This Dockerfile is tailored for CIO projects, utilizing a custom Ubuntu base image from the CIO's Docker repository. The Dockerfile includes configurations for installing Python and other dependencies, setting up environment variables, and preparing the GaiaAPI application.
Accessing the CIO Docker Repository
Currently GAIA API uses a CIO's Ubuntu image as its base, if we want to build the Docker image we will need access to CIO Docker repository, for that follow the steps in Login Into CIO Azure Container Registry
CIO's Dockerfile
# syntax=docker/dockerfile:1
# Base image (Ubuntu 22.04 from CIO)
FROM acncio.azurecr.io/ubuntu22.04cio-base:latest AS GaiaAPI
# Arguments for dependency installation and PYQPL library location
# Options for INSTALL_DEPENDENCIES: [ldap], [genai], [all], or leave empty
ARG INSTALL_DEPENDENCIES=""
ARG PYQPL_LOCATION=lib/pyqpl-1.1.1-py3-none-any.whl
# Set GAIA_ENV as an environment variable, default value is 'default'
ARG GAIA_ENV=system_default
ENV GAIA_ENV=$GAIA_ENV
# Set CONFIG_URL as an environment variable, for custom configuration JSON file path
ARG CONFIG_URL=''
ENV CONFIG_URL=$CONFIG_URL
# Set number of Uvicorn workers, typically 1 is recommended in Docker
ARG UVICORN_WORKERS=1
ENV UVICORN_WORKERS=$UVICORN_WORKERS
# Set protocol (default 'http') as an environment variable
ARG PROTOCOL=http
ENV PROTOCOL=$PROTOCOL
# Set host for GAIA API, necessary unless default entrypoint is removed
ARG HOST=0.0.0.0
ENV HOST=$HOST
# Set port for GAIA API, necessary unless default entrypoint is removed
ARG PORT=8085
ENV PORT=$PORT
# Set domain name for GAIA API, necessary unless default entrypoint is removed
ARG DOMAIN_NAME=host.docker.internal
ENV DOMAIN_NAME=$DOMAIN_NAME
# Set cookie domain name for GAIA API, necessary unless default entrypoint is removed
ARG COOKIE_DOMAIN_NAME=''
ENV COOKIE_DOMAIN_NAME=$COOKIE_DOMAIN_NAME
# Set engine URL for GAIA API, necessary unless default entrypoint is removed
ARG ENGINE_URL=http://host.docker.internal:9200
ENV ENGINE_URL=$ENGINE_URL
# Set path to certificates, necessary only if mailer is enabled using custom SMTP
ARG CERTIFICATES_PATH=''
ENV CERTIFICATES_PATH=$CERTIFICATES_PATH
# Set AWS Elasticsearch credentials, only if using AWS service
ARG AWS_SERVICE=es
ENV AWS_SERVICE=$AWS_SERVICE
ARG AWS_REGION=us-east-1
ENV AWS_REGION=$AWS_REGION
# Set AWS Access Key and Session Token, required only if using access key and token
ARG AWS_ACCESS_KEY_ID=default-key
ENV AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID
ARG AWS_SECRET_ACCESS_KEY=default-secret
ENV AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY
ARG AWS_SESSION_TOKEN=default-token
ENV AWS_SESSION_TOKEN=$AWS_SESSION_TOKEN
# Set to allow empty queries on search
ARG ALLOW_EMPTY_QUERY=false
ENV ALLOW_EMPTY_QUERY=$ALLOW_EMPTY_QUERY
# JWKS (JSON Web Key Set) URL is a location where public keys used for verifying JSON Web Tokens (JWTs) can be retrieved
ARG DELEGATE_JWKS_URL=''
ENV DELEGATE_JWKS_URL=$DELEGATE_JWKS_URL
# The LDAP server URL. It specifies the network address and protocol for connecting to the LDAP server.
ARG LDAP_URL=''
ENV LDAP_URL=$LDAP_URL
# Contains the password or credentials associated with the bindDN. It is used for authentication when establishing a
# connection with the LDAP server.
ARG LDAP_CREDENTIALS=''
ENV LDAP_CREDENTIALS=$LDAP_CREDENTIALS
# Contains bindDN of the user to connect with ldap and check the users.
ARG LDAP_BIND_DN=''
ENV LDAP_BIND_DN=$LDAP_BIND_DN
# Contains the searchBase to where in the LDAP look for the users.
ARG LDAP_SEARCH_BASE=''
