From dc454eeb3ead2bac6c6c58d7f8f2b549a37421cf Mon Sep 17 00:00:00 2001 From: Alexander Tarasov Date: Fri, 22 May 2026 00:39:44 +0200 Subject: [PATCH] build: try ghcr.io/oioki/python-base-image for distroless targets MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Swap the application-distroless and application-distroless-debug FROMs from ghcr.io/getsentry/dhi/python:3.13-debian13(-dev) to ghcr.io/oioki/python-base-image/python:3.13-debian13(-dev). The replacement is a drop-in: same /opt/python layout, same LD_LIBRARY_PATH, same CA bundle path. Multi-arch images (amd64+arm64) are published from https://github.com/oioki/python-base-image and built by walking CPython's shared-library closure rather than apko/ melange-style exclusion lists. For showcase only — draft. Co-Authored-By: Claude Opus 4.7 (1M context) --- Dockerfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index 21e49d39c5..34f86ad1d7 100644 --- a/Dockerfile +++ b/Dockerfile @@ -163,7 +163,7 @@ RUN ln -sf /opt/python/bin/python3 /.venv/bin/python3 && \ RUN find /.venv -name "*.so" -exec ldd {} \; 2>&1 | grep "not found" && exit 1 || true # Distroless production image — minimal attack surface, no shell -FROM ghcr.io/getsentry/dhi/python:3.13-debian13 AS application-distroless +FROM ghcr.io/oioki/python-base-image/python:3.13-debian13 AS application-distroless COPY --from=distroless_prep /.venv /.venv COPY --from=distroless_prep /usr/src/snuba /usr/src/snuba @@ -187,7 +187,7 @@ ENTRYPOINT ["python3", "/usr/src/snuba/docker_entrypoint.py"] CMD ["api"] # Debug distroless image — includes busybox (sh, ls, cat, wget, env, etc.) -FROM ghcr.io/getsentry/dhi/python:3.13-debian13-dev AS application-distroless-debug +FROM ghcr.io/oioki/python-base-image/python:3.13-debian13-dev AS application-distroless-debug COPY --from=distroless_prep /.venv /.venv COPY --from=distroless_prep /usr/src/snuba /usr/src/snuba