# Chapter 20: Containerization and Deployment

Modern Python applications rarely run on individual developer machines. They are deployed to cloud servers, auto-scaling clusters, and serverless platforms where they must handle production traffic reliably. The transition from a working Python script to a production-grade service requires containerization—a technology that packages your application with its entire runtime environment into a portable unit. This chapter guides you through containerizing Python applications with Docker, orchestrating multi-service architectures, automating deployment pipelines, and deploying to modern cloud platforms.

We will emphasize security-hardened container practices, efficient build caching, and GitOps workflows that enable teams to deploy confidently and roll back instantly when issues arise.

## 20.1 Docker Basics: Containerizing Python Applications

Docker is a platform for developing, shipping, and running applications in containers—lightweight, standalone, executable packages that include everything needed to run your code: the Python interpreter, system libraries, environment variables, and your application code. Unlike virtual machines, containers share the host OS kernel, making them extremely efficient while maintaining isolation.

### Writing Production-Grade Dockerfiles

A Dockerfile is a text document containing instructions to assemble a Docker image. For Python applications, industry standards have evolved significantly beyond simple `FROM python` instructions.

```dockerfile
# Multi-stage Dockerfile for a Python web application
# Stage 1: Builder (compiles dependencies)
FROM python:3.11-slim as builder

# Prevent Python from writing pyc files and buffering stdout
ENV PYTHONDONTWRITEBYTECODE=1 \
    PYTHONUNBUFFERED=1 \
    PIP_NO_CACHE_DIR=1 \
    PIP_DISABLE_PIP_VERSION_CHECK=1

# Install system dependencies required for compilation
RUN apt-get update && apt-get install -y --no-install-recommends \
    gcc \
    libpq-dev \
    && rm -rf /var/lib/apt/lists/*

# Create virtual environment (isolation even within container)
RUN python -m venv /opt/venv
ENV PATH="/opt/venv/bin:$PATH"

# Install Python dependencies separately for layer caching
COPY requirements.txt .
RUN pip install --upgrade pip && \
    pip install -r requirements.txt

# Stage 2: Runtime (minimal attack surface)
FROM python:3.11-slim as runtime

# Security: Create non-root user (prevent container escape vulnerabilities)
RUN groupadd -r appgroup && useradd -r -g appgroup appuser

# Install runtime dependencies only (no compilers)
RUN apt-get update && apt-get install -y --no-install-recommends \
    libpq5 \
    && rm -rf /var/lib/apt/lists/*

# Copy virtual environment from builder stage
COPY --from=builder /opt/venv /opt/venv
ENV PATH="/opt/venv/bin:$PATH"

# Set working directory
WORKDIR /app

# Copy application code (after dependencies for better caching)
COPY --chown=appuser:appgroup . .

# Switch to non-root user
USER appuser

# Health check to ensure container is actually ready
HEALTHCHECK --interval=30s --timeout=5s --start-period=5s --retries=3 \
    CMD python -c "import urllib.request; urllib.request.urlopen('http://localhost:8000/health')" || exit 1

# Expose application port
EXPOSE 8000

# Run application (using exec form for proper signal handling)
CMD ["gunicorn", "--bind", "0.0.0.0:8000", "--workers", "4", "--threads", "2", "app:application"]
```

**Key Dockerfile Best Practices Explained:**

**Multi-Stage Builds:** The `builder` stage contains compilers (`gcc`) and build tools that bloat the image and create security vulnerabilities. Only the compiled virtual environment copies to the `runtime` stage, reducing the final image size by 50-70% and eliminating build-time dependencies from production.

**Layer Caching Strategy:** Docker caches each instruction layer. By copying `requirements.txt` and installing dependencies *before* copying application code, pip install is skipped unless dependencies change—a massive time-saver during development iterations.

**Non-Root User:** Running containers as root is a critical security risk. If an attacker escapes the application, they have root access to the host. The `USER appuser` instruction ensures the application runs with minimal privileges.

