Docker base image upgrade to Ubuntu 24 (#4754)

* test base image bump

* patch frontend compilation due to Vite QEMU exception

* migrate all runners to arm64 to avoid QEMU slowdown

* add back layer cleanup

* remove layer cache fix

.github/workflows/build-and-push-image-semver.yaml

@@ -11,7 +11,7 @@ on:
 jobs:
   push_multi_platform_to_registries:
     name: Push Docker multi-platform image to multiple registries
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04-arm
     permissions:
       packages: write
       contents: read
@@ -32,9 +32,6 @@ jobs:
           fi
         id: dockerhub
 
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
-
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
         with:

.github/workflows/build-and-push-image.yaml

@@ -30,7 +30,7 @@ on:
 jobs:
   push_multi_platform_to_registries:
     name: Push Docker multi-platform image to multiple registries
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04-arm
     permissions:
       packages: write
       contents: read
@@ -51,9 +51,6 @@ jobs:
           fi
         id: dockerhub
 
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
-
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
         with:

.github/workflows/dev-build.yaml

@@ -6,7 +6,7 @@ concurrency:
 
 on:
   push:
-    branches: ['mcp-improvements'] # put your current branch to create a build. Core team only.
+    branches: ['maint/upgrade-docker-base-image'] # put your current branch to create a build. Core team only.
     paths-ignore:
       - '**.md'
       - 'cloud-deployments/*'
@@ -44,10 +44,6 @@ jobs:
           fi
         id: dockerhub
 
-      # Uncomment this + add linux/arm64 to platforms if you want to build for arm64 as well
-      # - name: Set up QEMU
-      #   uses: docker/setup-qemu-action@v3
-
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
         with:
@@ -78,8 +74,7 @@ jobs:
           push: true
           sbom: true
           provenance: mode=max
-          # platforms: linux/amd64
-          platforms: linux/arm64
+          platforms: linux/amd64,linux/arm64
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
           cache-from: type=gha
@@ -88,37 +83,37 @@ jobs:
       # For Docker scout there are some intermediary reported CVEs which exists outside
       # of execution content or are unreachable by an attacker but exist in image.
       # We create VEX files for these so they don't show in scout summary. 
-      # - name: Collect known and verified CVE exceptions
-      #   id: cve-list
-      #   run: |
-      #     # Collect CVEs from filenames in vex folder
-      #     CVE_NAMES=""
-      #     for file in ./docker/vex/*.vex.json; do
-      #       [ -e "$file" ] || continue
-      #       filename=$(basename "$file")
-      #       stripped_filename=${filename%.vex.json}
-      #       CVE_NAMES+=" $stripped_filename"
-      #     done
-      #     echo "CVE_EXCEPTIONS=$CVE_NAMES" >> $GITHUB_OUTPUT
-      #   shell: bash
+      - name: Collect known and verified CVE exceptions
+        id: cve-list
+        run: |
+          # Collect CVEs from filenames in vex folder
+          CVE_NAMES=""
+          for file in ./docker/vex/*.vex.json; do
+            [ -e "$file" ] || continue
+            filename=$(basename "$file")
+            stripped_filename=${filename%.vex.json}
+            CVE_NAMES+=" $stripped_filename"
+          done
+          echo "CVE_EXCEPTIONS=$CVE_NAMES" >> $GITHUB_OUTPUT
+        shell: bash
 
       # About VEX attestations https://docs.docker.com/scout/explore/exceptions/
       # Justifications https://github.com/openvex/spec/blob/main/OPENVEX-SPEC.md#status-justifications
       # Fixed to use v1.15.1 of scout-cli as v1.16.0 install script is broken
       # https://github.com/docker/scout-cli
-      # - name: Add VEX attestations
-      #   env:
-      #     CVE_EXCEPTIONS: ${{ steps.cve-list.outputs.CVE_EXCEPTIONS }}
-      #   run: |
-      #     echo $CVE_EXCEPTIONS
-      #     curl -sSfL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh | sh -s --
-      #     for cve in $CVE_EXCEPTIONS; do
-      #       for tag in "${{ join(fromJSON(steps.meta.outputs.json).tags, ' ') }}"; do
-      #         echo "Attaching VEX exception $cve to $tag"
-      #         docker scout attestation add \
-      #         --file "./docker/vex/$cve.vex.json" \
-      #         --predicate-type https://openvex.dev/ns/v0.2.0 \
-      #         $tag
-      #       done
-      #     done
-      #   shell: bash
+      - name: Add VEX attestations
+        env:
+          CVE_EXCEPTIONS: ${{ steps.cve-list.outputs.CVE_EXCEPTIONS }}
+        run: |
+          echo $CVE_EXCEPTIONS
+          curl -sSfL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh | sh -s --
+          for cve in $CVE_EXCEPTIONS; do
+            for tag in "${{ join(fromJSON(steps.meta.outputs.json).tags, ' ') }}"; do
+              echo "Attaching VEX exception $cve to $tag"
+              docker scout attestation add \
+              --file "./docker/vex/$cve.vex.json" \
+              --predicate-type https://openvex.dev/ns/v0.2.0 \
+              $tag
+            done
+          done
+        shell: bash

docker/Dockerfile

@@ -1,5 +1,5 @@
 # Setup base image
-FROM ubuntu:jammy-20240627.1 AS base
+FROM ubuntu:noble-20251013 AS base
 
