| Latest Build |  |
|---|---|
| Source | github.com/autumnjolitz/distroless-python |
| Issues | github.com/autumnjolitz/distroless-python/issues |
| DockerHub | autumnjolitz/distroless-python |
DockerHub:
Github Container Repository:
ghcr.io/autumnjolitz/distroless-python:3.12-alpine3.20ghcr.io/autumnjolitz/distroless-python:3.11-alpine3.20ghcr.io/autumnjolitz/distroless-python:3.10-alpine3.20ghcr.io/autumnjolitz/distroless-python:3.9-alpine3.20ghcr.io/autumnjolitz/distroless-python:3.8-alpine3.20
A distroless image is one that has the bare minimum to run the application.
By definition, a distroless image is secure as it has less code, less entrypoints.
distroless-python builds off of the official DockerHub python images, which means that as the official images are updated, a refresh is a simple CI/CD run away to get any updates or bugfixes.
$ docker images | grep -E \ >'^(REPO|gcr.io/distroless/python3|autumnjolitz/distroless-python|python)'| \ > grep -E 'REPO|latest|3.12-alpine3.20'| sort REPOSITORY TAG IMAGE ID CREATED SIZE autumnjolitz/distroless-python 3.12-alpine3.20 4a335b955cb1 54 years ago 27.8MB gcr.io/distroless/python3 latest e83c6b1e2ef3 N/A 52.8MB python 3.12-alpine3.20 2ec26f9329f2 5 days ago 55.3MBa distroless-python image provides:
- python3
- dash
- ca-certificates (NB: Use
update-ca-certificatesto update them)
To save space, the standard library has been byte-compiled and compressed into a zip file which is imported by the interpreter.
ensurepip is replaced with a no-op to allow venv to continue functioning.
For each image, there is a -buildroot companion package. You may FROM $SOURCE-buildroot AS builder in your own Dockerfile``s and add to the new root at ``$BUILD_ROOT!
The following is an example demonstrating the installation of a PyPI package (httpie) into a minimal image.
Given the following Dockerfile, we will add httpie to the image and reference just that!
#syntax=docker/dockerfile:1FROM autumnjolitz/distroless-python:3.12-alpine3.20-buildroot AS buildroot RUN python -m pip install \ --no-cache \ --prefix "$BUILD_ROOT/usr/local" \ httpie FROM autumnjolitz/distroless-python:3.12-alpine3.20 COPY --from=buildroot \ /$BUILD_ROOT/usr/local/lib/python$PYTHON_VERSION/site-packages \ /usr/local/lib/python$PYTHON_VERSION/site-packages COPY --from=buildroot \ /$BUILD_ROOT/usr/local/bin/http \ /usr/local/bin/http ENTRYPOINT ["http"]As an additional helper, the chroot-apk command in the buildroot environment can be used to install apk packages.
Build and test the image!
$ docker build -t httpie =f Dockerfile . $ docker run --rm -it httpie pie.dev/get HTTP/1.1 200 OK Access-Control-Allow-Credentials: true Access-Control-Allow-Origin: * Connection: keep-alive Content-Encoding: gzip Content-Type: application/json Date: Sat, 03 Aug 2024 07:00:04 GMT Transfer-Encoding: chunked alt-svc: h3=":443"; ma=86400{"args":{}, "headers":{"Accept": "*/*", "Accept-Encoding": "gzip", "Connection": "Keep-Alive", "Host": "pie.dev", "User-Agent": "HTTPie/3.2.3" }, "origin": "[suppressed]", "url": "http://pie.dev/get" } $ docker images test REPOSITORY TAG IMAGE ID CREATED SIZE httpie latest 7c6811df800d 3 minutes ago 43.3MBIsn't that neat? Tiny images!
Another example may be found at examples/simple-flask/!