fix non root docker image (#6744)

Signed-off-by: Rajat Vig <rvig@etsy.com>
2024-11-14 16:16:18 +00:00 · 2024-11-14 16:16:18 +00:00 · 320032deed
commit 320032deed
parent 0892975434
2 changed files with 23 additions and 16 deletions
--- a/.dockerignore
+++ b/.dockerignore
@ -9,3 +9,4 @@ tests
 .devcontainer
 *.tgz
 log.txt
 docker/Dockerfile.*
--- a/docker/Dockerfile.non_root
+++ b/docker/Dockerfile.non_root
@ -9,13 +9,16 @@ FROM $LITELLM_BUILD_IMAGE AS builder
 # Set the working directory to /app
 WORKDIR /app
 # Set the shell to bash
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 # Install build dependencies
 RUN apt-get clean && apt-get update && \
    apt-get install -y gcc python3-dev && \
    rm -rf /var/lib/apt/lists/*
-RUN pip install --upgrade pip && \
+RUN pip install --no-cache-dir --upgrade pip && \
-    pip install build
+    pip install --no-cache-dir build
 # Copy the current directory contents into the container at /app
 COPY . .
@ -39,7 +42,7 @@ RUN pip wheel --no-cache-dir --wheel-dir=/wheels/ -r requirements.txt
 FROM $LITELLM_RUNTIME_IMAGE AS runtime
 # Update dependencies and clean up - handles debian security issue
-RUN apt-get update && apt-get upgrade -y && rm -rf /var/lib/apt/lists/* 
+RUN apt-get update && apt-get upgrade -y && rm -rf /var/lib/apt/lists/*
 WORKDIR /app
 # Copy the current directory contents into the container at /app
@ -53,42 +56,45 @@ COPY --from=builder /wheels/ /wheels/
 # Install the built wheel using pip; again using a wildcard if it's the only file
 RUN pip install *.whl /wheels/* --no-index --find-links=/wheels/ && rm -f *.whl && rm -rf /wheels
-# install semantic-cache [Experimental]- we need this here and not in requirements.txt because redisvl pins to pydantic 1.0 
+# install semantic-cache [Experimental]- we need this here and not in requirements.txt because redisvl pins to pydantic 1.0
 RUN pip install redisvl==0.0.7 --no-deps
 # ensure pyjwt is used, not jwt
-RUN pip uninstall jwt -y
+RUN pip uninstall jwt -y && \
-RUN pip uninstall PyJWT -y
+    pip uninstall PyJWT -y && \
-RUN pip install PyJWT==2.9.0 --no-cache-dir
+    pip install PyJWT==2.9.0 --no-cache-dir
 # Build Admin UI
 RUN chmod +x docker/build_admin_ui.sh && ./docker/build_admin_ui.sh
 ### Prisma Handling for Non-Root #################################################
-# Prisma allows you to specify the binary cache directory to use 
+# Prisma allows you to specify the binary cache directory to use
-ENV PRISMA_BINARY_CACHE_DIR=/app/prisma
+ENV PRISMA_BINARY_CACHE_DIR=/nonexistent
 # Set the TMPDIR environment variable, when this does not exist prisma raises "Error: ENOENT: no such file or directory, lstat '/var/folders'""
-ENV TMPDIR=/tmp 
+ENV TMPDIR=/tmp
 RUN mkdir -p /tmp && chmod 1777 /tmp
 RUN pip install nodejs-bin
 RUN pip install prisma
 # Make a /non-existent folder and assign chown to nobody
-RUN mkdir -p /nonexistent && chown -R nobody:nogroup /nonexistent
+RUN mkdir -p /nonexistent && \
    chown -R nobody:nogroup /nonexistent && \
    chown -R nobody:nogroup /usr/local/lib/python3.11/site-packages/prisma/
 RUN chmod +x docker/entrypoint.sh
 # Run Prisma generate as user = nobody
 USER nobody
 RUN pip install --no-cache-dir nodejs-bin prisma
 RUN prisma generate
 ### End of Prisma Handling for Non-Root #########################################
-USER root
+
 EXPOSE 4000/tcp
 # # Set your entrypoint and command
 ENTRYPOINT ["litellm"]
-# Append "--detailed_debug" to the end of CMD to view detailed debug logs 
+# Append "--detailed_debug" to the end of CMD to view detailed debug logs
 # CMD ["--port", "4000", "--detailed_debug"]
 CMD ["--port", "4000"]