Docker implementation

[Jrice1317]

Description

Summary

This PR adds Docker output support to constructor via two new opt-in flows:

Flow 1: Dockerfile generation (installer_type: docker)

Generates a multi-stage Dockerfile alongside the .sh installer and stages both
into a named output directory. No Docker CLI required — the output can be used
directly or customized before building.

Output structure:

{output_dir}/<name>-<version>-<platform>/
Dockerfile
<name>-<version>-<platform>.sh

Usage:

installer_type: docker
docker_base_image: "debian:13.4-slim@sha256:..."

The generated Dockerfile uses a two-stage build: Stage 1 runs the .sh installer
in batch mode and cleans up build artifacts (.a files, __pycache__, optionally
pkgs/). Stage 2 copies the finished environment into a clean final image and optionally initializes the shell.

Flow 2: Portable image tarball (docker_image_format: tar)

Builds a Docker image from the generated Dockerfile using docker buildx and
exports it as a portable .tar file via docker save. Requires the Docker CLI
to be installed on the host. The target platform must be Linux.

Output:

{output_dir}/<name>-<version>-<platform>-docker.tar

Usage:

docker_image_format: tar
docker_base_image: "debian:13.4-slim@sha256:..."

New schema keys

Key	Description
docker_base_image	Required for all Docker features. Base image reference.
docker_image_format	Set to tar to build and export a portable image tarball.
docker_tag	Optional tag for the built image. Defaults to name:version.
docker_labels	Additional OCI labels. title and version are set automatically.

Platform support

• Target platform must be linux-* for all Docker features.
• No host-level restriction for Dockerfile-only output.
• docker_image_format: tar additionally requires the Docker CLI on the host.

initialize_conda support

Value	Behavior
false / unset	No PATH modification, no init.
condabin	Adds PREFIX/condabin to PATH only.
true / classic	Adds PREFIX/condabin and PREFIX/bin to PATH, runs conda init --all.
classic + mamba in specs	Same as above, additionally runs mamba shell init (v1/v2 detected from resolved package version).

All cases support non-interactive docker run via ENV PATH. Interactive shells are covered by conda init --all writing to shell rc files at image build time.

Notes

• docker_image_format is designed to be extendable. Additional output formats
  (gz, zst) are mentioned in the schema but not yet implemented.
• The .sh installer is always built first and reused as the Docker build
  context, keeping the two outputs consistent.
• The feature is intended to support Dockerfile generation from any host when targeting Linux, but CI currently validates the Docker flows on Linux only because we do not yet have buildx available on macOS/Windows hosts.

Changes

New:

• constructor/docker_build.py: Handles Docker output by rendering template and optionally building portable image
• constructor/dockerfile_template.tmpl: Template used to generate Dockerfile
• examples/dockerfile/construct.yaml: Example for installer_type: docker flow
• examples/docker_image_format/construct.yaml: Example for docker_image_format: tar flow

Updated:

• constructor/_schema.py: Adds docker to installer_type and adds docker_base_image, docker_tag, docker_labels, docker_image_format
• constructor/main.py: Adds docker to installer types
• tests/test_examples.py: Adds test_dockerfile_generation and test_docker_image_build to cover both flows

Checklist - did you ...

• Add a file to the news directory (using the template) for the next release's release notes?
• Add / update necessary tests?
• Add / update outdated documentation?

[lrandersson]

@Jrice1317 I'd be happy to do a review once the items from Marco have been resolved, it'll also help me understand the changes better

[lrandersson]

Is the format <name>-<version>-<platform>-<arch> true?
From what I could see in the code it looks like:

tag = info.get("docker_tag", f"{info['name'].lower()}:{info['version']}")

[lrandersson]

Should we add explicit NotImplementedError for those values that are not yet implemented? I see in the PR it says:

(gz, zst) are defined in the schema but not yet implemented.

[Jrice1317]

Good catch!

[lrandersson]

Well done Jaida! In the future I think we should split these large PRs into smaller separate ones (to simplify review) If the comments are addressed from Marco I approve!

[marcoesters]

Good changes - a few more issues to address.

[marcoesters]

That shell initialization is still not quite right.

• We don't need the PATH manipulation if no shell has been initialized, so the entire block needs a {%- if has_conda or has_mamba %} wrapper.
• The --condabin initialization option is missing.
• I don't see the purpose of the echo command. Presumably, the installer creator skipped conda and mamba on purpose, so that information seems unnecessary.

[marcoesters]

This is very hard to read but the way I read this, conda will always be initialized. But if the installer only has mamba, that would fail.

Could we put if-conditions into their own lines instead of inlining them?

[Jrice1317]

I was following what header.sh does as you suggested. See here.

How do you suggest I handle this condition? I was trying to refrain from creating separate RUN commands, but I'm not sure what the third option is here.

[marcoesters]

Hmm, I don't know if I agree with what header.sh is doing. The initialization seems to be predicated on conda being in the installer. That's out of scope for this PR.

I also just noticed that the way this is currently written, we would see an error message on mamba v1 (you'd have to redirect stderr to /dev/null). We have some fairly complex logic here with two nested branches: the condabin branch (which adds condabin, not bin. to PATH) and the classic branch. I think Python may be the appropriate way to describe some of it instead of trying to force it into Jinja.

[marcoesters]

Alternatively, the -c option is available. While this doesn't initialize all shells, I'd be okay with punting that to another PR instead of introducing complex shell initialization template logic.

