Add back in non root image fixes (#7781) (#7795)

* Add back in non root image fixes (#7781) * Add back in non root image fixes * Fix dockerfile * Fix perms * Add in container structure tests for the nonroot image (#7796) * feat(helm): add securityContext and pull policy values to migration job (#7652) * fix(helm): corrected indentation in migration-job.yaml * feat(helm): add securityContext and pull policy values to migration job * fix confusing save button label (#7778) * [integrations/lunary] Improve Lunary documentaiton (#7770) * update lunary doc * better title * tweaks * Update langchain.md * Update lunary_integration.md * Fix wrong URL for internal user invitation (#7762) * format * done * Update instructor tutorial (#7784) * Add in container structure tests for the nonroot image --------- Co-authored-by: Zackeus Bengtsson <32719220+Hexoplon@users.noreply.github.com> Co-authored-by: yujonglee <yujonglee.dev@gmail.com> Co-authored-by: Hugues Chocart <chocart.hugues@icloud.com> Co-authored-by: Nikolaiev Dmytro <dima.nikol.99@gmail.com> --------- Co-authored-by: Rajat Vig <rajatvig@users.noreply.github.com> Co-authored-by: Zackeus Bengtsson <32719220+Hexoplon@users.noreply.github.com> Co-authored-by: yujonglee <yujonglee.dev@gmail.com> Co-authored-by: Hugues Chocart <chocart.hugues@icloud.com> Co-authored-by: Nikolaiev Dmytro <dima.nikol.99@gmail.com>
2025-04-25 18:54:30 +00:00 · 2025-01-15 21:49:03 -08:00 · 2025-01-15 21:49:03 -08:00 · d4ed985173
commit d4ed985173
parent 80d6bbec29
4 changed files with 128 additions and 77 deletions
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@ -1387,7 +1387,8 @@ jobs:
            pwd
            ls
            python -m pytest -vv tests/otel_tests -x --junitxml=test-results/junit.xml --durations=5
-          no_output_timeout: 120m
+          no_output_timeout:
+            120m
            # Clean up first container
      - run:
          name: Stop and remove first container
@ -1524,7 +1525,8 @@ jobs:
          name: Run tests
          command: |
            python -m pytest -vv tests/basic_proxy_startup_tests -x --junitxml=test-results/junit-2.xml --durations=5
-          no_output_timeout: 120m
+          no_output_timeout:
+            120m
            # Clean up first container
      - run:
          name: Stop and remove first container
@ -1676,7 +1678,6 @@ jobs:
      - codecov/upload:
          file: ./coverage.xml

-
  publish_to_pypi:
    docker:
      - image: cimg/python:3.8
@ -1703,7 +1704,6 @@ jobs:
              circleci step halt
            fi

-
      - run:
          name: Checkout code
          command: git checkout $CIRCLE_SHA1
@ -1845,6 +1845,28 @@ jobs:
      - store_test_results:
          path: test-results

+  test_nonroot_image:
+    machine:
+      image: ubuntu-2204:2023.10.1
+    resource_class: xlarge
+    working_directory: ~/project
+    steps:
+      - checkout
+      - run:
+          name: Build Docker image
+          command: |
+            docker build -t non_root_image:latest . -f ./docker/Dockerfile.non_root
+      - run:
+          name: Install Container Structure Test
+          command: |
+            curl -LO https://github.com/GoogleContainerTools/container-structure-test/releases/download/v1.19.3/container-structure-test-linux-amd64
+            chmod +x container-structure-test-linux-amd64
+            sudo mv container-structure-test-linux-amd64 /usr/local/bin/container-structure-test
+      - run:
+          name: Run Container Structure Test
+          command: |
+            container-structure-test test --image non_root_image:latest --config docker/tests/nonroot.yaml
+
  test_bad_database_url:
    machine:
      image: ubuntu-2204:2023.10.1
@ -2086,4 +2108,3 @@ workflows:
            branches:
              only:
                - main
-      
--- a/.dockerignore
+++ b/.dockerignore
@ -9,3 +9,4 @@ tests
 .devcontainer
 *.tgz
 log.txt
+docker/Dockerfile.*
--- a/docker/Dockerfile.non_root
+++ b/docker/Dockerfile.non_root
@ -9,13 +9,16 @@ FROM $LITELLM_BUILD_IMAGE AS builder
 # Set the working directory to /app
 WORKDIR /app

