This Dockerfile is tailored for CIO projects and uses a custom Ubuntu base image from CIO's Docker repository. It installs Python and the other dependencies, sets up the environment variables, and prepares the GaiaAPI application.

GAIA API currently uses CIO's Ubuntu image as its base, so building the Docker image requires access to the CIO Docker repository; to obtain it, follow the steps in Login Into CIO Azure Container Registry.
```dockerfile
# syntax=docker/dockerfile:1

# Base image (Ubuntu 22.04 from CIO)
FROM acncio.azurecr.io/ubuntu22.04cio-base:latest AS GaiaAPI

# Arguments for dependency installation and PYQPL library location
# Options for INSTALL_DEPENDENCIES: [ldap], [genai], [all], or leave empty
ARG INSTALL_DEPENDENCIES=""
ARG PYQPL_LOCATION=lib/pyqpl-1.1.04-py3-none-any.whl

# Set GAIA_ENV as an environment variable, default value is 'system_default'
ARG GAIA_ENV=system_default
ENV GAIA_ENV=$GAIA_ENV

# Set CONFIG_URL as an environment variable, for a custom configuration JSON file path
ARG CONFIG_URL=''
ENV CONFIG_URL=$CONFIG_URL

# Set number of Uvicorn workers, typically 1 is recommended in Docker
ARG UVICORN_WORKERS=1
ENV UVICORN_WORKERS=$UVICORN_WORKERS

# Set protocol (default 'http') as an environment variable
ARG PROTOCOL=http
ENV PROTOCOL=$PROTOCOL

# Set host for GAIA API, necessary unless the default entrypoint is removed
ARG HOST=0.0.0.0
ENV HOST=$HOST

# Set port for GAIA API, necessary unless the default entrypoint is removed
ARG PORT=8085
ENV PORT=$PORT

# Set domain name for GAIA API, necessary unless the default entrypoint is removed
ARG DOMAIN_NAME=host.docker.internal
ENV DOMAIN_NAME=$DOMAIN_NAME

# Set cookie domain name for GAIA API, necessary unless the default entrypoint is removed
ARG COOKIE_DOMAIN_NAME=''
ENV COOKIE_DOMAIN_NAME=$COOKIE_DOMAIN_NAME

# Set engine URL for GAIA API, necessary unless the default entrypoint is removed
ARG ENGINE_URL=http://host.docker.internal:9200
ENV ENGINE_URL=$ENGINE_URL

# Set path to certificates, necessary only if the mailer is enabled using a custom SMTP
ARG CERTIFICATES_PATH=''
ENV CERTIFICATES_PATH=$CERTIFICATES_PATH

# Set AWS Elasticsearch service and region, only if using the AWS service
ARG AWS_SERVICE=es
ENV AWS_SERVICE=$AWS_SERVICE
ARG AWS_REGION=us-east-1
ENV AWS_REGION=$AWS_REGION

# Set AWS Access Key and Session Token, required only if using access key and token
# (these defaults, like every ENV value in this file, are stored in the image config; pass real values at run time)
ARG AWS_ACCESS_KEY_ID=default-key
ENV AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID
ARG AWS_SECRET_ACCESS_KEY=default-secret
ENV AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY
ARG AWS_SESSION_TOKEN=default-token
ENV AWS_SESSION_TOKEN=$AWS_SESSION_TOKEN

# Set to allow empty queries on search
ARG ALLOW_EMPTY_QUERY=false
ENV ALLOW_EMPTY_QUERY=$ALLOW_EMPTY_QUERY

# JWKS (JSON Web Key Set) URL is a location where public keys used for verifying JSON Web Tokens (JWTs) can be retrieved
ARG DELEGATE_JWKS_URL=''
ENV DELEGATE_JWKS_URL=$DELEGATE_JWKS_URL

# The LDAP server URL. It specifies the network address and protocol for connecting to the LDAP server.
ARG LDAP_URL=''
ENV LDAP_URL=$LDAP_URL

# Contains the password or credentials associated with the bindDN. It is used for authentication when establishing a
# connection with the LDAP server.
ARG LDAP_CREDENTIALS=''
ENV LDAP_CREDENTIALS=$LDAP_CREDENTIALS

# Contains the bindDN of the user used to connect to LDAP and look up the users.
ARG LDAP_BIND_DN=''
ENV LDAP_BIND_DN=$LDAP_BIND_DN

# Contains the searchBase: where in the LDAP tree to look for the users.
ARG LDAP_SEARCH_BASE=''
ENV LDAP_SEARCH_BASE=$LDAP_SEARCH_BASE

# Unique identifier assigned to the client application by the IdP. It identifies the client application during
# authentication and authorization requests.
ARG OIDC_CLIENT_ID=''
ENV OIDC_CLIENT_ID=$OIDC_CLIENT_ID

# URI to the OpenID Connect configuration values from the provider's Well-Known Configuration Endpoint
ARG OIDC_OPENID_CONFIG_URI=''
ENV OIDC_OPENID_CONFIG_URI=$OIDC_OPENID_CONFIG_URI

# The secret used to sign and decrypt the JWT. Does not apply with Delegated.
# This default is baked into the image layers and config; override it with --build-arg or at run time.
ARG AUTH_SECRET=52ecfd60e01b800355a8ce59780f9243b4662c3a236394ee
ENV AUTH_SECRET=$AUTH_SECRET

# IA Assistant #############################################################
# Index used by the IA Assistant
ARG ASSISTANT_INDEX=''
ENV ASSISTANT_INDEX=$ASSISTANT_INDEX

# This is your OpenAI key to use the chat from your service provider
ARG OPENAI_API_KEY=''
ENV OPENAI_API_KEY=$OPENAI_API_KEY

# Base URL of your service provider for the OpenAI chat
ARG OPENAI_ENDPOINT=''
ENV OPENAI_ENDPOINT=$OPENAI_ENDPOINT

# API version of the OpenAI chat
ARG OPENAI_API_VERSION=''
ENV OPENAI_API_VERSION=$OPENAI_API_VERSION

# Name of the model to be used
ARG OPENAI_MODEL=''
ENV OPENAI_MODEL=$OPENAI_MODEL

# List of functions which trigger an exit of the loop pipeline
ARG ASSISTANT_EXIT_FUNCTIONS=''
ENV ASSISTANT_EXIT_FUNCTIONS=$ASSISTANT_EXIT_FUNCTIONS

# Change user to root for the OS-level installation
USER root:root

# Install Python 3.11 and other dependencies on the OS
RUN apt-get update && apt-get install -y \
    pkg-config \
    libxml2-dev \
    libxmlsec1 \
    libxmlsec1-dev \
    libxmlsec1-openssl \
    xmlsec1 \
    build-essential \
    curl \
    iputils-ping \
    libnss3-dev \
    libgdbm-dev \
    libncurses5-dev \
    libssl-dev \
    libffi-dev \
    libreadline-dev \
    libsqlite3-dev \
    libbz2-dev \
    software-properties-common \
    vim \
    wget \
    zlib1g-dev \
    # Installing Python 3.11.79 from source (comment lines inside a continued RUN are dropped by the Dockerfile parser)
    && wget https://www.python.org/ftp/python/3.11.79/Python-3.11.79.tgz \
    && tar xvf Python-3.11.79.tgz \
    && cd Python-*/ \
    && ./configure --enable-optimizations \
    && make altinstall \
    && ln -s -f /usr/local/bin/python3.11 /usr/local/bin/python \
    && ln -s -f /usr/local/bin/pip3.11 /usr/local/bin/pip \
    && cd .. \
    && rm Python-3.11.79.tgz \
    && rm -rf Python-3.11.79

# Create our work directory
WORKDIR /gaia_api

# Change work directory ownership to the root-less user
RUN chown appuser:appgroup /gaia_api

# Copy GaiaAPI source and change ownership to the root-less user
COPY --chown=appuser:appgroup . .

# Installing all SAPI dependencies
# (no "/bin/sh -c" prefix: RUN already goes through the shell, and with the prefix only "pip" would have run;
#  the lxml specifier is quoted because an unquoted ">=" is a shell redirection)
RUN pip install --upgrade pip \
    && pip install --no-cache-dir "lxml>=4.9.0" \
    && pip install --no-cache-dir xmlsec \
    && pip install --no-cache-dir -e ".$INSTALL_DEPENDENCIES" \
    # PYQPL from the local lib folder, check the VERSION before installing!
    && pip install --no-cache-dir "$PYQPL_LOCATION"

# Expose the GaiaAPI PORT
EXPOSE $PORT

# Change back to the root-less user
USER appuser:appgroup

# Start the GaiaAPI at container start: the default startup script runs Uvicorn with the configuration above.
# Alternative: run Uvicorn directly instead of the script
# CMD python -m uvicorn app.webapp:app --host $HOST --port $PORT --workers $UVICORN_WORKERS --no-server-header
# If running behind a proxy like Nginx or Traefik add --proxy-headers
# CMD python -m uvicorn app.webapp:app --proxy-headers --host $HOST --port $PORT --workers $UVICORN_WORKERS --no-server-header
# Command to run Uvicorn with SSL
# CMD python -m uvicorn app.webapp:app --host $HOST --port $PORT --ssl-keyfile /path/in/container/private.key --ssl-certfile /path/in/container/certificate.crt
ENTRYPOINT ["/bin/bash", "gaia_api/startup.sh"]
```
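Every `ARG` default and every `ENV` value in the Dockerfile above is recorded in the image config and build history, so a credential that is merely "defaulted" there (AUTH_SECRET, AWS_SECRET_ACCESS_KEY, LDAP_CREDENTIALS, OPENAI_API_KEY) ships with every image built from it. The following script is an added example, not code from the GAIA API project: it parses a Dockerfile the way the Dockerfile parser does (continuations joined, comment lines dropped even inside a continued instruction), flags secret-like `ARG`/`ENV` definitions, and checks that the final `USER` is not root. The Dockerfile text it scans is constructed for the demo and only mirrors the variable names used above; the name patterns in `SECRET_NAME_RE` and `PLACEHOLDER_RE` are assumptions to adapt per project.

```python
"""Dockerfile ARG/ENV linter (added example, not part of the GAIA API project)."""
import re
import shlex

# Variable names that usually carry credentials (assumed list; extend per project).
SECRET_NAME_RE = re.compile(r"SECRET|PASSWORD|PASSWD|CREDENTIALS|TOKEN|API_KEY|ACCESS_KEY", re.I)
# Obvious dummy defaults that do not count as a leaked value (assumed list).
PLACEHOLDER_RE = re.compile(r"^(default-\w+|changeme|placeholder|x{3,})$", re.I)

# Constructed sample: mirrors the ARG/ENV pattern of the Dockerfile above.
SAMPLE_DOCKERFILE = """\
# syntax=docker/dockerfile:1
FROM example.invalid/ubuntu-base:latest
ARG AUTH_SECRET=0123456789abcdef0123456789abcdef
ENV AUTH_SECRET=$AUTH_SECRET
ARG AWS_SECRET_ACCESS_KEY=default-secret
ENV AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY
ARG LDAP_CREDENTIALS=''
ENV LDAP_CREDENTIALS=$LDAP_CREDENTIALS
ARG PORT=8085
ENV PORT=$PORT
USER root:root
RUN apt-get update && apt-get install -y \\
    build-essential \\
    # a comment inside a continued RUN is removed by the Dockerfile parser
    && rm -rf /var/lib/apt/lists/*
USER appuser:appgroup
"""


def logical_lines(text):
    """Return (first_physical_line_no, instruction) pairs with continuations joined
    and blank/comment lines dropped, as the Dockerfile parser does."""
    result, buf, start = [], [], 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not buf:
            start = no
        if line.endswith("\\"):
            buf.append(line[:-1].strip())
            continue
        buf.append(line.strip())
        result.append((start, " ".join(buf)))
        buf = []
    if buf:  # dangling continuation at end of file
        result.append((start, " ".join(buf)))
    return result


def parse_assignments(rest):
    """Split the operand of ARG/ENV into (key, value) pairs: KEY=value (several per
    line, shell-quoted) or the legacy 'ENV KEY value' form; bare 'ARG KEY' -> (KEY, None)."""
    tokens = shlex.split(rest)
    if not tokens:
        return []
    if "=" not in tokens[0]:
        return [(tokens[0], " ".join(tokens[1:]) or None)]
    return [(t.partition("=")[0], t.partition("=")[2]) for t in tokens]


def lint(text):
    """Return a list of (line_no, name, message) findings for the Dockerfile text."""
    findings, args, last_user = [], {}, (0, None)
    for no, line in logical_lines(text):
        parts = line.split(None, 1)
        inst, rest = parts[0].upper(), (parts[1] if len(parts) > 1 else "")
        if inst == "ARG":
            for key, val in parse_assignments(rest):
                args[key] = val
                if SECRET_NAME_RE.search(key) and val and not PLACEHOLDER_RE.match(val):
                    findings.append((no, key, "secret-like ARG ships with a real default"))
        elif inst == "ENV":
            for key, val in parse_assignments(rest):
                if not SECRET_NAME_RE.search(key) or not val:
                    continue
                if val.strip("${}") in args:  # ENV X=$X persists the build-time value in the image
                    findings.append((no, key, "build-time secret copied into the image via ENV"))
                elif not PLACEHOLDER_RE.match(val):
                    findings.append((no, key, "secret-like ENV has a literal value"))
        elif inst == "USER":
            last_user = (no, rest.strip())
    user = last_user[1]
    if user is None or user.split(":")[0] in ("root", "0"):
        findings.append((last_user[0], "USER", "image runs as root (no final non-root USER)"))
    return findings


if __name__ == "__main__":
    for no, name, msg in lint(SAMPLE_DOCKERFILE):
        print(f"line {no}: {name}: {msg}")
```

On the sample, `AUTH_SECRET` is reported twice (real default on the `ARG`, then the `ENV` copy), `AWS_SECRET_ACCESS_KEY` and `LDAP_CREDENTIALS` once each for the `ENV` copy, and `PORT` not at all; the final `USER appuser:appgroup` keeps the root check quiet. The `ENV` copy is flagged even when the `ARG` default is empty because whatever is supplied with `--build-arg` at build time is then persisted in the image config.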
The Dockerfile in detail:

- Base Image: `FROM acncio.azurecr.io/ubuntu22.04cio-base:latest AS GaiaAPI`
- Arguments and Environment Variables: build arguments (`ARG`) and environment variables (`ENV`) for configuring the GaiaAPI application.
- Python and Dependency Installation: installs the required OS packages and builds Python 3.11 from source.
- Setting Up the Working Directory: creates `/gaia_api` and changes its ownership to a non-root user (`appuser:appgroup`).
- Application Setup: copies the GaiaAPI source into the image and installs its Python dependencies, including the `PYQPL` library.
- Exposing Ports and Running the Application: exposes `$PORT` and starts the application through the startup script:
```bash
#!/bin/bash
# Number of times the server will be restarted before giving up
tries=3

# Startup/restart loop. A while loop is used so that changes to $tries take effect;
# "for i in $(seq 1 $tries)" would evaluate seq once and ignore them.
while [ "$tries" -gt 0 ]
do
    # Start the python server
    python -m uvicorn app.webapp:app --host "$HOST" --port "$PORT" --workers "$UVICORN_WORKERS" --no-server-header
    # Capture the exit code immediately, before any other command overwrites $?
    exit_status=$?

    # Optional ways of running Uvicorn (replace the command above as needed):
    # Behind a proxy like Nginx or Traefik, add --proxy-headers:
    # python -m uvicorn app.webapp:app --proxy-headers --host "$HOST" --port "$PORT" --workers "$UVICORN_WORKERS" --no-server-header
    # With SSL, make sure the certificate and key paths are correct:
    # python -m uvicorn app.webapp:app --host "$HOST" --port "$PORT" --ssl-keyfile /path/in/container/private.key --ssl-certfile /path/in/container/certificate.crt

    # If the server fails and exits, check the exit code: 137 is treated as a planned restart
    # from the shutdown endpoint and does not consume a retry
    if [ "${exit_status}" -ne 137 ]; then
        tries=$((tries-1))
    fi
    # A clean exit (status 0, e.g. a Keyboard Interrupt) leaves the loop
    if [ "${exit_status}" -eq 0 ]; then
        tries=0
        break
    fi
    # Go back to the restart loop after a 3 second timeout
    sleep 3
done
```
- Non-root User: switches to a non-root user (`appuser:appgroup`) for running the application, enhancing security.