refactor: migrate to distroless multi-stage Docker build

Dockerfile

@@ -1,20 +1,41 @@
-FROM python:3.11
+# Multi-stage build to create a distroless image
+FROM python:3.11 AS builder
 
-RUN install -o www-data -g www-data -d -m 0755 /var/www
+# Install poetry and the export plugin
+# RUN pip install poetry poetry-plugin-export
 
-USER www-data
+# Create working directory
+WORKDIR /app
 
-RUN curl -sSL https://install.python-poetry.org | python3 -
+# Copy dependency files
+COPY requirements.txt ./
 
-ENV PATH=/var/www/.local/bin:/usr/local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
+# Export dependencies to requirements.txt
+# RUN poetry export -f requirements.txt --output requirements.txt --without-hashes
 
-COPY README.md pyproject.toml poetry.lock docker-entrypoint.sh index.html favicon.ico /var/www/
-COPY myice /var/www/myice
+# Install dependencies to a target directory that we can copy to the distroless image
+RUN pip install --no-cache-dir --target=/app/site-packages -r requirements.txt
 
-WORKDIR /var/www
+# Create distroless image
+FROM gcr.io/distroless/python3-debian12
 
-RUN poetry install && . $(poetry env info -p)
+# Copy installed packages and application from builder stage
+COPY --from=builder /app/site-packages /app/site-packages
 
+# Copy application code
+COPY index.html favicon.ico /app/
+COPY myice /app/myice
+
+# Set PYTHONPATH so Python can find our installed packages
+ENV PYTHONPATH=/app/site-packages
+
+# Set working directory
+WORKDIR /app
+
+# Expose port
 EXPOSE 8000
 
-ENTRYPOINT [ "/var/www/docker-entrypoint.sh" ]
+USER nonroot
+
+# Run the application directly with Python using the distroless entrypoint
+ENTRYPOINT ["/usr/bin/python3", "-m", "uvicorn", "myice.webapi:app", "--host", "0.0.0.0", "--port", "8000"]

docker-entrypoint.sh

@@ -1,3 +0,0 @@
-#!/bin/sh
-
-exec /var/www/.local/bin/poetry run fastapi run myice/webapi.py

pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "myice"
-version = "v0.5.7"
+version = "v0.5.8"
 description = "myice parsing"
 authors = [
     { name = "Rene Luria", "email" = "<rene@luria.ch>"},

requirements.txt

@@ -0,0 +1,42 @@
+--extra-index-url https://pypi.purple.infomaniak.ch
+
+annotated-types==0.7.0 ; python_version >= "3.11"
+anyio==4.8.0 ; python_version >= "3.11"
+certifi==2024.12.14 ; python_version >= "3.11"
+charset-normalizer==3.4.1 ; python_version >= "3.11"
+click==8.1.8 ; python_version >= "3.11"
+colorama==0.4.6 ; (platform_system == "Windows" or sys_platform == "win32") and python_version >= "3.11"
+dnspython==2.7.0 ; python_version >= "3.11"
+email-validator==2.2.0 ; python_version >= "3.11"
+fastapi-cli==0.0.7 ; python_version >= "3.11"
+fastapi==0.115.11 ; python_version >= "3.11"
+h11==0.14.0 ; python_version >= "3.11"
+httpcore==1.0.7 ; python_version >= "3.11"
+httptools==0.6.4 ; python_version >= "3.11"
+httpx==0.28.1 ; python_version >= "3.11"
+idna==3.10 ; python_version >= "3.11"
+jinja2==3.1.6 ; python_version >= "3.11"
+markdown-it-py==3.0.0 ; python_version >= "3.11"
+markupsafe==3.0.2 ; python_version >= "3.11"
+mdurl==0.1.2 ; python_version >= "3.11"
+pydantic-core==2.27.2 ; python_version >= "3.11"
+pydantic==2.10.6 ; python_version >= "3.11"
+pygments==2.19.1 ; python_version >= "3.11"
+pypdf2==3.0.1 ; python_version >= "3.11"
+python-dotenv==1.0.1 ; python_version >= "3.11"
+python-multipart==0.0.20 ; python_version >= "3.11"
+pyyaml==6.0.2 ; python_version >= "3.11"
+requests==2.32.3 ; python_version >= "3.11"
+rich-toolkit==0.13.2 ; python_version >= "3.11"
+rich==13.9.4 ; python_version >= "3.11"
+rl-ai-tools==1.14.2 ; python_version >= "3.11"
+shellingham==1.5.4 ; python_version >= "3.11"
+sniffio==1.3.1 ; python_version >= "3.11"
+starlette==0.46.1 ; python_version >= "3.11"
+typer==0.15.1 ; python_version >= "3.11"
+typing-extensions==4.12.2 ; python_version >= "3.11"
+urllib3==2.3.0 ; python_version >= "3.11"
+uvicorn==0.34.0 ; python_version >= "3.11"
+uvloop==0.21.0 ; sys_platform != "win32" and sys_platform != "cygwin" and platform_python_implementation != "PyPy" and python_version >= "3.11"
+watchfiles==1.0.4 ; python_version >= "3.11"
+websockets==15.0.1 ; python_version >= "3.11"