**`.dockerignore` File:** Prevent bloat and security leaks by excluding files from the build context:

```dockerfile
# .dockerignore
__pycache__
*.pyc
*.pyo
*.pyd
.Python
.git
.gitignore
.env
.venv
venv/
ENV/
env/
.pytest_cache
.coverage
htmlcov/
dist/
build/
*.egg-info/
.DS_Store
*.md
!README.md  # Exception: keep README
```

### Docker Build and Run Commands

```bash
# Build the image (tag it for versioning)
docker build -t myapp:v1.0 -t myapp:latest .

# Run interactively for testing
docker run -p 8000:8000 --env-file .env myapp:latest

# Run detached (production mode)
docker run -d --name myapp_container -p 8000:8000 myapp:latest

# View logs
docker logs -f myapp_container

# Execute commands inside running container
docker exec -it myapp_container /bin/sh

# Clean up stopped containers
docker container prune
```

## 20.2 Docker Compose: Multi-Container Orchestration

Real applications rarely consist of a single container. A typical Python web application requires a PostgreSQL database, Redis cache, and possibly a Celery worker for background tasks. Docker Compose allows you to define and run multi-container Docker applications using a YAML file.

### Defining Services Architecture

```yaml
# docker-compose.yml (Development configuration)
version: "3.8"

services:
  # Application service
  web:
    build:
      context: .
      dockerfile: Dockerfile
    ports:
      - "8000:8000"
    environment:
      - DATABASE_URL=postgresql://postgres:postgres@db:5432/myapp
      - REDIS_URL=redis://redis:6379/0
      - DEBUG=1
    volumes:
      # Mount code for hot-reload during development
      - .:/app
      # Anonymous volume prevents host's .venv from overwriting container's
      - /app/.venv
    depends_on:
      db:
        condition: service_healthy
      redis:
        condition: service_started
    command: uvicorn app.main:app --host 0.0.0.0 --port 8000 --reload
    networks:
      - backend

  # PostgreSQL database
  db:
    image: postgres:15-alpine
    environment:
      POSTGRES_USER: postgres
      POSTGRES_PASSWORD: postgres
      POSTGRES_DB: myapp
    volumes:
      # Named volume for data persistence
      - postgres_data:/var/lib/postgresql/data
    ports:
      - "5432:5432"
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U postgres"]
      interval: 5s
      timeout: 5s
      retries: 5
    networks:
      - backend

  # Redis cache/queue
  redis:
    image: redis:7-alpine
    ports:
      - "6379:6379"
    volumes:
      - redis_data:/data
    networks:
      - backend

  # Background worker (Celery example)
  worker:
    build:
      context: .
      dockerfile: Dockerfile
    command: celery -A app.tasks worker --loglevel=info
    environment:
      - DATABASE_URL=postgresql://postgres:postgres@db:5432/myapp
      - REDIS_URL=redis://redis:6379/0
    depends_on:
      - db
      - redis
    volumes:
      - .:/app
    networks:
      - backend

volumes:
  postgres_data:
  redis_data:

networks:
  backend:
    driver: bridge
```

**Service Communication:** Containers on the same Docker network can communicate using service names as hostnames. The web container connects to `db:5432`, not `localhost:5432`, because each container has its own localhost.

**Volume Management:**
*   **Bind Mounts** (`./:/app`): Sync host directory with container (development only)
*   **Named Volumes** (`postgres_data`): Persistent storage managed by Docker (production data)
*   **Anonymous Volumes** (`/app/.venv`): Prevent bind mounts from overwriting container-specific directories

