Summary

The final stage in the Snuba Dockerfile (testing stage), which is also used as the runtime image for self-hosted deployments, copies the Rust toolchain back into the image:

COPY --from=build_rust_snuba /root/.cargo/ /root/.cargo/
COPY --from=build_rust_snuba /root/.rustup/ /root/.rustup/

This reintroduces ~800MB–1.5GB of Rust toolchain files into the final image, even though the Rust wheel is already built and installed (uv pip install /tmp/rust_wheels/*).

Why This Is a Problem

For self-hosted users (including self-hosted 25.9.0):

The runtime Snuba container does not need the Rust toolchain

It significantly increases disk usage and image pull size

The testing stage is being used as the production runtime image

Expected Behavior

There should be a runtime-only final stage that:

installs the built wheel,

does not include .rustup or .cargo,

does not reinstall any Rust toolchain.

Suggested Fix

Introduce a separate production stage, e.g.:

FROM application_base AS runtime
COPY --from=build_rust_snuba /usr/src/snuba/rust_snuba/target/wheels/ /tmp/rust_wheels/
RUN uv pip install /tmp/rust_wheels/* && rm -rf /tmp/rust_wheels/
USER snuba

And only include the Rust toolchain in the testing stage used for CI, not production.

Environment

Sentry self-hosted version: 25.9.0

Snuba container source: ghcr.io/getsentry/snuba:25.9.0

Impact

Reducing the image size from ~1.5GB → ~450MB improves:

• production deployments
• CI/CD registry storage
• bandwidth footprint
• container startup performance