Details

Applies the same Dockerfile optimizations as #7010 (DND-171, sandbox-executor) to the opik-python-backend image — faster builds, smaller bytecode-only dependency layer, and safer gating — scoped to this server's runtime constraints.

• Image size: bytecode-compile the venv (compileall -o 2 -b, PYTHONNODEBUGRANGES=1), delete *.py/*.pyi/__pycache__, and strip pip/setuptools/wheel/ensurepip. *.dist-info is intentionally kept — opik/litellm/tiktoken read their own version via importlib.metadata at import time.
• Runtime: consolidated env into one layer — LITELLM_MODE=PRODUCTION (avoids litellm's load_dotenv() frame inspection, which breaks under a .pyc-only layout), PYTHONNODEBUGRANGES=1, PYTHONDONTWRITEBYTECODE=1. Added # syntax=docker/dockerfile:1 and stage banners.
• Toolchain: unchanged build deps (rust/cargo for native wheels) stay in the builder stage only.
• Flaky test fix (separate commit 027799d273): test_time_shift_distances::test_demo_spans_all_shifted_to_latest_trace_date asserted shifted_span_start.date() == shifted_latest_trace_end.date(). Since the shift moves the latest trace to now(), an earlier-in-day span lands a fixed delta before now — i.e. the previous calendar day whenever the run is just after UTC midnight — failing the .date() equality despite the spans being <4h apart. Now asserts the preserved gap (shifted_latest_trace_end - shifted_span_start ≤ 1 day) instead of comparing calendar dates, making it immune to the rollover. Unrelated to the Dockerfile but folded in here because it was blocking this PR's CI.

Divergence from DND-171

This image is a long-running Flask/gunicorn server (Alpine + Docker CLI), not a one-shot scorer, so two parts of the sandbox pattern do not carry over:

• Strip scope = venv site-packages only. src/ keeps its .py: optimizer_runner.py is executed as a subprocess script and config.py is read via Flask from_pyfile — deleting app source would break optimizer jobs.
• Runs as root, no selftest.sh gate. The server needs the Docker socket to spawn sandbox-executor containers, so it can't drop to the unprivileged USER 1001 the sandbox uses; the scoring selftest.sh build-gate is sandbox-specific and N/A here.

Change checklist

• User facing
• Documentation update

Issues

• Resolves DND-172
• DND-172

AI-WATERMARK

AI-WATERMARK: yes

• Tools: Claude Code
• Model(s): Claude Opus 4.8 (1M context)
• Scope: Dockerfile refactor (bytecode strip of venv, env consolidation, syntax header), flaky-test fix, and PR authoring.
• Human verification: Author built and ran the image locally (see Testing) before requesting review.

Testing

Built and verified locally with docker buildx (colima, arm64):

• docker buildx build --load apps/opik-python-backend — builds green.
• Dep imports from the .pyc-only stripped venv succeed: flask, gunicorn, docker, litellm, opik, tiktoken, redis, rq, pydantic, opentelemetry + opik.evaluation.metrics.BaseMetric → DEPS_OK. This is the main risk in the bytecode-only layout (litellm under .pyc-only), confirmed working.
• Layout assertions in the built image: venv .py=0, .pyc=10453, .pyi=0, __pycache__=0, .dist-info=129 kept; pip/setuptools stripped; src/*.py=35 kept; optimizer_runner.py present.
• test_time_shift_distances (both tests) run locally inside the same post-midnight UTC window that failed CI earlier → 2 passed; the full backend-tests run on the fix commit is green.
• Not run locally: full gunicorn boot + end-to-end request (blocks on Redis/RQ + Docker daemon wiring) — covered in CI / a real deploy.

Documentation

No documentation changes — internal build optimization only.