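###############################################################################
# Build stage
#
# Builds the Python virtualenv and gathers the shared libraries that the
# distroless production stage needs. This stage is not shipped as a whole:
# only the paths the production stage copies explicitly reach the runtime image.
###############################################################################
# Default arguments
# This version is hardcoded but ideally it should pull from the `.python-version`
# When bumping Python versions, we currently have to update the `.python-version` file and this `ARG`
ARG PYTHON_VERSION=3.12.13

# This Debian release (bookworm) needs to match the release of the distroless
# image used by the production stage (debian12).
# NOTE(review): this base is referenced by tag only, while the production base
# is pinned by digest. /usr/local/lib and /usr/local/bin from this stage are
# copied into the production image, so a re-pushed tag changes what ships.
# Consider pinning it as `python:<tag>@sha256:<digest>` as well.
FROM python:${PYTHON_VERSION}-slim-bookworm AS build

WORKDIR /code

ENV PYTHONDONTWRITEBYTECODE=1
ENV PYTHONUNBUFFERED=1

# Install required system packages.
# gcc, libpq-dev and python3-dev are build-time only and are purged further down;
# bash, zsh and coreutils provide the binaries the production stage copies out.
RUN apt-get update \
    && apt-get -y install --no-install-recommends \
        bash \
        coreutils \
        gcc \
        libcap2 \
        libpq-dev \
        libtinfo6 \
        python3-dev \
        zsh \
    && rm -rf /var/lib/apt/lists/* /var/cache/apt/*

# Copy the production-only dependencies into place.
# NOTE(review): requirements-prod-ingestion.txt is copied but no step in this
# file installs it; presumably it is consumed elsewhere. Confirm.
COPY requirements-prod.txt /code/requirements-prod.txt
COPY requirements-prod-ingestion.txt /code/requirements-prod-ingestion.txt

# Install Python production dependencies into /code/.venv. This layer depends only
# on the base image, system packages and requirements files.
# `--no-cache-dir` is applied to the pip self-upgrade too, so neither pip call
# leaves a download cache behind in the layer.
# NOTE(review): pip is upgraded to whatever is current at build time; pin a
# version if builds must be reproducible. If requirements-prod.txt carries
# hashes, `--require-hashes` would make pip enforce them. Confirm.
RUN python3 -m venv /code/.venv \
    && /code/.venv/bin/pip install --no-cache-dir --upgrade pip \
    && /code/.venv/bin/pip install --no-cache-dir -r /code/requirements-prod.txt

# Collect shared-library deps for the distroless runtime.
# Presumably the script populates /deps, which the production stage copies to /.
# Verify against docker/collect_shared_libs.sh.
COPY docker/collect_shared_libs.sh /usr/local/bin/collect_shared_libs.sh
RUN bash /usr/local/bin/collect_shared_libs.sh

# Remove build-time-only packages now that dependencies are installed and
# shared libraries have been collected.
RUN apt-get purge -y --auto-remove gcc libpq-dev python3-dev \
    && rm -rf /var/lib/apt/lists/* /var/cache/apt/*

# Application source code.
# NOTE(review): this copies the entire build context, and the production stage
# copies /code wholesale. A `.dockerignore` is what keeps `.git`, `.env` files,
# local virtualenvs and other credentials out of the shipped image. Confirm one
# exists and excludes `.venv`, which would otherwise overwrite the one built above.
COPY . /code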
###############################################################################
# Production stage (distroless, root)
# NOTE:
# The distroless base image is pinned to a specific digest for reproducible
# builds. When updating, refresh the digest via `docker pull` + `docker inspect`.
#
# NOTE(review): there is no USER instruction, so the container process runs as
# root, as the stage title states. HOME, XDG_CACHE_HOME and the gunicorn pid and
# worker tmp dir already point at /tmp; if nothing in the entrypoint needs root,
# the distroless `nonroot` user is worth evaluating. Confirm against
# docker/entrypoint.sh before switching.
###############################################################################
FROM gcr.io/distroless/cc-debian12@sha256:329e54034ce498f9c6b345044e8f530c6691f99e94a92446f68c0adf9baa8464 AS production

WORKDIR /code

# Python installation and collected shared libraries, taken from the `build` stage.
COPY --from=build /usr/local/lib/ /usr/local/lib/
COPY --from=build /usr/local/bin/ /usr/local/bin/
COPY --from=build /deps/ /

# Shells and the few coreutils binaries the entrypoint tooling relies on.
# bash is here for kaleido's wrapper script.
# These are the only shells in an otherwise shell-less distroless image.
COPY --from=build /usr/bin/zsh /usr/bin/zsh
COPY --from=build /bin/bash /bin/bash
COPY --from=build /usr/bin/dirname /usr/bin/dirname
COPY --from=build /usr/bin/uname /usr/bin/uname

# Application code (includes the /code/.venv created in the build stage).
COPY --from=build /code /code

# Runtime environment: writable state (home, caches, gunicorn pid and worker
# tmp dir) is directed at /tmp, and gunicorn logs go to stdout/stderr.
ENV PYTHONFAULTHANDLER=1 \
    PATH=/usr/local/bin:/usr/bin:/bin \
    HOME=/tmp \
    XDG_CACHE_HOME=/tmp \
    GUNICORN_CMD_ARGS="--pid /tmp/gunicorn.pid --worker-tmp-dir /tmp --access-logfile - --error-logfile -"

EXPOSE 8000

# The entrypoint is a zsh shell, so `./docker/entrypoint.sh` or any other
# tooling can be run from the container by overriding the command.
ENTRYPOINT ["/usr/bin/zsh"]

# With no override, the production server is started.
CMD ["./docker/entrypoint.sh"]