Improve quality of helix Dockerfiles #869

Open

Description

There are opportunities to improve the helix Dockerfiles.

  • Make the Dockerfiles non-root: The Dockerfiles define a non-root user, but install sudo and give that user sudoer permissions. That means that the resultant container images are effectively root images. That's not great.
  • Base on runtime-deps: We already have official images for running .NET code in containers w/baseline dependencies. We should use them and not guess. Where we don't have the correct runtime-deps image, we should ask for one.
  • Limit dependencies: This Alma Dockerfile works so why does this Debian Dockerfile install so many packages? We should define the min set and stick to that.
  • Use Python idiomatically: There are multiple opportunities to improve how we use Python. Those are listed later.

Opportunities to improve Python use:

  • Install pip one way: First, we install pip via apt, then install pip via curl, and then upgrade pip via pip.
  • Adopt venv: venv seems to have replaced virtualenv for most use cases. venv comes with Python. In the case of Debian, we can install it via python3-venv in recent Debian versions. Also, if you use venv, you don't need to separately install pip.
  • Use the standard directory for venv: The venv docs suggest that env is the default name. We are using .vsts-env. Is that to align with scripts that are run in multiple environments?
  • Install packages via venv: This approach will enable us to stop using --break-system-packages.

Related issues:
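
Added example, not part of the original issue and not code from the helix project: a small heuristic lint that flags the patterns the issue lists (sudo granted to the "non-root" user, a base image other than runtime-deps, pip installed several ways, virtualenv, `--break-system-packages`). Both Dockerfiles are constructed samples; the user name `helixbot`, the `<tag>` placeholder, the `/opt/env` path and the finding ids are assumptions made for illustration.

```python
import re
# Constructed samples (not real helix Dockerfiles); "helixbot" and <tag> are placeholders.
BEFORE = r"""
FROM debian:12
RUN apt-get update && apt-get install -y sudo curl python3 python3-pip \
    && curl -sSL https://bootstrap.pypa.io/get-pip.py -o get-pip.py \
    && python3 get-pip.py --break-system-packages \
    && python3 -m pip install --upgrade pip --break-system-packages
RUN useradd --create-home helixbot \
    && echo "helixbot ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers
USER helixbot
RUN python3 -m pip install virtualenv --break-system-packages
"""
AFTER = r"""
FROM mcr.microsoft.com/dotnet/runtime-deps:<tag>
RUN apt-get update && apt-get install -y --no-install-recommends python3 python3-venv \
    && python3 -m venv /opt/env && useradd --create-home helixbot
USER helixbot
"""
CHECKS = (  # (finding id, pattern searched in each RUN instruction)
    ("sudo-makes-user-root", r"\binstall\b.*\bsudo\b|sudoers"),
    ("break-system-packages", r"--break-system-packages"),
    ("virtualenv-not-venv", r"\bvirtualenv\b"),
)
PIP_WAYS = (r"python3-pip\b", r"get-pip\.py", r"pip3?\s+install\s+(--upgrade|-U)\s+pip\b")

def instructions(text):
    """Join backslash continuations, then yield (KEYWORD, arguments) per instruction."""
    for line in re.sub(r"\\\s*\n", " ", text).splitlines():
        keyword, _, args = line.strip().partition(" ")
        if keyword and not keyword.startswith("#"):
            yield keyword.upper(), args.strip()

def audit(text):
    """Return sorted finding ids; only the final build stage's base and user count."""
    found, pip_ways, user, base = set(), set(), "root", ""
    for keyword, args in instructions(text):
        if keyword == "FROM":
            base, user = args, "root"  # every stage starts as root
        elif keyword == "USER":
            user = args.split(":")[0]
        elif keyword == "RUN":
            found.update(fid for fid, pat in CHECKS if re.search(pat, args))
            pip_ways.update(p for p in PIP_WAYS if re.search(p, args))
    extra = (("final-user-is-root", user in ("root", "0")),
             ("base-not-runtime-deps", "runtime-deps" not in base),
             ("pip-installed-multiple-ways", len(pip_ways) > 1))
    return sorted(found | {fid for fid, hit in extra if hit})
```

`audit(BEFORE)` does not report `final-user-is-root` because a `USER` line is present; the sudo finding is what exposes the image as effectively root, which is the issue's first point.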
