Production-ready Docker packaging
Docker packaging guide for Python
The broken status quo
Broken by default: why you should avoid most Dockerfile examples
Most Dockerfile examples you’ll find on the Web are broken. And that’s a problem.
A review of the official Dockerfile best practices: good, bad, and insecure
The official Docker documentation’s Dockerfile best practices are mostly good—but they omit some important information.
Connection refused? Docker networking and how it impacts your image
A command that runs fine on your computer may fail with connection refused when run in a container. You’ll learn why that happens, and how to prevent it.
Faster or slower: the basics of Docker build caching
Docker’s layer caching can speed up your image build—if you write your Dockerfile correctly.
Base image and dependencies
The best Docker base image for your Python application (April 2020)
Ubuntu? Official Python images? Alpine Linux? Here’s how to choose a good base image.
Using Alpine can make Python Docker builds 50× slower
Alpine Linux is often recommended as a smaller, faster base image. But if you’re using Python, it will actually do the opposite.
When to switch to Python 3.8
Python 3.8 is out now—when should you start using it?
Building on solid ground: ensuring reproducible Docker builds for Python
You want to be able to rebuild the same Docker image from the same source code across different computers and different points in time. Here’s how to get reproducible builds.
Push and pull: when and why to update your dependencies
When should you update your project’s dependencies? There are two rhythms to updates: security and critical bug fixes, and broader updates.
Installing system packages in Docker with minimal bloat
Your Docker build needs to update system packages for security, and perhaps to install them for additional dependencies. Here’s how to do it without making your image too large, on Debian, Ubuntu, CentOS and RHEL.
Less capabilities, more security: minimizing privilege escalation in Docker
To reduce the security risk from your Docker image, you should run it as a non-root user. You should also reduce it capabilities: learn what, why, and how.
Avoiding insecure images from Docker build caching
Docker’s layer caching is great for speeding up builds—but you need to be careful or it’ll cause you to have insecure dependencies.
Docker build secrets, the sneaky way
When you’re building Docker images you often need some secrets: a password, an SSH key. For now, Docker lacks a good mechanism to pass in secrets in a secure way, which means you need to get sneaky.
Build secrets in Docker Compose, the secure way
Builds secrets are used to build your image, but if you’re not careful they will get embedded into your image, leaking them to adversaries. Learn how to use build secrets in Docker Compose without leaking your secrets.
Security scanners for Python and Docker: from code to dependencies
How do you know your code is secure? How about your Docker image? Learn how to catch problems is using security scanners running in your CI setup.
Fast builds, small images
The high cost of slow Docker builds
A slow Docker build on the critical path for developer feedback is a lot more expensive than you think.
Faster Docker builds with pipenv, poetry, or pip-tools
Installing dependencies separately from your code allows you to take advantage of Docker’s layer caching. Here’s how to do it with pipenv, poetry, or pip-tools.
Elegantly activating a virtualenv in a Dockerfile
How to activate a virtualenv in a Dockerfile without repeating yourself—plus, you’ll learn what activating a virtualenv actually does.
Multi-stage builds #1: Smaller images for compiled code
You’re building a Docker image for a Python project with compiled code (C/C++/Rust/whatever), and somehow without quite realizing it you’ve created a Docker image that is 917MB… only 1MB of which is your code!
Multi-stage builds #2: Python specifics—virtualenv, –user, and other methods
Now that you understand multi-stage builds, here’s how to implement them for Python applications.
Multi-stage builds #3: Why your build is surprisingly slow, and how to speed it up
Multi-stage builds give you small images and fast builds—in theory. In practice, they require some tricks if you want your builds to actually be fast.
Applications and runtime
Configuring Gunicorn for Docker
Running in a container isn’t the same as running on a virtual machine or physical server: you need to configure Gunicorn (and other servers) appropriately.
Activating a Conda environment in your Dockerfile
Learn how to activate a conda environment in your Dockerfile.
Decoupling database migrations from server startup: why and how
It’s tempting to migrate your database schema when your application container starts up—here’s some reasons to rethink that choice.
What’s running in production? Making your Docker images identifiable
It’s difficult to debug production problems if you don’t know what image is running in production.
A Python prompt into a running process: debugging with Manhole
Your Python process is acting strange—wouldn’t it be useful to get a live Python interpreter prompt inside your running process?
Packaging as a process
A thousand little details: developing software for ops
Some thoughts on how to build software for ops, a domain that suffers from historical complexity and problem space complexity. And in particular, buildng a better way to do Docker packaging.
Your Docker build needs a smoke test
If you don’t test your Docker image before you push it, you’ll waste time (and maybe break production).
Where’s that log file? Debugging failed Docker builds
Your Docker build just failed, and the reason is buried a log file—which is somewhere inside the build process. How do you read that log file?
“Let’s use Kubernetes!” Now you have 8 problems
For smaller teams, Kubernetes is usually the wrong solution.
- Docker vs. Singularity for data processing: UIDs and filesystem access
For data processing, where you just read in some files and then write them out, containers provide reproducibility. Docker may not be the ideal container implementation for this use case, however, so we’ll also take a look at Singularity.
Products and Services
Open-enrollment class: Production-ready Docker packaging for Python, June 11th+12th
Learn what it takes to package a Python application for production with Docker, from security to reproducibility to speed, with this live, two half-days online class.
When you’ve used Docker before, you learned just enough command-line basics to get your work done.
But now you need to start packaging your application, which means doing everything from from writing
Dockerfiles to debugging broken builds—and your basic knowledge isn’t enough.
Quickly learn the mental models and debugging techniques you need to package your Python application in Docker, by reading Just Enough Docker Packaging.
Packaging your Python application for production with Docker requires best practices, so you don’t risk security breaches or waste expensive developer time on slow builds. But doing the research will also use up days of developer time.
Save time and money, by quickly learning the best practices you need—including security, fast builds, small images, reproducability, and much more—from the Python on Docker Production Checklist.
Instead of wasting days of expensive developer time implementing and testing your own Docker packaging infrastructure, you can ship your Docker images with confidence—in just hours!—by using the Production-Ready Python Containers template.
Make you team more productive by upgrading their skills. Whether it’s the basics of Docker packaging, or the best practices you need to run in production, consider one of my Docker packaging training courses.