Is it possible to build a python web image in more flexable way which will following some python docker best practice.

[hackrole]

I have build our docker image in follow fold layers now.

RUN create user webapp 1000(uid) 1000(gid)
USER 1000
WORKDIR  /code
RUN python -m venv /code/.venv
COPY requirement.txt /code/requirements.txt
RUN /code/.venv/bin/pip install -r  requirements.txt
COPY app/ main.py /code

how to make such layer in rules_oci?

After following example, I got a image which is hard to use.

For example, We would like to add ddtrace-run command prefix in k8s cluster, but this seems hard to done in the built image.

And If sometimes we need to exec into contains to do some debugging, The layout and script entry seems hard for our debug process.

[thesayyn]

Please see: https://github.com/bazel-contrib/rules_oci/blob/main/docs/python.md

[hackrole]

Please see: https://github.com/bazel-contrib/rules_oci/blob/main/docs/python.md

Yes, I have seen this link and followed it to build out the image, but the file layput of the result image is bad for me.
I would like to have a file layout like what I have described in this issue.

I am just following bazel and rules_python tutorial to make bazel works in our repository. I am not sure If it is possible to make a
image as I wanted, As bazel generate a python entrypoint to do many things, like PYTHON_PATH, EXEC with python toolchains.

Also I not aware what the runfiles means to be in bazel, So I am here for some advice.
To me, the result image from the oci_python example is far away from good image, even the build process is very fast.

And I have following asepct/rules_py to build a image, Its file layout is better, as It use bash to bootstrap. But still feel bad to me.

[thesayyn]

good image

could you elaborate more what you mean by this?

the dockerfile you posted above is how you build a python image when you are not dealing with Bazel, but when using Bazel, some of those commands are replaced by rulesets such as rules_py.

For instance pip install becomes, pip.parse( in your MODULE.bazel, python -m venv becomes py_venv from rules_py.

Most people don't care about how files laid out in the container filesystem, therefore they simply use what Bazel calls runfiles so that the behavior of the container matches the py_binary.

That said, if you have some specific filesystem layouts constraints you can use tar rule to put things where you want.

[hackrole]

first, good image

good image

I would like to list the issues I faced now. I build oci image follow this example

bazel rules_python entryscript and runfiles import difficulty to customize the container running.

My container is a fastapi webapp. In bazel local, I create a main.py so bazel run :app can start a local app for developments.
But while deploy into k8s clusters, I would like to use uvicorn run app:app cause uvicorn provide many options for customization. As bazel rules_python py_binary have different file strurcture, This seems hard to be done now.

Also, I would like to add ddtrace-run prefix in product environment to enable datadog monitor, but disabled on test environment to save money. In origin image, all I need to do is modify the k8s yaml to set command line from uvicorn app:app to ddtrace-run uvicorn app:app. It seems hard now.

two python installed and image size much bigger.

It seems be the bug of rules_python, see this bug.
So I use python:3.9-slim as baze_image. But as rules_python need to copy the python toolchains into images. So I have
two python installed in the image, the result image is about 200MB bigger.

I cannot use aspect rules_py cause of we have some developers using windows system as their work environments. The rules_py used bash to do its works, It seems unable to work on windows.

second, dockefile in bazel

dockerfile command replace in bazel

I have go through the rule_oci documents and gain a basic knowledge on how rules_oci works. I understand almost all dockerfile command can be replaced by some equal bazel rules or actions. But it seems to me there are some things hard or impossible to be done cause of bazel mechanisms, like bazel runfiles destroys the origin project structure or the generate python entrypoint need to setup PYTHON_PATH environment and others things to make py_binary works. This import many difficulty to arange image file structure.

last rules_py py_venv

rules_py py_venv

Thanks for you advice. After check the implementation code of py_venv, It seems to be a execuable bazel rules. It create a venv while called from bazel run. So Its cannot be used as dependence of a bazel build rules, like oci_image, right?

Also we have many different images now, which belongs to different teams. I am trying to introduce bazel rules_oci to replace the docker build process in our CI, as we have decided to migrate to bazel. So it is better not to change the result image file layout. But construct the same file layout in bazel seems really hard now.

As additional, I realized rules_oci build docker image much faster, this is amazing feature to us. But the result file layout is not satisfied.

[thesayyn]

I understand the concern, but unfortunately there nothing here we can fix in rules_oci. What you are talking about is Runfiles which is necessary when using rules_py so that everything that works in py_binary also works inside the container.

If you want to have a filesystem layout that similar to standard python setups outside Bazel, then you can do that yourself by using tar or pkg_tar rule.

As for python dependency, that issue belongs to rules_python, not rules_oci.

Thanks for filing the issue, but i don't there is anything here we can fix.