From 883ba6aa244c0da1e0899e294a78c6b7f8dce7e8 Mon Sep 17 00:00:00 2001 From: Marco Nenciarini Date: Wed, 28 Jan 2026 19:19:58 +0100 Subject: [PATCH] fix: use wheel-based build to fix bytecode staleness The sidecar uses a read-only filesystem which prevents Python from creating bytecode at runtime. The previous approach pre-compiled bytecode in a separate base image, but timestamps were corrupted when files were copied between Docker stages, causing Python to mark the bytecode as stale and recompile on every invocation. This change builds Python dependencies as wheels in a pythonbuilder stage using BuildKit cache mounts, then installs them in the final python:3.13-slim-trixie stage using a bind mount. Wheels include pre-compiled bytecode with correct timestamps. The bind mount keeps wheels out of final layers, and the distroless complexity is eliminated. After wheel installation, we run compileall to ensure all Python bytecode is freshly compiled with correct timestamps, preventing any stale bytecode from remaining in the final image. The separate barmanbase image, its workflow, and related Renovate configuration are no longer needed and have been removed. Closes #711 Closes #735 Signed-off-by: Marco Nenciarini --- .github/workflows/barman-base-image.yml | 38 ------------------ Taskfile.yml | 28 ------------- containers/Dockerfile.barmanbase | 7 ---- containers/Dockerfile.sidecar | 52 ++++++++++++++++++------- renovate.json5 | 6 --- 5 files changed, 38 insertions(+), 93 deletions(-) delete mode 100644 .github/workflows/barman-base-image.yml delete mode 100644 containers/Dockerfile.barmanbase diff --git a/.github/workflows/barman-base-image.yml b/.github/workflows/barman-base-image.yml deleted file mode 100644 index 2bf03db..0000000 --- a/.github/workflows/barman-base-image.yml +++ /dev/null @@ -1,38 +0,0 @@ -name: Barman Base Image -on: - workflow_dispatch: - schedule: - - cron: "0 0 * * 0" - push: - branches: - - main - paths: - - 'containers/sidecar-requirements.txt' - -permissions: read-all - -jobs: - build: - runs-on: ubuntu-latest - permissions: - packages: write - contents: write - steps: - - name: Checkout - uses: actions/checkout@v6 - - name: Install QEMU static binaries - uses: docker/setup-qemu-action@v3 - - name: Install Task - uses: arduino/setup-task@v2 - - name: Install Dagger - env: - # renovate: datasource=github-tags depName=dagger/dagger versioning=semver - DAGGER_VERSION: 0.19.10 - run: | - curl -L https://dl.dagger.io/dagger/install.sh | BIN_DIR=$HOME/.local/bin sh - - name: Publish a barman-base - env: - REGISTRY_USER: ${{ github.actor }} - REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }} - run: | - task publish-barman-base diff --git a/Taskfile.yml b/Taskfile.yml index cfcc12b..4140607 100644 --- a/Taskfile.yml +++ b/Taskfile.yml @@ -381,34 +381,6 @@ tasks: build --dir . --file containers/Dockerfile.sidecar --platform linux/amd64 --platform linux/arm64 publish --ref {{.SIDECAR_IMAGE_NAME}} --tags {{.IMAGE_VERSION}} - publish-barman-base: - desc: Build and publish a barman-cloud base container image - vars: - BARMAN_BASE_IMAGE_NAME: ghcr.io/{{.GITHUB_REPOSITORY}}-base{{if not (hasPrefix "refs/heads/main" .GITHUB_REF)}}-testing{{end}} - BARMAN_VERSION: - sh: grep "^barman" containers/sidecar-requirements.in | sed -E 's/.*==([^ ]+)/\1/' - BUILD_DATE: - sh: date +"%Y%m%d%H%M" - requires: - # We expect this to run in a GitHub workflow, so we put a few GitHub-specific vars here - # to prevent running this task locally by accident. - vars: - - CI - - GITHUB_REPOSITORY - - GITHUB_REF - - GITHUB_REF_NAME - - REGISTRY_USER - - REGISTRY_PASSWORD - env: - # renovate: datasource=git-refs depName=docker lookupName=https://github.com/purpleclay/daggerverse currentValue=main - DAGGER_DOCKER_SHA: ee12c1a4a2630e194ec20c5a9959183e3a78c192 - cmds: - - > - dagger call -m github.com/purpleclay/daggerverse/docker@${DAGGER_DOCKER_SHA} - --registry ghcr.io --username $REGISTRY_USER --password env:REGISTRY_PASSWORD - build --dir . --file