Chainguard Container for python

Minimal Python image based on Wolfi.

Chainguard Containers are regularly-updated, secure-by-default container images.

Download this Container Image

For those with access, this container image is available on cgr.dev:

docker pull cgr.dev/ORGANIZATION/python:latest

Be sure to replace the ORGANIZATION placeholder with the name used for your organization's private repository within the Chainguard Registry.

Description

The python Chainguard Image provides a minimal Python runtime suitable for workloads such as web applications, CLI utilities, interfacing with APIs, or other tasks.

Variants

We have two image variants available:

• A python:latest-dev variant that contains the pip, uv, and apk package managers and the bash, ash, and sh shells.
• A minimal runtime variant that removes shells and package managers for additional security.

To pull the minimal runtime variant from cgr.dev:

docker pull cgr.dev/chainguard/python:latest

To pull the dev variant:

docker pull cgr.dev/chainguard/python:latest-dev

Usage Notes

The entrypoint for the python Chainguard Image is /usr/bin/python. Commands run as part of docker run or a CMD statement in a Dockerfile will be passed as arguments to python.

To access the shell in the python:latest-dev image, you'll need to include an --entrypoint option, as in the following example.

docker run -it --entrypoint /bin/bash chainguard/python:latest-dev

Also note that the python image uses the nonroot user by default. To perform operations such as installing packages with apk, run the image as root.

docker run -it --user root --entrypoint /bin/bash chainguard/python:latest-dev

We recommend against using the root user in a production environment.

Packages

If you require additional packages that can be installed with the pip package manager, we recommend using a multistage build. This process involves installing packages in a virtual environment using the latest-dev variant, then copying this environment over to the minimal runtime image.

The following is a minimal example of a Dockerfile that uses a multistage build to run an app.py script after installing dependencies listed in a requirements.txt file.

# syntax=docker/dockerfile:1

FROM cgr.dev/chainguard/python:latest-dev as dev

WORKDIR /app

RUN python -m venv venv
ENV PATH="/app/venv/bin":$PATH
COPY requirements.txt requirements.txt
RUN pip install -r requirements.txt

FROM cgr.dev/chainguard/python:latest

WORKDIR /app

COPY app.py app.py
COPY --from=dev /app/venv /app/venv
ENV PATH="/app/venv/bin:$PATH"

ENTRYPOINT ["python", "app.py"]

For a more complete example, see Getting Started with the Python Chainguard Image on Chainguard Academy.

Resources

• Getting Started with the Python Chainguard Image
• Migrating to Python Chainguard Images
• Updating a Python Microservice for Chainguard Images
• Debugging Distroless Images
• Blog Post: Securely Containerize a Python Application with Chainguard Images
• Video: How to containerize a Python application with a multi-stage build using Chainguard Images
• Learning Lab: Deploying a Flask App with Python and nginx Chainguard Images

What are Chainguard Containers?

Chainguard Containers are minimal container images that are secure by default.

In many cases, the Chainguard Containers tagged as :latest contain only an open-source application and its runtime dependencies. These minimal container images typically do not contain a shell or package manager. Chainguard Containers are built with Wolfi, our Linux undistro designed to produce container images that meet the requirements of a more secure software supply chain.

The main features of Chainguard Containers include:

• Minimal design, without unnecessary software bloat
• Daily builds to ensure container images are up-to-date with available security patches
• High quality build-time SBOMs attesting to the provenance of all artifacts within the image
• Verifiable signatures provided by Sigstore
• Reproducible builds with Cosign and apko (read more about reproducibility)

For cases where you need container images with shells and package managers to build or debug, most Chainguard Containers come paired with a -dev variant.

Although the -dev container image variants have similar security features as their more minimal versions, they feature additional software that is typically not necessary in production environments. We recommend using multi-stage builds to leverage the -dev variants, copying application artifacts into a final minimal container that offers a reduced attack surface that won’t allow package installations or logins.

Learn More

To better understand how to work with Chainguard Containers, please visit Chainguard Academy and Chainguard Courses.

In addition to Containers, Chainguard offers VMs and Libraries. Contact Chainguard to access additional products.

Trademarks

This software listing is packaged by Chainguard. The trademarks set forth in this offering are owned by their respective companies, and use of them does not imply any affiliation, sponsorship, or endorsement by such companies.