Conversation

@pfarikrispy

  • separate build into stage
  • isolate base image and apt-get
  • isolate the app build
  • copy only the app into a secure Chainguard Python image that's updated frequently
  • group statements for fewer layers
  • use image tag SHAs for more (supply chain) security
  • make non-root user explicit in final stage
  • smaller image that's also more secure
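The checklist above can be turned into a small Dockerfile check. This is an added example, not code from this PR or the chiefonboarding project; SAMPLE_DOCKERFILE and FAKE_DIGEST are constructed inputs, and the check only covers digest pinning, a multi-stage layout, apt list cleanup in the same layer, and an explicit non-root USER in the final stage.

```python
import re

# Constructed sample mirroring the layout this PR proposes: a Debian build stage, a distroless final stage, a non-root USER.
SAMPLE_DOCKERFILE = """\
FROM python:3.13-slim-trixie AS app
RUN apt-get -y update && apt-get install -y --no-install-recommends gettext \\
  && rm -rf /var/lib/apt/lists/*
COPY ./back/ /app

FROM nvcr.io/nvidia/distroless/python:3.13-v3.1.1
COPY --from=app /app /app
USER 65532
CMD ["/usr/bin/supervisord", "-c", "/etc/supervisor/conf.d/supervisord.conf"]
"""
FAKE_DIGEST = "@sha256:" + "0" * 64  # constructed placeholder, not a real image digest


def parse_stages(text):
    """Split a Dockerfile into stages: a list of (image_ref, [(INSTR, args), ...]).
    Backslash-continued lines are merged first so every instruction is one line."""
    stages = []
    for raw in re.sub(r"\\\n\s*", " ", text).splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        instr, _, args = line.partition(" ")
        instr = instr.upper()
        if instr == "FROM":
            # Skip flags such as --platform=...; the first other token is the image reference.
            image = next(t for t in args.split() if not t.startswith("--"))
            stages.append((image, []))
        elif stages:
            stages[-1][1].append((instr, args.strip()))
    return stages


def check_dockerfile(text):
    """Return findings for the supply-chain and least-privilege points of this PR."""
    stages = parse_stages(text)
    if not stages:
        return ["no FROM instruction found"]
    findings = []
    if len(stages) < 2:
        findings.append("single-stage build: build tooling ends up in the runtime image")
    for image, instrs in stages:
        if "@sha256:" not in image:
            findings.append(f"FROM {image} is pinned by tag only, not by digest")
        for instr, args in instrs:
            if instr == "RUN" and "apt-get install" in args and "/var/lib/apt/lists" not in args:
                findings.append("apt-get install without cleaning /var/lib/apt/lists in the same layer")
    users = [args.split(":")[0] for instr, args in stages[-1][1] if instr == "USER"]
    if not users or users[-1] in ("root", "0"):
        findings.append("final stage does not end with a non-root USER")
    return findings
```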

@coveralls
Collaborator

coveralls commented Nov 25, 2025

Coverage Status

coverage: 90.591% (+1.0%) from 89.619%
when pulling 5fe0656 on pfarikrispy:multistage
into f01e5ec on chiefonboarding:master.

Member

@GDay GDay left a comment


Thanks! First time hearing about chainguard, looks good. One question before I merge this.

@pfarikrispy
Author

pfarikrispy commented Nov 26, 2025 via email

@pfarikrispy
Author

I found Google's distroless containers
Not sure which version, not that familiar with Bazel. Seems to use python 3.11. :(

However, from the thread there asking for other python versions, I was led to nvidia's collection of distroless containers for various versions of python and dual arch builds (amd and arm!)
https://catalog.ngc.nvidia.com/orgs/nvidia/teams/distroless/containers/python?version=3.13-v3.1.1
They even have a build with a shell built-in and one without for production.

replace chainguard's latest python container (3.14) with a distroless build from nvidia that uses python 3.13
@GDay
Member

GDay commented Dec 4, 2025

Thank you! This is great, except I get an error when deploying:

panic: exec: "/usr/bin/supervisord": stat /usr/bin/supervisord: no such file or directory

It looks like they also stripped supervisord from the nvidia image.

@pfarikrispy
Author

pfarikrispy commented Dec 4, 2025

Ah yes, I see. supervisord must be copied into the distroless image as well.

I don't fully understand your app or Python. I'm more an engineer than a developer. Sorry. Wanted to make a smaller, more secure container image than the current one. I would like to isolate functionality into its own layers:

  • supervisord
  • the app

then copy the results into a distroless image with python.

redo layers:
- use debian 13 (trixie) to install supervisord
- use python 3.13 with trixie to build the app
- copy everything into the distroless python image from nvidia
@pfarikrispy
Author

@GDay I'm sorry but I'm having trouble redesigning the Dockerfile so that it becomes a secure multi-stage file because I don't understand Python building enough. I'm expecting a requirements.txt somewhere or a pyproject.toml. I do find the Pipfile but I don't know how to deal with that.

I have tried several iterations of the layers locally but each time pipenv complains with the same error:

Dockerfile:17
--------------------
  15 |     COPY ./back/ /app
  16 |     WORKDIR /app
  17 | >>> RUN pipenv install --system
  18 |     RUN django-admin compilemessages 
  19 |     
--------------------
ERROR: failed to build: failed to solve: process "/bin/sh -c pipenv install --system" did not complete successfully: exit code: 2

I'd love to help you get an improved container spec but I need some assistance with Python building.

I also tried to just use one layer to build the app and then copy artifacts into the distroless container, but it's not building the app (yet).

# syntax=docker/dockerfile:1
# Build stage: python images are based off of Debian (trixie here); everything
# installed in this stage stays out of the final image unless copied explicitly
FROM python:3.13-slim-trixie AS app
ENV PYTHONUNBUFFERED=1
# gettext provides msgfmt, which django-admin compilemessages needs
# trunk-ignore(hadolint/DL3008)
RUN apt-get -y update && apt-get install -y --no-install-recommends \
  gettext \
  && rm -rf /var/lib/apt/lists/*
# supervisor is installed with pip instead of apt so that it ends up in the same
# site-packages as the app's dependencies; copying only /usr/bin/supervisord
# would leave its Python package (and its #! interpreter) behind in this stage
# trunk-ignore(hadolint/DL3013)
RUN python -m pip install --no-cache-dir pipenv supervisor
COPY ./back/ /app
WORKDIR /app
# --system installs the Pipfile dependencies into this image's global
# site-packages (/usr/local/lib/python3.13/site-packages), copied below
RUN pipenv install --system
RUN django-admin compilemessages
# runtime directories supervisord writes to (pid file, logs)
RUN mkdir -p /var/run/supervisord /var/log/supervisord

# Final stage: distroless image, no shell, no apt, no build tooling
# checkov:skip=CKV_DOCKER_7: zero-CVE fresh image every build
FROM nvcr.io/nvidia/distroless/python:3.13-v3.1.1
ENV PYTHONUNBUFFERED=1
# Assumption: the site-packages layout of the distroless image is not known, so
# the build stage's packages go into their own directory found via PYTHONPATH
ENV PYTHONPATH=/opt/site-packages
HEALTHCHECK NONE
WORKDIR /
COPY --from=app /usr/local/lib/python3.13/site-packages /opt/site-packages
# two separate COPYs: listing both source directories with "./" as destination
# merged their (empty) contents into / instead of recreating the directories
COPY --from=app --chown=65532:65532 /var/run/supervisord /var/run/supervisord
COPY --from=app --chown=65532:65532 /var/log/supervisord /var/log/supervisord
COPY ./supervisord.conf /etc/supervisor/conf.d/supervisord.conf
COPY --from=app /app /app
# explicit non-root user; the directories above are owned by this uid so
# supervisord can write its pid file and logs there
USER 65532
# run supervisord as a module so no /usr/bin/supervisord script is needed;
# "python3" is assumed to be on PATH in the distroless image
CMD ["python3", "-m", "supervisor.supervisord", "-c", "/etc/supervisor/conf.d/supervisord.conf"]

Do you have any ideas to make that work?
