marco/plugin-barman-cloud
1
0
Fork 0
mirror of https://github.com/cloudnative-pg/plugin-barman-cloud.git synced 2026-03-09 20:22:20 +01:00
Code Issues Actions Packages Projects Releases Wiki Activity

fix: compile all Python bytecode in final stage as root

Browse Source 
Move compileall to the final distroless stage and run it as root
to ensure all Python files are pre-compiled, including the system
standard library. This avoids runtime compilation errors when the
filesystem is read-only.

Signed-off-by: Marco Nenciarini <marco.nenciarini@enterprisedb.com>
This commit is contained in:
Marco Nenciarini 2026-01-29 14:20:34 +01:00
parent c8220fb3a9
commit 4cab8f826b
No known key found for this signature in database
GPG Key ID: 589F03F01BA55038
1 changed files with 6 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
containers/Dockerfile.sidecar
View File

@ -59,11 +59,9 @@ RUN apt-get update && \
COPY containers/sidecar-requirements.txt . COPY containers/sidecar-requirements.txt .
# Create virtualenv and install dependencies # Create virtualenv and install dependencies
# Compileall ensures all bytecode is freshly compiled with correct timestamps
RUN python3 -m venv /venv && \ RUN python3 -m venv /venv && \
/venv/bin/pip install --upgrade pip setuptools wheel && \ /venv/bin/pip install --upgrade pip setuptools wheel && \
/venv/bin/pip install --no-cache-dir -r sidecar-requirements.txt && \ /venv/bin/pip install --no-cache-dir -r sidecar-requirements.txt
/venv/bin/python -m compileall -q /venv
# Download and extract runtime library packages and their dependencies # Download and extract runtime library packages and their dependencies
# Using apt-cache to automatically resolve dependencies, filtering out packages # Using apt-cache to automatically resolve dependencies, filtering out packages
@ -91,7 +89,7 @@ RUN mkdir -p /dependencies /build/downloads && \
done done
# Final sidecar image # Final sidecar image
# Using distroless base for minimal attack surface (no shell, no package manager) # Using distroless base for minimal size and less extra packages
FROM gcr.io/distroless/python3-debian13:nonroot FROM gcr.io/distroless/python3-debian13:nonroot
ENV SUMMARY="CloudNativePG Barman plugin" \ ENV SUMMARY="CloudNativePG Barman plugin" \
@ -118,5 +116,9 @@ COPY --from=pythonbuilder /dependencies/usr/lib /usr/lib
# Copy Go manager binary # Copy Go manager binary
COPY --from=gobuilder /workspace/manager /manager COPY --from=gobuilder /workspace/manager /manager
# Compile all Python bytecode as root to avoid runtime compilation
USER 0:0
RUN ["/venv/bin/python3", "-m", "compileall", "-q", "/usr/lib/python3.13", "/venv"]
USER 26:26 USER 26:26
ENTRYPOINT ["/manager"] ENTRYPOINT ["/manager"]