mistercrunch commented on code in PR #31385:
URL: https://github.com/apache/superset/pull/31385#discussion_r1881215526
##########
Dockerfile:
##########
@@ -121,47 +141,45 @@ RUN --mount=type=bind,source=./docker,target=/docker \
libecpg-dev \
libldap2-dev \
&& touch superset/static/version_info.json \
- && chown -R superset:superset ./* \
&& rm -rf /var/lib/apt/lists/* /var/cache/apt/archives/*
# Copy required files for Python build
-COPY --chown=superset:superset pyproject.toml setup.py MANIFEST.in README.md ./
-COPY --chown=superset:superset superset-frontend/package.json
superset-frontend/
-COPY --chown=superset:superset requirements/base.txt requirements/
-COPY --chown=superset:superset scripts/check-env.py scripts/
+COPY pyproject.toml setup.py MANIFEST.in README.md ./
+COPY superset-frontend/package.json superset-frontend/
+COPY requirements/base.txt requirements/
+COPY scripts/check-env.py scripts/
+COPY docker/*.sh /app/docker/
+COPY --chmod=755 ./docker/run-server.sh /usr/bin/
# Install Python dependencies using docker/pip-install.sh
-RUN --mount=type=bind,source=./docker,target=/docker \
- --mount=type=cache,target=/root/.cache/pip \
- /docker/pip-install.sh --requires-build-essential -r requirements/base.txt
+RUN --mount=type=cache,target=/root/.cache/pip \
+ /app/docker/pip-install.sh --requires-build-essential -r
requirements/base.txt
# Copy the compiled frontend assets from the node image
-COPY --chown=superset:superset --from=superset-node
/app/superset/static/assets superset/static/assets
+COPY --from=superset-node /app/superset/static/assets superset/static/assets
# Copy the main Superset source code
-COPY --chown=superset:superset superset superset
+COPY superset superset
# Install Superset itself using docker/pip-install.sh
-RUN --mount=type=bind,source=./docker,target=/docker \
- --mount=type=cache,target=/root/.cache/pip \
- /docker/pip-install.sh -e .
+RUN --mount=type=cache,target=/root/.cache/pip \
+ uv pip install .
# Copy .json translations from the node image
-COPY --chown=superset:superset --from=superset-node /app/superset/translations
superset/translations
+COPY --from=superset-node /app/superset/translations superset/translations
# Compile backend translations and clean up
COPY ./scripts/translations/generate_mo_files.sh ./scripts/translations/
RUN if [ "$BUILD_TRANSLATIONS" = "true" ]; then \
- ./scripts/translations/generate_mo_files.sh \
- && chown -R superset:superset superset/translations; \
+ ./scripts/translations/generate_mo_files.sh; \
fi \
&& rm -rf superset/translations/messages.pot \
- superset/translations/*/LC_MESSAGES/*.po
+ superset/translations/*/LC_MESSAGES/*.po;
# Add server run script
-COPY --chmod=755 ./docker/run-server.sh /usr/bin/
# Set user and healthcheck
+RUN chown -R superset:superset /app && chmod -R 775 /app
Review Comment:
Changing things so that `superset` user can't modify things, it's going to
have pretty much just readonly the the whole image, execute on a few things it
needs, and write on its home directory
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
