1- # SOURCE: https://github.com/alexdmoss/distroless-python
1+ # SOURCES
2+ # https://github.com/alexdmoss/distroless-python
3+ # https://gitlab.com/n.ragav/python-images/-/tree/master/distroless
4+
5+ # full semver just for python base image
6+ ARG PYTHON_VERSION=3.10.7
27
38# several optimisations in python-slim images already, benefit from these
4- FROM python:3.10.7 -slim-bullseye AS builder-image
9+ FROM python:${PYTHON_VERSION} -slim-bullseye AS builder-image
510
611# avoid stuck build due to user prompt
712ARG DEBIAN_FRONTEND=noninteractive
813
914# setup standard non-root user for use downstream
1015ARG USERNAME="appuser"
1116ARG USER_GROUP=${USERNAME}
17+ ARG HOME="/home/${USERNAME}"
1218
1319RUN groupadd ${USER_GROUP}
1420RUN useradd -m ${USERNAME} -g ${USER_GROUP}
1521
16- USER ${USERNAME}
17- ENV HOME="/home/${USERNAME}"
18-
19- ENV PATH="$HOME/.local/bin:$PATH"
20-
2122# setup user environment with good python practices
2223USER ${USERNAME}
23- WORKDIR /home/${USERNAME}
24+ WORKDIR ${HOME}
25+ ENV PATH="$HOME/.local/bin:$PATH"
2426
2527# Set locale
2628ENV LANG=en_US.UTF-8
@@ -41,67 +43,51 @@ FROM gcr.io/distroless/cc AS distroless
4143# # arch: x86_64-linux-gnu / aarch64-linux-gnu
4244# ARG CHIPSET_ARCH=aarch64-linux-gnu
4345
44- # # this carries more risk than installing it fully, but makes the image a lot smaller
45- # COPY --from=builder-image /usr/local/lib/ /usr/local/lib/
46- # COPY --from=builder-image /usr/local/bin/python /usr/local/bin/python
47- # COPY --from=builder-image /etc/ld.so.cache /etc/ld.so.cache
48-
4946# # required by lots of packages - e.g. six, numpy, wsgi
5047# COPY --from=builder-image /lib/${CHIPSET_ARCH}/libz.so.1 /lib/${CHIPSET_ARCH}/
5148
5249# non-root user setup
5350ARG USERNAME="appuser"
54- ARG ${ PYTHON_VERSION:- 3.10}
51+ ARG PYTHON_VERSION= 3.10
5552ENV HOME="/home/${USERNAME}"
5653
57- COPY --from=builder-image /bin/echo /bin/echo
58- COPY --from=builder-image /bin/rm /bin/rm
59- COPY --from=builder-image /bin/sh /bin/sh
60-
61- RUN echo "${USERNAME}:x:1000:${USERNAME}" >> /etc/group
62- RUN echo "${USERNAME}:x:1001:" >> /etc/group
63- RUN echo "${USERNAME}:x:1000:1001::/home/${USERNAME}:" >> /etc/passwd
54+ # import useful bins from busybox image
55+ COPY --from=busybox:uclibc /bin/ls /bin/ls
56+ COPY --from=busybox:uclibc /bin/rm /bin/rm
57+ COPY --from=busybox:uclibc /bin/sh /bin/sh
58+ COPY --from=busybox:uclibc /bin/find /bin/find
59+ COPY --from=busybox:uclibc /bin/which /bin/which
6460
6561ENV VENV="/opt/venv"
66- COPY . /app
67- COPY --from=builder-image "${HOME}/.venv" "$VENV"
68-
69- ENV PATH="/app/.venv/bin:/app/.venv/lib/python${PYTHON_VERSION}/site-packages:$PATH"
62+ COPY --chown=${USERNAME} . /app
63+ COPY --from=builder-image --chown=${USERNAME} "${HOME}/.venv" "$VENV"
64+ COPY --from=builder-image /usr/local/lib/ /usr/local/lib/
65+ COPY --from=builder-image /usr/local/bin/python /usr/local/bin/python
66+ COPY --from=builder-image /etc/ld.so.cache /etc/ld.so.cache
7067
71- # TODO: QA runner-image before removing shell
72- # RUN rm /bin/sh /bin/echo /bin/rm
68+ ENV PATH="/usr/local/bin:${HOME}/.local/bin:/bin:/usr/bin:${VENV}/bin:${VENV}/lib/python${PYTHON_VERSION}/site-packages:$PATH"
7369
74- # default to running as non-root, uid=1000
75- ARG USERNAME="appuser"
76- USER ${USERNAME}
77-
78- ARG PYTHON_VERSION=3.10
79- ENV HOME="/home/${USERNAME}"
80- ENV VENV="/opt/venv"
81- ENV PATH="$HOME/.local/bin:${VENV}/bin:${VENV}/lib/python${PYTHON_VERSION}/site-packages"
82-
83- # TODO: not finding python
84- # quick validation that python still works whilst we have a shell
85- RUN python --version
70+ RUN echo "${USERNAME}:x:1000:${USERNAME}" >> /etc/group
71+ RUN echo "${USERNAME}:x:1001:" >> /etc/group
72+ RUN echo "${USERNAME}:x:1000:1001::/home/${USERNAME}:" >> /etc/passwd
8673
8774# standardise on locale, don't generate .pyc, enable tracebacks on seg faults
8875ENV LANG C.UTF-8
8976ENV LC_ALL C.UTF-8
9077ENV PYTHONDONTWRITEBYTECODE 1
9178ENV PYTHONFAULTHANDLER 1
9279
93- # ENTRYPOINT ["/usr/local/bin/python"]
80+ # remove dev bins (need sh to run `startup.sh`)
81+ RUN rm /bin/find /bin/ls /bin/rm /bin/which
9482
9583FROM distroless AS runner-image
9684
97- ARG ${ PYTHON_VERSION:- 3.10}
85+ ARG PYTHON_VERSION= 3.10
9886ARG USERNAME=appuser
9987ENV HOME="/home/${USERNAME}"
88+ ENV VENV="/opt/venv"
10089
101- COPY . /app
102- COPY --from=distroless "${HOME}/.venv" "${HOME}/.venv"
103-
104- ENV PATH="$HOME/.local/bin:${HOME}/.venv/lib/python${PYTHON_VERSION}/site-packages"
90+ ENV PATH="/usr/local/bin:${HOME}/.local/bin:/bin:/usr/bin:${VENV}/bin:${VENV}/lib/python${PYTHON_VERSION}/site-packages:$PATH"
10591
10692# keeps Python from generating .pyc files in the container
10793ENV PYTHONDONTWRITEBYTECODE=1
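Review bot: `COPY --chown=${USERNAME} . /app` (new line 62) and the venv copy on line 63 run before the three `RUN echo … >> /etc/group` / `>> /etc/passwd` lines at 70-72, so when the copies execute the distroless stage has no `appuser` entry to resolve the owner name against and the build should fail at that step; either move the passwd/group writes above the copies or use numeric ids, `COPY --chown=1000:1001 . /app`. The group writes are also inconsistent with each other: lines 70 and 71 both create a group named `appuser`, once with gid 1000 and once with gid 1001, while the passwd line makes 1001 the primary group, so a single `RUN echo "${USERNAME}:x:1001:" >> /etc/group` entry keeps name lookups and the numeric ids in agreement (and a fixed `--uid`/`--gid` on the builder stage's `useradd`/`groupadd`, outside this hunk, would keep them stable across stages). The `${VENV}/lib/python${PYTHON_VERSION}/site-packages` element in the `PATH` lines at 68 and 90 has no effect, since `PATH` only locates executables; module lookup presumably comes from the venv's own configuration, so the element can be dropped or moved to `PYTHONPATH` if it is really needed. Keeping `/bin/sh` in the final image is the main departure from the distroless model here, so the comment at line 80 should spell out that the shell is retained only for `startup.sh` and is to be removed once the entrypoint is switched to exec form, e.g. `# /bin/sh is kept only because startup.sh needs it; drop it once ENTRYPOINT is exec-form`.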
@@ -114,6 +100,8 @@ ENV WEB_CONCURRENCY=1
114100
115101WORKDIR /app
116102
103+ USER ${USERNAME}
104+
117105# ENTRYPOINT ["python", "main.py"]
118106# CMD ["gunicorn", "-c", "config/gunicorn.conf.py", "main:app"]
119107# CMD ["/bin/sh", "startup.sh"]