# Multi-stage build for Dexorder user container FROM continuumio/miniconda3:latest AS builder WORKDIR /build # Install build dependencies including protobuf compiler RUN apt-get update && apt-get install -y --no-install-recommends \ gcc \ g++ \ protobuf-compiler \ && rm -rf /var/lib/apt/lists/* # Copy dependency specifications COPY environment.yml . COPY dexorder/ dexorder/ # Copy protobuf definitions (copied by bin/build from canonical /protobuf/) COPY protobuf/ protobuf/ # Compile protobufs to Python RUN mkdir -p dexorder/generated && \ protoc --python_out=dexorder/generated --proto_path=protobuf protobuf/*.proto && \ touch dexorder/generated/__init__.py # Create conda environment and install dependencies RUN conda env create -f environment.yml -p /build/env && \ conda clean -afy # ============================================================================= # Runtime stage # ============================================================================= FROM continuumio/miniconda3:latest WORKDIR /app # Install runtime dependencies only RUN apt-get update && apt-get install -y --no-install-recommends \ libzmq5 \ git \ && rm -rf /var/lib/apt/lists/* # Create non-root user RUN groupadd -r dexorder && useradd -r -g dexorder -u 1000 dexorder # Copy conda environment from builder COPY --from=builder /build/env /opt/conda/envs/dexorder # Copy application code COPY dexorder/ /app/dexorder/ COPY main.py /app/ # Copy generated protobuf code from builder COPY --from=builder /build/dexorder/generated/ /app/dexorder/generated/ # Create directories for config, secrets, and data # Note: /app will be read-only at runtime except for /app/data (mounted volume) RUN mkdir -p /app/config /app/secrets /app/data && \ chown -R root:root /app && \ chmod -R 755 /app && \ chown dexorder:dexorder /app/data && \ chmod 700 /app/data # Create writable tmp directory (read-only rootfs requirement) RUN mkdir -p /tmp && chmod 1777 /tmp # Copy entrypoint script COPY entrypoint.sh /app/ RUN chmod 755 /app/entrypoint.sh && chown root:root /app/entrypoint.sh # Switch to non-root user USER dexorder # Environment variables (can be overridden in k8s) ENV PYTHONPATH=/app \ PYTHONUNBUFFERED=1 \ MPLCONFIGDIR=/tmp \ NUMBA_CACHE_DIR=/tmp/numba_cache \ LOG_LEVEL=INFO \ CONFIG_PATH=/app/config/config.yaml \ SECRETS_PATH=/app/config/secrets.yaml \ ZMQ_XPUB_PORT=5570 \ ZMQ_GATEWAY_ENDPOINT=tcp://gateway:5571 \ MCP_SERVER_NAME=dexorder-user \ MCP_TRANSPORT=sse \ MCP_HTTP_PORT=3000 \ MCP_HTTP_HOST=0.0.0.0 \ IDLE_TIMEOUT_MINUTES=15 \ ENABLE_IDLE_SHUTDOWN=true # Health check endpoint (simple check if process is running) HEALTHCHECK --interval=30s --timeout=5s --start-period=10s --retries=3 \ CMD /opt/conda/envs/dexorder/bin/python -c "import sys; sys.exit(0)" # Run the main application using conda environment via entrypoint ENTRYPOINT ["/app/entrypoint.sh"]