fix(docker): remove misleading ENV, add explicit UID/GID, add .dockerignore (#827)
* fix(docker): remove misleading ENV, add explicit UID/GID, add .dockerignore - Removed `ENV DEEPSEEK_API_KEY=""` and `ENV DEEPSEEK_NO_COLOR=""`: API keys should never be baked into image layers, even as empty strings. Added comments documenting runtime secret passing patterns. - Added explicit UID/GID (1000:1000) for the `deepseek` user: Makes filesystem ownership unambiguous when mounting volumes and avoids the default auto-assigned UID shifting between hosts. - Added `.dockerignore`: Prevents accidental inclusion of .env files, local runtime state, documentation, dev configs, and build artifacts into the build context, keeping the image smaller and avoiding secret leaks. * fix(docker): keep nested build inputs in context --------- Co-authored-by: Hunter Bown <hmbown@gmail.com>
This commit is contained in:
Ziang Xie
@@ -0,0 +1,65 @@
|
||||
# Build artifacts
|
||||
/target/
|
||||
*.pdb
|
||||
*.dll
|
||||
*.so
|
||||
*.dylib
|
||||
*.rlib
|
||||
|
||||
# Sensitive environment files
|
||||
.env
|
||||
.env.*
|
||||
|
||||
# Development
|
||||
/node_modules/
|
||||
/.vscode/
|
||||
/.idea/
|
||||
*.swp
|
||||
*.swo
|
||||
*~
|
||||
.DS_Store
|
||||
|
||||
# Git
|
||||
/.git/
|
||||
/.gitignore
|
||||
/.gitattributes
|
||||
|
||||
# CI/CD
|
||||
/.github/
|
||||
|
||||
# Python
|
||||
__pycache__/
|
||||
*.py[cod]
|
||||
.pytest_cache/
|
||||
venv/
|
||||
.venv/
|
||||
|
||||
# Logs
|
||||
*.log
|
||||
|
||||
# Generated
|
||||
/outputs/
|
||||
/tmp/
|
||||
|
||||
# Local runtime state
|
||||
/.deepseek/
|
||||
|
||||
# Claude Code artifacts
|
||||
/.claude/
|
||||
/.ace-tool/
|
||||
|
||||
# Documentation (not needed at runtime)
|
||||
/docs/
|
||||
/website/
|
||||
/*.md
|
||||
!/README.md
|
||||
|
||||
# Assets (screenshots, etc.)
|
||||
/assets/
|
||||
|
||||
# Scripts
|
||||
/scripts/
|
||||
|
||||
# Development configs
|
||||
/.devcontainer/
|
||||
/config.example.toml
|
||||
+8
-5
@@ -7,6 +7,11 @@
|
||||
# The image ships both binaries (deepseek dispatcher + deepseek-tui runtime)
|
||||
# in a minimal runtime layer. No MCP servers or heavy toolchains are included
|
||||
# — keep it slim.
|
||||
#
|
||||
# API keys MUST be passed at runtime (never baked into the image):
|
||||
# docker run --rm -it -e DEEPSEEK_API_KEY deepseek-tui
|
||||
# Or mount an env file:
|
||||
# docker run --rm -it --env-file .env deepseek-tui
|
||||
|
||||
ARG RUST_VERSION=1.88
|
||||
|
||||
@@ -50,8 +55,9 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
|
||||
libdbus-1-3 \
|
||||
&& rm -rf /var/lib/apt/lists/*
|
||||
|
||||
# Non-root user.
|
||||
RUN useradd --create-home --shell /bin/bash deepseek
|
||||
# Non-root user with explicit UID/GID for filesystem ownership clarity.
|
||||
RUN groupadd --gid 1000 deepseek \
|
||||
&& useradd --create-home --shell /bin/bash --uid 1000 --gid 1000 deepseek
|
||||
USER deepseek
|
||||
WORKDIR /home/deepseek
|
||||
|
||||
@@ -61,8 +67,5 @@ COPY --from=builder --chown=deepseek:deepseek /out/deepseek-tui /usr/local/bin/d
|
||||
# The dispatcher expects to find its companion binary next to it.
|
||||
# Both are in /usr/local/bin — no further path setup needed.
|
||||
|
||||
ENV DEEPSEEK_API_KEY=""
|
||||
ENV DEEPSEEK_NO_COLOR=""
|
||||
|
||||
ENTRYPOINT ["deepseek"]
|
||||
CMD []
|
||||
|
||||
Reference in New Issue
Block a user