDIR /app
+
+# Copy dependency files first for better layer caching
 COPY pyproject.toml poetry.lock ./
 
-# Tell poetry to use our venv instead of creating its own
-ENV VIRTUAL_ENV=/venv \
-    PATH="/venv/bin:$PATH"
+# Install dependencies into a virtual environment
+# Using --mount=type=cache speeds up rebuilds significantly
+RUN --mount=type=cache,target=$POETRY_CACHE_DIR \
+    poetry install --only=main --no-interaction --no-ansi --no-root
+
+# ============================================================================
+# Development builder: Install all dependencies including dev tools
+# ============================================================================
+FROM builder AS builder-dev
+
+# Install all dependencies including dev (debug_toolbar, pytest, etc.)
+RUN --mount=type=cache,target=$POETRY_CACHE_DIR \
+    poetry install --no-interaction --no-ansi --no-root
+
+# ============================================================================
+# Development stage: Full development environment with dev tools
+# ============================================================================
+FROM python:3.12-slim AS development
+
+LABEL org.opencontainers.image.source="https://github.com/operationcode/back-end"
+LABEL org.opencontainers.image.description="Operation Code Backend - Development"
+LABEL org.opencontainers.image.licenses="MIT"
+
+# Install runtime dependencies
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    libpq5 \
+    curl \
+    && rm -rf /var/lib/apt/lists/* \
+    && apt-get clean
+
+# Create non-root user for security
+RUN groupadd -r appuser && \
+    useradd -r -g appuser -u 1000 -m -d /app appuser
+
+# Set environment variables for Python optimization
+ENV PYTHONUNBUFFERED=1 \
+    PYTHONPATH=/app/src \
+    PATH="/app/.venv/bin:$PATH" \
+    VIRTUAL_ENV=/app/.venv
 
-# Install production dependencies only
-RUN poetry install --only=main --no-interaction --no-cache
+WORKDIR /app
 
-# =============================================================================
-# Test builder: add dev dependencies
-# =============================================================================
-FROM builder AS test-builder
+# Copy virtual environment with dev dependencies from builder-dev stage
+COPY --from=builder-dev --chown=appuser:appuser /app/.venv /app/.venv
 
-RUN poetry install --no-interaction --no-cache
+# Copy application code
+COPY --chown=appuser:appuser ./src ./src
 
-# =============================================================================
-# Runtime base: minimal image shared by test and production
-# =============================================================================
-FROM python:3.12-alpine AS runtime-base
+# Set working directory to src for running the application
+WORKDIR /app/src
 
-# Install only runtime dependencies (no build tools, no poetry)
-# Upgrade system pip to fix CVE-2025-8869 (even though app uses venv pip)
-RUN apk upgrade --no-cache && \
-    apk add --no-cache libpq libjpeg-turbo && \
-    pip install --no-cache-dir --upgrade pip
+# Switch to non-root user
+USER appuser
 
-ENV PYTHONUNBUFFERED=1 \
-    PATH="/venv/bin:$PATH"
+# Expose port for Django dev server
+EXPOSE 8000
 
-WORKDIR /app
+# Run Django development server (will be overridden by docker-compose)
+CMD ["python", "manage.py", "runserver", "0.0.0.0:8000"]
 
-# =============================================================================
-# Test stage
-# =============================================================================
-FROM runtime-base AS test
+# ============================================================================
+# Production/Runtime stage: Minimal production image (DEFAULT)
+# ============================================================================
+FROM python:3.12-slim AS runtime
 
-COPY --from=test-builder /venv /venv
-COPY src ./src
-COPY .dev ./src/.dev
-COPY pytest.ini ./
+LABEL org.opencontainers.image.source="https://github.com/operationcode/back-end"
+LABEL org.opencontainers.image.description="Operation Code Backend - Django API"
+LABEL org.opencontainers.image.licenses="MIT"
 
-WORKDIR /app/src
+# Install only runtime dependencies (no build tools)
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    libpq5 \
+    curl \
+    && rm -rf /var/lib/apt/lists/* \
+    && apt-get clean
 
-ENV DJANGO_ENV=testing \
-    ENVIRONMENT=TEST
+# Create non-root user for security
+RUN groupadd -r appuser && \
+    useradd -r -g appuser -u 1000 -m -d /app appuser
 
-CMD ["pytest", "-v"]
+# Set environment variables for Python optimization
+ENV PYTHONUNBUFFERED=1 \
+    PYTHONPATH=/app/src \
+    PATH="/app/.venv/bin:$PATH" \
+    VIRTUAL_ENV=/app/.venv
 
-# =============================================================================
-# Production stage
-# =============================================================================
-FROM runtime-base AS production
+WORKDIR /app
+
+# Copy virtual environment from builder stage (production deps only)
+COPY --from=builder --chown=appuser:appuser /app/.venv /app/.venv
 
-COPY --from=builder /venv /venv
-COPY src ./src
+# Copy application code
+COPY --chown=appuser:appuser ./src ./src
 
-# Pre-compile Python bytecode for faster cold starts
+# Pre-compile Python bytecode for faster startup
 RUN python -m compileall -q ./src/
 
+# Set working directory to src for running the application
 WORKDIR /app/src
 
-ENV DJANGO_ENV=production \
-    DB_ENGINE=django.db.backends.postgresql
+# Switch to non-root user
+USER appuser
 
+# Expose port for Gunicorn
 EXPOSE 8000
 
+# Health check endpoint
+HEALTHCHECK --interval=30s --timeout=10s --start-period=40s --retries=3 \
+    CMD curl -f http://localhost:8000/healthz || exit 1
+
 # Run background task processor and gunicorn
-CMD ["sh", "-c", "python manage.py qcluster & gunicorn operationcode_backend.wsgi -c /app/src/gunicorn_config.py"]
+CMD ["sh", "-c", "python manage.py qcluster & gunicorn operationcode_backend.wsgi -c gunicorn_config.py"]

docker-compose.yml

@@ -18,11 +18,11 @@ services:
   backend:
     build:
       context: .
-      target: test
+      target: development
+    env_file:
+      - .env
     environment:
-      - SECRET_KEY=dev-secret-key-not-for-production
-      - DJANGO_ENV=development
-      - DEBUG=True
+      # Override .env database settings to use PostgreSQL container
       - DB_ENGINE=django.db.backends.postgresql
       - DB_NAME=operationcode
       - DB_USER=operationcode
@@ -33,10 +33,10 @@ services:
       - "8000:8000"
     volumes:
       - ./src:/app/src
-      - ./.dev:/app/src/.dev
     depends_on:
       db:
         condition: service_healthy
+    working_dir: /app/src
     command: >
       sh -c "python manage.py migrate &&
              python manage.py runserver 0.0.0.0:8000"

example.env

@@ -50,7 +50,7 @@ SENTRY_SEND_DEFAULT_PII=[True]
 
 
 # Creds needed to use AWS S3 for serving static assets
-AWS_STORAGE_BUCKET_NAME=[BUCKET_NAMAE]
+AWS_STORAGE_BUCKET_NAME=[BUCKET_NAME]
 BUCKET_REGION_NAME=[REGION_NAME]
 AWS_ACCESS_KEY_ID=[ACCESS_KEY_ID]
 AWS_SECRET_ACCESS_KEY=[SECRET_ACCESS_KEY]

poetry.toml

@@ -0,0 +1,22 @@
+# Poetry configuration for consistent development environment across team
+# https://python-poetry.org/docs/configuration/
+
+[virtualenvs]
+# Create .venv in project directory for easier IDE integration and visibility
+in-project = true
+
+# Use Python version from pyproject.toml, not active shell Python
+# Ensures consistency across team members
+prefer-active-python = false
+
+[installer]
+# Enable parallel installation for faster dependency resolution (default in 2.x)
+parallel = true
+
+# Limit concurrent workers to prevent resource exhaustion
+max-workers = 10
+
+[experimental]
+# Use system git client instead of dulwich for better performance
+# Helpful if you have git dependencies
+system-git-client = true

src/gunicorn_config.py

@@ -69,6 +69,7 @@
 worker_connections = 1000
 timeout = 30
 keepalive = 2
+worker_tmp_dir = "/dev/shm"
 
 #   preload_app - Load application code before forking worker processes.
 #       This conserves memory and speeds up server boot times by loading