From 4cab8f826ba74313ed08d00aa588958f4ff19109 Mon Sep 17 00:00:00 2001
From: Marco Nenciarini
Date: Thu, 29 Jan 2026 14:20:34 +0100
Subject: [PATCH] fix: compile all Python bytecode in final stage as root

Move compileall to the final distroless stage and run it as root to ensure all Python files are pre-compiled, including the system standard library. This avoids runtime compilation errors when the filesystem is read-only.

Signed-off-by: Marco Nenciarini
---
 containers/Dockerfile.sidecar | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/containers/Dockerfile.sidecar b/containers/Dockerfile.sidecar
index 61bf670..0b8df35 100644
--- a/containers/Dockerfile.sidecar
+++ b/containers/Dockerfile.sidecar
@@ -59,11 +59,9 @@ RUN apt-get update && \
 COPY containers/sidecar-requirements.txt .
 
 # Create virtualenv and install dependencies
-# Compileall ensures all bytecode is freshly compiled with correct timestamps
 RUN python3 -m venv /venv && \
     /venv/bin/pip install --upgrade pip setuptools wheel && \
-    /venv/bin/pip install --no-cache-dir -r sidecar-requirements.txt && \
-    /venv/bin/python -m compileall -q /venv
+    /venv/bin/pip install --no-cache-dir -r sidecar-requirements.txt
 
 # Download and extract runtime library packages and their dependencies
 # Using apt-cache to automatically resolve dependencies, filtering out packages
@@ -91,7 +89,7 @@ RUN mkdir -p /dependencies /build/downloads && \
 done
 
 # Final sidecar image
-# Using distroless base for minimal attack surface (no shell, no package manager)
+# Using distroless base for minimal size and less extra packages
 FROM gcr.io/distroless/python3-debian13:nonroot
 
 ENV SUMMARY="CloudNativePG Barman plugin" \
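Review bot: The rewritten comment above `FROM gcr.io/distroless/python3-debian13:nonroot` in the second hunk reads awkwardly and drops the rationale that actually justifies the base choice: "less extra packages" should be "fewer packages", and the image still ships no shell or package manager, which is the property that matters for the sidecar and the reason the `RUN` added later in this patch has to use exec form. Keeping both motives in one line avoids losing that context for the next maintainer. Suggested wording: `# Using distroless base for minimal size and attack surface (no shell, no package manager)`.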
@@ -118,5 +116,9 @@ COPY --from=pythonbuilder /dependencies/usr/lib /usr/lib
 # Copy Go manager binary
 COPY --from=gobuilder /workspace/manager /manager
 
+# Compile all Python bytecode as root to avoid runtime compilation
+USER 0:0
+RUN ["/venv/bin/python3", "-m", "compileall", "-q", "/usr/lib/python3.13", "/venv"]
+
 USER 26:26
 ENTRYPOINT ["/manager"]
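Review bot: The stdlib directory `/usr/lib/python3.13` in the new `RUN` line is hard-coded while the base tag `python3-debian13:nonroot` is not pinned by digest, so a base bump to another Python minor would leave that argument pointing at a missing directory; as far as I recall, `compileall` then only prints "Can't list" for it and still exits 0 under `-q`, so the stdlib would quietly go uncompiled and this fix would regress unnoticed. Deriving the path from the interpreter removes the drift, e.g. `RUN ["/venv/bin/python3", "-c", "import compileall, sys, sysconfig; ok = compileall.compile_dir(sysconfig.get_paths()['stdlib'], quiet=1) and compileall.compile_dir('/venv', quiet=1); sys.exit(0 if ok else 1)"]`, and pinning the base by digest would at least make a mismatch an explicit change rather than a silent one. The `USER 0:0` / `USER 26:26` bracket is correct as written, but the comment should say why root is needed, e.g. `# Compile as root: /usr/lib and /venv are not writable by the runtime UID 26:26` — that ownership is inferred from the copy steps, not visible here, so confirm it. Note too that CPython does not fail an import when it cannot write a `.pyc` on a read-only filesystem, it just recompiles on every start, so the motivation is startup cost rather than a runtime error; worth stating accurately in the comment.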