diff --git a/.github/workflows/build-and-push-image-semver.yaml b/.github/workflows/build-and-push-image-semver.yaml index 1da1dda9d..ecb00b678 100644 --- a/.github/workflows/build-and-push-image-semver.yaml +++ b/.github/workflows/build-and-push-image-semver.yaml @@ -11,7 +11,7 @@ on: jobs: push_multi_platform_to_registries: name: Push Docker multi-platform image to multiple registries - runs-on: ubuntu-latest + runs-on: ubuntu-22.04-arm permissions: packages: write contents: read @@ -32,9 +32,6 @@ jobs: fi id: dockerhub - - name: Set up QEMU - uses: docker/setup-qemu-action@v3 - - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 with: diff --git a/.github/workflows/build-and-push-image.yaml b/.github/workflows/build-and-push-image.yaml index 2519d1362..95e7f20b6 100644 --- a/.github/workflows/build-and-push-image.yaml +++ b/.github/workflows/build-and-push-image.yaml @@ -30,7 +30,7 @@ on: jobs: push_multi_platform_to_registries: name: Push Docker multi-platform image to multiple registries - runs-on: ubuntu-latest + runs-on: ubuntu-22.04-arm permissions: packages: write contents: read @@ -51,9 +51,6 @@ jobs: fi id: dockerhub - - name: Set up QEMU - uses: docker/setup-qemu-action@v3 - - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 with: diff --git a/.github/workflows/dev-build.yaml b/.github/workflows/dev-build.yaml index 23223834a..bfd9a376d 100644 --- a/.github/workflows/dev-build.yaml +++ b/.github/workflows/dev-build.yaml @@ -6,7 +6,7 @@ concurrency: on: push: - branches: ['mcp-improvements'] # put your current branch to create a build. Core team only. + branches: ['maint/upgrade-docker-base-image'] # put your current branch to create a build. Core team only. paths-ignore: - '**.md' - 'cloud-deployments/*' 
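Review bot: Removing the `Set up QEMU` step while moving the job to `ubuntu-22.04-arm` leaves nothing visible that provides linux/amd64 emulation, yet dev-build.yaml's later hunk sets `platforms: linux/amd64,linux/arm64` and the Dockerfile comment added in this same commit still refers to esbuild crashing under QEMU. The same runs-on/QEMU-removal pair appears in build-and-push-image-semver.yaml (@@ -11 and @@ -32) and build-and-push-image.yaml (@@ -30 and @@ -51), whose `platforms:` lines are outside these hunks, and in dev-build.yaml (@@ -44). Unless the arm runner image already registers binfmt_misc handlers for amd64 (not confirmed here), the amd64 stages' `RUN apt-get ...` steps will fail with an exec-format error inside the docker-container builder; either keep `- name: Set up QEMU` / `uses: docker/setup-qemu-action@v3` or split the build across native runners per platform. These jobs carry `packages: write`, so the action references they keep (`docker/setup-buildx-action@v3`) would also be safer pinned to a commit SHA than to a floating major tag.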
@@ -44,10 +44,6 @@ jobs: fi id: dockerhub - # Uncomment this + add linux/arm64 to platforms if you want to build for arm64 as well - # - name: Set up QEMU - # uses: docker/setup-qemu-action@v3 - - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 with: @@ -78,8 +74,7 @@ jobs: push: true sbom: true provenance: mode=max - # platforms: linux/amd64 - platforms: linux/arm64 + platforms: linux/amd64,linux/arm64 tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} cache-from: type=gha 
@@ -88,37 +83,37 @@ jobs: # For Docker scout there are some intermediary reported CVEs which exists outside # of execution content or are unreachable by an attacker but exist in image. # We create VEX files for these so they don't show in scout summary. - # - name: Collect known and verified CVE exceptions - # id: cve-list - # run: | - # # Collect CVEs from filenames in vex folder - # CVE_NAMES="" - # for file in ./docker/vex/*.vex.json; do - # [ -e "$file" ] || continue - # filename=$(basename "$file") - # stripped_filename=${filename%.vex.json} - # CVE_NAMES+=" $stripped_filename" - # done - # echo "CVE_EXCEPTIONS=$CVE_NAMES" >> $GITHUB_OUTPUT - # shell: bash + - name: Collect known and verified CVE exceptions + id: cve-list + run: | + # Collect CVEs from filenames in vex folder + CVE_NAMES="" + for file in ./docker/vex/*.vex.json; do + [ -e "$file" ] || continue + filename=$(basename "$file") + stripped_filename=${filename%.vex.json} + CVE_NAMES+=" $stripped_filename" + done + echo "CVE_EXCEPTIONS=$CVE_NAMES" >> $GITHUB_OUTPUT + shell: bash # About VEX attestations https://docs.docker.com/scout/explore/exceptions/ # Justifications https://github.com/openvex/spec/blob/main/OPENVEX-SPEC.md#status-justifications # Fixed to use v1.15.1 of scout-cli as v1.16.0 install script is broken # https://github.com/docker/scout-cli - # - name: Add VEX attestations - # env: - # CVE_EXCEPTIONS: ${{ steps.cve-list.outputs.CVE_EXCEPTIONS }} - # run: | - # echo $CVE_EXCEPTIONS - # curl -sSfL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh | sh -s -- - # for cve in $CVE_EXCEPTIONS; do - # for tag in "${{ join(fromJSON(steps.meta.outputs.json).tags, ' ') }}"; do - # echo "Attaching VEX exception $cve to $tag" - # docker scout attestation add \ - # --file "./docker/vex/$cve.vex.json" \ - # --predicate-type https://openvex.dev/ns/v0.2.0 \ - # $tag - # done - # done - # shell: bash \ No newline at end of file + - name: Add VEX attestations + env: + CVE_EXCEPTIONS: ${{ 
steps.cve-list.outputs.CVE_EXCEPTIONS }} + run: | + echo $CVE_EXCEPTIONS + curl -sSfL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh | sh -s -- + for cve in $CVE_EXCEPTIONS; do + for tag in "${{ join(fromJSON(steps.meta.outputs.json).tags, ' ') }}"; do + echo "Attaching VEX exception $cve to $tag" + docker scout attestation add \ + --file "./docker/vex/$cve.vex.json" \ + --predicate-type https://openvex.dev/ns/v0.2.0 \ + $tag + done + done + shell: bash \ No newline at end of file diff --git a/docker/Dockerfile b/docker/Dockerfile index f4171330d..7894995e9 100644 --- a/docker/Dockerfile +++ b/docker/Dockerfile @@ -1,5 +1,5 @@ # Setup base image -FROM ubuntu:jammy-20240627.1 AS base +FROM ubuntu:noble-20251013 AS base # Build arguments ARG ARG_UID=1000 @@ -14,11 +14,11 @@ SHELL ["/bin/bash", "-o", "pipefail", "-c"] # hadolint ignore=DL3008,DL3013 RUN DEBIAN_FRONTEND=noninteractive apt-get update && \ DEBIAN_FRONTEND=noninteractive apt-get install -yq --no-install-recommends \ - unzip curl gnupg libgfortran5 libgbm1 tzdata netcat \ - libasound2 libatk1.0-0 libc6 libcairo2 libcups2 libdbus-1-3 libexpat1 libfontconfig1 \ + unzip curl gnupg libgfortran5 libgbm1 tzdata netcat-openbsd \ + libasound2t64 libatk1.0-0 libc6 libcairo2 libcups2 libdbus-1-3 libexpat1 libfontconfig1 \ libgcc1 libglib2.0-0 libgtk-3-0 libnspr4 libpango-1.0-0 libx11-6 libx11-xcb1 libxcb1 \ libxcomposite1 libxcursor1 libxdamage1 libxext6 libxfixes3 libxi6 libxrandr2 libxrender1 \ - libxss1 libxtst6 ca-certificates fonts-liberation libappindicator1 libnss3 lsb-release \ + libxss1 libxtst6 ca-certificates fonts-liberation libappindicator3-1 libnss3 lsb-release \ xdg-utils git build-essential ffmpeg && \ mkdir -p /etc/apt/keyrings && \ curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key | gpg --dearmor -o /etc/apt/keyrings/nodesource.gpg && \ 
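Review bot: The re-enabled `Add VEX attestations` step runs `curl -sSfL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh | sh -s --`, an unpinned script from a mutable `main` ref executed in a job that holds `packages: write` and the registry logins from the `dockerhub` step, while the comment directly above claims it is fixed to scout-cli v1.15.1, which the command line does not do. Fetch the installer from an immutable ref (`https://raw.githubusercontent.com/docker/scout-cli/<PINNED_TAG_OR_COMMIT>/install.sh`) and verify its checksum before piping it to `sh`, or download the release archive and check its published digest instead. Separately, `for tag in "${{ join(fromJSON(steps.meta.outputs.json).tags, ' ') }}"` iterates exactly once over the whole quoted string, so the `echo` reports all tags as one and the unquoted `$tag` then passes every tag as separate positional arguments to a single `docker scout attestation add` call; drop the surrounding double quotes if one call per tag is intended. In the `cve-list` step, `$GITHUB_OUTPUT` should be quoted as `"$GITHUB_OUTPUT"`.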
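Review bot: `FROM ubuntu:noble-20251013 AS base` pins by date tag, which is still a mutable reference: the tag can be re-pushed, and the SBOM and VEX attestations that dev-build.yaml now publishes would then describe an image whose base can drift. Pin with a digest as well, `FROM ubuntu:noble-20251013@sha256:<BASE_IMAGE_DIGEST> AS base`, and do the same for the second stage's base if it is declared outside this hunk. The package renames in @@ -14 (`netcat-openbsd`, `libasound2t64`, `libappindicator3-1`) are consistent with the noble archive; the identical list is repeated in @@ -80 on the next line, so the two hunks must be kept in sync.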
@@ -38,7 +38,10 @@ RUN DEBIAN_FRONTEND=noninteractive apt-get update && \ rm -rf /var/lib/apt/lists/* # Create a group and user with specific UID and GID -RUN groupadd -g "$ARG_GID" anythingllm && \ +# First, remove any existing user/group with the target UID/GID to avoid conflicts +RUN (getent passwd "$ARG_UID" && userdel -f "$(getent passwd "$ARG_UID" | cut -d: -f1)") || true && \ + (getent group "$ARG_GID" && groupdel "$(getent group "$ARG_GID" | cut -d: -f1)") || true && \ + groupadd -g "$ARG_GID" anythingllm && \ useradd -l -u "$ARG_UID" -m -d /app -s /bin/bash -g anythingllm anythingllm && \ mkdir -p /app/frontend/ /app/server/ /app/collector/ && chown -R anythingllm:anythingllm /app @@ -80,11 +83,11 @@ SHELL ["/bin/bash", "-o", "pipefail", "-c"] # hadolint ignore=DL3008,DL3013 RUN DEBIAN_FRONTEND=noninteractive apt-get update && \ DEBIAN_FRONTEND=noninteractive apt-get install -yq --no-install-recommends \ - curl gnupg libgfortran5 libgbm1 tzdata netcat \ - libasound2 libatk1.0-0 libc6 libcairo2 libcups2 libdbus-1-3 libexpat1 libfontconfig1 \ + curl gnupg libgfortran5 libgbm1 tzdata netcat-openbsd \ + libasound2t64 libatk1.0-0 libc6 libcairo2 libcups2 libdbus-1-3 libexpat1 libfontconfig1 \ libgcc1 libglib2.0-0 libgtk-3-0 libnspr4 libpango-1.0-0 libx11-6 libx11-xcb1 libxcb1 \ libxcomposite1 libxcursor1 libxdamage1 libxext6 libxfixes3 libxi6 libxrandr2 libxrender1 \ - libxss1 libxtst6 ca-certificates fonts-liberation libappindicator1 libnss3 lsb-release \ + libxss1 libxtst6 ca-certificates fonts-liberation libappindicator3-1 libnss3 lsb-release \ xdg-utils git build-essential ffmpeg && \ mkdir -p /etc/apt/keyrings && \ curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key | gpg --dearmor -o /etc/apt/keyrings/nodesource.gpg && \ 
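Review bot: The new `userdel -f`/`groupdel` preamble (duplicated verbatim in @@ -104) runs under `|| true`, so a failed deletion is silent and only surfaces later as `useradd` failing on a UID conflict; the comment should say why the deletion is needed at all, presumably because the noble base ships a default account at UID/GID 1000, e.g. `# noble ships a default 'ubuntu' user/group at 1000; remove it so ARG_UID/ARG_GID can be reused`. `userdel -f` without `-r` also leaves that account's home directory behind in the image layer; `userdel -rf` would drop it as well. Since the block is now four lines long and repeated in two stages, factoring the user setup into a shared stage would keep the two copies from diverging.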
@@ -104,7 +107,10 @@ RUN DEBIAN_FRONTEND=noninteractive apt-get update && \ rm -rf /var/lib/apt/lists/* # Create a group and user with specific UID and GID -RUN groupadd -g "$ARG_GID" anythingllm && \ +# First, remove any existing user/group with the target UID/GID to avoid conflicts +RUN (getent passwd "$ARG_UID" && userdel -f "$(getent passwd "$ARG_UID" | cut -d: -f1)") || true && \ + (getent group "$ARG_GID" && groupdel "$(getent group "$ARG_GID" | cut -d: -f1)") || true && \ + groupadd -g "$ARG_GID" anythingllm && \ useradd -l -u "$ARG_UID" -m -d /app -s /bin/bash -g anythingllm anythingllm && \ mkdir -p /app/frontend/ /app/server/ /app/collector/ && chown -R anythingllm:anythingllm /app @@ -129,15 +135,15 @@ USER anythingllm WORKDIR /app # Install & Build frontend layer -FROM build AS frontend-build -COPY --chown=anythingllm:anythingllm ./frontend /app/frontend/ +# Use BUILDPLATFORM to run on the native host architecture (not emulated). +# This avoids esbuild crashing under QEMU when cross-compiling. +# The output (static HTML/CSS/JS) is platform-independent. +FROM --platform=$BUILDPLATFORM node:18-slim AS frontend-build WORKDIR /app/frontend +COPY ./frontend/package.json ./frontend/yarn.lock ./ RUN yarn install --network-timeout 100000 && yarn cache clean -RUN yarn build && \ - cp -r dist /tmp/frontend-build && \ - rm -rf * && \ - cp -r /tmp/frontend-build dist && \ - rm -rf /tmp/frontend-build +COPY ./frontend/ ./ +RUN yarn build WORKDIR /app # Install server layer
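Review bot: `FROM --platform=$BUILDPLATFORM node:18-slim AS frontend-build` introduces a second, unpinned base image on the Node 18 line, which has reached end-of-life upstream and no longer receives security fixes; it should match the Node major the `build` stage installs from nodesource (outside this hunk) and be pinned by digest, e.g. `node:<SUPPORTED_MAJOR>-slim@sha256:<NODE_IMAGE_DIGEST>`. The new comment explains the stage runs natively to avoid esbuild crashing under QEMU, which is hard to reconcile with the workflows in this same commit removing the `Set up QEMU` step; one of the two should be corrected. The previous stage stripped `node_modules` after `yarn build`, while the new one keeps them, so the later `COPY --from=frontend-build` (outside this hunk) should copy `/app/frontend/dist` only. `COPY ./frontend/ ./` after `yarn install` will also overwrite the freshly installed `node_modules` if the build context contains `frontend/node_modules` and `.dockerignore` does not exclude it.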