# syntax=docker/dockerfile:1.9.0
# Python sandbox for ephemeral worker
# Executes Python scripts in a sandboxed gRPC server
FROM ghcr.io/superblocksteam/python:3.10.20-slim-trixie AS builder
WORKDIR /build

# Toolchain for compiling the C extensions pulled in by requirements.txt
# (psutil, cvxpy, numpy, ...). Both apt directories are BuildKit cache mounts:
# they are shared across builds and never become part of a layer, which is why
# there is no rm -rf of /var/lib/apt/lists in this stage.
RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
    --mount=type=cache,target=/var/lib/apt/lists,sharing=locked \
    <<EOF
set -e
apt-get update
apt-get install -y --no-install-recommends \
    cmake \
    g++ \
    gcc \
    libopenblas-dev \
    linux-libc-dev \
    python3-dev
EOF

# Only the manifest is copied, so this layer stays cached until
# requirements.txt itself changes. pip's download cache is a cache mount as
# well, hence no --no-cache-dir.
COPY workers/ephemeral/python-sandbox/requirements.txt .
RUN --mount=type=cache,target=/root/.cache/pip \
    pip install -r requirements.txt
# Runtime stage — clean base without build tools
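FROM ghcr.io/superblocksteam/python:3.10.20-slim-trixie

# Runtime BLAS library matching the libopenblas-dev the builder compiled
# against. Both apt directories are BuildKit cache mounts: nothing from them
# reaches the image layer, so there is nothing to rm -rf here — deleting inside
# the mount would only discard the cache shared with the builder stage and with
# later builds.
RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
    --mount=type=cache,target=/var/lib/apt/lists,sharing=locked \
    apt-get update && apt-get install -y --no-install-recommends \
        libopenblas0

WORKDIR /app

# Unprivileged account the server runs as. Fixed uid/gid 1000 so the USER line
# below can be numeric (see the comment there). /app itself is handed to the
# user here; the files are chown'ed at COPY time below rather than in a
# separate `chown -R` RUN, which would duplicate every copied file in a second
# layer. End state is the same as the recursive chown.
RUN groupadd -r -g 1000 sandbox \
    && useradd -r -u 1000 -g sandbox sandbox \
    && chown sandbox:sandbox /app

# Pre-built packages from the builder. PYTHON_MINOR must match the interpreter
# in the FROM tag above, otherwise site-packages lands in a directory this
# python never imports from. /usr/local/bin carries the pip-installed console
# scripts (both stages share the same base, so the rest is identical).
ARG PYTHON_MINOR=3.10
COPY --from=builder /usr/local/lib/python${PYTHON_MINOR}/site-packages /usr/local/lib/python${PYTHON_MINOR}/site-packages
COPY --from=builder /usr/local/bin /usr/local/bin

# Sandbox server source and generated protobuf types, owned by uid/gid 1000.
# NOTE(review): because the server runs as that same uid, code executed inside
# the sandbox can modify these files for the life of the container. If main.py
# never writes under /app, root-owned read-only files would be tighter — confirm.
COPY --chown=1000:1000 workers/ephemeral/python-sandbox/main.py ./
COPY --chown=1000:1000 workers/ephemeral/python-sandbox/src ./src
COPY --chown=1000:1000 workers/ephemeral/python-sandbox/gen ./gen

# Must be numeric: the ephemeral sandbox pod runs with RunAsNonRoot=true and no
# explicit runAsUser, so the kubelet validates the image's USER against root. A
# non-numeric name (e.g. "sandbox") cannot be resolved to a UID by the kubelet,
# which then refuses to start the container with CreateContainerConfigError. The
# numeric form (uid:gid created above) lets the kubelet verify it is non-root.
USER 1000:1000

# /app/gen is listed first — presumably so the generated protobuf modules win
# over anything of the same name under /app; verify against main.py's imports.
# PYTHONDONTWRITEBYTECODE keeps /app as copied (no .pyc files written at run time).
ENV PYTHONPATH=/app/gen:/app \
    PYTHONDONTWRITEBYTECODE=1 \
    SUPERBLOCKS_WORKER_SANDBOX_EXECUTOR_TRANSPORT_GRPC_PORT=50051

# Documentation only; 50051 is above 1024, so binding it as uid 1000 needs no
# extra capability.
EXPOSE 50051
CMD ["python", "main.py"]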