Switch from python:3.13-slim-trixie to distroless/python3-debian13
for the sidecar container. The virtualenv approach now extracts
runtime libraries from Debian packages using dpkg, eliminating the
need for apt and package management tools in the final image.
The image is 44% smaller (260MB vs 463MB on main, or 31% vs 377MB
from the previous commit) with 70% fewer packages (35 vs 115) while
maintaining zero HIGH/CRITICAL vulnerabilities. There is no shell
or package manager in the final image, reducing the attack surface
significantly.
Based on Google's distroless best practices.
Signed-off-by: Marco Nenciarini <marco.nenciarini@enterprisedb.com>
Barman-cloud requires lz4 and snappy compression libraries for
backup and WAL compression. The pythonbuilder stage needs the
development headers (liblz4-dev, libsnappy-dev) to compile the
Python C-extensions into wheels, and the final runtime image
needs the shared libraries (liblz4-1, libsnappy1v5) for the
extensions to function.
Without these dependencies, backups fail when attempting to
compress data, causing the backup to enter a failed state.
Signed-off-by: Marco Nenciarini <marco.nenciarini@enterprisedb.com>
The sidecar uses a read-only filesystem which prevents Python from
creating bytecode at runtime. The previous approach pre-compiled
bytecode in a separate base image, but timestamps were corrupted
when files were copied between Docker stages, causing Python to
mark the bytecode as stale and recompile on every invocation.
This change builds Python dependencies as wheels in a pythonbuilder
stage using BuildKit cache mounts, then installs them in the final
python:3.13-slim-trixie stage using a bind mount. Wheels include
pre-compiled bytecode with correct timestamps. The bind mount keeps
wheels out of final layers, and the distroless complexity is
eliminated.
After wheel installation, we run compileall to ensure all Python
bytecode is freshly compiled with correct timestamps, preventing
any stale bytecode from remaining in the final image.
The separate barmanbase image, its workflow, and related Renovate
configuration are no longer needed and have been removed.
Closes#711Closes#735
Signed-off-by: Marco Nenciarini <marco.nenciarini@enterprisedb.com>
This PR contains the following updates:
| Package | Type | Update | Change |
|---|---|---|---|
| golang | | patch | `1.25.2` -> `1.25.3` |
| golang | stage | patch | `1.25.2` -> `1.25.3` |
---
### Configuration
📅 **Schedule**: Branch creation - At any time (no schedule defined),
Automerge - At any time (no schedule defined).
🚦 **Automerge**: Enabled.
♻ **Rebasing**: Never, or you tick the rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about these
updates again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box
---
This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/cloudnative-pg/plugin-barman-cloud).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MS4xNDMuMSIsInVwZGF0ZWRJblZlciI6IjQxLjE0My4xIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJhdXRvbWF0ZWQiLCJuby1pc3N1ZSJdfQ==-->
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
The Renovate pip-compile provider is not running due to some options in
the requirements.txt that are set to `None`, which is the actual default.
```
DEBUG: pip-compile: extracted command from header (repository=local)
"fileName": "containers/sidecar-requirements.txt",
"argv": [
"pip-compile",
"--allow-unsafe",
"--cert=None",
"--client-cert=None",
"--generate-hashes",
"--index-url=None",
"--output-file=sidecar-requirements.txt",
"--pip-args=None",
"--strip-extras",
"sidecar-requirements.in"
],
"commandType": "pip-compile"
DEBUG: pip-compile: option not handled (repository=local)
"option": "--allow-unsafe"
WARN: pip-compile error (repository=local)
"matchedFile": "containers/sidecar-requirements.txt",
"errorMessage": "Option --cert=None not supported (yet)"
```
Removing the options fixes the run.
Signed-off-by: Marco Nenciarini <marco.nenciarini@enterprisedb.com>
Signed-off-by: Jonathan Gonzalez V. <jonathan.gonzalez@enterprisedb.com>
Signed-off-by: Niccolò Fei <niccolo.fei@enterprisedb.com>
Co-authored-by: Jonathan Gonzalez V. <jonathan.gonzalez@enterprisedb.com>
We build a new image every week with the necessary base packages
for the sidecar.
This aims to reduce the time required for each CI process to run.
Signed-off-by: Jonathan Gonzalez V. <jonathan.gonzalez@enterprisedb.com>
Signed-off-by: Niccolò Fei <niccolo.fei@enterprisedb.com>
Co-authored-by: Niccolò Fei <niccolo.fei@enterprisedb.com>
We were using debian trixie as a building environment for barman-cloud,
but we were still using bookworm as a base image. This caused
inconsistencies in the sidecar image.
Now we always use bookworm.
Signed-off-by: Leonardo Cecchi <leonardo.cecchi@enterprisedb.com>
The sidecar-requirements.txt was out-dated, after the update we close
a few security issues.
Closes#437
Signed-off-by: Jonathan Gonzalez V. <jonathan.gonzalez@enterprisedb.com>
Due to an issue with pip-tools invocation, renovate has failed to update setuptools to v80.4.0 in #341. This patch fixes the issue.
Signed-off-by: Marco Nenciarini <marco.nenciarini@enterprisedb.com>