[Jrice1317]

I have a few clarifying questions:

1. For -c — are you suggesting we use -c now and defer the complex init logic (condabin, mamba v1/v2, --all) to a separate PR? Or are you suggesting we defer -c itself to a separate PR?
2. For condabin — the ENV PATH="${PREFIX}/bin:${PATH}" line in Stage 2 adds bin unconditionally, which seems wrong for condabin. Should I do something like if initialize_conda != 'condabin': <ENV_PATH_command>``, or should condabin support be deferred to a follow-up PR entirely?
3. For moving complex logic to Python — is the mamba version check and stderr redirect what you had in mind for moving to Python, or did you mean moving the entire init block out of the template?
4. For scope — when you say the init being predicated on conda is out of scope, do you mean I should remove the conda init call entirely for this PR, or condition it solely on whether _has_conda is true rather than following header.sh's assumption that conda is always present?

[marcoesters]

1. Use -c now, defer the rest to a separate PR.
2. Your assessment is correct. I don't think we should defer this since using bin for condabin is incorrect whereas using -c is just incomplete.
3. The init block since this has too many logical branches.
4. You correctly pointed out that your current solution is mimicking what the SH installer does. While I don't think the logic is correct, I think consistency with the SH installer is more important. Fixing the logic is out of scope - keep it consistent with the SH installer for this PR.

[lrandersson]

@Jrice1317 are the 2 open threads the last remaining tasks in this PR? Also let me know if you need help with rebasing, there are many changes on main since the MSI PR was merged so you have some merge conflicts at the moment, I'd probably squash all of your commits into 1 before attempting to rebase.

[lrandersson]

Well done Jaida! I'm approving because I saw you fixed the conflict. Let Marco have the final approval before merging since he has done the heavy-lifting in this review.

[marcoesters]

Some style/efficiency suggestions and one error left to fix.

[marcoesters]

Suggested change

	else:
	result = subprocess.run(
	["docker", "run", "--rm", image_name, "/bin/bash", "-c", "echo 'Hello, World!'"],
	capture_output=True,
	text=True,
	)
	assert "Hello, World!" in result.stdout
	result = subprocess.run(
	["docker", "run", "--rm", image_name, "/bin/bash", "-c", "echo 'Hello, World!'"],
	capture_output=True,
	text=True,
	)
	assert "Hello, World!" in result.stdout

Since this should work no matter the initialization level, we can remove the else.

[marcoesters]

Suggested change

	if init == "mamba_v1":
	config["specs"] += ["mamba <2.0.0"]
	else:
	config["specs"] += ["mamba"]
	if init == "mamba_v1":
	config["specs"].append("mamba <2.0.0")
	else:
	config["specs"].append("mamba >=2.0.0")

I find append more semantic. Either way, let's make sure we get mamba v2 by pinning it.

[marcoesters]

Suggested change

	ENV PATH="${PREFIX}/condabin:${PREFIX}/bin:${PATH}"
	ENV PATH="${PREFIX}/bin:${PREFIX}/condabin:${PATH}"

bin comes before condabin

[marcoesters]

Suggested change

	def _build_init_run_block(info):
	from .conda_interface import MatchSpec
	specs = {MatchSpec(spec).name for spec in info.get("specs", ())}
	has_mamba = "mamba" in specs
	has_conda = "conda" in specs
	initialize_conda = info.get("initialize_conda")
	if not (has_conda or has_mamba) or not initialize_conda or initialize_conda == "condabin":
	return ""
	run = 'RUN "${PREFIX}/bin/conda" init --all'
	if has_mamba:
	mamba_version = None
	for record in info.get("_all_pkg_records", ()):
	if record.name == "mamba":
	mamba_version = record.version
	break
	if check_version(mamba_version, min_version="2.0.0"):
	run += ' && "${PREFIX}/bin/mamba" shell init --shell bash'
	else:
	run += ' && "${PREFIX}/bin/python" -m mamba.mamba init --all'
	return run
	def _build_init_run_block(info):
	if not info.get("_has_conda"):
	return ""
	initialize_conda = info.get("initialize_conda")
	if not initialize_conda or initialize_conda == "condabin":
	return ""
	run = 'RUN "${PREFIX}/bin/conda" init --all'
	for record in info.get("_all_pkg_records", ()):
	if not record.name == "mamba":
	continue
	if check_version(record.version, min_version="2.0.0"):
	run += ' && "${PREFIX}/bin/mamba" shell init --shell bash'
	else:
	run += ' && "${PREFIX}/bin/python" -m mamba.mamba init --all'
	break
	return run

This avoids an unnecessary imports and is more efficient by returning early.

[Jrice1317]

Ah, I see, but why separate if has_conda and initialize_conda when they both return "" and we're focusing on the init?

[Jrice1317]

Should it be removed since if there is no conda, the init will fail early?

"it" being the has_conda check

[marcoesters]

That should have been if not info.get("_has_conda"), sorry. I fixed it in my suggestion.

I chose the separation to just return early. I find multiple returns that use different pieces of information easier to read than a more complex if condition.

[marcoesters]

Suggested change

	COPY --from=builder /root/.conda /root/.conda
	COPY --from=builder ${HOME}/.conda ${HOME}/.conda

Can we use $HOME here in case the base image uses a different default user?