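# syntax=docker/dockerfile:1.4
# BuildKit: enables cache mounts (RUN --mount), COPY --chmod and better layer
# reuse.
#
# Build (this file is not named "Dockerfile", so it must be selected with -f):
#   docker build -f Dockerfile.backend -t openrag-backend .
# -----------------------------------------------------------------------------
# Stage: base (system + uv)
# -----------------------------------------------------------------------------
FROM python:3.13-slim AS base

# The uv installer below is piped into a shell.  Under the default /bin/sh a
# failed download is masked by the pipe and the build carries on with a
# half-installed toolchain (hadolint DL4006), so run every RUN under bash with
# pipefail.  SHELL is inherited by stages built FROM base (builder); the
# runtime stage starts from python:3.13-slim directly and is unaffected.
SHELL ["/bin/bash", "-o", "pipefail", "-c"]

RUN apt-get update && apt-get install -y --no-install-recommends \
        ca-certificates \
        curl \
        openssl \
    && rm -rf /var/lib/apt/lists/*

# Install uv (the project's Python dependency manager) into /root/.local/bin.
# NOTE(review): the installer is fetched unpinned from astral.sh, so two builds
# can produce different uv versions and the build trusts whatever that
# endpoint serves.  For reproducible production builds pin a uv release
# (the installer URL accepts a version path segment) or verify a checksum of
# the downloaded script before executing it.
RUN curl -LsSf https://astral.sh/uv/install.sh | sh
ENV PATH="/root/.local/bin:$PATH"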
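# -----------------------------------------------------------------------------
# Stage: builder (deps + app)
# -----------------------------------------------------------------------------
FROM base AS builder

# Build-time deps only (never reach the runtime image): git for VCS-sourced
# packages, build-essential for dependencies that compile native extensions.
RUN apt-get update && apt-get install -y --no-install-recommends \
        build-essential \
        git \
    && rm -rf /var/lib/apt/lists/*

WORKDIR /app

# Dependency layer: reused as long as pyproject.toml and uv.lock are unchanged.
#
#  --frozen                  install exactly the versions recorded in uv.lock
#                            and never re-resolve or rewrite the lockfile
#                            (errors if uv.lock is missing).  Without it a
#                            pyproject change could silently re-resolve inside
#                            the build and the image would no longer match the
#                            committed lockfile.  Use --locked instead if the
#                            build should also fail when uv.lock is stale.
#  UV_PYTHON_DOWNLOADS=never build the venv on the image's own python3.13.
#                            A uv-managed interpreter would live in uv's data
#                            directory under /root, which is not copied to the
#                            runtime stage, leaving /app/.venv pointing at an
#                            interpreter that does not exist there.
COPY pyproject.toml uv.lock ./
RUN --mount=type=cache,target=/root/.cache/uv,uid=0,gid=0 \
    UV_PYTHON_DOWNLOADS=never uv sync --frozen

# Application code and config (invalidates only when these paths change).
# securityconfig/ and cloud_securityconfig/ are copied here so that the single
# `COPY --from=builder /app /app` in the runtime stage carries everything the
# app needs.
COPY src/ ./src/
COPY flows/ ./flows/
COPY securityconfig/ ./securityconfig/
COPY cloud_securityconfig/ ./cloud_securityconfig/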
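# -----------------------------------------------------------------------------
# Stage: runtime (minimal image)
# -----------------------------------------------------------------------------
FROM python:3.13-slim AS runtime

# Runtime system packages.  gosu lets the root entrypoint drop to appuser;
# curl/ca-certificates/openssl mirror the base stage (presumably for outbound
# HTTPS from the app — confirm against the code before trimming).
# pip is upgraded in the same layer: the application does not call it, but a
# current pip avoids shipping a known-vulnerable copy in the final image.
RUN apt-get update && apt-get install -y --no-install-recommends \
        ca-certificates \
        curl \
        gosu \
        openssl \
    && rm -rf /var/lib/apt/lists/* \
    && pip install --no-cache-dir --upgrade "pip>=26.0"

# Create a non-root user/group.
# UID/GID 1000 is the conventional first non-root account and
# matches what Podman's :U volume flag maps to.
RUN groupadd --gid 1000 appuser \
    && useradd --uid 1000 --gid 1000 --no-create-home appuser

WORKDIR /app

# Copy the application, its .venv and the security configs from the builder
# stage (securityconfig/ and cloud_securityconfig/ are already inside
# builder's /app, so they are not copied a second time here).
# Ownership is set on the COPY itself rather than by a later `chown -R /app`:
# a RUN chown rewrites every file into a new layer and would roughly double
# the image size by the size of the venv.
COPY --from=builder --chown=appuser:appuser /app /app
# Executable bit set at copy time; a separate `RUN chmod` would add a layer.
COPY --chmod=0755 scripts/backend-entrypoint.sh /entrypoint.sh

ENV VIRTUAL_ENV=/app/.venv
ENV PATH="/app/.venv/bin:$PATH"

# Pre-create every directory the app writes to at runtime so they are owned
# by appuser in the image layer. When Docker/Podman mounts a host volume over
# one of these paths the mount takes precedence, but the ownership baked here
# acts as a safe default when no volume is attached (e.g. CI, unit tests).
#
# Writable paths:
#   keys/              - RSA JWT keys (private_key.pem / public_key.pem)
#   data/              - connections.json
#   config/            - config.yaml (ConfigManager runtime settings)
#   flows/backup/      - Langflow flow backups (flows/ itself is COPY'd from builder)
#   openrag-documents/ - uploaded documents staging area
#
# Only the freshly created directories and /app itself (created by WORKDIR as
# root) need a chown; everything copied above is already owned by appuser.
RUN mkdir -p keys data config flows/backup openrag-documents \
    && chown appuser:appuser /app keys data config flows/backup openrag-documents

# entrypoint.sh runs as root, re-chowns volume-mounted directories to appuser
# (belt-and-suspenders for Docker where :U is not supported), then execs the
# application as appuser via gosu.  No USER directive here on purpose: the
# privilege drop happens inside the entrypoint, so the container must not be
# started with a different entrypoint or it will run the app as root.
EXPOSE 8000
ENTRYPOINT ["/entrypoint.sh"]
CMD ["python", "src/main.py"]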