### Production Compose Configuration

Separate configurations prevent development tools (like hot-reload) from reaching production:

```yaml
# docker-compose.prod.yml (Production overrides)
version: "3.8"

services:
  web:
    build:
      context: .
      dockerfile: Dockerfile
      target: runtime  # Explicitly use runtime stage
    environment:
      - DEBUG=0
      - SECRET_KEY=${SECRET_KEY}  # From .env file or secrets manager
    volumes: []  # Remove bind mounts in production
    command: gunicorn app.main:app -w 4 -k uvicorn.workers.UvicornWorker --bind 0.0.0.0:8000
    restart: unless-stopped
    deploy:
      resources:
        limits:
          cpus: '1'
          memory: 512M
        reservations:
          cpus: '0.25'
          memory: 128M

  db:
    environment:
      POSTGRES_PASSWORD: ${DB_PASSWORD}  # From environment/secrets
    volumes:
      - postgres_data:/var/lib/postgresql/data
    restart: unless-stopped

  # Add reverse proxy for SSL termination
  nginx:
    image: nginx:alpine
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./nginx.conf:/etc/nginx/nginx.conf:ro
      - ./ssl:/etc/nginx/ssl:ro
    depends_on:
      - web
    restart: unless-stopped

# Use both files: docker-compose -f docker-compose.yml -f docker-compose.prod.yml up -d
```

## 20.3 CI/CD Pipelines: Automated Testing and Deployment

Continuous Integration (CI) and Continuous Deployment (CD) automate the path from code commit to production deployment. GitHub Actions has become the industry-standard platform for Python projects hosted on GitHub, offering tight integration and a marketplace of reusable workflows.

### Comprehensive GitHub Actions Workflow

```yaml
# .github/workflows/main.yml
name: CI/CD Pipeline

on:
  push:
    branches: [main, develop]
    tags: ['v*']
  pull_request:
    branches: [main]

env:
  REGISTRY: ghcr.io
  IMAGE_NAME: ${{ github.repository }}

jobs:
  # Stage 1: Code Quality and Testing
  test:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        python-version: ["3.10", "3.11", "3.12"]
    
    services:
      postgres:
        image: postgres:15
        env:
          POSTGRES_PASSWORD: postgres
          POSTGRES_DB: test_db
        options: >-
          --health-cmd pg_isready
          --health-interval 10s
          --health-timeout 5s
          --health-retries 5
        ports:
          - 5432:5432

    steps:
      - uses: actions/checkout@v4

      - name: Set up Python ${{ matrix.python-version }}
        uses: actions/setup-python@v5
        with:
          python-version: ${{ matrix.python-version }}
          cache: 'pip'

      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
          pip install -r requirements.txt
          pip install -r requirements-dev.txt

      - name: Lint with Ruff
        run: |
          ruff check .
          ruff format --check .

      - name: Type check with mypy
        run: mypy app/

      - name: Test with pytest
        env:
          DATABASE_URL: postgresql://postgres:postgres@localhost:5432/test_db
        run: |
          pytest --cov=app --cov-report=xml --cov-report=term

      - name: Upload coverage to Codecov
        uses: codecov/codecov-action@v3
        with:
          file: ./coverage.xml
          fail_ci_if_error: true

  # Stage 2: Security Scanning
  security:
    runs-on: ubuntu-latest
    needs: test
    steps:
      - uses: actions/checkout@v4
      
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'fs'
          scan-ref: '.'
          format: 'sarif'
          output: 'trivy-results.sarif'

      - name: Upload Trivy scan results
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: 'trivy-results.sarif'

  # Stage 3: Build and Push Container
  build:
    runs-on: ubuntu-latest
    needs: [test, security]
    if: github.event_name != 'pull_request'
    permissions:
      contents: read
      packages: write
    
    steps:
      - uses: actions/checkout@v4

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Log in to Container Registry
        uses: docker/login-action@v3
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Extract metadata
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
          tags: |
            type=ref,event=branch
            type=semver,pattern={{version}}
            type=sha,prefix=,suffix=,format=short

      - name: Build and push Docker image
        uses: docker/build-push-action@v5
        with:
          context: .
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          cache-from: type=gha
          cache-to: type=gha,mode=max
          platforms: linux/amd64,linux/arm64

  # Stage 4: Deploy to Staging
  deploy-staging:
    runs-on: ubuntu-latest
    needs: build
    if: github.ref == 'refs/heads/develop'
    environment:
      name: staging
      url: https://staging.example.com
    
    steps:
      - name: Deploy to Staging Server
        uses: appleboy/ssh-action@v1.0.0
        with:
          host: ${{ secrets.STAGING_HOST }}
          username: ${{ secrets.STAGING_USER }}
          key: ${{ secrets.STAGING_SSH_KEY }}
          script: |
            cd /opt/myapp
            docker pull ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:develop
            docker-compose -f docker-compose.yml -f docker-compose.prod.yml up -d
            docker system prune -f

  # Stage 5: Deploy to Production (Manual Approval)
  deploy-production:
    runs-on: ubuntu-latest
    needs: build
    if: startsWith(github.ref, 'refs/tags/v')
    environment:
      name: production
      url: https://example.com
    
    steps:
      - name: Deploy to Production
        uses: some-deployment-action@v1
        with:
          # Specific deployment logic depends on your platform
          image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.ref_name }}
```

