This document discusses best practices for building Python applications in containers. It recommends containers be fast, small, secure, and usable. Specific strategies covered include using binary wheels to minimize build steps, building Python from source in a separate stage for caching, using multi-stage builds to optimize layers and size, and generating self-contained binary wheels. The conclusion emphasizes thinking through container strategies before implementation to achieve performance and portability.

1. Building Containers for Python Applications
Moshe Zadka – https://cobordism.com
2021

2. Acknowledgement of Country
Belmont (in San Francisco Bay Area Peninsula)
Ancestral homeland of the Ramaytush Ohlone people

3. What is good

4. What is good
I To crush your enemies

5. What is good
I To crush your enemies
I To see them driven before you

6. What is good
I To crush your enemies
I To see them driven before you
I Um, wrong slides

7. What is good
I Fast

8. What is good
I Fast
I Small

9. What is good
I Fast
I Small
I Secure

10. What is good
I Fast
I Small
I Secure
I Usable

11. Specifying the requirements
Let’s be more concrete
I Keep up to date

12. Specifying the requirements
Let’s be more concrete
I Keep up to date
I Reproducible builds

13. Specifying the requirements
Let’s be more concrete
I Keep up to date
I Reproducible builds
I No compilers in prod

14. Specifying the requirements
Let’s be more concrete
I Keep up to date
I Reproducible builds
I No compilers in prod
I Keep size (reasonably) small

15. Up to date
Install security updates

16. Up to date
Install security updates
But when?

17. Up to date
Install security updates
But when? Depends!

18. Reproducible builds
Same code gives same results

19. Reproducible builds
Same code gives same results
...mostly

20. No compilers in prod
A common anti-pattern

21. No compilers in prod
A common anti-pattern
...surprisingly easy to get wrong!

22. Size
I Diminishing returns

23. Size
I Diminishing returns
I Cost savings

24. Support binary wheels
Installing and building

25. Support binary wheels
Installing and building
Faster

26. Support binary wheels
Installing and building
Faster
Simplifies images

27. Not run as root
General hygiene

28. Minimal privileges
Especially avoid permissions to pip install

29. Fast rebuilds
Responsiveness!

30. Base OS
The distro wars are back?

31. Base - size
Most modern distros have a decent minimal server

32. Base - size
Most modern distros have a decent minimal server
...but Debian is easiest to get smallest.

33. Base - LTS/support
Usually around 5 years

34. Base - LTS/support
Usually around 5 years
Gives you time to upgrade!

35. Base - Volatility
How much change?
Security? Backports? Fixes?

36. Debian
LTS: 5 years
Conservative

37. Ubuntu
LTS: 5 years
(Universe, Multiverse, etc...)
Fairly conservative

38. Alpine (probably not)
Uses musl, not manylinux compatible

39. Rolling releases (probably not)
Up to date, but...

40. Rolling releases (probably not)
Up to date, but...
updates can change major versions!

41. CentOS
Rolling release!

42. How to get Python?
So many options...

43. Not system Python
Distros aim Python at distro packages

44. Not system Python
Distros aim Python at distro packages
not user programs.

45. Appropriate repositories
Famous examples: deadsnakes PPA for Ubuntu

46. pyenv
Builds and installs Python

47. python-build
Builds and installs Python

48. Source
RUN c o n f i g u r e [ . . . ]
RUN make
RUN make i n s t a l l

49. Source
RUN c o n f i g u r e [ . . . ]
RUN make
RUN make i n s t a l l
Build from source + Debian?

50. Source
RUN c o n f i g u r e [ . . . ]
RUN make
RUN make i n s t a l l
Build from source + Debian?python: images are basically that!

51. Trade-offs
Control vs. Work vs. Problems

52. Versions
Support multiple for upgrade path

53. Versions
Support multiple for upgrade path
2-3

54. Container multistage build (quick recap)
Only one stage output

55. Container multistage build (quick recap)
Only one stage output
other stages help

56. FROM
Use previous stage as starting image

57. COPY –from
Copy files from previous stage

58. Stages a as modules
FROM ubuntu as s e c u r i t y −updates
RUN add−apt−r e p o s i t o r y ppa : deadsnakes /ppa
RUN apt−get update
RUN apt−get upgrade
FROM s e c u r i t y −updates as with −38
RUN apt−get i n s t a l l python3 .8
FROM s e c u r i t y −updates as with −39
RUN apt−get i n s t a l l python3 .9

59. Separate build and runtime
Especially when building from source!

60. Separate build and runtime
Especially when building from source!
FROM ubuntu as b u i l d e r
# i n s t a l l b u i l d dependencies
# b u i l d Python i n t o / opt /myorg/ python
FROM ubuntu as as runtime
COPY −−from=b u i l d e r
/ opt /myorg/ python
/ opt /myorg/ python

61. Optimizing layers
Put everything under /opt/myorg
Use one COPY −−from=...

62. Optimizing size
After building Python, remove:
I Tests
I Builder dependencies (in runtime)
I ....and more

63. Binary wheels
I Build with builder
I Copy to runtime
I Install in virtual environment

64. Binary wheels (alt)
I Build with builder
I Install in virtual environment
I Copy virtual environment to runtime

65. Patchelf
Used to make wheels self-contained
Newest version needed

66. Auditwheel
Use pip to install

67. Self-contained binary wheels
Run
auditwheel r e p a i r −−platform l i n u x x 8 6 6 4

68. Self-contained binary wheels
Run
auditwheel r e p a i r −−platform l i n u x x 8 6 6 4
No need for binary dependencies!

69. Portable binary wheels
I Oldest supported?

70. Portable binary wheels
I Oldest supported?
Example:
auditwheel r e p a i r −−platform manylinux 2 27 x86 64

71. Generating binary wheels
Build instructions in docs

72. Generating binary wheels
Build instructions in docs
Build dependencies

73. Optimizing layers
Reduce copies

74. Optimizing layers
Reduce copies
Prep

75. Optimizing caching
Where to build wheel?

76. Optimizing caching
Where to build wheel?
What invalidates caching?

77. Conclusion
I Wrong easier than right

78. Conclusion
I Wrong easier than right
I But right is amazing

79. Conclusion
I Wrong easier than right
I But right is amazing
I Think before you docker

80. Further Resources
Itamar’s series – https://pythonspeed.com/docker/