Use sysconfig.get_path('stdlib') to dynamically determine the Python
standard library path instead of hardcoding python3.13. Also remove
architecture-specific comment since this is a multiarch image.

Signed-off-by: Marco Nenciarini <marco.nenciarini@enterprisedb.com>

Move compileall to the final distroless stage and run it as root
to ensure all Python files are pre-compiled, including the system
standard library. This avoids runtime compilation errors when the
filesystem is read-only.

Signed-off-by: Marco Nenciarini <marco.nenciarini@enterprisedb.com>

Replace the manual library exclusion list with automated dependency
resolution using apt-cache. The approach queries the dependency tree
of packages in the distroless base image (from GoogleContainerTools
distroless configs) and excludes them from our requirements.

This reduces the image to 260MB (down from 270MB) by avoiding
duplicate libraries already present in the distroless base. Only 7
packages are now downloaded instead of manually maintaining a list
of 13 exclusions.

The package list is sourced from distroless upstream configs and
documented with URLs, making it maintainable as distroless evolves.

Signed-off-by: Marco Nenciarini <marco.nenciarini@enterprisedb.com>

Switch from python:3.13-slim-trixie to distroless/python3-debian13
for the sidecar container. The virtualenv approach now extracts
runtime libraries from Debian packages using dpkg, eliminating the
need for apt and package management tools in the final image.

The image is 44% smaller (260MB vs 463MB on main, or 31% vs 377MB
from the previous commit) with 70% fewer packages (35 vs 115) while
maintaining zero HIGH/CRITICAL vulnerabilities. There is no shell
or package manager in the final image, reducing the attack surface
significantly.

Based on Google's distroless best practices.

Signed-off-by: Marco Nenciarini <marco.nenciarini@enterprisedb.com>

Barman-cloud requires lz4 and snappy compression libraries for
backup and WAL compression. The pythonbuilder stage needs the
development headers (liblz4-dev, libsnappy-dev) to compile the
Python C-extensions into wheels, and the final runtime image
needs the shared libraries (liblz4-1, libsnappy1v5) for the
extensions to function.

Without these dependencies, backups fail when attempting to
compress data, causing the backup to enter a failed state.

Signed-off-by: Marco Nenciarini <marco.nenciarini@enterprisedb.com>

The sidecar uses a read-only filesystem which prevents Python from
creating bytecode at runtime. The previous approach pre-compiled
bytecode in a separate base image, but timestamps were corrupted
when files were copied between Docker stages, causing Python to
mark the bytecode as stale and recompile on every invocation.

This change builds Python dependencies as wheels in a pythonbuilder
stage using BuildKit cache mounts, then installs them in the final
python:3.13-slim-trixie stage using a bind mount. Wheels include
pre-compiled bytecode with correct timestamps. The bind mount keeps
wheels out of final layers, and the distroless complexity is
eliminated.

After wheel installation, we run compileall to ensure all Python
bytecode is freshly compiled with correct timestamps, preventing
any stale bytecode from remaining in the final image.

The separate barmanbase image, its workflow, and related Renovate
configuration are no longer needed and have been removed.

Closes #711
Closes #735

Signed-off-by: Marco Nenciarini <marco.nenciarini@enterprisedb.com>
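
An added example, not part of the commit or the project's code: a build-time check for the stale-bytecode failure described in the commit message above, which also covers the later commits that run compileall over the standard library located with `sysconfig.get_path('stdlib')`. It reads each cached `.pyc` header the way the import system does for timestamp-based bytecode and reports files that would need recompiling on a read-only filesystem; the function names `pyc_status` and `audit_tree` are hypothetical.

```python
import importlib.util
import os
import struct
import sys
import sysconfig


def pyc_status(source_path):
    """Return 'fresh', 'stale' or 'missing' for the cached bytecode of a .py file."""
    pyc_path = importlib.util.cache_from_source(source_path)
    try:
        with open(pyc_path, "rb") as f:
            header = f.read(16)
    except FileNotFoundError:
        return "missing"
    if len(header) < 16 or header[:4] != importlib.util.MAGIC_NUMBER:
        return "stale"  # truncated, or written by a different Python version
    flags, field1, field2 = struct.unpack("<III", header[4:16])
    if flags & 0x1:
        # Hash-based pyc (PEP 552): not validated by mtime, so a copy that
        # changes timestamps cannot invalidate it. The hash is not checked here.
        return "fresh"
    # Timestamp-based pyc: field1 is the source mtime, field2 the source size.
    st = os.stat(source_path)
    if field1 != int(st.st_mtime) & 0xFFFFFFFF or field2 != st.st_size & 0xFFFFFFFF:
        return "stale"
    return "fresh"


def audit_tree(root):
    """Map every .py file under root whose bytecode is not fresh to its status."""
    problems = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(".py"):
                path = os.path.join(dirpath, name)
                status = pyc_status(path)
                if status != "fresh":
                    problems[path] = status
    return problems


if __name__ == "__main__":
    # Default to the interpreter's own standard library when no path is given.
    roots = sys.argv[1:] or [sysconfig.get_path("stdlib")]
    bad = {}
    for r in roots:
        bad.update(audit_tree(r))
    for path, status in sorted(bad.items()):
        print(status, path)
    sys.exit(1 if bad else 0)
```

Run as the last step of an image build, a non-zero exit means some module would trigger a compile attempt at import time.
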
This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| golang | | patch | `1.25.2` -> `1.25.3` |
| golang | stage | patch | `1.25.2` -> `1.25.3` |
---
### Configuration
📅 **Schedule**: Branch creation - At any time (no schedule defined),
Automerge - At any time (no schedule defined).
🚦 **Automerge**: Enabled.
♻ **Rebasing**: Never, or you tick the rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about these
updates again.
---
This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/cloudnative-pg/plugin-barman-cloud).
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Signed-off-by: Jonathan Gonzalez V. <jonathan.gonzalez@enterprisedb.com>
Signed-off-by: Niccolò Fei <niccolo.fei@enterprisedb.com>
Co-authored-by: Jonathan Gonzalez V. <jonathan.gonzalez@enterprisedb.com>

We were using Debian trixie as a building environment for barman-cloud,
but we were still using bookworm as a base image. This caused
inconsistencies in the sidecar image.
Now we always use bookworm.

Signed-off-by: Leonardo Cecchi <leonardo.cecchi@enterprisedb.com>

Rework the Dockerfile to list Python dependencies.
Those can be updated using renovate.

Signed-off-by: Francesco Canovai <francesco.canovai@enterprisedb.com>
Signed-off-by: Niccolò Fei <niccolo.fei@enterprisedb.com>
Co-authored-by: Niccolò Fei <niccolo.fei@enterprisedb.com>

Adds support for building and publishing Docker images for both amd64 and arm64 architectures.
Ensures compatibility across multiple platforms by using cross-compilation.
Updates relevant configuration files for CI/CD to handle the new build process.
Fixes issues related to Python version conflicts and ensures the correct directory structure in the final image.

Signed-off-by: Francesco Canovai <francesco.canovai@enterprisedb.com>
Signed-off-by: Leonardo Cecchi <leonardo.cecchi@enterprisedb.com>
Signed-off-by: Jonathan Gonzalez V. <jonathan.abdiel@gmail.com>
Signed-off-by: Niccolò Fei <niccolo.fei@enterprisedb.com>
Co-authored-by: Leonardo Cecchi <leonardo.cecchi@enterprisedb.com>
Co-authored-by: Jonathan Gonzalez V. <jonathan.abdiel@gmail.com>
Co-authored-by: Niccolò Fei <niccolo.fei@enterprisedb.com>