**Pipeline Explanation:**
1.  **Matrix Testing:** Tests against Python 3.10, 3.11, and 3.12 simultaneously with a real PostgreSQL service container.
2.  **Security:** Trivy scans for known vulnerabilities in dependencies and OS packages.
3.  **Caching:** `cache: 'pip'` and `type=gha` (GitHub Actions cache) dramatically speed up builds by reusing previous layers.
4.  **Multi-architecture:** Builds for both AMD64 (Intel/AMD servers) and ARM64 (Apple Silicon, AWS Graviton) processors.
5.  **GitOps:** Production deployments trigger only on version tags (`v1.0.0`), while staging auto-deploys from the develop branch.

## 20.4 Cloud Deployment Strategies

Containerized Python applications deploy to various platforms, each offering different trade-offs between control and convenience.

### Platform-as-a-Service (PaaS)

PaaS providers manage the underlying infrastructure, allowing you to focus on code. They are ideal for web applications and APIs.

**Render** (Modern Heroku alternative):
```yaml
# render.yaml (Infrastructure as Code)
services:
  - type: web
    name: my-python-api
    runtime: python
    plan: standard
    buildCommand: "pip install -r requirements.txt"
    startCommand: "gunicorn app:app"
    envVars:
      - key: DATABASE_URL
        fromDatabase:
          name: postgres-db
          property: connectionString
      - key: PYTHON_VERSION
        value: 3.11.0

databases:
  - name: postgres-db
    plan: starter
    ipAllowList: []  # Allow access from anywhere (use with caution)
```

**Railway** (Developer-focused):
Railway automatically detects your `Dockerfile` or `Procfile` and deploys from GitHub with automatic HTTPS, environment variables management, and managed databases.

**Key PaaS Characteristics:**
*   **Git-based deployment:** Push to GitHub triggers automatic build and deploy
*   **Managed databases:** PostgreSQL/Redis with automatic backups
*   **Horizontal scaling:** Increase instance count via dashboard or CLI
*   **Zero-downtime deploys:** Health checks ensure new containers are ready before routing traffic

