This Dockerfile is tailored for CIO projects and builds on a custom Ubuntu base image from the CIO Docker repository. It installs Python and the other OS dependencies, defines the build arguments and environment variables that configure the application, and prepares the GaiaAPI application for start-up.

Accessing the CIO Docker Repository

GAIA API currently uses a CIO Ubuntu image as its base, so building the Docker image requires access to the CIO Docker repository. To obtain that access, follow the steps in Login Into CIO Azure Container Registry.

CIO's Dockerfile

# syntax=docker/dockerfile:1

# Base image (Ubuntu 22.04 from CIO)
FROM acncio.azurecr.io/ubuntu22.04cio-base:latest AS GaiaAPI


# Arguments for dependency installation and PYQPL library location
# Options for INSTALL_DEPENDENCIES: [ldap], [genai], [all], or leave empty
ARG INSTALL_DEPENDENCIES=""
ARG PYQPL_LOCATION=lib/pyqpl-1.1.1-py3-none-any.whl

# Set GAIA_ENV as an environment variable, default value is 'system_default'
ARG GAIA_ENV=system_default
ENV GAIA_ENV=$GAIA_ENV

# Set CONFIG_URL as an environment variable, for a custom configuration JSON file path
ARG CONFIG_URL=''
ENV CONFIG_URL=$CONFIG_URL

# Set number of Uvicorn workers, typically 1 is recommended in Docker
ARG UVICORN_WORKERS=1
ENV UVICORN_WORKERS=$UVICORN_WORKERS

# Set protocol (default 'http') as an environment variable
ARG PROTOCOL=http
ENV PROTOCOL=$PROTOCOL

# Set host for GAIA API, necessary unless the default entrypoint is removed
ARG HOST=0.0.0.0
ENV HOST=$HOST

# Set port for GAIA API, necessary unless the default entrypoint is removed
ARG PORT=8085
ENV PORT=$PORT

# Set domain name for GAIA API, necessary unless the default entrypoint is removed
ARG DOMAIN_NAME=host.docker.internal
ENV DOMAIN_NAME=$DOMAIN_NAME

# Set cookie domain name for GAIA API, necessary unless the default entrypoint is removed
ARG COOKIE_DOMAIN_NAME=''
ENV COOKIE_DOMAIN_NAME=$COOKIE_DOMAIN_NAME

# Set engine URL for GAIA API, necessary unless the default entrypoint is removed
ARG ENGINE_URL=http://host.docker.internal:9200
ENV ENGINE_URL=$ENGINE_URL

# Set path to certificates, necessary only if the mailer is enabled with a custom SMTP server
ARG CERTIFICATES_PATH=''
ENV CERTIFICATES_PATH=$CERTIFICATES_PATH

# NOTE on credentials: every ARG below is copied into an ENV, so whatever value is
# present at build time is written into the image configuration (visible with
# `docker inspect` and `docker history`) and inherited by every process in the
# container. Leave these at their placeholder defaults when building and pass the
# real values at run time (docker run -e / --env-file, or an orchestrator secret).

# Set AWS Elasticsearch service and region, only if using the AWS service
ARG AWS_SERVICE=es
ENV AWS_SERVICE=$AWS_SERVICE

ARG AWS_REGION=us-east-1
ENV AWS_REGION=$AWS_REGION

# Set AWS Access Key and Session Token, required only if using access key and token
ARG AWS_ACCESS_KEY_ID=default-key
ENV AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID

ARG AWS_SECRET_ACCESS_KEY=default-secret
ENV AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY

ARG AWS_SESSION_TOKEN=default-token
ENV AWS_SESSION_TOKEN=$AWS_SESSION_TOKEN

# Set to allow empty queries on search
ARG ALLOW_EMPTY_QUERY=false
ENV ALLOW_EMPTY_QUERY=$ALLOW_EMPTY_QUERY

# JWKS (JSON Web Key Set) URL: the location from which the public keys used to verify JSON Web Tokens (JWTs) are retrieved
ARG DELEGATE_JWKS_URL=''
ENV DELEGATE_JWKS_URL=$DELEGATE_JWKS_URL

# The LDAP server URL. It specifies the network address and protocol for connecting to the LDAP server.
ARG LDAP_URL=''
ENV LDAP_URL=$LDAP_URL

# Contains the password or credentials associated with the bind DN. It is used for authentication when establishing a
# connection with the LDAP server.
ARG LDAP_CREDENTIALS=''
ENV LDAP_CREDENTIALS=$LDAP_CREDENTIALS

# Unique identifier assigned to the client application by the IdP. It identifies the client application during
# authentication and authorization requests.
ARG OIDC_CLIENT_ID=''
ENV OIDC_CLIENT_ID=$OIDC_CLIENT_ID

# URI of the OpenID Connect configuration values from the provider's Well-Known Configuration Endpoint
ARG OIDC_OPENID_CONFIG_URI=''
ENV OIDC_OPENID_CONFIG_URI=$OIDC_OPENID_CONFIG_URI

# The secret used to sign and decrypt the JWT. Does not apply with Delegated.
# The default below is a placeholder that is published with this page: every deployment
# must override it, otherwise tokens are signed with a key that anyone who has read this
# page knows.
ARG AUTH_SECRET=52ecfd60e01b800355a8ce59780f9243b4662c3a236394ee
ENV AUTH_SECRET=$AUTH_SECRET


# Change user to root for package installation
USER root:root

# Install the Python 3.11 build dependencies and other OS packages
RUN apt-get update && apt-get install -y \
    pkg-config \
    libxml2-dev \
    libxmlsec1 \
    libxmlsec1-dev \
    libxmlsec1-openssl \
    xmlsec1 \
    build-essential \
    curl \
    iputils-ping \
    libnss3-dev \
    libgdbm-dev \
    libncurses5-dev \
    libssl-dev \
    libffi-dev \
    libreadline-dev \
    libsqlite3-dev \
    libbz2-dev \
    software-properties-common \
    vim \
    wget \
    zlib1g-dev \
# Install Python 3.11.7 from source. altinstall leaves the distribution python3 untouched.
# The tarball is fetched over HTTPS but not otherwise verified; check it against the
# checksum or signature published on python.org if the build must be reproducible.
    && wget https://www.python.org/ftp/python/3.11.7/Python-3.11.7.tgz \
    && tar xvf Python-3.11.7.tgz \
    && cd Python-3.11.7 \
    && ./configure --enable-optimizations \
    && make altinstall \
    && ln -s -f /usr/local/bin/python3.11 /usr/local/bin/python \
    && ln -s -f /usr/local/bin/pip3.11 /usr/local/bin/pip \
    && cd .. \
    && rm -rf Python-3.11.7.tgz Python-3.11.7 \
    && rm -rf /var/lib/apt/lists/*

# Create our work directory
WORKDIR /gaia_api

# Change work directory ownership to the root-less user
RUN chown appuser:appgroup /gaia_api

# Copy GaiaAPI source and change ownership to the root-less user
COPY --chown=appuser:appgroup . .


# Install all GaiaAPI dependencies.
# RUN is already executed by /bin/sh -c, so the command is written directly; the
# version specifier is quoted because an unquoted ">=" is a shell redirection.
RUN pip install --upgrade pip \
    && pip install --no-cache-dir "lxml>=4.9.0" \
    && pip install --no-cache-dir xmlsec \
    && pip install --no-cache-dir -e ".$INSTALL_DEPENDENCIES" \
# PYQPL from the local lib folder, check the VERSION before installing!
    && pip install --no-cache-dir "$PYQPL_LOCATION"

# Export GaiaAPI PORT
EXPOSE $PORT

# Change back to the root-less user
USER appuser:appgroup

# Start GaiaAPI at container start
CMD python -m uvicorn app.webapp:app --host $HOST --port $PORT --workers $UVICORN_WORKERS --no-server-header

# If running behind a reverse proxy such as Nginx or Traefik, add --proxy-headers and set
# --forwarded-allow-ips to the proxy's address (<proxy-address> is a placeholder). Uvicorn's
# default only trusts 127.0.0.1, so X-Forwarded-* headers from a proxy in another container
# are ignored unless that address is listed.
# CMD python -m uvicorn app.webapp:app --proxy-headers --forwarded-allow-ips <proxy-address> --host $HOST --port $PORT --workers $UVICORN_WORKERS --no-server-header

# Command to run Uvicorn with SSL (replace the paths with the locations where the key and certificate are mounted)
# CMD python -m uvicorn app.webapp:app --host $HOST --port $PORT --workers $UVICORN_WORKERS --no-server-header --ssl-keyfile /path/in/container/private.key --ssl-certfile /path/in/container/certificate.crt
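The --proxy-headers variant above is only safe together with a correct --forwarded-allow-ips. The following added example (it is not uvicorn's code and not part of GaiaAPI) models the trust decision that Uvicorn's ProxyHeadersMiddleware makes, as read from its source; the correspondence is an assumption, as is the acceptance of CIDR ranges in the allow list. Forwarded headers are honoured only when the directly connected peer is trusted, the client address is the right-most X-Forwarded-For hop that is not itself a trusted proxy, and the "*" wildcard trusts every peer and takes the left-most hop. The proxy and client addresses in the scenarios are constructed.

```python
"""Model of the X-Forwarded-* trust decision behind Uvicorn's --proxy-headers.

Added example for this page; not uvicorn's or GaiaAPI's code. Reproduces the rule
ProxyHeadersMiddleware applies as I read its source (treat that as an assumption):
headers are honoured only from a peer in --forwarded-allow-ips (default 127.0.0.1);
the client is the right-most untrusted X-Forwarded-For hop; "*" trusts everyone and
takes the left-most hop. CIDR ranges in the allow list are this model's convenience.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class ClientView:
    host: str
    scheme: str


class ForwardedTrust:
    def __init__(self, allow_ips: str = "127.0.0.1") -> None:
        self.trust_all = allow_ips.strip() == "*"
        self.networks = [] if self.trust_all else [
            ip_network(p.strip(), strict=False) for p in allow_ips.split(",") if p.strip()]

    def is_trusted(self, host: str) -> bool:
        if self.trust_all:
            return True
        try:
            addr = ip_address(host)
        except ValueError:
            return False  # hostnames or garbage in X-Forwarded-For are never trusted
        return any(addr in net for net in self.networks)

    def resolve(self, peer: str, peer_scheme: str, headers: dict[str, str]) -> ClientView:
        """peer is the address of the TCP connection; headers are the request headers."""
        if not self.is_trusted(peer):
            return ClientView(peer, peer_scheme)  # forwarded headers from an untrusted peer are ignored
        hdrs = {k.lower(): v for k, v in headers.items()}
        scheme = hdrs.get("x-forwarded-proto", "").split(",")[0].strip() or peer_scheme
        hops = [h.strip() for h in hdrs.get("x-forwarded-for", "").split(",") if h.strip()]
        if not hops:
            return ClientView(peer, scheme)
        if self.trust_all:
            return ClientView(hops[0], scheme)  # left-most hop: whatever the sender claimed
        for hop in reversed(hops):
            if not self.is_trusted(hop):
                return ClientView(hop, scheme)  # first hop not added by one of our proxies
        return ClientView(peer, scheme)  # every hop was a trusted proxy


# Constructed scenarios: GaiaAPI on a Docker bridge network, reverse proxy at
# 172.18.0.2, real client at 203.0.113.7, attacker connecting directly from 198.51.100.9.
PROXY = "172.18.0.2"
REAL_CLIENT = "203.0.113.7"
VIA_PROXY = {"X-Forwarded-For": REAL_CLIENT, "X-Forwarded-Proto": "https"}


def scenarios() -> dict[str, ClientView]:
    proxy_net = ForwardedTrust("172.18.0.0/16")
    return {
        # Uvicorn default: only 127.0.0.1 is trusted, so a proxy in another container is
        # untrusted and every request appears to come from the proxy over plain http.
        "default_allow_ips": ForwardedTrust().resolve(PROXY, "http", VIA_PROXY),
        # Allow the proxy network: the real client and scheme are recovered.
        "proxy_network_trusted": proxy_net.resolve(PROXY, "http", VIA_PROXY),
        # Attacker bypasses the proxy and forges the header: ignored, peer address kept.
        "direct_spoof_rejected": proxy_net.resolve(
            "198.51.100.9", "http", {"X-Forwarded-For": "127.0.0.1"}),
        # Attacker sends a forged header through the proxy, which appends the true address:
        # the right-most untrusted hop wins, so the forgery is ignored.
        "spoof_via_proxy_rejected": proxy_net.resolve(
            PROXY, "http", {"X-Forwarded-For": f"127.0.0.1, {REAL_CLIENT}"}),
        # --forwarded-allow-ips='*': any direct client can claim to be localhost.
        "wildcard_spoofed": ForwardedTrust("*").resolve(
            "198.51.100.9", "http", {"X-Forwarded-For": "127.0.0.1"}),
    }


if __name__ == "__main__":
    for name, view in scenarios().items():
        print(f"{name:26s} client={view.host:14s} scheme={view.scheme}")
```

Uvicorn also reads FORWARDED_ALLOW_IPS from the environment when the flag is absent, so the proxy address can be supplied as a container environment variable without changing the CMD. Never use "*" on a port that anything other than the proxy can reach.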

  

Dockerfile Breakdown

  1. Base Image:

    • Starts from acncio.azurecr.io/ubuntu22.04cio-base:latest, the CIO Ubuntu 22.04 image, and names the build stage GaiaAPI.
  2. Arguments and Environment Variables:

    • As in the GAIA API Dockerfile, it defines build-time arguments (ARG) and copies each into an environment variable (ENV) that configures the GaiaAPI application at run time.
    • Because ENV values are persisted in the image, the credential-bearing variables (the AWS access key, secret and session token, LDAP_CREDENTIALS and AUTH_SECRET) should keep their placeholder defaults at build time and be supplied when the container is started.
  3. Python and Dependency Installation:

    • Switches to the root user for package installation.
    • Updates the package list, installs the libraries that the Python build and the xmlsec dependency need, and builds Python 3.11.7 from source (make altinstall, with python and pip symlinks in /usr/local/bin).
  4. Setting Up the Working Directory:

    • Creates the work directory /gaia_api and hands its ownership to the non-root user appuser:appgroup. The Dockerfile does not create this user, so it must already exist in the base image.
  5. Application Setup:

    • Copies the GaiaAPI source into the container, owned by the non-root user.
    • Installs the Python dependencies: lxml and xmlsec, the project itself in editable mode with the optional extras selected by INSTALL_DEPENDENCIES, and the PYQPL wheel from the local lib folder.
  6. Exposing Ports and Running the Application:

    • Exposes the configured PORT (8085 by default).
    • Switches back to the non-root user before the application starts.
    • Defines the default Uvicorn command, with commented alternatives for running behind a reverse proxy (--proxy-headers) and for terminating TLS in Uvicorn itself.
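Items 2 and 3 above are where this Dockerfile deserves a review before every build: ARG defaults that flow into ENV end up in the image, and the RUN lines are shell fragments with shell quoting rules. The following added example (not GaiaAPI or CIO code) is a small static audit for exactly those points. It joins backslash continuations and drops comment lines the way the Dockerfile parser does, then flags credential-looking names with non-empty ARG defaults or ENV values, a final USER of root, and an unquoted ">=" in a pip install line, which the shell treats as a redirection rather than a version specifier. The secret-name pattern and the severities are this example's own choices, and the sample Dockerfile is a constructed excerpt of the one on this page.

```python
"""Static audit of ARG/ENV defaults in a Dockerfile (added example, not GaiaAPI or CIO code).

Joins continuation lines and drops comments the way the Dockerfile parser does, then
flags: credential-looking names with non-empty ARG defaults or ENV values, a final USER
of root, and an unquoted '>=' in a pip install line (the shell reads it as a redirection).
The secret-name pattern and the severities are this example's own choices.
"""
import re
from dataclasses import dataclass

# Constructed excerpt of the GaiaAPI Dockerfile shown on this page (not the full file).
SAMPLE_DOCKERFILE = """\
FROM acncio.azurecr.io/ubuntu22.04cio-base:latest AS GaiaAPI
ARG INSTALL_DEPENDENCIES=""
ARG AWS_ACCESS_KEY_ID=default-key
ENV AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID
ARG AWS_SECRET_ACCESS_KEY=default-secret
ENV AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY
ARG LDAP_CREDENTIALS=''
ENV LDAP_CREDENTIALS=$LDAP_CREDENTIALS
ARG AUTH_SECRET=52ecfd60e01b800355a8ce59780f9243b4662c3a236394ee
ENV AUTH_SECRET=$AUTH_SECRET
USER root:root
RUN apt-get update && apt-get install -y\\
    curl\\
# a comment inside a continuation is legal and dropped by the parser
    && rm -rf /var/lib/apt/lists/*
RUN pip install --no-cache-dir lxml>=4.9.0\\
    && pip install --no-cache-dir -e ".$INSTALL_DEPENDENCIES"
USER appuser:appgroup
CMD python -m uvicorn app.webapp:app --host $HOST --port $PORT
"""

SECRET_NAME = re.compile(r"SECRET|TOKEN|PASSW(OR)?D|CREDENTIAL|PRIVATE_KEY|ACCESS_KEY", re.I)
VAR_REF = re.compile(r"\$\{?([A-Za-z_][A-Za-z0-9_]*)\}?")
PAIR = re.compile(r"([A-Za-z_][A-Za-z0-9_]*)=(\"[^\"]*\"|'[^']*'|\S*)")
UNQUOTED_SPEC = re.compile(r"(?<=\s)[\w.\[\]-]+>=\S+")  # e.g. lxml>=4.9.0 without quotes


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" or "medium"
    name: str      # variable name, or the instruction keyword
    detail: str


def logical_lines(text: str) -> list[str]:
    """One string per instruction: continuations joined, comment lines removed."""
    out: list[str] = []
    buf: list[str] = []
    for raw in text.splitlines():
        if raw.lstrip().startswith("#"):
            continue  # comments may sit inside a RUN continuation
        line = raw.rstrip()
        if line.endswith("\\"):
            buf.append(line[:-1].strip())
            continue
        buf.append(line.strip())
        joined = " ".join(p for p in buf if p)
        buf = []
        if joined:
            out.append(joined)
    return out


def parse_pairs(rest: str) -> list[tuple[str, str]]:
    """NAME=value pairs of an ARG/ENV (or legacy 'NAME value'), one quote layer stripped."""
    parts = rest.split(maxsplit=1)
    if "=" not in parts[0]:
        return [(parts[0], parts[1] if len(parts) > 1 else "")]
    pairs = []
    for name, value in PAIR.findall(rest):
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        pairs.append((name, value))
    return pairs


def audit_dockerfile(text: str) -> list[Finding]:
    findings: list[Finding] = []
    args: dict[str, str] = {}
    user = None  # None: whatever user the base image configures
    for line in logical_lines(text):
        keyword, _, rest = line.partition(" ")
        keyword = keyword.upper()
        if keyword == "ARG":
            for name, value in parse_pairs(rest):
                args[name] = value
                if value and SECRET_NAME.search(name):
                    findings.append(Finding("medium", name, "non-empty build-arg default; recorded in docker history"))
        elif keyword == "ENV":
            for name, value in parse_pairs(rest):
                resolved = VAR_REF.sub(lambda m: args.get(m.group(1), ""), value)
                if resolved and SECRET_NAME.search(name):
                    findings.append(Finding("high", name, f"{resolved!r} written into the image config"))
        elif keyword == "USER":
            user = rest.split(":", 1)[0].strip()
        elif keyword == "RUN" and "pip install" in rest:
            for spec in UNQUOTED_SPEC.findall(rest):
                findings.append(Finding("high", "RUN", f"unquoted {spec!r}: '>=' is a shell redirection"))
    if user == "root":
        findings.append(Finding("high", "USER", "the container starts as root"))
    return findings


if __name__ == "__main__":
    for f in audit_dockerfile(SAMPLE_DOCKERFILE):
        print(f"[{f.severity}] {f.name}: {f.detail}")
```

To audit the real file, pass Path("Dockerfile").read_text() to audit_dockerfile instead of the constructed sample. A clean result is one where every credential variable has an empty default, the version specifiers are quoted, and the last USER is not root; the LDAP_CREDENTIALS pair in the sample shows that an empty default produces no finding.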

Key Differences from GAIA Dockerfile

  1. Base Image: Uses a custom Ubuntu 22.04 image from the CIO Docker repository instead of a public image.
  2. Python Installation: Python 3.11.7 is built from source rather than taken from a pre-built Python Docker image.
  3. User Management: Runs the application as the non-root user appuser:appgroup (provided by the base image) instead of root, which limits what a compromised application process can do inside the container.