| title | Contributing Docker guide |
|---|---|
| description | How to modify Dockerfiles, run container tests, and keep images lean. |
This guide covers the Docker development workflow for contributors who need to modify Dockerfiles, add dependencies, or debug container issues.
| Software | Minimum version |
|---|---|
| Docker Desktop or Docker Engine | 24.0+ |
| Docker Compose | v2.20+ (included with Docker Desktop) |
| Trivy (optional) | Latest |
# Build all images
docker compose build
# Build a single service
docker compose build platform
# Run container smoke tests (non-conflicting ports)
bun run docker:test
# Validate image structure (no secrets, OCI labels, size budgets)
bun run docker:test:image
# Vulnerability scan (requires trivy)
bun run docker:test:vulnerability
# Local development with hot-reload
docker compose -f compose.yml -f compose.dev.yml up --buildAll Python and Node.js images use multi-stage builds. The pattern is:
- Builder stage — Install all build dependencies, compile native packages
- Runtime stage — Copy only runtime artifacts into a clean base image
- Squash stage —
FROM scratch+COPY --from=runtime / /to flatten layers
The squash stage ensures that file deletions in cleanup steps actually reclaim disk space, rather than just adding masking layers. This keeps build tools (gcc, build-essential, libpq-dev) out of the final image.
Important: When using
FROM scratch, all ENV vars from upstream stages are lost and must be re-declared. Volume mountpoints must also be pre-created in the runtime stage before the squash.
Order your COPY and RUN instructions from least-frequently-changed to most-frequently-changed:
# Good: dependencies change less often than application code
COPY pyproject.toml .
RUN uv pip install --system --no-cache-dir .
COPY app/ ./app/Always use --no-cache-dir (pip/uv) and --no-install-recommends (apt-get):
RUN apt-get update && apt-get install -y --no-install-recommends curl \
&& rm -rf /var/lib/apt/lists/*
RUN uv pip install --system --no-cache-dir .Every Dockerfile must include a version label:
ARG VERSION=dev
LABEL org.opencontainers.image.version="${VERSION}"Every Dockerfile must include a HEALTHCHECK instruction:
HEALTHCHECK --interval=30s --timeout=10s --start-period=40s --retries=3 \
CMD curl -f http://localhost:8001/health || exit 1Each image has a size budget. CI will fail if an image exceeds its budget.
| Service | Budget | Current |
|---|---|---|
| Crawler | 2,100 MB | ~1,850 MB |
| RAG | 600 MB | ~515 MB |
| Platform | 2,900 MB | ~2,580 MB |
| DB | 1,200 MB | ~1,060 MB |
| Proxy | 100 MB | ~88 MB |
- Adding a new Python dependency — Check if it pulls in large transitive deps
- Adding apt packages — Use
--no-install-recommendsand clean up afterwards - Forgetting to strip in builder — Remove
__pycache__,.pyc, test dirs,.sodebug symbols - Not using multi-stage — Build tools must stay in the builder stage
# Check what's taking space in an image
docker run --rm -it <image> du -sh /* 2>/dev/null | sort -rh | head -20
# Check Python packages
docker run --rm <image> pip list 2>/dev/null || \
docker run --rm <image> python -c "import pkg_resources; [print(f'{p.key}: {p.location}') for p in pkg_resources.working_set]"
# Dive: visual layer analysis
# Install: https://github.com/wagoodman/dive
dive <image>bun run docker:testThis runs tests/container-smoke-test.sh which:
- Builds all 5 images
- Starts services on non-conflicting ports (15432, 18001, 18002, etc.)
- Waits for health checks
- Validates HTTP endpoints
- Tests inter-service connectivity
- Tears down everything (including volumes)
bun run docker:test:imageChecks each image for:
- OCI
org.opencontainers.image.versionlabel - Non-root user (required for platform)
- No secrets baked into image env or filesystem
HEALTHCHECKinstruction present- Image size within budget
bun run docker:test:vulnerabilityRuns Trivy against each image. Reports are saved to trivy-reports/.
To suppress a known false positive, add the CVE ID to .trivyignore:
CVE-2023-12345 # false positive: function not reachable
graph LR
A["Detect changes"] --> B["Build images"]
A --> C["Smoke test"]
A --> D["Image validation"]
A --> E["Vulnerability scan (non-blocking)"]
graph LR
A["Prepare version"] --> B["Build + push (amd64 + arm64)"]
B --> C["Container test gate"]
C --> D["Create manifests"]
D --> E["Trigger CLI build"]
The container test gate pulls the just-pushed images and runs smoke tests + image validation before manifests are created.
Docker BuildKit cache corruption. Fix:
docker builder prune -fUse compose.test.yml which maps to non-conflicting ports:
docker compose -f compose.yml -f compose.test.yml --env-file .env.test -p tale-test up -dIf a package is installed in the builder but not available in the runtime stage, check that:
- You're copying from the correct path:
COPY --from=builder /usr/local/lib/python3.11/site-packages ... - The package's
.dist-infoisn't being removed if something depends on metadata at runtime - The strip step isn't removing required
.sofiles
If a module is missing after the pruner stage, check:
- Whether it's listed in
dependencies(notdevDependencies) inpackage.json - Whether the pruner step explicitly removes it in the
rm -rflist