Build a Python app

Python’s wheels and build tooling make a clean split worthwhile. Compile and install everything into a self-contained virtualenv in the build stage, then copy that one directory onto a slim python base for the runtime. The compilers and headers some packages need at install time never reach the image you deploy.

These build on ghcr.io/quenchworks/images/python:3.13. For dependency resolution there is ghcr.io/quenchworks/images/uv (a fast installer and resolver) and ghcr.io/quenchworks/images/poetry.

The multi-stage Dockerfile

1
# Build stage: build a venv with everything installed into it.
2
FROM ghcr.io/quenchworks/images/python:3.13 AS build
3
WORKDIR /app
4
ENV VIRTUAL_ENV=/opt/venv \
5
    PATH="/opt/venv/bin:$PATH"
6

7
RUN ["python", "-m", "venv", "/opt/venv"]
8
COPY requirements.txt ./
9
RUN ["pip", "install", "--no-cache-dir", "-r", "requirements.txt"]
10
COPY . .
11

12
# Runtime stage: copy the venv onto a clean python base, run nonroot.
13
FROM ghcr.io/quenchworks/images/python:3.13 AS runtime
14
WORKDIR /app
15
ENV VIRTUAL_ENV=/opt/venv \
16
    PATH="/opt/venv/bin:$PATH" \
17
    PYTHONUNBUFFERED=1
18
COPY --from=build /opt/venv /opt/venv
19
COPY --from=build /app /app
20
USER 1001
21
EXPOSE 8000
22
CMD ["python", "-m", "app"]

1
# Build stage: uv resolves and installs into a project venv, fast.
2
FROM ghcr.io/quenchworks/images/uv:0.11 AS build
3
WORKDIR /app
4
ENV UV_PROJECT_ENVIRONMENT=/opt/venv \
5
    UV_COMPILE_BYTECODE=1
6

7
# Install dependencies first (cached) from the lockfile, then the project.
8
COPY pyproject.toml uv.lock ./
9
RUN ["uv", "sync", "--frozen", "--no-install-project", "--no-dev"]
10
COPY . .
11
RUN ["uv", "sync", "--frozen", "--no-dev"]
12

13
FROM ghcr.io/quenchworks/images/python:3.13 AS runtime
14
WORKDIR /app
15
ENV PATH="/opt/venv/bin:$PATH" \
16
    PYTHONUNBUFFERED=1
17
COPY --from=build /opt/venv /opt/venv
18
COPY --from=build /app /app
19
USER 1001
20
EXPOSE 8000
21
CMD ["python", "-m", "app"]

1
# Build stage: Poetry installs into a venv at a known path.
2
FROM ghcr.io/quenchworks/images/poetry:2 AS build
3
WORKDIR /app
4
ENV POETRY_VIRTUALENVS_IN_PROJECT=true \
5
    POETRY_NO_INTERACTION=1
6

7
COPY pyproject.toml poetry.lock ./
8
RUN ["poetry", "install", "--only", "main", "--no-root"]
9
COPY . .
10
RUN ["poetry", "install", "--only", "main"]
11

12
FROM ghcr.io/quenchworks/images/python:3.13 AS runtime
13
WORKDIR /app
14
ENV PATH="/app/.venv/bin:$PATH" \
15
    PYTHONUNBUFFERED=1
16
COPY --from=build /app/.venv /app/.venv
17
COPY --from=build /app /app
18
USER 1001
19
EXPOSE 8000
20
CMD ["python", "-m", "app"]

What each stage does

Build. Create a virtualenv at a fixed path and install every dependency into it. This stage carries the resolver, any build backends, and the wheels’ build dependencies. Installing dependencies before copying the rest of the source keeps that layer cached when only your code changes.
Runtime. Start fresh from python:3.13, copy the venv and the app in, put the venv on the PATH, drop to uid 1001, and start. Nothing from the build toolchain ships.

Serving with a WSGI/ASGI server? Put it in the venv (gunicorn, uvicorn) and call it directly in exec form: CMD ["gunicorn", "app:app", "--bind", "0.0.0.0:8000"].
Pin by digest so each build runs exactly the base that was scanned and signed.

Edit this page on GitHub

Build a Python app

The multi-stage Dockerfile

What each stage does

Next