 # Build arguments
 ARG ARG_UID=1000
@@ -14,11 +14,11 @@ SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 # hadolint ignore=DL3008,DL3013
 RUN DEBIAN_FRONTEND=noninteractive apt-get update && \
     DEBIAN_FRONTEND=noninteractive apt-get install -yq --no-install-recommends \
-        unzip curl gnupg libgfortran5 libgbm1 tzdata netcat \
-        libasound2 libatk1.0-0 libc6 libcairo2 libcups2 libdbus-1-3 libexpat1 libfontconfig1 \
+        unzip curl gnupg libgfortran5 libgbm1 tzdata netcat-openbsd \
+        libasound2t64 libatk1.0-0 libc6 libcairo2 libcups2 libdbus-1-3 libexpat1 libfontconfig1 \
         libgcc1 libglib2.0-0 libgtk-3-0 libnspr4 libpango-1.0-0 libx11-6 libx11-xcb1 libxcb1 \
         libxcomposite1 libxcursor1 libxdamage1 libxext6 libxfixes3 libxi6 libxrandr2 libxrender1 \
-        libxss1 libxtst6 ca-certificates fonts-liberation libappindicator1 libnss3 lsb-release \
+        libxss1 libxtst6 ca-certificates fonts-liberation libappindicator3-1 libnss3 lsb-release \
         xdg-utils git build-essential ffmpeg && \
     mkdir -p /etc/apt/keyrings && \
     curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key | gpg --dearmor -o /etc/apt/keyrings/nodesource.gpg && \
@@ -38,7 +38,10 @@ RUN DEBIAN_FRONTEND=noninteractive apt-get update && \
     rm -rf /var/lib/apt/lists/*
 
 # Create a group and user with specific UID and GID
-RUN groupadd -g "$ARG_GID" anythingllm && \
+# First, remove any existing user/group with the target UID/GID to avoid conflicts
+RUN (getent passwd "$ARG_UID" && userdel -f "$(getent passwd "$ARG_UID" | cut -d: -f1)") || true && \
+    (getent group "$ARG_GID" && groupdel "$(getent group "$ARG_GID" | cut -d: -f1)") || true && \
+    groupadd -g "$ARG_GID" anythingllm && \
     useradd -l -u "$ARG_UID" -m -d /app -s /bin/bash -g anythingllm anythingllm && \
     mkdir -p /app/frontend/ /app/server/ /app/collector/ && chown -R anythingllm:anythingllm /app
 
@@ -80,11 +83,11 @@ SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 # hadolint ignore=DL3008,DL3013
 RUN DEBIAN_FRONTEND=noninteractive apt-get update && \
     DEBIAN_FRONTEND=noninteractive apt-get install -yq --no-install-recommends \
-        curl gnupg libgfortran5 libgbm1 tzdata netcat \
-        libasound2 libatk1.0-0 libc6 libcairo2 libcups2 libdbus-1-3 libexpat1 libfontconfig1 \
+        curl gnupg libgfortran5 libgbm1 tzdata netcat-openbsd \
+        libasound2t64 libatk1.0-0 libc6 libcairo2 libcups2 libdbus-1-3 libexpat1 libfontconfig1 \
         libgcc1 libglib2.0-0 libgtk-3-0 libnspr4 libpango-1.0-0 libx11-6 libx11-xcb1 libxcb1 \
         libxcomposite1 libxcursor1 libxdamage1 libxext6 libxfixes3 libxi6 libxrandr2 libxrender1 \
-        libxss1 libxtst6 ca-certificates fonts-liberation libappindicator1 libnss3 lsb-release \
+        libxss1 libxtst6 ca-certificates fonts-liberation libappindicator3-1 libnss3 lsb-release \
         xdg-utils git build-essential ffmpeg && \
     mkdir -p /etc/apt/keyrings && \
     curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key | gpg --dearmor -o /etc/apt/keyrings/nodesource.gpg && \
@@ -104,7 +107,10 @@ RUN DEBIAN_FRONTEND=noninteractive apt-get update && \
     rm -rf /var/lib/apt/lists/*
 
 # Create a group and user with specific UID and GID
-RUN groupadd -g "$ARG_GID" anythingllm && \
+# First, remove any existing user/group with the target UID/GID to avoid conflicts
+RUN (getent passwd "$ARG_UID" && userdel -f "$(getent passwd "$ARG_UID" | cut -d: -f1)") || true && \
+    (getent group "$ARG_GID" && groupdel "$(getent group "$ARG_GID" | cut -d: -f1)") || true && \
+    groupadd -g "$ARG_GID" anythingllm && \
     useradd -l -u "$ARG_UID" -m -d /app -s /bin/bash -g anythingllm anythingllm && \
     mkdir -p /app/frontend/ /app/server/ /app/collector/ && chown -R anythingllm:anythingllm /app
 
@@ -129,15 +135,15 @@ USER anythingllm
 WORKDIR /app
 
 # Install & Build frontend layer
-FROM build AS frontend-build
-COPY --chown=anythingllm:anythingllm ./frontend /app/frontend/
+# Use BUILDPLATFORM to run on the native host architecture (not emulated).
+# This avoids esbuild crashing under QEMU when cross-compiling.
+# The output (static HTML/CSS/JS) is platform-independent.
+FROM --platform=$BUILDPLATFORM node:18-slim AS frontend-build
 WORKDIR /app/frontend
+COPY ./frontend/package.json ./frontend/yarn.lock ./
 RUN yarn install --network-timeout 100000 && yarn cache clean
-RUN yarn build && \
-    cp -r dist /tmp/frontend-build && \
-    rm -rf * && \
-    cp -r /tmp/frontend-build dist && \
-    rm -rf /tmp/frontend-build
+COPY ./frontend/ ./
+RUN yarn build
 WORKDIR /app
 
 # Install server layer