+# Set the shell to bash
+SHELL ["/bin/bash", "-o", "pipefail", "-c"]
+
 # Install build dependencies
 RUN apt-get clean && apt-get update && \
    apt-get install -y gcc python3-dev && \
    rm -rf /var/lib/apt/lists/*

-RUN pip install --upgrade pip && \
-    pip install build
+RUN pip install --no-cache-dir --upgrade pip && \
+    pip install --no-cache-dir build

 # Copy the current directory contents into the container at /app
 COPY . .
@ -54,31 +57,39 @@ COPY --from=builder /wheels/ /wheels/
 RUN pip install *.whl /wheels/* --no-index --find-links=/wheels/ && rm -f *.whl && rm -rf /wheels

 # install semantic-cache [Experimental]- we need this here and not in requirements.txt because redisvl pins to pydantic 1.0
-RUN pip install redisvl==0.0.7 --no-deps
-
 # ensure pyjwt is used, not jwt
-RUN pip uninstall jwt -y
-RUN pip uninstall PyJWT -y
-RUN pip install PyJWT==2.9.0 --no-cache-dir
+RUN pip install redisvl==0.0.7 --no-deps --no-cache-dir && \
+    pip uninstall jwt -y && \
+    pip uninstall PyJWT -y && \
+    pip install PyJWT==2.9.0 --no-cache-dir

 # Build Admin UI
 RUN chmod +x docker/build_admin_ui.sh && ./docker/build_admin_ui.sh

-# Generate prisma client
-ENV PRISMA_BINARY_CACHE_DIR=/app/prisma
-RUN mkdir -p /.cache
-RUN chmod -R 777 /.cache
-RUN pip install nodejs-bin
-RUN pip install prisma
-RUN prisma generate
+### Prisma Handling for Non-Root #################################################
+# Prisma allows you to specify the binary cache directory to use
+ENV PRISMA_BINARY_CACHE_DIR=/nonexistent
+
+RUN pip install --no-cache-dir nodejs-bin prisma
+
+# Make a /non-existent folder and assign chown to nobody
+RUN mkdir -p /nonexistent && \
+    chown -R nobody:nogroup /app && \
+    chown -R nobody:nogroup /nonexistent && \
+    chown -R nobody:nogroup /usr/local/lib/python3.13/site-packages/prisma/

 RUN chmod +x docker/entrypoint.sh
 RUN chmod +x docker/prod_entrypoint.sh

+# Run Prisma generate as user = nobody
+USER nobody
+
+RUN prisma generate
+### End of Prisma Handling for Non-Root #########################################
+
 EXPOSE 4000/tcp

 # # Set your entrypoint and command
-
 ENTRYPOINT ["docker/prod_entrypoint.sh"]

 # Append "--detailed_debug" to the end of CMD to view detailed debug logs
--- a/docker/tests/nonroot.yaml
+++ b/docker/tests/nonroot.yaml
@ -0,0 +1,18 @@
+schemaVersion: 2.0.0
+
+metadataTest:
+  entrypoint: ["docker/prod_entrypoint.sh"]
+  user: "nobody"
+  workdir: "/app"
+
+fileExistenceTests:
+  - name: "Prisma Folder"
+    path: "/usr/local/lib/python3.13/site-packages/prisma/"
+    shouldExist: true
+    uid: 65534
+    gid: 65534
+  - name: "Prisma Schema"
+    path: "/usr/local/lib/python3.13/site-packages/prisma/schema.prisma"
+    shouldExist: true
+    uid: 65534
+    gid: 65534