distroless-python images

Latest Build
Source	https://github.com/autumnjolitz/distroless-python
Issues	https://github.com/autumnjolitz/distroless-python/issues
DockerHub	https://hub.docker.com/r/autumnjolitz/distroless-python

Images

DockerHub:

• 3.12-alpine3.20
• 3.11-alpine3.20
• 3.10-alpine3.20
• 3.9-alpine3.20
• 3.8-alpine3.20

Github Container Repository:

• ghcr.io/autumnjolitz/distroless-python:3.12-alpine3.20
• ghcr.io/autumnjolitz/distroless-python:3.11-alpine3.20
• ghcr.io/autumnjolitz/distroless-python:3.10-alpine3.20
• ghcr.io/autumnjolitz/distroless-python:3.9-alpine3.20
• ghcr.io/autumnjolitz/distroless-python:3.8-alpine3.20

About

A distroless image is one that has the bare minimum to run the application.

By definition, a distroless image is secure as it has less code, less entrypoints.

distroless-python builds off of the official DockerHub python images, which means that as the official images are updated, a refresh is a simple CI/CD run away to get any updates or bugfixes.

$  docker images | grep -E \
>   '^(REPO|gcr.io/distroless/python3|autumnjolitz/distroless-python|python)' | \
>   grep -E 'REPO|latest|3.12-alpine3.20' | sort
REPOSITORY                       TAG                IMAGE ID       CREATED         SIZE
autumnjolitz/distroless-python   3.12-alpine3.20    4a335b955cb1   54 years ago    27.8MB
gcr.io/distroless/python3        latest             e83c6b1e2ef3   N/A             52.8MB
python                           3.12-alpine3.20    2ec26f9329f2   5 days ago      55.3MB

a distroless-python image provides:

• python3
• dash
• ca-certificates (NB: Use update-ca-certificates to update them)

To save space, the standard library has been byte-compiled and compressed into a zip file which is imported by the interpreter.

ensurepip is replaced with a no-op to allow venv to continue functioning.

Development

For each image, there is a -buildroot companion package. You may FROM $SOURCE-buildroot AS builder in your own Dockerfile``s and add to the new root at ``$BUILD_ROOT!

The following is an example demonstrating the installation of a PyPI package (httpie) into a minimal image.

Given the following Dockerfile, we will add httpie to the image and reference just that!

#syntax=docker/dockerfile:1
FROM autumnjolitz/distroless-python:3.12-alpine3.20-buildroot AS buildroot
RUN python -m pip install \
        --no-cache \
        --prefix "$BUILD_ROOT/usr/local" \
        httpie

FROM autumnjolitz/distroless-python:3.12-alpine3.20
COPY --from=buildroot \
    /$BUILD_ROOT/usr/local/lib/python$PYTHON_VERSION/site-packages \
    /usr/local/lib/python$PYTHON_VERSION/site-packages
COPY --from=buildroot \
    /$BUILD_ROOT/usr/local/bin/http \
    /usr/local/bin/http

ENTRYPOINT ["http"]

Build and test the image!

$ docker build -t httpie =f Dockerfile .
$ docker run --rm -it httpie pie.dev/get
HTTP/1.1 200 OK
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: *
Connection: keep-alive
Content-Encoding: gzip
Content-Type: application/json
Date: Sat, 03 Aug 2024 07:00:04 GMT
Transfer-Encoding: chunked
alt-svc: h3=":443"; ma=86400

{
    "args": {},
    "headers": {
        "Accept": "*/*",
        "Accept-Encoding": "gzip",
        "Connection": "Keep-Alive",
        "Host": "pie.dev",
        "User-Agent": "HTTPie/3.2.3"
    },
    "origin": "[suppressed]",
    "url": "http://pie.dev/get"
}
$ docker images test
REPOSITORY   TAG       IMAGE ID       CREATED         SIZE
httpie         latest    7c6811df800d   3 minutes ago   43.3MB

Isn't that neat? Tiny images!

Another example may be found at examples/simple-flask/!