containers/Dockerfile.barmanbase --platform linux/amd64 --platform linux/arm64 - publish --ref {{.BARMAN_BASE_IMAGE_NAME}} --tags "{{.BARMAN_VERSION}}-{{.BUILD_DATE}}" - controller-gen: desc: Run controller-gen run: once diff --git a/containers/Dockerfile.barmanbase b/containers/Dockerfile.barmanbase deleted file mode 100644 index cc01748..0000000 --- a/containers/Dockerfile.barmanbase +++ /dev/null @@ -1,7 +0,0 @@ -FROM python:3.13-slim-bookworm -COPY containers/sidecar-requirements.txt . -RUN apt-get update && \ - apt-get install -y postgresql-common build-essential && \ - /usr/share/postgresql-common/pgdg/apt.postgresql.org.sh -y && \ - apt-get install -y libpq-dev && \ - pip install -r sidecar-requirements.txt diff --git a/containers/Dockerfile.sidecar b/containers/Dockerfile.sidecar index 7b42d32..31d2773 100644 --- a/containers/Dockerfile.sidecar +++ b/containers/Dockerfile.sidecar @@ -2,7 +2,7 @@ # The container needs to provide and build two components: # * barman-cloud # * instance plugin -# Both components are built before going into a distroless container +# Both components are built before going into the final container # Build the manager binary FROM --platform=$BUILDPLATFORM golang:1.25.6 AS gobuilder @@ -33,19 +33,27 @@ COPY ../internal/ internal/ RUN --mount=type=cache,target=/go/pkg/mod --mount=type=cache,target=/root/.cache/go-build \ CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} go build -a -o manager cmd/manager/main.go -# Use plugin-barman-cloud-base to get the dependencies. -# pip will build everything inside /usr, so we copy every file into a new -# destination that will then be copied into the distroless container -FROM ghcr.io/cloudnative-pg/plugin-barman-cloud-base:3.17.0-202601131704 AS pythonbuilder -# Prepare a new /usr/ directory with the files we'll need in the final image -RUN mkdir /new-usr/ && \ - cp -r --parents /usr/local/lib/ /usr/lib/*-linux-gnu/ /usr/local/bin/ \ - /new-usr/ +# Build wheel files for Python dependencies +FROM python:3.13-slim-trixie AS pythonbuilder +WORKDIR /build -# Joint process -# Now we put everything that was build from the origin into our -# distroless container -FROM gcr.io/distroless/python3-debian12:nonroot +# Install build dependencies +RUN apt-get update && \ + apt-get install -y --no-install-recommends \ + postgresql-common \ + build-essential && \ + /usr/share/postgresql-common/pgdg/apt.postgresql.org.sh -y && \ + apt-get install -y --no-install-recommends libpq-dev + +# Copy requirements +COPY containers/sidecar-requirements.txt . + +# Build wheels with pip cache mount +RUN --mount=type=cache,target=/root/.cache/pip \ + pip wheel --wheel-dir=/wheels -r sidecar-requirements.txt + +# Final sidecar image +FROM python:3.13-slim-trixie ENV SUMMARY="CloudNativePG Barman plugin" \ DESCRIPTION="Container image that provides the barman-cloud sidecar" @@ -60,7 +68,23 @@ LABEL summary="$SUMMARY" \ version="" \ release="1" -COPY --from=pythonbuilder /new-usr/* /usr/ +# Install runtime dependencies +RUN apt-get update && \ + apt-get install -y --no-install-recommends \ + postgresql-common && \ + /usr/share/postgresql-common/pgdg/apt.postgresql.org.sh -y && \ + apt-get install -y --no-install-recommends libpq5 && \ + apt-get clean && \ + rm -rf /var/lib/apt/lists/* + +# Install wheels using bind mount (wheels not included in final layers) +# and ensure all Python bytecode is freshly compiled with correct timestamps +RUN --mount=type=bind,from=pythonbuilder,source=/wheels,target=/wheels \ + pip install --no-cache-dir /wheels/*.whl && \ + python -m compileall -q + +# Copy Go manager binary COPY --from=gobuilder /workspace/manager /manager + USER 26:26 ENTRYPOINT ["/manager"] diff --git a/renovate.json5 b/renovate.json5 index 29276e7..1aaa515 100644 --- a/renovate.json5 +++ b/renovate.json5 @@ -79,12 +79,6 @@ enabled: false, }, packageRules: [ - { - matchPackageNames: [ - 'ghcr.io/cloudnative-pg/plugin-barman-cloud-base', - ], - versioning: 'loose', - }, { matchDatasources: [ 'go',