Conversation

@kohsuke
Contributor
@kohsuke kohsuke commented Jun 4, 2025

The immediate motivation for the change was from a prospect who had the opsec policy to avoid root in containers. That in turn revealed the problem that the current container is built with venv, a rather odd choice for a container!

It turns out that we probably didn't choose venv because we were clever. Rather, the base image was ubuntu and it disabled/discouraged global pip package installation as it collides with APT.

I could have ignored that warning anyway, but at this point it seems to me that Ubuntu is not helping, it's hurting. So I switched to python:3.x-slim, which appears to be built with the `pip install --global xyz` mindset.

The other key change was to build the package from local source tree, as opposed to install from PyPI. I expect this will be key to automate this into the release process.

@kohsuke kohsuke requested review from Copilot and ono-max June 4, 2025 18:48


@kohsuke kohsuke requested a review from Copilot June 4, 2025 20:43
Contributor

Copilot AI left a comment


Pull Request Overview

This PR reworks the Dockerfile to align with updated container policies by switching from an Ubuntu base with venv to a Python slim image that better supports global pip installations, and by building the package from a local source tree.

  • Switches base image to python:3.11-slim and splits the build process into multi-stage builds.
  • Installs additional dependencies and builds a wheel from the source tree.
  • Implements running the container as a non-root user for improved security.
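A Dockerfile of the shape the PR description and the review summary describe (python:3.11-slim base, multi-stage build, wheel built from the local source tree, global pip install without a venv, non-root runtime user), written here as an added example and not the repository's own file; the project name, console-script name and uid/gid are placeholders.

```dockerfile
# Stage 1: build a wheel from the checked-out source tree, not from PyPI
FROM python:3.11-slim AS builder
WORKDIR /src
# The build context is the project root (placeholder project; adjust as needed)
COPY . /src
RUN pip install --no-cache-dir build \
    && python -m build --wheel --outdir /dist /src

# Stage 2: runtime image; the builder's toolchain and source do not carry over
FROM python:3.11-slim AS runtime
COPY --from=builder /dist/*.whl /tmp/
# Global install with pip: no venv, no APT-managed Python to collide with
RUN pip install --no-cache-dir /tmp/*.whl \
    && rm -f /tmp/*.whl

# Create an unprivileged user with a fixed uid/gid (placeholder values) so
# ownership of mounted volumes is predictable on the host side
RUN groupadd --system --gid 10001 app \
    && useradd --system --uid 10001 --gid app \
               --home-dir /home/app --create-home app

# Everything from here on runs without root
USER app
WORKDIR /home/app

# Placeholder console-script name installed by the wheel's entry points
ENTRYPOINT ["example-cli"]
```

To confirm the policy is actually enforced, `docker run --rm --entrypoint id <image>` should report uid 10001 rather than root.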

@sonarqubecloud

sonarqubecloud bot commented Jun 4, 2025

@ono-max ono-max merged commit 47aba7d into main Jun 4, 2025
15 checks passed
@ono-max ono-max deleted the dockerfile branch June 4, 2025 21:29
@github-actions github-actions bot mentioned this pull request Jun 4, 2025