Summary

Amo Chen demonstrates how to progressively reduce Python Docker image size using multi-stage builds and ultimately Google’s distroless base images. Unlike compiled languages (Go) that can produce tiny single-binary images, Python’s interpreter dependency means the floor is higher — but multi-stage builds still yield significant reductions by separating build-time dependencies from runtime. Distroless images further reduce attack surface and size by stripping the OS to its minimum.

This article demonstrates how to progressively shrink a Python Docker image using multi-stage builds and Google's distroless images. Because Python needs an interpreter there is a basic lower bound on size, but multi-stage builds still reduce it significantly, and distroless images go further by stripping the OS layer to lower both attack surface and size.

Key Points

  • Multi-stage builds: use a builder stage with full Python for compiling wheels, then copy only the wheels to a slim final stage
  • pip wheel --wheel-dir /app/wheels -r requirements.txt in builder, then pip install --no-index --find-links=/wheels in final stage
  • Distroless: Google’s minimal container images containing only runtime libraries — no shell, no package manager, no unnecessary OS components
  • Distroless reduces both image size and security attack surface (fewer tools for attackers to exploit)
  • Python distroless is more complex to configure than Go because you need the Python runtime included
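A complete Dockerfile that wires the three stages above together, written as an added example (not the Dockerfile from Amo Chen's post). It assumes an app.py and a requirements.txt in the build context, that the distroless image ships Debian 12's Python 3.11 (so the cp311 wheels built in stage 1 match), and it installs with pip's --target so the dependencies live under one directory instead of relying on site-packages paths lining up between images:

```dockerfile
# syntax=docker/dockerfile:1

# Stage 1 (builder): full toolchain, used only to compile wheels.
FROM python:3.11-slim AS builder
WORKDIR /app
# Build-time system dependencies (assumed: a requirement such as psycopg2
# needs gcc and libpq-dev). None of this reaches the final image.
RUN apt-get update \
 && apt-get install -y --no-install-recommends gcc libpq-dev \
 && rm -rf /var/lib/apt/lists/*
COPY requirements.txt .
RUN pip wheel --no-cache-dir --wheel-dir /app/wheels -r requirements.txt

# Stage 2 (installer): install the wheels offline into one directory.
# --no-index guarantees nothing is fetched from PyPI at this step;
# --target keeps every package under /app/deps so the path does not
# depend on the site-packages layout of the final image.
FROM python:3.11-slim AS installer
WORKDIR /app
COPY --from=builder /app/wheels /wheels
COPY requirements.txt .
RUN pip install --no-cache-dir --no-index --find-links=/wheels \
      --target /app/deps -r requirements.txt

# Stage 3 (runtime): distroless, no shell, no apt, no pip, non-root user.
# Caveat: a wheel that links against a system library (e.g. psycopg2 against
# libpq) needs that .so copied in here too, or a self-contained wheel such as
# psycopg2-binary instead; distroless ships only the Python runtime libraries.
FROM gcr.io/distroless/python3-debian12:nonroot
WORKDIR /app
COPY --from=installer /app/deps /app/deps
COPY app.py .
ENV PYTHONPATH=/app/deps
# Exec form is mandatory: there is no /bin/sh to interpret a shell-form command.
ENTRYPOINT ["/usr/bin/python3.11", "/app/app.py"]
```

Because stage 3 has no shell, `docker exec -it <container> sh` fails by design; for troubleshooting, Google publishes `:debug` tags that add a busybox shell, which belong on a developer's machine rather than in the production image.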

Insights

The multi-stage pattern for Python mirrors the pattern for compiled languages but for a different reason: compiled languages separate build tools from the final binary, while Python separates build-time system dependencies (gcc, libpq-dev) from the wheels they produce. The distroless insight is security-relevant: a container with no shell means attackers who gain code execution can’t easily pivot to interactive exploitation.

Connections

Raw Excerpt

Optimizing Docker image size still brings advantages for deployment speed, and it also reduces the cost of network transfer.