[WIP] ubuntu to distroless dockerfile

pythoninthegrass · pythoninthegrass · commit d8be023defc6 · 2022-10-08T11:04:43.000-05:00
diff --git a/Dockerfile b/Dockerfile
@@ -1,111 +1,120 @@
-# using ubuntu LTS version
-FROM ubuntu:22.04 AS builder-image
+# SOURCE: https://github.com/alexdmoss/distroless-python
+
+# several optimisations in python-slim images already, benefit from these
+FROM python:3.10.7-slim-bullseye AS builder-image
 
 # avoid stuck build due to user prompt
 ARG DEBIAN_FRONTEND=noninteractive
 
-RUN apt-get -qq update \
-    && apt-get -qq install \
-    --no-install-recommends -y \
-    aptitude \
-    autoconf \
-    automake \
-    build-essential \
-    ca-certificates \
-    curl \
-    git \
-    locales \
-    libbz2-dev \
-    libffi-dev \
-    libncurses-dev \
-    libreadline-dev \
-    libsqlite3-dev \
-    libssl-dev \
-    libtool \
-    libxslt-dev \
-    libyaml-dev \
-    python3 \
-    python3-dev \
-    python3-pip \
-    sqlite3 \
-    unixodbc-dev \
-    unzip \
-    && rm -rf /var/lib/apt/lists/*
+# setup standard non-root user for use downstream
+ARG USERNAME="appuser"
+ARG USER_GROUP=${USERNAME}
+
+RUN groupadd ${USER_GROUP}
+RUN useradd -m ${USERNAME} -g ${USER_GROUP}
+
+USER ${USERNAME}
+ENV HOME="/home/${USERNAME}"
+
+ENV PATH="$HOME/.local/bin:$PATH"
+
+# setup user environment with good python practices
+USER ${USERNAME}
+WORKDIR /home/${USERNAME}
 
 # Set locale
-RUN locale-gen en_US.UTF-8
 ENV LANG=en_US.UTF-8
 ENV LANGUAGE=en_US:en
 ENV LC_ALL=en_US.UTF-8
 
-ARG USERNAME=appuser
+# poetry for use elsewhere as builder image
+RUN pip install --upgrade pip \
+    && pip install --no-cache-dir --upgrade virtualenv poetry
+
+COPY pyproject.toml poetry.lock ./
+RUN poetry config virtualenvs.in-project true \
+    && poetry install
+
+# build from distroless C or cc:debug, because lots of Python depends on C
+FROM gcr.io/distroless/cc AS distroless
+
+# # arch: x86_64-linux-gnu / aarch64-linux-gnu
+# ARG CHIPSET_ARCH=aarch64-linux-gnu
+
+# # this carries more risk than installing it fully, but makes the image a lot smaller
+# COPY --from=builder-image /usr/local/lib/ /usr/local/lib/
+# COPY --from=builder-image /usr/local/bin/python /usr/local/bin/python
+# COPY --from=builder-image /etc/ld.so.cache /etc/ld.so.cache
+
+# # required by lots of packages - e.g. six, numpy, wsgi
+# COPY --from=builder-image /lib/${CHIPSET_ARCH}/libz.so.1 /lib/${CHIPSET_ARCH}/
+
+# non-root user setup
+ARG USERNAME="appuser"
+ARG ${PYTHON_VERSION:-3.10}
 ENV HOME="/home/${USERNAME}"
-ENV PATH="$HOME/.asdf/bin:$HOME/.asdf/shims:$PATH"
 
-RUN useradd --create-home $USERNAME
+COPY --from=builder-image /bin/echo /bin/echo
+COPY --from=builder-image /bin/rm /bin/rm
+COPY --from=builder-image /bin/sh /bin/sh
 
-# install asdf then python latest
-RUN bash -c "git clone --depth 1 https://github.com/asdf-vm/asdf.git $HOME/.asdf \
-    && echo '. $HOME/.asdf/asdf.sh' >> $HOME/.bashrc  \
-    && echo '. $HOME/.asdf/asdf.sh' >> $HOME/.profile"
-RUN asdf plugin-add python \
-    && asdf install python 3.10.7 \
-    && asdf global python 3.10.7
+RUN echo "${USERNAME}:x:1000:${USERNAME}" >> /etc/group
+RUN echo "${USERNAME}:x:1001:" >> /etc/group
+RUN echo "${USERNAME}:x:1000:1001::/home/${USERNAME}:" >> /etc/passwd
 
