Python Docker base images

Requirements on Python container base images

The choice of base image can have a non-trivial impact on the overall long-term success of a Python-based project. Some of the typical requirements concern:

  1. Compatibility
    1. Version of the Python interpreter
    2. Binary or source-code compatibility of compiled components
  2. Security
    1. Traceability & trustworthiness of code
    2. Updates for discovered security bugs
    3. System hardening
  3. Performance
  4. Maintainability

There is a nice discussion by Itamar Turner-Trauring of some of the ways these requirements can be satisfied and traded off at https://pythonspeed.com/articles/base-image-python-docker-images/

Reproducing official images or making customised images

Often the official Python Docker images are sufficient. But if you have specialised requirements such as those below, we can help:

  1. Removing unnecessary features to reduce the attack surface
  2. Building from your own Python source for maximum supply chain assurance
  3. Building with patches against official source
  4. Enabling or disabling specific optimisations or CPU instructions

Tools:

  1. Official Python Dockerfiles
  2. Docker & Pyenv:
    1. https://www.bnikolic.co.uk/blog/python/2023/03/23/pyenvdocker.html
    2. https://github.com/dhermes/python-multi/blob/main/src/Dockerfile
  3. How to dockerize
  4. How to make your Python Docker images secure, fast & small

Hardening of Python deployment containers

One available option is using Cython to compile some or all of the Python source code into binary executable code.

Tools:

  1. Cythonpackage

Copyright and published by: Software Build Factory (C) 2024 Contact info@softwarebuildfactory.com