Friday, May 15, 2026

Tips for creating hardened Docker images for production

1. Multi-Stage Docker Builds

Use multi-stage builds. Typically, the first stage installs all dependencies into a dedicated folder, while the final production stage copies only that dependency folder and the application code, so compilers, headers and other build-time tooling never reach the runtime image.

2. Hardened Docker Images

Use hardened container images from dhi.io for improved security and reduced attack surface.

3. Secure Python Runtime Environment

Use environment variables such as:

ENV PYTHONDONTWRITEBYTECODE=1
ENV PYTHONUNBUFFERED=1

  • PYTHONDONTWRITEBYTECODE → Stops Python from writing .pyc bytecode files into the container filesystem.
  • PYTHONUNBUFFERED → Disables stdout/stderr buffering so log lines reach the container log driver immediately.

4. Avoid Running as Root

In the production stage, always switch to a non-root / less privileged user.

5. Secure API Key Management

Never hardcode or bake API keys into Dockerfiles or image layers using ENV or ARG.

Pass secrets securely at runtime using environment variables provided by your orchestrator.

Docker Run Example

docker run --env-file .env -p 8080:8080 my-hardened-app

Docker Compose Example

Use environment: blocks mapped to local .env files.

Ensure .env is listed in .gitignore.

6. Uvicorn Production Defenses

Setting            Purpose
--workers 4        Restricts process spawning to a fixed, predictable resource footprint.
--proxy-headers    Safely handles trusted proxy headers when behind Nginx, Cloudflare, AWS ALB, etc.
--reload           Do NOT use in production: leaving it off prevents unsafe hot-reload behaviour and the code injection it could enable.

Example Hardened Dockerfile (Python + NumPy + Uvicorn)

# ==============================================================================
# STAGE 1: Builder
# ==============================================================================

# FROM dhi.io/python:3.13-dev AS builder
FROM python:3.13-slim AS builder

ENV PYTHONDONTWRITEBYTECODE=1 \
    PYTHONUNBUFFERED=1

WORKDIR /build

RUN apt-get update && apt-get install -y --no-install-recommends \
    build-essential \
    gcc \
    python3-dev \
    && rm -rf /var/lib/apt/lists/*

COPY requirements.txt .

RUN pip install --no-cache-dir --target=/build/deps -r requirements.txt

# ==============================================================================
# STAGE 2: Secure Runtime
# ==============================================================================

FROM dhi.io/python:3.13-minimal AS runtime

ENV PYTHONDONTWRITEBYTECODE=1 \
    PYTHONUNBUFFERED=1 \
    PYTHONPATH=/app/deps

WORKDIR /app

RUN groupadd -g 10001 appgroup && \
    useradd -u 10001 -g appgroup -m -s /sbin/nologin appuser

COPY --from=builder --chown=appuser:appgroup /build/deps /app/deps

# Keep .env, .git and other local-only files out of the build context with a
# .dockerignore, otherwise this COPY bakes them into an image layer.
COPY --chown=appuser:appgroup . /app/

USER appuser

EXPOSE 8080

# Exec-form ENTRYPOINT must be a single JSON array; the backslashes keep the
# multi-line layout valid. No --reload here (see section 6).
ENTRYPOINT ["python", "-m", "uvicorn", "main:app", \
            "--host", "0.0.0.0", \
            "--port", "8080", \
            "--workers", "4", \
            "--proxy-headers"]
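To turn the rules above into something a CI step can run before docker build, here is a small Dockerfile checker added as an example (it is not code from the original post). It looks at the final stage only and assumes the rule names and the constructed sample Dockerfile shown in the block.

```python
# Added example (not code from the original post): a pre-build checker that applies
# the post's rules to Dockerfile text: multi-stage, non-root USER, no secret-looking
# ENV/ARG names, no --reload, Python env flags set. Rule wording is my own.
import re
SECRET_NAME = re.compile(r"KEY|SECRET|TOKEN|PASSWORD", re.IGNORECASE)

def parse_stages(dockerfile: str) -> list:
    """Join backslash continuations, drop comments, split into FROM-delimited stages."""
    text = re.sub(r"\\\s*\n", " ", dockerfile)
    stages = []
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        instr, _, rest = line.partition(" ")
        if instr.upper() == "FROM":
            stages.append([])
        if stages:
            stages[-1].append((instr.upper(), rest.strip()))
    return stages

def var_names(rest: str) -> list:
    """Names declared by an ENV/ARG argument, in KEY=value or legacy 'KEY value' form."""
    return re.findall(r"(?:^|\s)([A-Za-z_]\w*)=", rest) or rest.split()[:1]

def check_dockerfile(dockerfile: str) -> list:
    """Return findings against the final stage; an empty list means every rule passed."""
    stages = parse_stages(dockerfile)
    final = stages[-1] if stages else []
    findings = [] if len(stages) > 1 else ["single-stage build: build tools ship in the runtime image"]
    users = [rest for instr, rest in final if instr == "USER"]
    if not users or users[-1].split(":")[0] in ("root", "0"):
        findings.append("final stage runs as root: add USER <non-root> before the entrypoint")
    for instr, rest in final:
        if instr in ("ENV", "ARG"):
            findings += [f"{instr} {n}: secret-looking name baked into an image layer"
                         for n in var_names(rest) if SECRET_NAME.search(n)]
        if instr in ("CMD", "ENTRYPOINT") and "--reload" in rest:
            findings.append("--reload in the start command: hot-reload must be off in production")
    env_text = " ".join(rest for instr, rest in final if instr == "ENV")
    findings += [f"{flag} is not set in the final stage"
                 for flag in ("PYTHONDONTWRITEBYTECODE", "PYTHONUNBUFFERED") if flag not in env_text]
    return findings

# Constructed sample that breaks every rule; the key value is an obvious placeholder.
BAD_DOCKERFILE = """FROM python:3.13-slim
ENV API_KEY=placeholder-not-a-real-key
COPY . /app
CMD ["uvicorn", "main:app", "--reload"]
"""
```

Run check_dockerfile on the Dockerfile above and it returns an empty list; on BAD_DOCKERFILE it reports all six violations.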