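# syntax=docker/dockerfile:1
################################################################################
# PyGuardian optimized multi-stage Dockerfile
#
# Targets (select with `docker build --target <name>`):
#   builder      - compiles Python dependencies into wheels (never shipped)
#   runtime-base - shared runtime layer: OS tools, Python deps, app code, user
#   controller   - production controller/API; sudo scoped to iptables/ip6tables
#   agent        - production agent; sudo scoped to iptables/ip6tables/systemctl
#   standalone   - single-container dev/test mode; controller + agent sudo grants
#   development  - dev tooling with unrestricted sudo; never publish this target
#
# Requires BuildKit (RUN --mount, COPY --chown/--chmod).
################################################################################

# ------------------------------------------------------------------------------
# Build stage: compile dependencies to wheels so the runtime image carries no
# compiler or -dev headers.
# ------------------------------------------------------------------------------
FROM python:3.11-slim AS builder

WORKDIR /build

RUN apt-get update && apt-get install -y --no-install-recommends \
        build-essential \
        libffi-dev \
        libssl-dev \
        pkg-config \
    && rm -rf /var/lib/apt/lists/*

COPY requirements.txt .
# --no-deps builds only the entries listed in requirements.txt. This assumes
# the file is a fully resolved freeze (transitive dependencies included);
# otherwise the --no-index install in runtime-base fails on the first missing
# wheel rather than silently fetching from the network.
RUN pip wheel --no-cache-dir --no-deps --wheel-dir /build/wheels -r requirements.txt

# ------------------------------------------------------------------------------
# Shared runtime layer.
# ------------------------------------------------------------------------------
FROM python:3.11-slim AS runtime-base

# Fixed UID/GID so runtimes that verify non-root execution (Kubernetes
# runAsNonRoot, admission policies) do not depend on whatever useradd picks.
RUN groupadd -r -g 10001 pyguardian \
    && useradd -r -u 10001 -g pyguardian -s /bin/false pyguardian

# Runtime OS tools. sudo is present only because the per-target sudoers rules
# below depend on it; it is a root-escalation vector and the rules must stay
# as narrow as the target allows. ca-certificates is listed explicitly because
# --no-install-recommends no longer pulls it in through curl.
RUN apt-get update && apt-get install -y --no-install-recommends \
        ca-certificates \
        curl \
        iptables \
        iputils-ping \
        net-tools \
        openssh-client \
        procps \
        sudo \
    && apt-get clean \
    && rm -rf /var/lib/apt/lists/*

# Install from the builder's wheels through read-only bind mounts: nothing is
# copied into an image layer, so neither the wheel files nor requirements.txt
# survive in the image (a COPY followed by rm would keep them in history).
RUN --mount=type=bind,from=builder,source=/build/wheels,target=/wheels \
    --mount=type=bind,source=requirements.txt,target=/tmp/requirements.txt \
    pip install --no-cache-dir --no-index --find-links /wheels -r /tmp/requirements.txt

WORKDIR /opt/pyguardian

# Ownership is set at copy time instead of a trailing chown -R, which would
# duplicate every copied file in a second layer.
COPY --chown=pyguardian:pyguardian src/ ./src/
COPY --chown=pyguardian:pyguardian config/ ./config/
COPY --chown=pyguardian:pyguardian main.py .
COPY --chmod=0755 deployment/scripts/entrypoint.sh /entrypoint.sh

# Writable runtime directories, listed one by one: RUN executes under /bin/sh
# (dash on Debian), which has no brace expansion, so `{data,logs,temp}` would
# have created a single directory literally named "{data,logs,temp}".
RUN mkdir -p /opt/pyguardian/data /opt/pyguardian/logs /opt/pyguardian/temp \
    && chown -R pyguardian:pyguardian /opt/pyguardian

ENV PYTHONPATH=/opt/pyguardian \
    PYTHONUNBUFFERED=1 \
    PYTHONDONTWRITEBYTECODE=1 \
    PIP_NO_CACHE_DIR=1

# ------------------------------------------------------------------------------
# Production controller.
# ------------------------------------------------------------------------------
FROM runtime-base AS controller

# 8443: API, 8444: monitoring. EXPOSE is documentation only; publish with -p.
EXPOSE 8443 8444

# Scoped sudo for firewall management. The rule lives in sudoers.d (mode 0440)
# and is syntax-checked by visudo so a malformed line fails the build instead
# of breaking sudo at runtime. sudo only changes the UID: iptables still needs
# CAP_NET_ADMIN in the container's capability set (e.g. --cap-add NET_ADMIN).
RUN echo "pyguardian ALL=(root) NOPASSWD: /usr/sbin/iptables, /usr/sbin/ip6tables" \
        > /etc/sudoers.d/pyguardian \
    && chmod 0440 /etc/sudoers.d/pyguardian \
    && visudo -cf /etc/sudoers.d/pyguardian

USER pyguardian

# Loopback probe of the container's own listener. -k is tolerated here because
# certificate identity is not what this probe verifies; do not copy the flag
# into any client that talks to a remote endpoint.
HEALTHCHECK --interval=30s --timeout=10s --start-period=60s --retries=3 \
    CMD curl -fsSk https://localhost:8443/health || exit 1

ENV PYGUARDIAN_MODE=controller \
    PYGUARDIAN_LOG_LEVEL=INFO \
    PYGUARDIAN_API_HOST=0.0.0.0 \
    PYGUARDIAN_API_PORT=8443

ENTRYPOINT ["/entrypoint.sh"]
CMD ["controller"]

# ------------------------------------------------------------------------------
# Production agent.
# ------------------------------------------------------------------------------
FROM runtime-base AS agent

# NOTE(review): systemctl is not installed in this image (no systemd package),
# so the /bin/systemctl grant is a no-op today. If systemctl is ever provided
# (package or host bind mount), an unrestricted `sudo systemctl` is
# root-equivalent — confirm the agent needs it and restrict the rule to the
# exact subcommands it runs.
RUN echo "pyguardian ALL=(root) NOPASSWD: /usr/sbin/iptables, /usr/sbin/ip6tables, /bin/systemctl" \
        > /etc/sudoers.d/pyguardian \
    && chmod 0440 /etc/sudoers.d/pyguardian \
    && visudo -cf /etc/sudoers.d/pyguardian

USER pyguardian

# Liveness only: psutil.boot_time() is truthy whenever it returns, so this
# verifies that the interpreter starts and psutil imports — it does not test
# agent-to-controller connectivity.
HEALTHCHECK --interval=60s --timeout=15s --start-period=30s --retries=3 \
    CMD python -c "import psutil; exit(0 if psutil.boot_time() else 1)" || exit 1

ENV PYGUARDIAN_MODE=agent \
    PYGUARDIAN_LOG_LEVEL=INFO

ENTRYPOINT ["/entrypoint.sh"]
CMD ["agent"]

# ------------------------------------------------------------------------------
# Standalone mode (development/testing): controller and agent in one container.
# ------------------------------------------------------------------------------
FROM runtime-base AS standalone

EXPOSE 8443

# Union of the controller and agent grants rather than NOPASSWD: ALL. With ALL
# the USER switch below is no boundary at all — any code running as pyguardian
# can `sudo sh` — and this target still binds the API on 0.0.0.0. Widen the
# list only for a command standalone mode is shown to need.
RUN echo "pyguardian ALL=(root) NOPASSWD: /usr/sbin/iptables, /usr/sbin/ip6tables, /bin/systemctl" \
        > /etc/sudoers.d/pyguardian \
    && chmod 0440 /etc/sudoers.d/pyguardian \
    && visudo -cf /etc/sudoers.d/pyguardian

USER pyguardian

# raise_for_status() makes a 5xx from /health count as unhealthy; a bare
# requests.get() only fails on connection errors. Depends on `requests` being
# in requirements.txt. NOTE(review): this probes plain http while the
# controller probes https on the same port — confirm standalone really serves
# HTTP.
HEALTHCHECK --interval=30s --timeout=10s --start-period=60s --retries=3 \
    CMD python -c "import requests; requests.get('http://localhost:8443/health', timeout=5).raise_for_status()" || exit 1

ENV PYGUARDIAN_MODE=standalone \
    PYGUARDIAN_LOG_LEVEL=DEBUG \
    PYGUARDIAN_API_HOST=0.0.0.0 \
    PYGUARDIAN_API_PORT=8443

ENTRYPOINT ["/entrypoint.sh"]
CMD ["standalone"]

# ------------------------------------------------------------------------------
# Development mode (with dev tools). Root-equivalent by design; never publish.
# ------------------------------------------------------------------------------
FROM runtime-base AS development

# strace and tcpdump only work with the matching capabilities (SYS_PTRACE,
# NET_RAW/NET_ADMIN) granted at `docker run`.
RUN apt-get update && apt-get install -y --no-install-recommends \
        htop \
        strace \
        tcpdump \
        vim \
    && rm -rf /var/lib/apt/lists/*

# Dev-only packages; unpinned on purpose for a throwaway image, so this layer
# is not reproducible and must not feed a production target.
RUN pip install --no-cache-dir \
        black \
        flake8 \
        ipython \
        jupyter \
        pytest \
        pytest-cov

# 8443: API, 8888: jupyter, 8080: spare dev port.
EXPOSE 8443 8888 8080

# Unrestricted sudo: the pyguardian user is effectively root in this target.
# Kept only because this stage exists for interactive debugging.
RUN echo "pyguardian ALL=(root) NOPASSWD: ALL" > /etc/sudoers.d/pyguardian \
    && chmod 0440 /etc/sudoers.d/pyguardian \
    && visudo -cf /etc/sudoers.d/pyguardian

USER pyguardian

ENV PYGUARDIAN_MODE=development \
    PYGUARDIAN_LOG_LEVEL=DEBUG \
    PYGUARDIAN_DEBUG=true

ENTRYPOINT ["/entrypoint.sh"]
CMD ["development"]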