Merge pull request #21 from pythoninthegrass/distroless

Distroless

Author: pythoninthegrass

Dockerfile

@@ -1,111 +1,108 @@
-# using ubuntu LTS version
-FROM ubuntu:22.04 AS builder-image
+# SOURCES
+# https://github.com/alexdmoss/distroless-python
+# https://gitlab.com/n.ragav/python-images/-/tree/master/distroless
+
+# full semver just for python base image
+ARG PYTHON_VERSION=3.10.7
+
+# several optimisations in python-slim images already, benefit from these
+FROM python:${PYTHON_VERSION}-slim-bullseye AS builder-image
 
 # avoid stuck build due to user prompt
 ARG DEBIAN_FRONTEND=noninteractive
 
-RUN apt-get -qq update \
-    && apt-get -qq install \
-    --no-install-recommends -y \
-    aptitude \
-    autoconf \
-    automake \
-    build-essential \
-    ca-certificates \
-    curl \
-    git \
-    locales \
-    libbz2-dev \
-    libffi-dev \
-    libncurses-dev \
-    libreadline-dev \
-    libsqlite3-dev \
-    libssl-dev \
-    libtool \
-    libxslt-dev \
-    libyaml-dev \
-    python3 \
-    python3-dev \
-    python3-pip \
-    sqlite3 \
-    unixodbc-dev \
-    unzip \
-    && rm -rf /var/lib/apt/lists/*
+# setup standard non-root user for use downstream
+ARG USERNAME="appuser"
+ARG USER_GROUP=${USERNAME}
+ARG HOME="/home/${USERNAME}"
+
+RUN groupadd ${USER_GROUP}
+RUN useradd -m ${USERNAME} -g ${USER_GROUP}
+
+# setup user environment with good python practices
+USER ${USERNAME}
+WORKDIR ${HOME}
+ENV PATH="$HOME/.local/bin:$PATH"
 
 # Set locale
-RUN locale-gen en_US.UTF-8
 ENV LANG=en_US.UTF-8
 ENV LANGUAGE=en_US:en
 ENV LC_ALL=en_US.UTF-8
 
-ARG USERNAME=appuser
+# poetry for use elsewhere as builder image
+RUN pip install --upgrade pip \
+    && pip install --no-cache-dir --upgrade virtualenv poetry
+
+COPY pyproject.toml poetry.lock ./
+RUN poetry config virtualenvs.in-project true \
+    && poetry install
+
+# build from distroless C or cc:debug, because lots of Python depends on C
+FROM gcr.io/distroless/cc AS distroless
+
+# # arch: x86_64-linux-gnu / aarch64-linux-gnu
+# ARG CHIPSET_ARCH=aarch64-linux-gnu
+
+# # required by lots of packages - e.g. six, numpy, wsgi
+# COPY --from=builder-image /lib/${CHIPSET_ARCH}/libz.so.1 /lib/${CHIPSET_ARCH}/
+
+# non-root user setup
+ARG USERNAME="appuser"
+ARG PYTHON_VERSION=3.10
 ENV HOME="/home/${USERNAME}"
-ENV PATH="$HOME/.asdf/bin:$HOME/.asdf/shims:$PATH"
 
-RUN useradd --create-home $USERNAME
+# import useful bins from busybox image
+COPY --from=busybox:uclibc /bin/ls /bin/ls
+COPY --from=busybox:uclibc /bin/rm /bin/rm
+COPY --from=busybox:uclibc /bin/sh /bin/sh
+COPY --from=busybox:uclibc /bin/find /bin/find
+COPY --from=busybox:uclibc /bin/which /bin/which
 
-# install asdf then python latest
-RUN bash -c "git clone --depth 1 https://github.com/asdf-vm/asdf.git $HOME/.asdf \
-    && echo '. $HOME/.asdf/asdf.sh' >> $HOME/.bashrc  \
-    && echo '. $HOME/.asdf/asdf.sh' >> $HOME/.profile"
-RUN asdf plugin-add python \
-    && asdf install python 3.10.7 \
-    && asdf global python 3.10.7
+ENV VENV="/opt/venv"
+COPY --chown=${USERNAME} . /app
+COPY --from=builder-image --chown=${USERNAME} "${HOME}/.venv" "$VENV"
+COPY --from=builder-image /usr/local/lib/ /usr/local/lib/
+COPY --from=builder-image /usr/local/bin/python /usr/local/bin/python
+COPY --from=builder-image /etc/ld.so.cache /etc/ld.so.cache
 