-# TODO: test poetry via asdf
-ENV POETRY_HOME="$HOME/.poetry"
-RUN curl -sSL https://install.python-poetry.org | python3.10 -
-ENV PATH "${POETRY_HOME}/bin:$PATH"
+ENV VENV="/opt/venv"
+COPY . /app
+COPY --from=builder-image "${HOME}/.venv" "$VENV"
 
-WORKDIR $$HOME/app
-COPY pyproject.toml poetry.lock ./
-RUN python3.10 -m venv /opt/venv
+ENV PATH="/app/.venv/bin:/app/.venv/lib/python${PYTHON_VERSION}/site-packages:$PATH"
 
-# Install pip requirements
-RUN . /opt/venv/bin/activate && poetry install
+# TODO: QA runner-image before removing shell
+# RUN rm /bin/sh /bin/echo /bin/rm
 
-# TODO: dive + docker-slim
-FROM ubuntu:22.04 AS runner-image
+# default to running as non-root, uid=1000
+ARG USERNAME="appuser"
+USER ${USERNAME}
 
-ARG USERNAME=appuser
+ARG PYTHON_VERSION=3.10
 ENV HOME="/home/${USERNAME}"
-ENV VIRTUAL_ENV="/opt/venv"
-ENV PATH="${VIRTUAL_ENV}/bin:$HOME/.asdf/bin:$HOME/.asdf/shims:$PATH"
+ENV VENV="/opt/venv"
+ENV PATH="$HOME/.local/bin:${VENV}/bin:${VENV}/lib/python${PYTHON_VERSION}/site-packages"
 
-RUN useradd --create-home $USERNAME \
-    && mkdir -p ${HOME}/app
+# TODO: not finding python
+# quick validation that python still works whilst we have a shell
+RUN python --version
 
-COPY --chown=${USERNAME}:${USERNAME} . $HOME/app
-COPY --from=builder-image --chown=${USERNAME}:${USERNAME} /opt/venv /opt/venv
-COPY --from=builder-image --chown=${USERNAME}:${USERNAME} $HOME/.asdf $HOME/.asdf
+# standardise on locale, don't generate .pyc, enable tracebacks on seg faults
+ENV LANG C.UTF-8
+ENV LC_ALL C.UTF-8
+ENV PYTHONDONTWRITEBYTECODE 1
+ENV PYTHONFAULTHANDLER 1
 
-# avoid stuck build due to user prompt
-ARG DEBIAN_FRONTEND=noninteractive
+# ENTRYPOINT ["/usr/local/bin/python"]
+
+FROM distroless AS runner-image
 
-RUN apt-get -qq update \
-    && apt-get -qq install \
-    --no-install-recommends -y \
-    ca-certificates \
-    curl \
-    git \
-    libsqlite3-dev \
-    sqlite3 \
-    && rm -rf /var/lib/apt/lists/*
-
-# Keeps Python from generating .pyc files in the container
+ARG ${PYTHON_VERSION:-3.10}
+ARG USERNAME=appuser
+ENV HOME="/home/${USERNAME}"
+
+COPY . /app
+COPY --from=distroless "${HOME}/.venv" "${HOME}/.venv"
+
+ENV PATH="$HOME/.local/bin:${HOME}/.venv/lib/python${PYTHON_VERSION}/site-packages"
+
+# keeps Python from generating .pyc files in the container
 ENV PYTHONDONTWRITEBYTECODE=1
 
-# Turns off buffering for easier container logging
+# turns off buffering for easier container logging
 ENV PYTHONUNBUFFERED=1
 
-# activate virtual environment
-RUN python -m venv $VIRTUAL_ENV
-
-USER appuser
+# workers per core (https://github.com/tiangolo/uvicorn-gunicorn-fastapi-docker/blob/master/README.md#web_concurrency)
+ENV WEB_CONCURRENCY=1
 
