Allow for read-only container run

gcarothers · gcarothers · commit cc8c266f0ada · 2025-11-19T12:42:57.000-08:00
* Requires adding tmpfs for writable paths
* uv run with --no-sync and --no-cache for read-only FS
* Docker compose updated for read-only mode matching expected k8s usage
diff --git a/Dockerfile b/Dockerfile
@@ -38,4 +38,4 @@ RUN uv sync --frozen
 
 EXPOSE 10011
 
-ENTRYPOINT ["uv", "run", "uvicorn", "--host", "0.0.0.0", "--port", "10011", "--factory", "lexmachina_agent.server:app"]
+ENTRYPOINT ["uv", "run", "--no-sync", "--no-cache", "uvicorn", "--host", "0.0.0.0", "--port", "10011", "--factory", "lexmachina_agent.server:app"]
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -13,6 +13,9 @@ services:
     env_file:
       - .env  # Optional: load environment variables from .env file
     restart: unless-stopped
+    read_only: true
+    tmpfs:
+      - /tmp
     healthcheck:
       test: ["CMD", "curl", "-f", "http://localhost:10011/.well-known/agent-card.json"]
       interval: 30s

Original file line number	Diff line number	Diff line change
`@@ -38,4 +38,4 @@ RUN uv sync --frozen`
`38`	`38`
`39`	`39`	`EXPOSE 10011`
`40`	`40`
`41`		`-ENTRYPOINT ["uv", "run", "uvicorn", "--host", "0.0.0.0", "--port", "10011", "--factory", "lexmachina_agent.server:app"]`
	`41`	`+ENTRYPOINT ["uv", "run", "--no-sync", "--no-cache", "uvicorn", "--host", "0.0.0.0", "--port", "10011", "--factory", "lexmachina_agent.server:app"]`