Production-ready Docker images

Docker packaging guide for Python

The basics

  1. Broken by default: why you should avoid most Dockerfile examples
    Most Dockerfile examples you’ll find on the Web are broken. And that’s a problem.

  2. A review of the official Dockerfile best practices: good, bad, and insecure
    The official Docker documentation’s Dockerfile best practices are mostly good—but they omit some important information.

  3. The best Docker base image for your Python application (July 2019)
    Ubuntu? Official Python images? Alpine Linux? Here’s how to choose a good base image.

  4. Connection refused? Docker networking and how it impacts your image
    A command that runs fine on your computer may fail with connection refused when run in a container. You’ll learn why that happens, and how to prevent it.

  5. Faster or slower: the basics of Docker build caching
    Docker’s layer caching can speed up your image build—if you write your Dockerfile correctly.

Security

  1. Avoiding insecure images from Docker build caching
    Docker’s layer caching is great for speeding up builds—but you need to be careful or it’ll cause you to have insecure dependencies.

  2. Less capabilities, more security: minimizing privilege escalation in Docker
    To reduce the security risk from your Docker image, you should run it as a non-root user. You should also reduce its capabilities: learn what, why, and how.

  3. Docker build secrets, the sneaky way
    When you’re building Docker images you often need some secrets: a password, an SSH key. For now, Docker lacks a good mechanism to pass in secrets in a secure way, which means you need to get sneaky.

Fast builds, small images

  1. The high cost of slow Docker builds
    A slow Docker build on the critical path for developer feedback is a lot more expensive than you think.

  2. Faster Docker builds with pipenv, poetry, or pip-tools
    Installing dependencies separately from your code allows you to take advantage of Docker’s layer caching. Here’s how to do it with pipenv, poetry, or pip-tools.

  3. Elegantly activating a virtualenv in a Dockerfile
    How to activate a virtualenv in a Dockerfile without repeating yourself—plus, you’ll learn what activating a virtualenv actually does.

  4. Multi-stage builds #1: Smaller images for compiled code
    You’re building a Docker image for a Python project with compiled code (C/C++/Rust/whatever), and somehow without quite realizing it you’ve created a Docker image that is 917MB… only 1MB of which is your code!

  5. Multi-stage builds #2: Python specifics—virtualenv, --user, and other methods
    Now that you understand multi-stage builds, here’s how to implement them for Python applications.

  6. Multi-stage builds #3: Why your build is surprisingly slow, and how to speed it up
    Multi-stage builds give you small images and fast builds—in theory. In practice, they require some tricks if you want your builds to actually be fast.

Applications and runtime

  1. Configuring Gunicorn for Docker
    Running in a container isn’t the same as running on a virtual machine or physical server: you need to configure Gunicorn (and other servers) appropriately.

  2. Decoupling database migrations from server startup: why and how
    It’s tempting to migrate your database schema when your application container starts up—here are some reasons to rethink that choice.

  3. What’s running in production? Making your Docker images identifiable
    It’s difficult to debug production problems if you don’t know what image is running in production.

  4. A Python prompt into a running process: debugging with Manhole
    Your Python process is acting strange—wouldn’t it be useful to get a live Python interpreter prompt inside your running process?

Packaging as a process

  1. A thousand little details: developing software for ops
    Some thoughts on how to build software for ops, a domain that suffers from historical complexity and problem space complexity. And in particular, building a better way to do Docker packaging.

  2. Your Docker build needs a smoke test
    If you don’t test your Docker image before you push it, you’ll waste time (and maybe break production).

Products and Services

Secure, fast images—in just an hour or two

You want fast builds, small and secure images, and operational correctness.

Instead of reading and applying every article above, spending days debugging your build process, and fighting slow builds, you can ship your Docker images with confidence—in just hours!—by using the Production-Ready Python Containers template.

Custom Docker packaging

Do you need custom Docker packaging for your application, and don’t have the time or expertise to do so yourself? I can help you with the build infrastructure, processes, and configuration necessary to create a production-ready Docker image.

Interested? Send me an email.