-WORKDIR $HOME/app
+WORKDIR /app
 
 # ENTRYPOINT ["python", "main.py"]
 # CMD ["gunicorn", "-c", "config/gunicorn.conf.py", "main:app"]
-CMD ["/bin/bash", "startup.sh"]
-# CMD ["/bin/bash"]
+# CMD ["/bin/sh", "startup.sh"]
+CMD ["/bin/sh"]
diff --git a/Dockerfile.og b/Dockerfile.og
@@ -0,0 +1,111 @@
+# using ubuntu LTS version
+FROM ubuntu:22.04 AS builder-image
+
+# avoid stuck build due to user prompt
+ARG DEBIAN_FRONTEND=noninteractive
+
+RUN apt-get -qq update \
+    && apt-get -qq install \
+    --no-install-recommends -y \
+    aptitude \
+    autoconf \
+    automake \
+    build-essential \
+    ca-certificates \
+    curl \
+    git \
+    locales \
+    libbz2-dev \
+    libffi-dev \
+    libncurses-dev \
+    libreadline-dev \
+    libsqlite3-dev \
+    libssl-dev \
+    libtool \
+    libxslt-dev \
+    libyaml-dev \
+    python3 \
+    python3-dev \
+    python3-pip \
+    sqlite3 \
+    unixodbc-dev \
+    unzip \
+    && rm -rf /var/lib/apt/lists/*
+
+# Set locale
+RUN locale-gen en_US.UTF-8
+ENV LANG=en_US.UTF-8
+ENV LANGUAGE=en_US:en
+ENV LC_ALL=en_US.UTF-8
+
+ARG USERNAME=appuser
+ENV HOME="/home/${USERNAME}"
+ENV PATH="$HOME/.asdf/bin:$HOME/.asdf/shims:$PATH"
+
+RUN useradd --create-home $USERNAME
+
+# install asdf then python latest
+RUN bash -c "git clone --depth 1 https://github.com/asdf-vm/asdf.git $HOME/.asdf \
+    && echo '. $HOME/.asdf/asdf.sh' >> $HOME/.bashrc  \
+    && echo '. $HOME/.asdf/asdf.sh' >> $HOME/.profile"
+RUN asdf plugin-add python \
+    && asdf install python 3.10.7 \
+    && asdf global python 3.10.7
+
+# TODO: test poetry via asdf
+ENV POETRY_HOME="$HOME/.poetry"
+RUN curl -sSL https://install.python-poetry.org | python3.10 -
+ENV PATH "${POETRY_HOME}/bin:$PATH"
+
+WORKDIR $$HOME/app
+COPY pyproject.toml poetry.lock ./
+RUN python3.10 -m venv /opt/venv
+
+# Install pip requirements
+RUN . /opt/venv/bin/activate && poetry install
+
+# TODO: dive + docker-slim
+FROM ubuntu:22.04 AS runner-image
+
+ARG USERNAME=appuser
+ENV HOME="/home/${USERNAME}"
+ENV VIRTUAL_ENV="/opt/venv"
+ENV PATH="${VIRTUAL_ENV}/bin:$HOME/.asdf/bin:$HOME/.asdf/shims:$PATH"
+
+RUN useradd --create-home $USERNAME \
+    && mkdir -p ${HOME}/app
+
+COPY --chown=${USERNAME}:${USERNAME} . $HOME/app
+COPY --from=builder-image --chown=${USERNAME}:${USERNAME} /opt/venv /opt/venv
+COPY --from=builder-image --chown=${USERNAME}:${USERNAME} $HOME/.asdf $HOME/.asdf
+
+# avoid stuck build due to user prompt
+ARG DEBIAN_FRONTEND=noninteractive
+
+RUN apt-get -qq update \
+    && apt-get -qq install \
+    --no-install-recommends -y \
+    ca-certificates \
+    curl \
+    git \
+    libsqlite3-dev \
+    sqlite3 \
+    && rm -rf /var/lib/apt/lists/*
+
+# Keeps Python from generating .pyc files in the container
+ENV PYTHONDONTWRITEBYTECODE=1
+
+# Turns off buffering for easier container logging
+ENV PYTHONUNBUFFERED=1
+
+# activate virtual environment
+RUN python -m venv $VIRTUAL_ENV
+
+USER appuser
+
+WORKDIR $HOME/app
+
+# ENTRYPOINT ["python", "main.py"]
+# CMD ["gunicorn", "-c", "config/gunicorn.conf.py", "main:app"]
+CMD ["/bin/bash", "startup.sh"]
+# CMD ["/bin/bash"]
