I am trying to create a Python-based image with some packages installed, but I want the image layers not to show anything about the packages I installed.

I am trying to use a multi-stage build, e.g.:

    FROM python:3.9-slim-buster as builder
    # (I don't want this command to be seen when checking the docker image layers, so that's why I'm using a multi-stage build)
    RUN pip install django

    FROM python:3.9-slim-buster
    # Here I want to copy all the site packages
    COPY --from=builder /usr/local/lib/python3.9/site-packages /usr/local/lib/python3.9/site-packages

Now build the image:

    docker build -t python_3.9-slim-buster_custom:latest .

and later check the image layers:

    dive python_3.9-slim-buster_custom:latest

This will not show the RUN pip install django line.

Will this be a good way to achieve what I want (hide all the pip install commands)?

3 Answers

  1. Chosen as BEST ANSWER

    Currently what's working for me is:

    FROM python:3.9-slim-buster as builder
    # DO ALL YOUR STUFF HERE
    
    FROM python:3.9-slim-buster
    COPY --from=builder / /
    

  2. It depends on what you are installing whether this will be sufficient or not. Some Python libraries add binaries to your system on which they rely.

    FROM python:3.9-alpine as builder
    # install stuff
    
    
    FROM python:3.9-alpine
    
    # this is for sure required
    COPY --from=builder /usr/local/lib/python3.9/site-packages /usr/local/lib/python3.9/site-packages
    
    # this depends on what you are installing
    COPY --from=builder /usr/local/bin /usr/local/bin
    
  3. The usual approach I see for this is to use a virtual environment in an earlier build stage, then copy the entire virtual environment into the final image. Remember that virtual environments are very specific to a single Python build and installation path.

    If your application has its own setup.cfg or setup.py file, then a minimal version of this could look like:

    FROM python:3.9-slim-buster as builder
    
    # If you need build-only tools, like build-essential for Python C
    # extensions, install them first
    # RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install ...
    
    WORKDIR /src
    
    # Create and "activate" the virtual environment
    RUN python3 -m venv /app
    ENV PATH=/app/bin:$PATH
    
    # Install the application as normal
    COPY requirements.txt .
    RUN pip install -r requirements.txt
    COPY . .
    RUN pip install .
    
    FROM python:3.9-slim-buster
    
    # If you need runtime libraries, like a database client C library,
    # install them first
    # RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install ...
    
    # Copy the entire virtual environment over
    COPY --from=builder /app /app
    ENV PATH=/app/bin:$PATH
    
    # Run an entry_points script from the setup.cfg as the main command
    CMD ["my_app"]
    

    Note that this has only minimal protection against a curious user seeing what’s in the image. The docker history or docker inspect output will show the /app container directory, you can docker run --rm the-image pip list to see the package dependencies, and the application and library source will be present in a human-readable form.

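Added example, not part of any answer above: a short Python audit of what a final image still reveals, illustrating the caveat in the last answer. It assumes you have the image config JSON (the OCI config's `history` array) and a file listing of the copied layer; both samples below are constructed, including the package versions.

```python
import json
import re

# Constructed samples of the "history" array in an OCI image config.
SINGLE_STAGE = json.dumps({"history": [
    {"created_by": "/bin/sh -c #(nop)  CMD [\"python3\"]", "empty_layer": True},
    {"created_by": "RUN /bin/sh -c pip install -r requirements.txt # buildkit"},
]})
MULTI_STAGE = json.dumps({"history": [
    {"created_by": "/bin/sh -c #(nop)  CMD [\"python3\"]", "empty_layer": True},
    {"created_by": "COPY /app /app # buildkit"},
    {"created_by": "ENV PATH=/app/bin:/usr/local/bin:/usr/bin:/bin", "empty_layer": True},
    {"created_by": "CMD [\"my_app\"]", "empty_layer": True},
]})

# Constructed file listing of the layer created by the COPY step.
LAYER_FILES = [
    "app/bin/my_app",
    "app/lib/python3.9/site-packages/django/__init__.py",
    "app/lib/python3.9/site-packages/Django-3.2.25.dist-info/METADATA",
    "app/lib/python3.9/site-packages/sqlparse-0.4.4.dist-info/METADATA",
    "app/lib/python3.9/site-packages/asgiref-3.7.2.dist-info/METADATA",
]

PIP_INSTALL = re.compile(r"\bpip3?\s+install\b")
DIST_INFO = re.compile(r"site-packages/([^/]+)-([^/-]+)\.dist-info/METADATA$")


def pip_install_steps(config_json):
    """Return the build steps in the image history that run pip install."""
    history = json.loads(config_json).get("history", [])
    return [h["created_by"] for h in history
            if PIP_INSTALL.search(h.get("created_by", ""))]


def packages_in_layer(paths):
    """Recover {name: version} from the *.dist-info directories in a layer."""
    found = {}
    for path in paths:
        m = DIST_INFO.search(path)
        if m:
            found[m.group(1)] = m.group(2)
    return found


if __name__ == "__main__":
    print("single-stage:", pip_install_steps(SINGLE_STAGE))
    print("multi-stage: ", pip_install_steps(MULTI_STAGE))
    print("packages:    ", packages_in_layer(LAYER_FILES))
```

The multi-stage history carries no pip install step, but the package names and versions are still recoverable from the copied files, so the build keeps the history tidy without keeping the dependency list confidential.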