Dockerfile.backend
# syntax=docker/dockerfile:1.4
# BuildKit: enables cache mounts and better layer reuse.
#
# Build: docker build -t openrag-backend .
# -----------------------------------------------------------------------------
# Stage: base (system + uv)
# -----------------------------------------------------------------------------
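# NOTE(review): python:3.13-slim is a mutable tag; pin it by digest
# (python:3.13-slim@sha256:<digest-placeholder>) if builds must be reproducible.
FROM python:3.13-slim AS base
# curl and ca-certificates are needed to fetch the uv installer over TLS.
#
# The installer is saved to a file and then executed rather than piped into sh.
# With the default /bin/sh there is no pipefail, so in `curl ... | sh` a failed
# download leaves sh reading empty input and exiting 0: the layer would build
# "successfully" without uv. Chaining with && makes a curl failure fatal.
#
# NOTE(review): the script is still fetched unpinned and unverified at build
# time. Prefer a pinned uv release and check the download against a known
# SHA-256 before running it.
RUN apt-get update && apt-get install -y --no-install-recommends \
        ca-certificates \
        curl \
        openssl \
    && curl -LsSf https://astral.sh/uv/install.sh -o /tmp/uv-install.sh \
    && sh /tmp/uv-install.sh \
    && rm -f /tmp/uv-install.sh \
    && rm -rf /var/lib/apt/lists/*
# Presumably where the installer drops the uv binary when run as root.
ENV PATH="/root/.local/bin:$PATH"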
# -----------------------------------------------------------------------------
# Stage: builder (deps + app)
# -----------------------------------------------------------------------------
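FROM base AS builder
# Build-time deps only (not in final image)
RUN apt-get update && apt-get install -y --no-install-recommends \
        build-essential \
        git \
    && rm -rf /var/lib/apt/lists/*
WORKDIR /app
# Dependency layer: reuse as long as lockfile and pyproject don't change
COPY pyproject.toml uv.lock ./
# --locked makes the build fail when uv.lock is out of date with pyproject.toml
# instead of re-resolving, so the image only ever contains the dependency
# versions that were reviewed and committed in the lockfile.
# The cache mount lives on the build host and never ends up in an image layer.
RUN --mount=type=cache,target=/root/.cache/uv,uid=0,gid=0 \
    uv sync --locked
# Application (invalidates after deps only when src/flows change)
# Everything placed under /app in this stage is copied wholesale into the
# runtime stage, so keep credentials and build-only files out of these
# directories (and out of the build context via .dockerignore).
COPY src/ ./src/
COPY flows/ ./flows/
COPY securityconfig/ ./securityconfig/
COPY cloud_securityconfig/ ./cloud_securityconfig/
# Alembic migrations — the runtime calls run_alembic_upgrade("head") on
# startup. Without these the migration silently no-ops with
# "alembic.ini not found; skipping schema upgrade", and the SQL DB
# starts empty (no users / conversations / session_ownership tables).
COPY alembic.ini ./
COPY alembic/ ./alembic/
COPY openrag-documents/ ./openrag-documents/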
# -----------------------------------------------------------------------------
# Stage: runtime (minimal image)
# -----------------------------------------------------------------------------
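# NOTE(review): same mutable tag as the base stage; pin by digest
# (python:3.13-slim@sha256:<digest-placeholder>) for reproducible images.
FROM python:3.13-slim AS runtime
# gosu is used by the entrypoint to drop from root to appuser.
# The pip upgrade has no upper bound, so the installed pip version depends on
# when the image is built.
RUN apt-get update && apt-get install -y --no-install-recommends \
        ca-certificates \
        curl \
        gosu \
        openssl \
    && rm -rf /var/lib/apt/lists/* \
    && pip install --no-cache-dir --upgrade "pip>=26.0"
# Create a non-root user/group.
# UID/GID 1000 is the conventional first non-root account and
# matches what Podman's :U volume flag maps to.
RUN groupadd --gid 1000 appuser \
    && useradd --uid 1000 --gid 1000 --no-create-home appuser
WORKDIR /app
# /app from the builder already contains securityconfig/ and
# cloud_securityconfig/ (copied there from the same build context), so they
# are not copied a second time here.
COPY --from=builder /app /app
COPY scripts/backend-entrypoint.sh /entrypoint.sh
ENV VIRTUAL_ENV=/app/.venv
ENV PATH="/app/.venv/bin:$PATH"
# Pre-create every directory the app writes to at runtime so they are owned
# by appuser in the image layer. When Docker/Podman mounts a host volume over
# one of these paths the mount takes precedence, but the ownership baked here
# acts as a safe default when no volume is attached (e.g. CI, unit tests).
#
# Writable paths:
# keys/ - RSA JWT keys (private_key.pem / public_key.pem)
# data/ - connections.json
# config/ - config.yaml (ConfigManager runtime settings)
# flows/backup/ - Langflow flow backups (flows/ itself is COPY'd from builder)
# openrag-documents/ - uploaded documents staging area
#
# NOTE(review): chown -R on all of /app also makes src/, .venv/ and the
# security config writable by the runtime user, so a compromised app process
# can rewrite its own code and dependencies. If the list above really is
# complete, restrict the chown to those directories and leave the rest
# root-owned. keys/ holds the JWT private key; confirm the application (or the
# entrypoint) creates it with owner-only permissions.
RUN mkdir -p keys data config flows/backup openrag-documents \
    && chown -R appuser:appuser /app \
    && chmod +x /entrypoint.sh
# entrypoint.sh runs as root, re-chowns volume-mounted directories to appuser
# (belt-and-suspenders for Docker where :U is not supported), then execs the
# application as appuser via gosu.
# NOTE(review): there is no USER instruction, so the privilege drop depends
# entirely on the entrypoint script (not shown in this file). Overriding the
# entrypoint at run time starts the container as root; deployments that can
# enforce a non-root UID at the orchestrator level should do so.
EXPOSE 8000
# Ingestion-callback proxy router (OPENRAG_BACKEND_ROUTER_ENABLE), when enabled.
EXPOSE 8100
ENTRYPOINT ["/entrypoint.sh"]
CMD ["python", "src/main.py"]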