ENV LDAP_SEARCH_BASE=$LDAP_SEARCH_BASE
# Unique identifier assigned to the client application by the IdP. It identifies the client application during
# authentication and authorization requests.
ARG OIDC_CLIENT_ID=''
ENV OIDC_CLIENT_ID=$OIDC_CLIENT_ID
# URI to the OpenID Connect configuration values from the provider\'s Well-Known Configuration Endpoint
ARG OIDC_OPENID_CONFIG_URI=''
ENV OIDC_OPENID_CONFIG_URI=$OIDC_OPENID_CONFIG_URI
# The secret used to sign and decrypt the JWT. Does not apply with Delegated
ARG AUTH_SECRET=52ecfd60e01b800355a8ce59780f9243b4662c3a236394ee
ENV AUTH_SECRET=$AUTH_SECRET
# IA Assistant #############################################################
# URI to the OpenID Connect configuration values from the provider's Well-Known Configuration Endpoint
ARG ASSISTANT_INDEX=''
ENV ASSISTANT_INDEX=$ASSISTANT_INDEX
# This is your openai key to use the chat from your service provider
ARG OPENAI_API_KEY=''
ENV OPENAI_API_KEY=$OPENAI_API_KEY
# Base url of your service provider for open ai chat
ARG OPENAI_ENDPOINT=''
ENV OPENAI_ENDPOINT=$OPENAI_ENDPOINT
# Api version of the openai chat
ARG OPENAI_API_VERSION=''
ENV OPENAI_API_VERSION=$OPENAI_API_VERSION
# Name of the model to be used
ARG OPENAI_MODEL=''
ENV OPENAI_MODEL=$OPENAI_MODEL
# List of function which would trigger and exit of the loop pipeline
ARG ASSISTANT_EXIT_FUNCTIONS=''
ENV ASSISTANT_EXIT_FUNCTIONS=$ASSISTANT_EXIT_FUNCTIONS
# Change user to ROOT
USER root:root
# Install python 3.11 and other dependencies on OS
RUN apt-get update && apt-get install -y\
pkg-config\
libxml2-dev\
libxmlsec1\
libxmlsec1-dev\
libxmlsec1-openssl\
xmlsec1\
build-essential\
curl\
iputils-ping\
libnss3-dev\
libgdbm-dev\
libncurses5-dev\
libssl-dev\
libffi-dev\
libreadline-dev\
libsqlite3-dev\
libbz2-dev\
software-properties-common\
vim\
wget\
zlib1g-dev\
# Installiing Python 3.11.7
&& wget https://www.python.org/ftp/python/3.11.7/Python-3.11.7.tgz\
&& tar xvf Python-3.11.7.tgz\
&& cd Python-*/\
&& ./configure --enable-optimizations\
&& make altinstall\
&& ln -s -f /usr/local/bin/python3.11 /usr/local/bin/python\
&& ln -s -f /usr/local/bin/pip3.11 /usr/local/bin/pip\
&& cd ..\
&& rm Python-3.11.7.tgz\
&& rm -rf Python-3.11.7
# Create our work directory
WORKDIR /gaia_api
# Change work directory ownership to root-less user
RUN chown appuser:appgroup /gaia_api
# Copy GaiaAPI source and change ownership to root-less user
COPY --chown=appuser:appgroup . .
# Installiing all SAPI dependencies
RUN /bin/sh -c pip install --upgrade pip\
&& pip install --no-cache-dir lxml>=4.9.0\
&& pip install --no-cache-dir xmlsec\
&& pip install --no-cache-dir -e ".$INSTALL_DEPENDENCIES"\
# PYQPL from the local lib folder, check the VERSION before installing!
&& pip install --no-cache-dir $PYQPL_LOCATION
# Export GaiaAPI PORT
EXPOSE $PORT
# Change back to the root-less user
USER appuser:appgroup
# Default startup script command to run Uvicorn with specified configurations
ENTRYPOINT ["/bin/bash", "/gaia_api/startup.sh"]
Dockerfile Breakdown
Base Image:
Arguments and Environment Variables:
- Similar to the GAIA API Dockerfile, it defines build-time arguments (
ARG) and environment variables (ENV) for configuring the GaiaAPI application.
Python and Dependency Installation:
- Switches to the root user.
- Runs a series of commands to update the package list, install necessary libraries, and install Python 3.11.7 from source.
Setting Up the Working Directory:
- Creates a work directory
/gaia_api and changes its ownership to a non-root user (appuser:appgroup).
Application Setup:
- Copies the GaiaAPI source code into the container and changes ownership to the non-root user.
- Installs Python dependencies, including the
PYQPL library.
Exposing Ports and Running the Application:
- Exposes the specified port for the GaiaAPI.
- Switches back to the non-root user for running the application.
- Defines the default entrypoint script to start the GaiaAPI using Uvicorn, with optional commands for running behind a proxy or with SSL.
Startup Script
#!/bin/bash
# Amount of retries that the server will restart
tries=3
# Startup/Restart loop
for i in $(seq 1 $tries)
do
# Start the python server
python -m uvicorn app.webapp:app --host $HOST --port $PORT --workers $UVICORN_WORKERS --no-server-header
# Optional commands for running Uvicorn with proxy headers or SSL (uncomment as needed)
# Uncomment to run Uvicorn with proxy headers if behind a proxy like Nginx or Traefik
# python -m uvicorn app.webapp:app --proxy-headers --host $HOST --port $PORT --workers $UVICORN_WORKERS --no-server-header
# Uncomment to run Uvicorn with SSL, ensure SSL certificate and key paths are correct
# python -m uvicorn app.webapp:app --host $HOST --port $PORT --ssl-keyfile /path/in/container/private.key", "--ssl-certfile", "/path/in/container/certificate.crt"]
# If the server fails and exits we check if the exit code is 15 (most likely to be a planned restart from the shutdown endpoint)
exit_status=$?
if [ "${exit_status}" -ne 137 ];
then
tries=$((tries-1))
fi
# If we want to exit via Keyboard Interrupt, we skip the loop
if [ "${exit_status}" -eq 0 ];
then
tries=0
fi
# Go back to Restart Loop after a 3 second timeout
sleep 3
done
Detailed Startup Breakdown
- The tries variable has the number of maximum restarts of the server, this will exit the startup loop after reaching this limit.
- The for loop is the startup/restart loop, this will start a new python server depending of the command you want to start the server.
- There are 3 different start commands, depending if SSL verification or proxy headers are needed.
- Then, we catch the exit code of the python process, this is to know if the server was shutdown on purpose (in case of a successful import) or if it was manually shutdown (via Keyboard Interrupt) and depending of this code, the loop will continue and a new python server instance will spawn.
Key Differences from GAIA Dockerfile
- Base Image: Uses a custom Ubuntu image from the CIO's Docker repository.
- Python Installation: Python is installed from source rather than using a pre-built Python Docker image.
- User Management: Introduces a non-root user (
appuser:appgroup) for running the application, enhancing security.