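# Shared base stage: the official Node.js Alpine image (https://github.com/nodejs/docker-node).
# NOTE(review): the base is pinned by tag only, so its content can change between builds;
# pin by digest (node:24-alpine@sha256:<digest>) if reproducible, auditable builds matter.
FROM --platform=${TARGETPLATFORM:-linux/amd64} node:24-alpine AS alpine
# Patch the listed packages to the versions in the current Alpine package index.
# --no-cache makes apk fetch a fresh index for this command and keep none of it on disk,
# so a separate `apk update` (which would leave the index files in this layer) is not needed.
# The upgrade is limited to the packages named here; anything else stays at the version
# shipped in the base image until the base tag itself is bumped.
# Check https://github.com/nodejs/docker-node/tree/b4117f9333da4138b03a546ec926ef50a31506c3#nodealpine to understand why libc6-compat might be needed.
RUN apk upgrade --no-cache \
      busybox \
      libc6-compat \
      libcrypto3 \
      libssl3 \
      ssl_client \
      zlib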
# Build-only toolchain stage (turbo + pnpm). The final `runner` stage is built from
# `runtime-base`, not from this stage, so these CLIs are not part of the shipped image.
FROM --platform=${TARGETPLATFORM:-linux/amd64} alpine AS build-base
# turbo is pinned to an exact version to avoid nondeterministic prune output from future patch releases.
RUN npm install --global turbo@2.9.12
# Kept as two ENV instructions on purpose: PATH refers to PNPM_HOME, and a value set by an
# ENV instruction is only visible to the instructions that follow it.
ENV PNPM_HOME=/pnpm
ENV PATH="$PNPM_HOME:$PATH"
# Turn on corepack, then fetch and activate the pinned pnpm release.
RUN corepack enable && \
    corepack prepare pnpm@11.1.3 --activate
# Runtime base: the patched `alpine` stage with package managers stripped out.
FROM --platform=${TARGETPLATFORM:-linux/amd64} alpine AS runtime-base
# Package managers and build-only CLIs only increase exposure to CVEs at runtime, so remove them.
# Caveat: deleting in a later layer hides the files from the container's filesystem, but they
# still exist in the lower layers inherited from the base image, so a scanner that inspects
# individual layers may keep reporting them.
RUN rm -rf \
      /root/.cache/node/corepack \
      /usr/local/lib/node_modules/corepack \
      /usr/local/lib/node_modules/npm \
    && rm -f \
      /usr/local/bin/corepack \
      /usr/local/bin/npm \
      /usr/local/bin/npx \
      /usr/local/bin/yarn \
      /usr/local/bin/yarnpkg
# Pruner stage: reduce the monorepo to what the `worker` workspace needs.
FROM --platform=${TARGETPLATFORM:-linux/amd64} build-base AS pruner
WORKDIR /app
# Copies the entire build context into this stage. The builder stage only copies from
# /app/out, but everything in the context still lands in this stage's layer and build cache:
# keep .env files, .git and local node_modules out of the context with a .dockerignore.
COPY . .
# Output goes to /app/out; the builder stage reads out/json/, out/full/, pnpm-lock.yaml and
# pnpm-workspace.yaml from there.
RUN turbo prune --scope=worker --docker
# Builder stage: install the pruned workspace's dependencies and build the worker.
FROM --platform=${TARGETPLATFORM:-linux/amd64} build-base AS builder
WORKDIR /app
# Dependency manifests go in first (they change less often than source), so the install
# layer below stays cached when only application code changes.
COPY --from=pruner /app/out/pnpm-lock.yaml /app/out/pnpm-workspace.yaml ./
COPY --from=pruner /app/out/json/ ./
# --frozen-lockfile: install exactly what the committed lockfile records.
RUN pnpm install --frozen-lockfile
# Public variables passed in at build time.
# Build args are recorded in build metadata for this stage, so only values that are safe to
# publish belong here; anything secret should come through a BuildKit secret mount instead.
ARG NEXT_PUBLIC_LANGFUSE_CLOUD_REGION
ARG NEXT_PUBLIC_DEMO_ORG_ID
ARG NEXT_PUBLIC_DEMO_PROJECT_ID
ARG NEXT_PUBLIC_POSTHOG_KEY
ARG NEXT_PUBLIC_POSTHOG_HOST
# Source code of the isolated subworkspace
COPY --from=pruner /app/out/full/ ./
RUN turbo run build --filter=worker...
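# prod-deps stage: produce the production-only worker payload under /prod/worker.
FROM --platform=${TARGETPLATFORM:-linux/amd64} builder AS prod-deps
# previously we copied the --from=builder /app . (includes full node_modules etc)
# we only need the prod + generated prisma client plus .prisma artifacts
# @langfuse/shared still pulls in next-auth transitively, so keep the deploy output
# intact here instead of pruning node_modules in Docker.
# Keep legacy deploy until the worker Docker image is verified with pnpm's default deploy implementation.
#
# After the deploy, the @prisma/client package and its sibling .prisma directory in
# /prod/worker are replaced with the copies from the builder's node_modules.
# The `test -d` guards make the build stop before `rm -rf` when a `find` matched nothing:
# an empty variable would otherwise turn the derived runtime path into the relative
# "./.prisma" and the step would only fail later, at `cp`, with a less obvious error.
# NOTE(review): `head -n 1` takes the first match; if more than one @prisma/client version
# is present under .pnpm, which one gets copied depends on find's traversal order - confirm
# only one is expected.
RUN pnpm --filter worker deploy --legacy --prod /prod/worker && \
    builder_prisma_client_dir="$(find /app/node_modules/.pnpm -path '*/node_modules/@prisma/client' -type d | head -n 1)" && \
    deployed_prisma_client_dir="$(find /prod/worker/node_modules/.pnpm -path '*/node_modules/@prisma/client' -type d | head -n 1)" && \
    test -d "$builder_prisma_client_dir" && \
    test -d "$deployed_prisma_client_dir" && \
    builder_prisma_runtime_dir="$(dirname "$(dirname "$builder_prisma_client_dir")")/.prisma" && \
    deployed_prisma_runtime_dir="$(dirname "$(dirname "$deployed_prisma_client_dir")")/.prisma" && \
    test -d "$builder_prisma_runtime_dir" && \
    rm -rf "$deployed_prisma_client_dir" "$deployed_prisma_runtime_dir" && \
    cp -R "$builder_prisma_client_dir" "$deployed_prisma_client_dir" && \
    cp -R "$builder_prisma_runtime_dir" "$deployed_prisma_runtime_dir"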
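# Final image: runtime-base (no npm/corepack/yarn) plus the production worker payload.
FROM --platform=${TARGETPLATFORM:-linux/amd64} runtime-base AS runner
ARG TARGETPLATFORM
ARG BUILDPLATFORM

# dumb-init is the container's first process (see ENTRYPOINT) and starts entrypoint.sh.
RUN apk add --no-cache dumb-init

WORKDIR /app

ARG NEXT_PUBLIC_BUILD_ID
ENV BUILD_ID=$NEXT_PUBLIC_BUILD_ID

# key=value form; the space-separated `ENV key value` form is legacy syntax.
ENV NODE_ENV=production
ENV DOCKER_BUILD=0

# Don't run production as root
ARG UID=1001
ARG GID=1001
RUN addgroup --system --gid ${GID} expressjs
# NOTE(review): adduser is not told to use the expressjs group here, so the account's primary
# group is presumably whatever adduser assigns by default - confirm with `id expressjs`
# if group ownership matters for mounted volumes.
RUN adduser --system --uid ${UID} expressjs

# Copy only production worker payload instead of full builder workspace (just /prod/worker not entire /app)
COPY --from=prod-deps --chown=expressjs:expressjs /prod/worker ./worker
# Runs while still root, before the USER switch below.
RUN chmod +x ./worker/entrypoint.sh

# USER is set by name. Kubernetes `runAsNonRoot` cannot verify a non-numeric user, so
# deployments that set it also need an explicit numeric `runAsUser` matching UID above.
USER expressjs

# EXPOSE documents the port only; 3030 is unprivileged, so the non-root user can bind it.
EXPOSE 3030
ENV PORT=3030

# Docker ENTRYPOINT (dumb-init) is covered by semantic versioning, not the entrypoint.sh itself
# Reasoning: ENTRYPOINT is overridden by some self-hosted deployments, thus changing this is breaking
# A deployment that overrides ENTRYPOINT skips whatever entrypoint.sh does before starting the app.
ENTRYPOINT ["dumb-init", "--", "./worker/entrypoint.sh"]

# startup command
CMD ["node", "worker/dist/index.js"]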