-
Notifications
You must be signed in to change notification settings - Fork 4
Expand file tree
/
Copy pathDockerfile
More file actions
50 lines (35 loc) · 1.77 KB
/
Dockerfile
File metadata and controls
50 lines (35 loc) · 1.77 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
# syntax=docker/dockerfile:1.6
# ── Stage 1 — UI build ────────────────────────────────────────────────────────
FROM node:20-alpine AS ui-builder
WORKDIR /ui
COPY ui/package.json ui/package-lock.json* ./
RUN npm ci --no-audit --no-fund
COPY ui/ ./
RUN npm run build
# ── Stage 2 — Python runtime ──────────────────────────────────────────────────
FROM python:3.12-slim
WORKDIR /app
# Non-root user
RUN groupadd -r llmproxy && useradd -r -g llmproxy llmproxy
# Install Python dependencies
COPY requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt
# Supply chain verification: scan for malicious .pth files post-install
# Defense against litellm-style attacks (2026-03-24)
RUN echo "=== .pth file audit ===" && \
SITE_DIR=$(python -c 'import site; print(site.getsitepackages()[0])') && \
if find "$SITE_DIR" -name "*.pth" -exec grep -lE "(exec\(|eval\(|subprocess|Popen|__import__|urllib|socket)" {} \; | grep -q .; then \
echo "CRITICAL: Suspicious .pth file detected!" && exit 1; \
else \
echo "Clean: no malicious .pth files found"; \
fi
# Copy application source (ui/dist and ui/node_modules excluded via .dockerignore)
COPY . .
# Drop the built UI bundle on top of the source tree so app_factory mounts it.
COPY --from=ui-builder /ui/dist /app/ui/dist
RUN chown -R llmproxy:llmproxy /app
USER llmproxy
EXPOSE 8090
HEALTHCHECK --interval=30s --timeout=5s --start-period=15s --retries=3 \
CMD python -c "import urllib.request; urllib.request.urlopen('http://localhost:8090/health')"
CMD ["python", "-u", "main.py"]