Skip to content

docs(python3): clarify Python version compatibility and unsafe site-p… #1961

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
kaushalacts wants to merge 3 commits into
base: main
Choose a base branch
from
+57 −1
Open

docs(python3): clarify Python version compatibility and unsafe site-p… #1961

Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
e2b87f2
docs(python3): clarify Python version compatibility and unsafe site-p…
kaushalacts Jan 4, 2026
272a9e5
docs(python3): clarify execution model and ENTRYPOINT behavior
kaushalacts Jan 4, 2026
8a46a50
Merge branch 'main' into docs/python-version-compatibility
kaushalacts Apr 20, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
58 changes: 57 additions & 1 deletion python3/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,62 @@ On debian13+ we include a pre-generated `ld.so.cache` to support user/framework

## Usage

The entrypoint of this image is set to "python", so this image expects users to supply a path to a .py file in the CMD.
This image is intended to run Python applications directly.
Copy link
Copy Markdown
Member

@loosebazooka loosebazooka May 11, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we should still call out what the entrypoint is.


See the Python [Hello World](../examples/python3/) directory for an example.

---

## ⚠️ Important Usage Notes

### Python Version Compatibility

The Python version included in distroless images is provided by the underlying
Copy link
Copy Markdown
Member

@loosebazooka loosebazooka May 11, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this section can be compressed a little, but also add in an actual recommendation:

Use matching Debian 13 build image (e.g., python:3.13-slim-trixie) to ensure library compatibility.

Debian distribution. Users must ensure that any Python packages copied into the
image were built using the **exact same Python minor version**.

❌ Unsupported / unsafe pattern

- Installing dependencies using Python 3.12 in a builder stage
- Copying `/usr/local/lib/python3.12` or site-packages into a distroless image
that uses Python 3.11

This may result in runtime errors such as:

- `SyntaxError: Non-UTF-8 code starting with '\x80'`
- `No module named <package>`
- Segmentation faults or crashes at startup

These failures are caused by ABI incompatibilities between Python versions.

---

### Recommended Usage

Distroless Python images are best suited for:

- Pure-Python applications
- Minimal dependencies
- Environments where Python version alignment is guaranteed

For applications with native extensions (e.g. numpy, pandas, torch, ML workloads),
Copy link
Copy Markdown
Member

@loosebazooka loosebazooka May 11, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think the ctypes support for the debian13 images is in much better shape. I'm not a big python user but I think numpy would work. This section seems less relevant now.

consider using `python:<version>-slim` images instead.

---

### Execution Model

### Execution Model

Distroless images do not include a shell.

The `python3` image provides a default ENTRYPOINT that invokes the Python
interpreter, which allows users to supply a script directly via `CMD`
(as demonstrated in the `examples/python3` directory).

However, for maximum clarity and to avoid ambiguity—especially in more complex
Copy link
Copy Markdown
Member

@loosebazooka loosebazooka May 11, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would refrain from making these recommendations. Distroless is it what it is, and users can decide on how they want to use it, but we certainly don't make this recommendation.

container configurations—it is often preferable to explicitly invoke the
interpreter using an absolute path:

```dockerfile
CMD ["/usr/bin/python3", "-m", "your_module"]
Copy link
Copy Markdown
Member

@loosebazooka loosebazooka May 11, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not convinced this is the right usage of CMD. It feels like it would still use the ENTRYPOINT defined in the image spec.