### Serverless: AWS Lambda with Container Images

For event-driven workloads (image processing, data transformation, APIs with sporadic traffic), AWS Lambda offers pay-per-invocation pricing. Modern Lambda supports container images up to 10GB, allowing complex ML dependencies.

```dockerfile
# Dockerfile for AWS Lambda
FROM public.ecr.aws/lambda/python:3.11

# Install dependencies
COPY requirements.txt .
RUN pip install -r requirements.txt -t ${LAMBDA_TASK_ROOT}

# Copy function code
COPY app/lambda_handler.py ${LAMBDA_TASK_ROOT}

# Set the CMD to your handler (file_name.function_name)
CMD ["lambda_handler.handler"]
```

```python
# app/lambda_handler.py
import json
import logging
from typing import Any, Dict

logger = logging.getLogger()
logger.setLevel(logging.INFO)

def handler(event: Dict[str, Any], context: Any) -> Dict[str, Any]:
    """
    AWS Lambda handler function.
    
    Args:
        event: API Gateway event or direct invocation payload
        context: Lambda runtime context (memory, time remaining, etc.)
    """
    try:
        logger.info(f"Received event: {json.dumps(event)}")
        
        # Your processing logic here
        result = process_data(event)
        
        return {
            'statusCode': 200,
            'body': json.dumps({'result': result}),
            'headers': {
                'Content-Type': 'application/json'
            }
        }
    except Exception as e:
        logger.error(f"Error processing request: {str(e)}")
        return {
            'statusCode': 500,
            'body': json.dumps({'error': 'Internal server error'})
        }

def process_data(event: Dict[str, Any]) -> str:
    """Business logic here."""
    return "processed"
```

**Deployment via AWS SAM (Serverless Application Model):**
```yaml
# template.yaml
AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31

Resources:
  PythonFunction:
    Type: AWS::Serverless::Function
    Properties:
      PackageType: Image
      ImageUri: your-ecr-repo/image:latest
      MemorySize: 1024
      Timeout: 30
      Events:
        ApiEvent:
          Type: Api
          Properties:
            Path: /process
            Method: post
```

### Kubernetes (Container Orchestration)

For large-scale applications requiring complex orchestration (auto-scaling, rolling updates, service mesh), Kubernetes is the industry standard. However, for most Python applications, managed services like AWS ECS (Elastic Container Service) or Google Cloud Run provide Kubernetes benefits without operational complexity.

```yaml
# kubernetes-deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: python-app
spec:
  replicas: 3
  selector:
    matchLabels:
      app: python-app
  template:
    metadata:
      labels:
        app: python-app
    spec:
      containers:
      - name: app
        image: myapp:v1.0
        ports:
        - containerPort: 8000
        env:
        - name: DATABASE_URL
          valueFrom:
            secretKeyRef:
              name: db-secret
              key: url
        resources:
          requests:
            memory: "256Mi"
            cpu: "250m"
          limits:
            memory: "512Mi"
            cpu: "500m"
        livenessProbe:
          httpGet:
            path: /health
            port: 8000
          initialDelaySeconds: 30
          periodSeconds: 10
```

## Summary

Containerization and deployment represent the final transformation of Python code from development artifact to running service. You have learned to build secure, optimized Docker images using **multi-stage builds** that minimize attack surfaces and image sizes. You mastered **Docker Compose** for local multi-service orchestration, including database persistence and inter-service networking.

Your **CI/CD pipeline** now automatically tests code across Python versions, scans for security vulnerabilities, builds multi-architecture container images, and deploys to staging and production environments with appropriate safeguards. You understand the landscape of deployment targets—from **PaaS** platforms like Render and Railway that optimize developer experience, to **serverless** Lambda functions for event-driven architectures, to **Kubernetes** for enterprise-scale orchestration.

With your application now running in production, performance becomes the critical concern. Slow response times and resource exhaustion directly impact user experience and infrastructure costs. The next chapter explores profiling tools, algorithmic optimization, and caching strategies that ensure your Python applications run efficiently under production load.

**Next Chapter**: Chapter 21: Performance Optimization.

<div style='width:100%; display:flex; justify-content:space-between; align-items:center; margin: 1em 0;'>
  <a href='19. dependency_management.ipynb' style='font-weight:bold; font-size:1.05em;'>&larr; Previous</a>
  <a href='../TOC.md' style='font-weight:bold; font-size:1.05em; text-align:center;'>Table of Contents</a>
  <a href='21. performance_optimization.ipynb' style='font-weight:bold; font-size:1.05em;'>Next &rarr;</a>
</div>
