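# syntax=docker/dockerfile:1
# Build stage: install Rust, Poetry and the Python dependencies into the system
# Python so the final stage can copy site-packages without any build tooling.
# NOTE(review): `python:3.12-slim-bookworm` is a floating tag (it moves on every
# upstream rebuild). For a reproducible, auditable image pin BOTH stages to the
# same digest, e.g. `python:3.12-slim-bookworm@sha256:<digest>`; the compiled
# extensions built here are linked against this image's libc/OpenSSL, so the
# two stages must never resolve to different images.
FROM python:3.12-slim-bookworm AS builder

# Poetry is driven entirely through its environment variables: fixed version,
# no prompts, no virtualenv (install straight into the system site-packages
# that the final stage copies). POETRY_VERSION is honoured by the official
# installer invoked below, so Poetry itself is pinned.
ENV PYTHONUNBUFFERED=1 \
    PYTHONDONTWRITEBYTECODE=1 \
    POETRY_VERSION=2.1.3 \
    POETRY_HOME="/opt/poetry" \
    POETRY_VIRTUALENVS_IN_PROJECT=false \
    POETRY_VIRTUALENVS_CREATE=false \
    POETRY_NO_INTERACTION=1 \
    POETRY_CACHE_DIR="/opt/poetry/cache"
# Separate ENV: PATH cannot reference POETRY_HOME from the same instruction.
ENV PATH="$POETRY_HOME/bin:$PATH"

# The `curl | sh` pipelines below must fail the build when curl fails instead
# of executing whatever partial output reached the shell; the default
# `/bin/sh -c` only reports the status of the last command in a pipe.
SHELL ["/bin/bash", "-o", "pipefail", "-c"]

# Build-time system packages only (none of this reaches the final stage).
# `apt-get upgrade` picks up security fixes published after the base image was
# built; hadolint DL3005 prefers bumping the base tag/digest instead, and both
# stages do the same so they stay in step. --no-install-recommends keeps the
# toolchain (and its CVE surface) minimal; ca-certificates is what lets curl
# validate the HTTPS endpoints used below.
RUN apt-get update && \
    apt-get upgrade -y && \
    apt-get install -y --no-install-recommends \
        build-essential \
        ca-certificates \
        curl && \
    apt-get clean && \
    rm -rf /var/lib/apt/lists/*

# Rust toolchain (for Python packages that ship Rust extensions without a
# prebuilt wheel for this platform) and Poetry.
# Supply-chain caveat: both installers are fetched over TLS and executed
# without an independent integrity check. TLS authenticates the origin, not
# the content; to go further, vendor the installer scripts (or fetch them with
# `ADD --checksum=sha256:...`) and verify before running them.
# RUST_TOOLCHAIN defaults to rustup's own default; pass an exact version
# (`--build-arg RUST_TOOLCHAIN=1.xx.y`) for a reproducible Rust build.
# `--profile minimal` skips rust-docs/clippy/rustfmt, which a build container
# never uses; cargo and rustc are still installed.
ARG RUST_TOOLCHAIN=stable
RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs \
        | sh -s -- -y --profile minimal --default-toolchain "${RUST_TOOLCHAIN}" && \
    curl --proto '=https' --tlsv1.2 -sSf https://install.python-poetry.org \
        | python3 -
# Sourcing cargo/env would only affect the shell above; export PATH for the
# rest of the stage instead.
ENV PATH="/root/.cargo/bin:${PATH}"

WORKDIR /app

# CACHE_BUST: Poetry files moved to project root (Issue #501)
# Changing this ARG's value invalidates every layer after it.
ARG POETRY_ROOT_MIGRATION=20251027

# Dependency manifests first so the slow dependency layers are reused until
# the lockfile changes (Poetry config lives at the project root, not backend/).
COPY pyproject.toml poetry.lock ./

# CPU-only PyTorch first so nothing later drags in the CUDA build (~6GB).
# torch 2.6.0+cpu exists for x86_64 and arm64; torchvision has no +cpu build,
# so the regular wheel is used (its `torch==2.6.0` requirement is satisfied by
# the installed local build, as PEP 440 ignores local labels when matching).
# The pip cache sits in a BuildKit cache mount, which never ends up in a
# layer, so pip's cache is left enabled (adding --no-cache-dir would defeat
# the mount).
RUN --mount=type=cache,target=/root/.cache/pip \
    pip install \
        torch==2.6.0+cpu \
        --index-url https://download.pytorch.org/whl/cpu && \
    pip install torchvision==0.21.0

# Make the CPU index a fallback for every later pip call in this stage so a
# transitive `torch` requirement resolves to the installed CPU build rather
# than the CUDA wheel from PyPI.
# Supply-chain note: pip treats all indexes as equal and takes the highest
# version it finds across them, so an extra index is a dependency-confusion
# vector in general. This one is first-party PyTorch and is written to the
# root user's pip.conf, which the final stage does not copy — keep it that way.
# Whether Poetry reads pip.conf at all is not something this file establishes;
# TODO confirm, otherwise this setting only protects the pip calls below.
RUN pip config set global.extra-index-url https://download.pytorch.org/whl/cpu

# docling is installed with --no-deps ahead of Poetry so its dependency tree
# cannot reintroduce CUDA torch. This step bypasses poetry.lock: the version
# and hashes Poetry would enforce are not applied here. Pin it to the locked
# version (`--build-arg DOCLING_VERSION=x.y.z`) instead of taking whatever
# PyPI serves at build time; the empty default keeps the previous behaviour.
ARG DOCLING_VERSION=""
RUN --mount=type=cache,target=/root/.cache/pip \
    pip install --no-deps "docling${DOCLING_VERSION:+==${DOCLING_VERSION}}"

# Everything else via Poetry, honouring poetry.lock:
# - `--only main` skips non-main dependency groups
# - `--no-root` does not install the project itself
# The pre-installed torch/torchvision/docling are left alone only while the
# installed versions satisfy the lock; if they do not, Poetry would presumably
# reconcile them to the locked versions — check the build log if a CUDA torch
# ever reappears.
# The Poetry cache mount must match POETRY_CACHE_DIR above (the previous
# target, /root/.cache/pypoetry, was never used because POETRY_CACHE_DIR points
# elsewhere); with the mount in the right place Poetry's cache is left enabled.
RUN --mount=type=cache,target=/root/.cache/pip \
    --mount=type=cache,target=/opt/poetry/cache \
    poetry install --only main --no-root

# Trim the system Python install before it is copied into the final stage.
# All four steps are best-effort (`|| true` masks failures).
# Caveat: deleting every directory named `tests` and every *.egg-info under
# /usr/local is blunt — egg-info is a package's installed metadata, and
# removing it can break importlib.metadata / `pip list` for that package. If a
# dependency misbehaves at runtime, suspect this step first.
RUN find /usr/local -name "*.pyc" -delete && \
    find /usr/local -name "__pycache__" -type d -exec rm -rf {} + 2>/dev/null || true && \
    find /usr/local -name "tests" -type d -exec rm -rf {} + 2>/dev/null || true && \
    find /usr/local -name "*.egg-info" -type d -exec rm -rf {} + 2>/dev/null || true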
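# Final stage - clean runtime: no compiler, no Rust, no Poetry; only the
# system site-packages built above plus the application sources.
# Pin this FROM to the same digest as the builder stage when pinning: the
# copied site-packages contain compiled extensions linked against that image's
# libc/OpenSSL, so the two stages must not drift apart.
FROM python:3.12-slim-bookworm

# CACHE_BUST: Poetry files moved to project root (Issue #501)
# Changing this ARG's value invalidates every layer of this stage after it.
ARG POETRY_ROOT_MIGRATION=20251027

# Apply security updates published after the base image was built (hadolint
# DL3005 prefers a base-image bump; done here to match the builder stage).
RUN apt-get update && \
    apt-get upgrade -y && \
    apt-get clean && \
    rm -rf /var/lib/apt/lists/*

WORKDIR /app

# Runtime identity: fixed UID/GID so runtime policies (Kubernetes
# runAsNonRoot/runAsUser) can pin and verify it; no home directory and no
# login shell, since nothing in this image needs an interactive account.
# NOTE(review): HOME resolves to /nonexistent, so anything that writes to
# $HOME at run time (tool or model caches) will fail unless pointed at a
# writable path — TODO confirm none of the copied packages do that.
# Created before the COPYs so files can be owned by this user as they are
# copied, instead of a trailing `chown -R` that duplicates every file in a
# second layer. /app and /app/logs are owned by the runtime user; logs is
# 0750 rather than 0777 because the only writer is this UID (if the runtime
# overrides the UID, mount a volume for logs instead of opening the mode).
RUN groupadd --gid 10001 backend && \
    useradd --uid 10001 --gid 10001 --no-create-home --home-dir /nonexistent \
        --shell /usr/sbin/nologin backend && \
    mkdir -p /app/logs && \
    chown 10001:10001 /app /app/logs && \
    chmod 0755 /app && \
    chmod 0750 /app/logs

# Python packages and console scripts (uvicorn, ...) from the builder. pip is
# carried along with /usr/local/bin; it is not needed at run time and could
# be dropped to shrink the attack surface — left in place because this file
# does not show whether anything relies on it.
COPY --from=builder /usr/local/lib/python3.12/site-packages /usr/local/lib/python3.12/site-packages
COPY --from=builder /usr/local/bin /usr/local/bin

# Application files, owned by the runtime user with mode 0755 (the mode the
# previous blanket `chmod -R 755 /app` produced), applied at copy time so no
# extra layer is needed. Only the listed backend/ paths are shipped.
# Poetry manifests come from the project root (moved from backend/ in Issue #501).
COPY --chown=10001:10001 --chmod=755 pyproject.toml poetry.lock ./
COPY --chown=10001:10001 --chmod=755 backend/main.py backend/healthcheck.py ./
COPY --chown=10001:10001 --chmod=755 backend/rag_solution/ ./rag_solution/
COPY --chown=10001:10001 --chmod=755 backend/auth/ ./auth/
COPY --chown=10001:10001 --chmod=755 backend/core/ ./core/
COPY --chown=10001:10001 --chmod=755 backend/cli/ ./cli/
COPY --chown=10001:10001 --chmod=755 backend/vectordbs/ ./vectordbs/

# Runtime environment. PYTHONPATH lists the import roots the code expects;
# PYTHONUNBUFFERED makes log output reach the container runtime immediately
# (the builder stage already set it, the runtime stage did not).
ENV PYTHONPATH=/app:/app/vectordbs:/app/rag_solution:/app/core \
    PYTHONUNBUFFERED=1 \
    CONTAINER_ENV=1

# Everything from here on runs unprivileged; no RUN step follows.
USER backend

# Documentation only (publishing is the runtime's job). 8000 is an
# unprivileged port, so the non-root user can bind it without capabilities.
EXPOSE 8000

# NOTE(review): backend/healthcheck.py is shipped but no HEALTHCHECK uses it.
# If it exits non-zero when the service is unhealthy, a
# `HEALTHCHECK --interval=30s --timeout=5s --start-period=30s CMD ["python", "healthcheck.py"]`
# would let orchestrators restart a wedged container — TODO confirm its contract.

# Exec form: uvicorn is PID 1 and receives SIGTERM directly on `docker stop`.
CMD ["uvicorn", "main:app", "--host", "0.0.0.0", "--port", "8000"]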