Docker multi-stage build for slim Python images

<p>My Docker image for a FastAPI app is 2GB and takes 5 minutes to build. I need a multi-stage Dockerfile producing a slim production image, using layer caching effectively to avoid reinstalling packages on every code change.</p>

<p>Multi-stage Dockerfile with uv:</p> <div class="highlight"><pre><span></span><code><span class="k">FROM</span><span class="w"> </span><span class="s">python:3.12-slim</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="s">builder</span> <span class="k">WORKDIR</span><span class="w"> </span><span class="s">/build</span> <span class="k">COPY</span><span class="w"> </span>--from<span class="o">=</span>ghcr.io/astral-sh/uv:0.5<span class="w"> </span>/uv<span class="w"> </span>/usr/local/bin/uv <span class="k">COPY</span><span class="w"> </span>pyproject.toml<span class="w"> </span>uv.lock<span class="w"> </span>./ <span class="k">RUN</span><span class="w"> </span>uv<span class="w"> </span>sync<span class="w"> </span>--frozen<span class="w"> </span>--no-install-project<span class="w"> </span>--no-dev <span class="k">FROM</span><span class="w"> </span><span class="s">python:3.12-slim</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="s">runtime</span> <span class="k">WORKDIR</span><span class="w"> </span><span class="s">/app</span> <span class="k">COPY</span><span class="w"> </span>--from<span class="o">=</span>builder<span class="w"> </span>/build/.venv<span class="w"> </span>/app/.venv <span class="k">RUN</span><span class="w"> </span>addgroup<span class="w"> </span>--system<span class="w"> </span>app<span class="w"> </span><span class="o">&amp;&amp;</span><span class="w"> </span>adduser<span class="w"> </span>--system<span class="w"> </span>--ingroup<span class="w"> </span>app<span class="w"> </span>app <span class="k">USER</span><span class="w"> </span><span class="s">app</span> <span class="k">COPY</span><span class="w"> </span>--chown<span class="o">=</span>app:app<span class="w"> </span>.<span class="w"> </span>. <span class="k">ENV</span><span class="w"> </span><span class="nv">PATH</span><span class="o">=</span><span class="s2">"/app/.venv/bin:</span><span class="nv">$PATH</span><span class="s2">"</span><span class="w"> </span><span class="nv">PYTHONDONTWRITEBYTECODE</span><span class="o">=</span><span class="m">1</span><span class="w"> </span><span class="nv">PYTHONUNBUFFERED</span><span class="o">=</span><span class="m">1</span> <span class="k">EXPOSE</span><span class="w"> </span><span class="s">8000</span> <span class="k">CMD</span><span class="w"> </span><span class="p">[</span><span class="s2">"uvicorn"</span><span class="p">,</span><span class="w"> </span><span class="s2">"app.main:app"</span><span class="p">,</span><span class="w"> </span><span class="s2">"--host"</span><span class="p">,</span><span class="w"> </span><span class="s2">"0.0.0.0"</span><span class="p">,</span><span class="w"> </span><span class="s2">"--port"</span><span class="p">,</span><span class="w"> </span><span class="s2">"8000"</span><span class="p">]</span> </code></pre></div> <p>Key points: - Copy pyproject.toml + uv.lock before source code — cache only invalidates on dep changes - --no-install-project installs deps without the project (faster) - Multi-stage: builder can have gcc; runtime is slim - Run as non-root — reduces attack surface</p>