Skip to content

Professional Docker setup: pinned builds, healthcheck, dev/prod compo…#3

Merged
ak4code merged 1 commit into
mainfrom
claude/nifty-euler-my09oj
Jun 12, 2026
Merged

Professional Docker setup: pinned builds, healthcheck, dev/prod compo…#3
ak4code merged 1 commit into
mainfrom
claude/nifty-euler-my09oj

Conversation

@ak4code

@ak4code ak4code commented Jun 12, 2026

Copy link
Copy Markdown
Owner

…se split

Dockerfile:

  • Add .dockerignore (no more .git/.env/.venv leaking into the image)
  • Pin uv image (0.11) instead of :latest, install with --locked so the build fails on a stale uv.lock
  • BuildKit cache mount for uv, bytecode precompilation, UV_LINK_MODE=copy
  • venv moved to root-owned /opt/venv: the app user cannot modify its own dependencies
  • Non-root user with nologin shell, app dir prepared via install -d
  • Image-level HEALTHCHECK probing /health/ (no curl dependency)
  • OCI image labels, dedicated production target with code baked in

Compose:

  • Split into docker-compose.yml (shared base), docker-compose.override.yml (dev: source bind-mount, DB ports on localhost only) and docker-compose.prod.yml (production target, resource limits, DB ports unpublished)
  • json-file log rotation on all services, init: true for django
  • Drop unused uv_cache/logs/www mounts and MODE variable

Settings:

  • prod: allow 127.0.0.1 host and exempt /health/ from SSL redirect so the container healthcheck works behind TLS-terminating proxies

Tooling: make up-prod/down-prod/logs-prod, README Docker section, ignore staticfiles/ in git

…se split

Dockerfile:
- Add .dockerignore (no more .git/.env/.venv leaking into the image)
- Pin uv image (0.11) instead of :latest, install with --locked so the
  build fails on a stale uv.lock
- BuildKit cache mount for uv, bytecode precompilation, UV_LINK_MODE=copy
- venv moved to root-owned /opt/venv: the app user cannot modify
  its own dependencies
- Non-root user with nologin shell, app dir prepared via install -d
- Image-level HEALTHCHECK probing /health/ (no curl dependency)
- OCI image labels, dedicated production target with code baked in

Compose:
- Split into docker-compose.yml (shared base), docker-compose.override.yml
  (dev: source bind-mount, DB ports on localhost only) and
  docker-compose.prod.yml (production target, resource limits,
  DB ports unpublished)
- json-file log rotation on all services, init: true for django
- Drop unused uv_cache/logs/www mounts and MODE variable

Settings:
- prod: allow 127.0.0.1 host and exempt /health/ from SSL redirect so
  the container healthcheck works behind TLS-terminating proxies

Tooling: make up-prod/down-prod/logs-prod, README Docker section,
ignore staticfiles/ in git

https://claude.ai/code/session_01YZr4TbzTw6EkkFqZz2onTF
@ak4code ak4code merged commit b1cd586 into main Jun 12, 2026
2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants