Cryptography Python Docker multistage build

Question

I have a Python project that runs in a docker container and I am trying to convert to a multistage docker build process. My project depends on the cryptography package. My Dockerfile consists of:

# Base                                                                          
FROM python:3.6 AS base                                                         

RUN pip install cryptography                                                    

# Production                                                                    
FROM python:3.6-alpine                                                          

COPY --from=base /root/.cache /root/.cache                                      

RUN pip install cryptography \                                                  
        && rm -rf /root/.cache                                                  

CMD python

Which I try to build with eg:

docker build -t my-python-app .

This process works for a number of other Python requirements I have tested, such as pycrypto and psutil , but throws the following error for cryptography :

Step 5/6 : RUN pip install cryptography         && rm -rf /root/.cache
 ---> Running in ebc15bd61d43
Collecting cryptography
  Downloading cryptography-2.1.4.tar.gz (441kB)
Collecting idna>=2.1 (from cryptography)
  Using cached idna-2.6-py2.py3-none-any.whl
Collecting asn1crypto>=0.21.0 (from cryptography)
  Using cached asn1crypto-0.24.0-py2.py3-none-any.whl
Collecting six>=1.4.1 (from cryptography)
  Using cached six-1.11.0-py2.py3-none-any.whl
Collecting cffi>=1.7 (from cryptography)
  Downloading cffi-1.11.5.tar.gz (438kB)
    Complete output from command python setup.py egg_info:

        No working compiler found, or bogus compiler options passed to
        the compiler from Python's standard "distutils" module.  See
        the error messages above.  Likely, the problem is not related
        to CFFI but generic to the setup.py of any Python package that
        tries to compile C code.  (Hints: on OS/X 10.8, for errors about
        -mno-fused-madd see http://stackoverflow.com/questions/22313407/
        Otherwise, see https://wiki.python.org/moin/CompLangPython or
        the IRC channel #python on irc.freenode.net.)

    ----------------------------------------
Command "python setup.py egg_info" failed with error code 1 in /tmp/pip-build-uyh9_v63/cffi/

Obviously I was hoping not to have to install any compiler on my production image. Do I need to copy across another directory other than /root/.cache ?

Answer 1

There is no manylinux wheel for Alpine, so you need to compile it yourself. Below is pasted from documentation on installation. Install and remove build dependencies in the same command to only save the package to the docker image layer.

If you are on Alpine or just want to compile it yourself then cryptography requires a compiler, headers for Python (if you're not using pypy), and headers for the OpenSSL and libffi libraries available on your system.

Alpine Replace python3-dev with python-dev if you're using Python 2.

 $ sudo apk add gcc musl-dev python3-dev libffi-dev openssl-dev

If you get an error with openssl-dev you may have to use libressl-dev.

Docs can be found here

Answer 2

I hope, my answer will be useful.

1. You should use --user option for cryptography installing via pip in base stage. Example: RUN pip install --user cryptography . This option means, that all files will be installed in the .local directory of the current user's home directory.
2. COPY --from=base /root/.local /root/.local , because cryptography installed in /root/.local.

Thats all. Full example docker multistage

# Base                                                                          
FROM python:3.6 AS base                                                         

RUN pip install --user cryptography

# Production
FROM python:3.6-alpine

COPY --from=base /root/.local /root/.local

RUN pip install cryptography \
        && rm -rf /root/.cache

CMD python