Merge pull request #5306 from BerriAI/litellm_fix_docker-permission_issue

[Fix Docker] Maintain separate docker image for running as non-root user
2024-08-20 16:15:43 -07:00 · 2024-08-20 16:15:43 -07:00 · 9ac1b639bc
commit 9ac1b639bc
parent 5f565806bd 48eb4d2730
4 changed files with 120 additions and 10 deletions
--- a/.github/workflows/ghcr_deploy.yml
+++ b/.github/workflows/ghcr_deploy.yml
@ -154,6 +154,45 @@ jobs:
          tags: ${{ steps.meta-database.outputs.tags }}-${{ github.event.inputs.tag || 'latest' }}, ${{ steps.meta-database.outputs.tags }}-${{ github.event.inputs.release_type }} 
          labels: ${{ steps.meta-database.outputs.labels }} 
          platforms: local,linux/amd64,linux/arm64,linux/arm64/v8
+            
+  build-and-push-image-non_root:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.inputs.commit_hash }}
+
+      - name: Log in to the Container registry
+        uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract metadata (tags, labels) for non_root Dockerfile
+        id: meta-non_root
+        uses: docker/metadata-action@9ec57ed1fcdbf14dcef7dfbe97b2010124a938b7
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}-non_root
+      # Configure multi platform Docker builds
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@e0e4588fad221d38ee467c0bffd91115366dc0c5
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@edfb0fe6204400c56fbfd3feba3fe9ad1adfa345
+
+      - name: Build and push non_root Docker image
+        uses: docker/build-push-action@f2a1d5e99d037542a71f64918e516c093c6f3fc4
+        with:
+          context: .
+          file: Dockerfile.non_root
+          push: true
+          tags: ${{ steps.meta-non_root.outputs.tags }}-${{ github.event.inputs.tag || 'latest' }}, ${{ steps.meta-non_root.outputs.tags }}-${{ github.event.inputs.release_type }} 
+          labels: ${{ steps.meta-non_root.outputs.labels }} 
+          platforms: local,linux/amd64,linux/arm64,linux/arm64/v8
  
  build-and-push-image-spend-logs:
    runs-on: ubuntu-latest
--- a/5
+++ b/5
@ -62,11 +62,6 @@ COPY --from=builder /wheels/ /wheels/
 RUN pip install *.whl /wheels/* --no-index --find-links=/wheels/ && rm -f *.whl && rm -rf /wheels

 # Generate prisma client
-ENV PRISMA_BINARY_CACHE_DIR=/app/prisma
-RUN mkdir -p /.cache
-RUN chmod -R 777 /.cache
-RUN pip install nodejs-bin
-RUN pip install prisma
 RUN prisma generate
 RUN chmod +x entrypoint.sh

--- a/Dockerfile.database
+++ b/Dockerfile.database
@ -62,11 +62,6 @@ RUN pip install PyJWT --no-cache-dir
 RUN chmod +x build_admin_ui.sh && ./build_admin_ui.sh

 # Generate prisma client
-ENV PRISMA_BINARY_CACHE_DIR=/app/prisma
-RUN mkdir -p /.cache
-RUN chmod -R 777 /.cache
-RUN pip install nodejs-bin
-RUN pip install prisma
 RUN prisma generate
 RUN chmod +x entrypoint.sh

--- a/Dockerfile.non_root
+++ b/Dockerfile.non_root
@ -0,0 +1,81 @@
+# Base image for building
+ARG LITELLM_BUILD_IMAGE=python:3.11.8-slim
+
+# Runtime image
+ARG LITELLM_RUNTIME_IMAGE=python:3.11.8-slim
+# Builder stage
+FROM $LITELLM_BUILD_IMAGE as builder
+
+# Set the working directory to /app
+WORKDIR /app
+
+# Install build dependencies
+RUN apt-get clean && apt-get update && \
+    apt-get install -y gcc python3-dev && \
+    rm -rf /var/lib/apt/lists/*
+
+RUN pip install --upgrade pip && \
+    pip install build
+
+# Copy the current directory contents into the container at /app
+COPY . .
+
+# Build Admin UI
+RUN chmod +x build_admin_ui.sh && ./build_admin_ui.sh
+
+# Build the package
+RUN rm -rf dist/* && python -m build
+
+# There should be only one wheel file now, assume the build only creates one
+RUN ls -1 dist/*.whl | head -1
+
+# Install the package
+RUN pip install dist/*.whl
+
+# install dependencies as wheels
+RUN pip wheel --no-cache-dir --wheel-dir=/wheels/ -r requirements.txt
+
+# Runtime stage
+FROM $LITELLM_RUNTIME_IMAGE as runtime
+
+WORKDIR /app
+# Copy the current directory contents into the container at /app
+COPY . .
+RUN ls -la /app
+
+# Copy the built wheel from the builder stage to the runtime stage; assumes only one wheel file is present
+COPY --from=builder /app/dist/*.whl .
+COPY --from=builder /wheels/ /wheels/
+
+# Install the built wheel using pip; again using a wildcard if it's the only file
+RUN pip install *.whl /wheels/* --no-index --find-links=/wheels/ && rm -f *.whl && rm -rf /wheels
+
+# install semantic-cache [Experimental]- we need this here and not in requirements.txt because redisvl pins to pydantic 1.0 
+RUN pip install redisvl==0.0.7 --no-deps
+
+# ensure pyjwt is used, not jwt
+RUN pip uninstall jwt -y
+RUN pip uninstall PyJWT -y
+RUN pip install PyJWT --no-cache-dir
+
+# Build Admin UI
+RUN chmod +x build_admin_ui.sh && ./build_admin_ui.sh
+
+# Generate prisma client
+ENV PRISMA_BINARY_CACHE_DIR=/app/prisma
+RUN mkdir -p /.cache
+RUN chmod -R 777 /.cache
+RUN pip install nodejs-bin
+RUN pip install prisma
+RUN prisma generate
+RUN chmod +x entrypoint.sh
+
+EXPOSE 4000/tcp
+
+# # Set your entrypoint and command
+
+ENTRYPOINT ["litellm"]
+
+# Append "--detailed_debug" to the end of CMD to view detailed debug logs 
+# CMD ["--port", "4000", "--detailed_debug"]
+CMD ["--port", "4000"]