Add build stage to Dockerfile #155
Conversation
|
@alexgleith according to the commit logs it was you who removed the previously existing build-stage of the Dockerfile. What do you say about re-introducing it? There's a substantial saving in image size, and a fair amount of fewer security vulnerabilities flagged by Trivy. This PR builds the binary wheels in the build stage of the container and installs them in the "real" container. I'm not sure how to put the wheels in the requirements.txt so it works with pip-compile, or if we perhaps could drop the pip-compile step completely (which would reduce the number of releases required since a rebuild of the image would give security updates). And as a general remark, I cannot understand how the CI tests did not trigger the eodatasets3 distutils dependency problem until now. |
There was a problem hiding this comment.
Looks good to me. Does it reduce the image size significantly?
The reason I like single-stage builds is that it keep things simpler... but this looks neat and tidy, and with Python 12 requiring virtual environments, it's a good way to do it.
One idea, and it's kinda complex too, is to use uv to do the installing... it's super fast. Does introduce a new change, though. Example here for doing that: https://github.com/auspatious/ldn-land-productivity/blob/main/Dockerfile
index/Dockerfile
Outdated
| @@ -37,26 +68,30 @@ RUN apt-get update \ | |||
| ENV VIRTUAL_ENV=/virtualenv/python3.12 \ | |||
There was a problem hiding this comment.
You could set this earlier, and use it in the previous step.
pjonsson
force-pushed
the
split-docker-file
branch
2 times, most recently
from
f98f867 to
70a2b23
Compare
|
According to "docker images", the image is now 966MB instead of 1.43GB, which I think should be considered respectable savings. I would like to make a release of this repository when the don't-hang-on-empty-stac-files fix has appeared in a release on PyPi, so I'll update uv.lock and version.txt in a separate PR when that time comes. |
pjonsson
force-pushed
the
split-docker-file
branch
from
70a2b23 to
5ec50f7
Compare
The image currently has 840 security vulnerabilities according to Trivy. Many of those vulnerabilities are in the development packages, so add a build stage to the Dockerfile so the development packages do not end up in the final image. This reduces the final image size by roughly 1/3 of its size. Since everything is being changed, also replace wget with curl, so we get error messages on HTTP failures (wget -q silences everything including error printouts, and the behavior cannot be overridden).
pjonsson
force-pushed
the
split-docker-file
branch
from
5ec50f7 to
9abae8d
Compare
|
Seems the build failed for the job that pushes the image. I have no idea what is causing it, but I filed bug report on the action (whoan/docker-build-with-cache-action#161) and made a PR that adds Dependabot for Github actions/Dockerfile updates (whoan/docker-build-with-cache-action#162) in case it is related to the Docker version the action uses. |
The image currently has 840 security
vulnerabilities according to Trivy.
Many of those vulnerabilities are
in the development packages, so
add a build stage to the Dockerfile
so the development packages do not
end up in the final image. This reduces
the final image size by roughly
1/3 of its size.
Since everything is being changed,
also replace wget with curl, so we
get error messages on HTTP failures
(wget -q silences everything including
error printouts, and the behavior
cannot be overridden).