From a8b272689c9932fa664fcaf9f4edb9c9fb6cf2ae Mon Sep 17 00:00:00 2001
From: Mike Gehard
Date: Sat, 18 Jan 2025 14:28:58 -0500
Subject: [PATCH] refactor: Optimize Dockerfile Security, performance, and non-root user workflow
---
 aider/website/docs/install/docker.md | 4 +-
 docker/Dockerfile | 83 ++++++++++++++----------------
 2 files changed, 42 insertions(+), 45 deletions(-)
diff --git a/aider/website/docs/install/docker.md b/aider/website/docs/install/docker.md
index f63a413c4ad..5142b7d4814 100644
--- a/aider/website/docs/install/docker.md
+++ b/aider/website/docs/install/docker.md
@@ -21,14 +21,14 @@ launch the aider core container.
 ```
 docker pull paulgauthier/aider
-docker run -it --user $(id -u):$(id -g) --volume $(pwd):/app paulgauthier/aider --openai-api-key $OPENAI_API_KEY [...other aider args...]
+docker run -it --volume $(pwd):/home/appuser/app paulgauthier/aider --openai-api-key $OPENAI_API_KEY [...other aider args...]
 ```
 ### Full version
 ```
 docker pull paulgauthier/aider-full
-docker run -it --user $(id -u):$(id -g) --volume $(pwd):/app paulgauthier/aider-full --openai-api-key $OPENAI_API_KEY [...other aider args...]
+docker run -it --volume $(pwd):/home/appuser/app paulgauthier/aider-full --openai-api-key $OPENAI_API_KEY [...other aider args...]
 ```
 ## How to use it
diff --git a/docker/Dockerfile b/docker/Dockerfile
index 43a61fa4757..958f4afa436 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -1,74 +1,71 @@
 FROM python:3.10-slim AS base
-# Install system dependencies
+# Create non-root user first
+RUN useradd -m -u 1000 -s /bin/bash appuser
+ENV HOME=/home/appuser
+
+RUN mkdir -p \
+ $HOME/.aider \
+ $HOME/.cache \
+ $HOME/pw-browsers \
+ $HOME/app \
+ $HOME/venv
+
+
 RUN apt-get update && \
- apt-get install --no-install-recommends -y build-essential git libportaudio2 pandoc && \
+ apt-get install -y --no-install-recommends \
+ build-essential \
+ git \
+ libportaudio2 \
+ pandoc && \
+ apt-get clean && \
 rm -rf /var/lib/apt/lists/*
-# Create app user with UID 1000
-RUN useradd -m -u 1000 -s /bin/bash appuser
-
-WORKDIR /app
+WORKDIR $HOME/app
-# Create virtual environment
-RUN python -m venv /venv
-ENV PATH="/venv/bin:$PATH"
+# Set up Python environment and Playwright settings
+ENV PATH="$HOME/venv/bin:$PATH" \
+ PLAYWRIGHT_BROWSERS_PATH=$HOME/pw-browsers \
+ PLAYWRIGHT_SKIP_BROWSER_GC=1
-# Playwright browser settings
-ENV PLAYWRIGHT_BROWSERS_PATH=/home/appuser/pw-browsers
-ENV PLAYWRIGHT_SKIP_BROWSER_GC=1
+RUN python -m venv $HOME/venv && \
+ pip install --no-cache-dir --upgrade pip
-# Create directories with proper permissions
-RUN mkdir -p /home/appuser/.aider /home/appuser/.cache /home/appuser/pw-browsers && \
- chown -R appuser:appuser /home/appuser /app /venv
+COPY --chown=appuser:appuser . $HOME/aider
-# So git doesn't complain about unusual permissions
-RUN git config --system --add safe.directory /app
+RUN git config --global --add safe.directory $HOME/app
 #########################
 FROM base AS aider-full
 ENV AIDER_DOCKER_IMAGE=paulgauthier/aider-full
-COPY . /tmp/aider
+# Install extra dependencies
+RUN pip install --no-cache-dir $HOME/aider[playwright,help,browser] \
+ --extra-index-url https://download.pytorch.org/whl/cpu && \
+ playwright install --with-deps chromium
-# Install dependencies as root
-RUN /venv/bin/python -m pip install --upgrade --no-cache-dir pip && \
- /venv/bin/python -m pip install --no-cache-dir /tmp/aider[help,browser,playwright] \
- --extra-index-url https://download.pytorch.org/whl/cpu && \
- rm -rf /tmp/aider
+RUN rm -rf $HOME/aider
-# Install playwright browsers
-RUN /venv/bin/python -m playwright install --with-deps chromium
+RUN chown -R appuser:appuser $HOME
-# Fix site-packages permissions
-RUN find /venv/lib/python3.10/site-packages \( -type d -exec chmod a+rwx {} + \) -o \( -type f -exec chmod a+rw {} + \)
-
-# Switch to appuser
 USER appuser
-ENTRYPOINT ["/venv/bin/aider"]
+ENTRYPOINT ["aider"]
 #########################
 FROM base AS aider
 ENV AIDER_DOCKER_IMAGE=paulgauthier/aider
-COPY . /tmp/aider
-
-# Install dependencies as root
-RUN /venv/bin/python -m pip install --upgrade --no-cache-dir pip && \
- /venv/bin/python -m pip install --no-cache-dir /tmp/aider[playwright] \
- --extra-index-url https://download.pytorch.org/whl/cpu && \
- rm -rf /tmp/aider
+RUN pip install --no-cache-dir $HOME/aider[playwright] \
+ --extra-index-url https://download.pytorch.org/whl/cpu && \
+ playwright install --with-deps chromium
-# Install playwright browsers
-RUN /venv/bin/python -m playwright install --with-deps chromium
+RUN rm -rf $HOME/aider
-# Fix site-packages permissions
-RUN find /venv/lib/python3.10/site-packages \( -type d -exec chmod a+rwx {} + \) -o \( -type f -exec chmod a+rw {} + \)
+RUN chown -R appuser:appuser $HOME
-# Switch to appuser
 USER appuser
-ENTRYPOINT ["/venv/bin/aider"]
+ENTRYPOINT ["aider"]
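Review bot: `RUN chown -R appuser:appuser $HOME`, repeated in the `aider-full` and `aider` stages, runs after `pip install` and `playwright install` have populated `$HOME/venv` and `$HOME/pw-browsers` as root, so every file of the venv and the Chromium download is copied up into a new layer and the image effectively ships them twice. The `mkdir -p` in `base` creates those directories root-owned; chowning the still-small `$HOME` once at the end of `base` and then running the pip and browser installs as `appuser`, with only the apt-based `playwright install-deps chromium` step as root (followed by `rm -rf /var/lib/apt/lists/*`, which the current `--with-deps` call leaves behind), removes the duplicate layer and the need for a root-owned venv. Separately, `COPY --chown=appuser:appuser . $HOME/aider` now lives in `base`, so the later `RUN rm -rf $HOME/aider` does not drop the checkout from the image, and anything in the build context that `.dockerignore` does not exclude (none is visible from this hunk) ends up in both published images; installing from a `RUN --mount=type=bind,target=/src,rw` instead would keep the source out of every layer. `git config --global` works here only because `ENV HOME=/home/appuser` precedes it, so the entry lands in appuser's `~/.gitconfig` rather than root's; a comment such as `# HOME is already /home/appuser, so --global writes appuser's ~/.gitconfig` would make that dependency explicit.
```dockerfile
# … unchanged: base stage through the git config line …
# Everything root had to write under $HOME is done; the tree is still small here
RUN chown -R appuser:appuser $HOME

#########################
FROM base AS aider-full
# … unchanged: ENV AIDER_DOCKER_IMAGE …
USER appuser
RUN pip install --no-cache-dir $HOME/aider[playwright,help,browser] \
    --extra-index-url https://download.pytorch.org/whl/cpu

# Browser system packages need apt, so this single step runs as root
USER root
RUN playwright install-deps chromium && \
    rm -rf /var/lib/apt/lists/*

USER appuser
RUN playwright install chromium && \
    rm -rf $HOME/aider

ENTRYPOINT ["aider"]
# … the aider stage mirrors this with the [playwright] extra only …
```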