-# TODO: test poetry via asdf
-ENV POETRY_HOME="$HOME/.poetry"
-RUN curl -sSL https://install.python-poetry.org | python3.10 -
-ENV PATH "${POETRY_HOME}/bin:$PATH"
+ENV PATH="/usr/local/bin:${HOME}/.local/bin:/bin:/usr/bin:${VENV}/bin:${VENV}/lib/python${PYTHON_VERSION}/site-packages:$PATH"
 
-WORKDIR $$HOME/app
-COPY pyproject.toml poetry.lock ./
-RUN python3.10 -m venv /opt/venv
+RUN echo "${USERNAME}:x:1000:${USERNAME}" >> /etc/group
+RUN echo "${USERNAME}:x:1001:" >> /etc/group
+RUN echo "${USERNAME}:x:1000:1001::/home/${USERNAME}:" >> /etc/passwd
+
+# standardise on locale, don't generate .pyc, enable tracebacks on seg faults
+ENV LANG C.UTF-8
+ENV LC_ALL C.UTF-8
+ENV PYTHONDONTWRITEBYTECODE 1
+ENV PYTHONFAULTHANDLER 1
 
-# Install pip requirements
-RUN . /opt/venv/bin/activate && poetry install
+# remove dev bins (need sh to run `startup.sh`)
+RUN rm /bin/find /bin/ls /bin/rm /bin/which
 
-# TODO: dive + docker-slim
-FROM ubuntu:22.04 AS runner-image
+FROM distroless AS runner-image
 
+ARG PYTHON_VERSION=3.10
 ARG USERNAME=appuser
 ENV HOME="/home/${USERNAME}"
-ENV VIRTUAL_ENV="/opt/venv"
-ENV PATH="${VIRTUAL_ENV}/bin:$HOME/.asdf/bin:$HOME/.asdf/shims:$PATH"
+ENV VENV="/opt/venv"
 
-RUN useradd --create-home $USERNAME \
-    && mkdir -p ${HOME}/app
-
-COPY --chown=${USERNAME}:${USERNAME} . $HOME/app
-COPY --from=builder-image --chown=${USERNAME}:${USERNAME} /opt/venv /opt/venv
-COPY --from=builder-image --chown=${USERNAME}:${USERNAME} $HOME/.asdf $HOME/.asdf
-
-# avoid stuck build due to user prompt
-ARG DEBIAN_FRONTEND=noninteractive
+ENV PATH="/usr/local/bin:${HOME}/.local/bin:/bin:/usr/bin:${VENV}/bin:${VENV}/lib/python${PYTHON_VERSION}/site-packages:$PATH"
 
-RUN apt-get -qq update \
-    && apt-get -qq install \
-    --no-install-recommends -y \
-    ca-certificates \
-    curl \
-    git \
-    libsqlite3-dev \
-    sqlite3 \
-    && rm -rf /var/lib/apt/lists/*
-
-# Keeps Python from generating .pyc files in the container
+# keeps Python from generating .pyc files in the container
 ENV PYTHONDONTWRITEBYTECODE=1
 
-# Turns off buffering for easier container logging
+# turns off buffering for easier container logging
 ENV PYTHONUNBUFFERED=1
 
-# activate virtual environment
-RUN python -m venv $VIRTUAL_ENV
+# workers per core (https://github.com/tiangolo/uvicorn-gunicorn-fastapi-docker/blob/master/README.md#web_concurrency)
+ENV WEB_CONCURRENCY=1
 
-USER appuser
+WORKDIR /app
 
-WORKDIR $HOME/app
+USER ${USERNAME}
 
 # ENTRYPOINT ["python", "main.py"]
 # CMD ["gunicorn", "-c", "config/gunicorn.conf.py", "main:app"]
-CMD ["/bin/bash", "startup.sh"]
-# CMD ["/bin/bash"]
+# CMD ["/bin/sh", "startup.sh"]
+CMD ["/bin/sh"]

gunicorn.conf.py

@@ -0,0 +1,4 @@
+workers = 4
+threads = 2
+bind = "0.0.0.0:3000"
+accesslog = "-"