Dockerfile: add build stage

The image currently has 840 security vulnerabilities according to Trivy. Many of those vulnerabilities are in the development packages, so add a build stage to the Dockerfile so the development packages do not end up in the final image. This reduces the final image size by roughly 1/3 of its size. Since everything is being changed, also replace wget with curl, so we get error messages on HTTP failures (wget -q silences everything including error printouts, and the behavior cannot be overridden).
opendatacube · Nov 21, 2024 · f98f867 · f98f867
1 parent 4d4c757
commit f98f867
Show file tree

Hide file tree

Showing 4 changed files with 1,876 additions and 399 deletions.
diff --git a/index/Dockerfile b/index/Dockerfile
@@ -1,25 +1,27 @@
-FROM ghcr.io/osgeo/gdal:ubuntu-small-3.10.0
+# syntax=docker/dockerfile:1
+FROM ghcr.io/osgeo/gdal:ubuntu-small-3.10.0 AS builder
+
+ARG UV=https://github.com/astral-sh/uv/releases/download/0.5.4/uv-x86_64-unknown-linux-gnu.tar.gz
 
-ENV DEBIAN_FRONTEND=noninteractive \
-    LC_ALL=C.UTF-8 \
-    LANG=C.UTF-8
+ENV LC_ALL=C.UTF-8 \
+    LANG=C.UTF-8 \
+    PYTHONDONTWRITEBYTECODE=1 \
+    PYTHONUNBUFFERED=1 \
+    UV_LINK_MODE=copy \
+    UV_COMPILE_BYTECODE=0 \
+    UV_PYTHON_DOWNLOADS=never \
+    UV_PYTHON=python3.12 \
+    UV_PROJECT_ENVIRONMENT=/app
 
-RUN apt-get update \
+RUN export DEBIAN_FRONTEND=noninteractive \
+    && apt-get update \
     && apt-get upgrade -y \
-    # Python virt environment
-    && apt-get install -y --no-install-recommends \
-        virtualenv \
-    && mkdir /virtualenv \
-    && virtualenv /virtualenv/python3.12 \
-    && . /virtualenv/python3.12/bin/activate \
     # Developer convenience
     && apt-get install -y --no-install-recommends \
-        git \
-        fish \
-        wget \
         unzip \
-        # Build tools\
+        # Build tools
         build-essential \
+        libffi-dev \
         python3-dev \
         # For Psycopg2
         libpq-dev \
@@ -28,35 +30,62 @@ RUN apt-get update \
         lsb-release \
         # for shapely with --no-binary
         libgeos-dev \
-        postgresql-client-16 \
     # Cleanup
     && apt-get autoclean \
     && apt-get autoremove \
     && rm -rf /var/lib/{apt,dpkg,cache,log}
 
-ENV VIRTUAL_ENV=/virtualenv/python3.12 \
-    PATH=/virtualenv/python3.12/bin:$PATH
+WORKDIR /build
 
-COPY requirements.txt constraints.txt version.txt /conf/
+ADD --checksum=sha256:c5b63d1cd0a894246195250c034f9d82d646dc8f718f1f424cec2bb1a42e7b17 --chown=root:root --chmod=644 --link $UV uv.tar.gz
 
-RUN cat /conf/version.txt \
-  && pip install --no-cache-dir --upgrade pip \
-  && pip install --no-cache-dir \
-    -r /conf/requirements.txt \
-    -c /conf/constraints.txt
+RUN tar xf uv.tar.gz -C /usr/local/bin --strip-components=1 --no-same-owner
+
+COPY --link pyproject.toml version.txt uv.lock /build/
 
-RUN pip freeze
+RUN --mount=type=cache,target=/root/.cache \
+    uv sync --locked --no-dev --no-install-project \
+      --no-binary-package fiona \
+      --no-binary-package rasterio \
+      --no-binary-package shapely
+
+FROM ghcr.io/osgeo/gdal:ubuntu-small-3.10.0
+
+ENV LC_ALL=C.UTF-8 \
+    LANG=C.UTF-8 \
+    PATH=/app/bin:$PATH \
+    PYTHONDONTWRITEBYTECODE=1 \
+    PYTHONUNBUFFERED=1
+
+RUN export DEBIAN_FRONTEND=noninteractive \
+    && apt-get update \
+    && apt-get upgrade -y \
+    # Developer convenience
+    && apt-get install -y --no-install-recommends \
+        unzip \
+        # For Psycopg2
+        libpq5 \
+        lsb-release \
+        postgresql-client-16 \
+    # Cleanup
+    && apt-get autoclean \
+    && apt-get autoremove \
+    && rm -rf /var/lib/{apt,dpkg,cache,log}
+
+WORKDIR /conf
+
+COPY --from=builder --link --chown=ubuntu:ubuntu /app /app
+COPY --from=builder --link /build/*.txt /conf/
 
 # Copy Datacube bootstrapping and other scripts
-ADD ./assets /code
-RUN wget -q https://github.com/opendatacube/datacube-dataset-config/archive/refs/heads/main.zip \
-    -O /tmp/datacube-dataset-config.zip \
+COPY --link ./assets /code
+RUN cat /conf/version.txt \
+    && curl -L -fsS https://github.com/opendatacube/datacube-dataset-config/archive/refs/heads/main.zip \
+    -o /tmp/datacube-dataset-config.zip \
     && unzip -q /tmp/datacube-dataset-config.zip -d /tmp \
     && cp -r /tmp/datacube-dataset-config-main/odc-product-delete /code/odc-product-delete \
-    && rm -r /tmp/datacube-dataset-config-main /tmp/datacube-dataset-config.zip
-
-## Do some symlinking
-RUN ln -s /code/bootstrap-odc.sh /usr/local/bin/bootstrap-odc.sh
+    && rm -r /tmp/datacube-dataset-config-main /tmp/datacube-dataset-config.zip \
+    && ln -s /code/bootstrap-odc.sh /usr/local/bin/bootstrap-odc.sh
 
 # Smoke test
 RUN s3-to-dc --help