agent/Dockerfile.sandbox.python at main · superblocksteam/agent · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
# syntax=docker/dockerfile:1.9.0

# Python sandbox for ephemeral worker
# Executes Python scripts in a sandboxed gRPC server

FROM ghcr.io/superblocksteam/python:3.10.20-slim-trixie AS builder

WORKDIR /build

# Install build tools needed to compile C extensions (psutil, cvxpy, numpy, etc.)
RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
    --mount=type=cache,target=/var/lib/apt/lists,sharing=locked \
    apt-get update && apt-get install -y --no-install-recommends \
    cmake \
    g++ \
    gcc \
    libopenblas-dev \
    linux-libc-dev \
    python3-dev

# Install Python dependencies (C extensions compiled here)
COPY workers/ephemeral/python-sandbox/requirements.txt .
RUN --mount=type=cache,target=/root/.cache/pip pip install -r requirements.txt

# Runtime stage — clean base without build tools
FROM ghcr.io/superblocksteam/python:3.10.20-slim-trixie

# Install only the runtime libraries that compiled extensions link against
RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
    --mount=type=cache,target=/var/lib/apt/lists,sharing=locked \
    apt-get update && apt-get install -y --no-install-recommends \
    libopenblas0 \
    && rm -rf /var/lib/apt/lists/*

WORKDIR /app

# Copy pre-built Python packages from the builder
ARG PYTHON_MINOR=3.10
COPY --from=builder /usr/local/lib/python${PYTHON_MINOR}/site-packages /usr/local/lib/python${PYTHON_MINOR}/site-packages
COPY --from=builder /usr/local/bin /usr/local/bin

# Copy sandbox-specific source files
COPY workers/ephemeral/python-sandbox/main.py ./
COPY workers/ephemeral/python-sandbox/src ./src

# Copy generated protobuf types
COPY workers/ephemeral/python-sandbox/gen ./gen

ENV PYTHONPATH=/app/gen:/app
ENV SUPERBLOCKS_WORKER_SANDBOX_EXECUTOR_TRANSPORT_GRPC_PORT=50051

EXPOSE 50051

CMD ["python", "main.py"]