
python-container

Create Python Dockerfiles using Optum golden images and the standard multi-stage build pattern. Use when asked to author or update Dockerfiles for Python services that must comply with Optum golden image standards.

active
IDE: claude, codex, vscode
Version: 1.0.0
Owner: pcorazao
docker, golden-image, containerization, podman

Python Container (Optum Golden Images)

Use this skill when the user wants a Dockerfile for a Python app that must follow Optum golden image standards.

Workflow

  1. Confirm the app entrypoint, port, and dependency file (usually requirements.txt).
  2. Determine the current supported Python image tags before choosing a build and runtime base image.
  3. Start from the Optum golden images:
    • Default floating tags:
      • Build stage: edgeinternal1uhg.optum.com:443/glb-docker-uhg-loc/uhg-goldenimages/python:3.14-latest-dev
      • Runtime stage: edgeinternal1uhg.optum.com:443/glb-docker-uhg-loc/uhg-goldenimages/python:3.14-latest
    • When you need to pin to the current supported Python major.minor, use the discovery steps below and prefer versioned tags such as python:3.14-latest-dev and python:3.14-latest.
  4. Use multi-stage build, install deps with pip --user in builder, and copy /home/nonroot/.local into runtime.
  5. Set WORKDIR /app, copy app code, and set ENV PATH=/home/nonroot/.local/bin:$PATH.
  6. Run as the default non-root user in the golden image (avoid USER root).
  7. Add EXPOSE and ENTRYPOINT/CMD based on the app’s server.
  8. Optional: add a healthcheck if the service exposes a simple HTTP endpoint.
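
The workflow above written out as a Dockerfile. This is an added illustration, not the skill's templates/Dockerfile.template; the app.py entrypoint, port 8000, and the /healthz endpoint are assumptions standing in for the values confirmed in step 1.

```dockerfile
# Added example, not the skill's templates/Dockerfile.template.
# Assumed (not from the page): app.py entrypoint, port 8000, /healthz endpoint.

# ---- Build stage: -dev golden image, used only to install dependencies ----
FROM edgeinternal1uhg.optum.com:443/glb-docker-uhg-loc/uhg-goldenimages/python:3.14-latest-dev AS builder
WORKDIR /app
COPY requirements.txt .
# --user installs into /home/nonroot/.local, so the build never needs root
RUN pip install --no-cache-dir --user -r requirements.txt

# ---- Runtime stage: only installed packages and app code are copied in ----
FROM edgeinternal1uhg.optum.com:443/glb-docker-uhg-loc/uhg-goldenimages/python:3.14-latest
WORKDIR /app
# Nothing else from the builder (pip cache, build artifacts) reaches this image
COPY --from=builder /home/nonroot/.local /home/nonroot/.local
COPY app.py .
ENV PATH=/home/nonroot/.local/bin:$PATH

# No USER instruction: the golden image already defaults to its non-root user
EXPOSE 8000

# Optional (step 8). Uses the interpreter rather than curl, on the assumption
# that the runtime image may not ship curl. Podman builds in OCI format ignore
# HEALTHCHECK unless built with --format docker.
HEALTHCHECK --interval=30s --timeout=3s \
  CMD ["python", "-c", "import urllib.request; urllib.request.urlopen('http://127.0.0.1:8000/healthz', timeout=2)"]

ENTRYPOINT ["python", "app.py"]
```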

Find Latest Python Image Version

Use the scripts in scripts/ to inspect the Golden Image Navigator API directly.

  1. Run scripts/01-python-product.sh to list supported Python versions.
  2. Choose the highest supported concrete version instead of relying on search=python.
  3. Use the matching concrete image scripts to verify the exact runtime and build tags:
    • scripts/02-python-image-3.14-latest.sh
    • scripts/03-python-image-3.14-latest-dev.sh
    • scripts/08-python-image-3.13-latest.sh
    • scripts/09-python-image-3.13-latest-dev.sh
  4. Use the floating tag scripts only when you explicitly want the tracked aliases:
    • scripts/04-python-image-latest.sh
    • scripts/05-python-image-latest-dev.sh
  5. Run scripts/06-python-image-3.14-slim-latest.sh only as a support check. The current API response shows that tag as unsupported, so it should not be used as a runtime base.
  6. Run scripts/07-python-image-search.sh only for exploration. It is useful for discovering the current tag set, but the product endpoint is the authoritative source for picking the latest supported concrete version.

Current API behavior discovered from these scripts:

  • /api/products/python returns supported versions 3.14, 3.13, 3.12, 3.11, 3.10, and latest.
  • The highest supported concrete Python version is currently 3.14.
  • The concrete tags currently verified are 3.14-latest and 3.14-latest-dev.
  • The floating aliases latest and latest-dev are tracked tags, but they are separate API entries from 3.14-latest and 3.14-latest-dev.
  • The current python:3.14-slim-latest endpoint responds, but it is marked is_supported: false with image_status: UNKNOWN, so do not select it.

Recommended selection flow:

  1. Query /api/products/python.
  2. Pick the highest supported non-latest version.
  3. Use <version>-latest for runtime and <version>-latest-dev for the build stage.
  4. Treat slim variants as opt-in only after confirming they are supported for the selected version.

Template

Use templates/Dockerfile.template as the starting point and adjust:

  • files copied into /app
  • port and entrypoint
  • dependency install command if not using pip install --user -r requirements.txt
  • healthcheck (include only if the user asks or if a clear endpoint exists)

References

  • ../../instructions/docker.instructions.md
  • ../../instructions/optum-golden-containers.instructions.md
