Produce a docker image based on distroless

element-hq · Dec 18, 2024 · db5cbc9 · db5cbc9
1 parent d113209
commit db5cbc9
Showing 1 changed file with 16 additions and 5 deletions.
diff --git a/docker/Dockerfile b/docker/Dockerfile
@@ -21,6 +21,7 @@
 # in `poetry export` in the past.
 
 ARG DEBIAN_VERSION=bookworm
+ARG DEBIAN_VERSION_NUMERIC=12
 ARG PYTHON_VERSION=3.12
 ARG POETRY_VERSION=1.8.3
 
@@ -109,9 +110,9 @@ RUN \
   fi
 
 ###
-### Stage 2: runtime dependencies download for ARM64 and AMD64
+## Stage 2: runtime dependencies download for ARM64 and AMD64
 ###
-FROM --platform=$BUILDPLATFORM docker.io/library/debian:${DEBIAN_VERSION} AS runtime-deps
+FROM --platform=$BUILDPLATFORM ghcr.io/astral-sh/uv:${DEBIAN_VERSION} AS runtime-deps
 
 # Tell apt to keep downloaded package files, as we're using cache mounts.
 RUN rm -f /etc/apt/apt.conf.d/docker-clean; echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' > /etc/apt/apt.conf.d/keep-cache
@@ -120,6 +121,15 @@ RUN rm -f /etc/apt/apt.conf.d/docker-clean; echo 'Binary::apt::APT::Keep-Downloa
 RUN dpkg --add-architecture arm64
 RUN dpkg --add-architecture amd64
 
+ARG PYTHON_VERSION
+RUN uv python install \
+  cpython-${PYTHON_VERSION}-linux-aarch64-gnu \
+  cpython-${PYTHON_VERSION}-linux-x86_64_v2-gnu
+
+RUN mkdir -p /install-amd64/usr/lib /install-arm64/usr/lib
+RUN mv $(uv python dir)/cpython-*-linux-aarch64-gnu/ /install-arm64/usr/local
+RUN mv $(uv python dir)/cpython-*-linux-x86_64_v2-gnu/ /install-amd64/usr/local
+
 # Fetch the runtime dependencies debs for both architectures
 RUN \
   --mount=type=cache,target=/var/cache/apt,sharing=locked \
@@ -129,8 +139,9 @@ RUN \
     mkdir -p /tmp/debs-${arch} && \
     cd /tmp/debs-${arch} && \
     apt-get download \
-      curl:${arch} \
       gosu:${arch} \
+      zlib1g:${arch} \
+      libstdc++6:${arch} \
       libjpeg62-turbo:${arch} \
       libpq5:${arch} \
       libwebp7:${arch} \
@@ -157,7 +168,7 @@ RUN \
 ### Stage 3: runtime
 ###
 
-FROM docker.io/library/python:${PYTHON_VERSION}-slim-${DEBIAN_VERSION}
+FROM gcr.io/distroless/base-nossl-debian${DEBIAN_VERSION_NUMERIC}:debug
 
 ARG TARGETARCH
 
@@ -176,4 +187,4 @@ EXPOSE 8008/tcp 8009/tcp 8448/tcp
 ENTRYPOINT ["/start.py"]
 
 HEALTHCHECK --start-period=5s --interval=15s --timeout=5s \
-  CMD curl -fSs http://localhost:8008/health || exit 1
+  CMD wget --quiet --tries=1 --spider http://localhost:8008/health || exit 1