Add Dockerfile.arm for linux/aarch64 builds (macOS Apple Silicon) with aarch64 Miniforge, conditional THIRDPARTY copy, and trimmed thirdparty PATH. Add parallel ARM64 build job to CI workflow using ubuntu-22.04-arm runner.
📝 Walkthrough
This pull request introduces multi-architecture Docker image building capability by adding an ARM64 workflow job and a comprehensive multi-stage Dockerfile.arm. The new Dockerfile builds OpenMS and TOPP tools, pyOpenMS, a Vue.js frontend, and orchestrates runtime services including Redis, nginx, RQ workers, and Streamlit within an ARM64-optimized container.
Actionable comments posted: 5
🧹 Nitpick comments (5)
Dockerfile.arm (5)
59-65: Add `--no-install-recommends` to apt-get install commands.
The GitHub CLI installation script is missing `--no-install-recommends` for the `apt-get install` commands, which increases image size with unnecessary packages.
♻️ Proposed fix
RUN (type -p wget >/dev/null || (apt-get update && apt-get install wget -y)) \ +RUN (type -p wget >/dev/null || (apt-get update && apt-get install --no-install-recommends wget -y)) \ && mkdir -p -m 755 /etc/apt/keyrings \ && wget -qO- https://cli.github.com/packages/githubcli-archive-keyring.gpg | tee /etc/apt/keyrings/githubcli-archive-keyring.gpg > /dev/null \ && chmod go+r /etc/apt/keyrings/githubcli-archive-keyring.gpg \ && echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" | tee /etc/apt/sources.list.d/github-cli.list > /dev/null \ && apt-get update \ - && apt-get install gh -y + && apt-get install --no-install-recommends gh -y🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@Dockerfile.arm` around lines 59 - 65, The RUN block that installs wget and gh should add the --no-install-recommends flag to apt-get install invocations to avoid pulling unnecessary packages; update the two apt-get install calls in the RUN sequence (the one that installs wget and the final apt-get install gh -y) to include --no-install-recommends (and keep existing -y), leaving apt-get update and the wget/gh steps otherwise unchanged.
253-258: Consider adding error handling for GitHub release download.
If `GH_TOKEN` is set but the release or asset doesn't exist, `gh release download` will fail and stop the build due to `set -e` in the entrypoint (though this RUN is separate). Consider adding explicit error handling or using `|| true` if the download is optional.
♻️ Optional: Add error handling
RUN if [ -n "$GH_TOKEN" ]; then \ echo "GH_TOKEN is set, proceeding to download the release asset..."; \ - gh release download -R ${GITHUB_USER}/${GITHUB_REPO} -p "OpenMS-App.zip" -D /app; \ + gh release download -R ${GITHUB_USER}/${GITHUB_REPO} -p "OpenMS-App.zip" -D /app || \ + echo "WARNING: Failed to download release asset, continuing anyway"; \ else \ echo "GH_TOKEN is not set, skipping the release asset download."; \ fi🤖 Prompt for AI Agents
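Review bot: the `|| echo "WARNING: ..."` fallback turns a failed `gh release download` into a successful build that silently ships without OpenMS-App.zip; if the asset is needed at runtime, failing the build is the safer default, so make continuing an explicit opt-in rather than the unconditional behaviour. Separately, this RUN reads `$GH_TOKEN` from the build environment; if the token arrives as an `ARG` or `ENV`, its value is persisted in the image layer metadata (visible via `docker history` or the image config), so pass it as a BuildKit secret instead, along the lines of `RUN --mount=type=secret,id=gh_token GH_TOKEN=$(cat /run/secrets/gh_token) gh release download ...` with `docker build --secret id=gh_token,src=<file>`, which keeps the token out of every layer.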
Verify each finding against the current code and only fix it if needed. In `@Dockerfile.arm` around lines 253 - 258, The RUN step that uses GH_TOKEN to call "gh release download -R ${GITHUB_USER}/${GITHUB_REPO} -p \"OpenMS-App.zip\" -D /app" can fail the build if the release or asset is missing; update the Dockerfile RUN block to handle download failures gracefully by checking the release/asset existence (e.g., use "gh release view" first) or by making the download non-fatal (e.g., append "|| true" or catch errors and log a warning) so that a missing OpenMS-App.zip does not abort the image build when GH_TOKEN is present.
86-86: Useless `cd /OpenMS` at end of RUN command.
Each RUN command starts in a fresh shell, so `cd /OpenMS` at the end has no effect on subsequent commands. The WORKDIR on line 89 already handles this correctly.
♻️ Proposed fix
-RUN git clone --recursive --depth=1 -b ${OPENMS_BRANCH} --single-branch ${OPENMS_REPO} && cd /OpenMS +RUN git clone --recursive --depth=1 -b ${OPENMS_BRANCH} --single-branch ${OPENMS_REPO}🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@Dockerfile.arm` at line 86, The RUN that executes "git clone --recursive --depth=1 -b ${OPENMS_BRANCH} --single-branch ${OPENMS_REPO} && cd /OpenMS" contains a useless "cd /OpenMS" because each RUN uses a fresh shell and the Dockerfile later sets WORKDIR; remove the trailing "&& cd /OpenMS" from the RUN command (the git clone invocation is fine) so the clone happens without the ineffective cd.
184-242: Complex entrypoint script is hard to maintain.
The inline entrypoint script with embedded nginx config is difficult to read, test, and maintain. Consider extracting it to a separate `entrypoint.sh` file and COPYing it into the image. This would also make debugging easier and allow proper shell syntax highlighting.
Additionally, the Streamlit instances are started without `--server.headless true`, which may cause issues in headless environments.
♻️ Suggested improvement for Streamlit commands
- streamlit run app.py --server.port $PORT --server.address 0.0.0.0 &\n\ + streamlit run app.py --server.port $PORT --server.address 0.0.0.0 --server.headless true &\n\ ... - exec streamlit run app.py --server.address 0.0.0.0\n\ + exec streamlit run app.py --server.address 0.0.0.0 --server.headless true\n\🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@Dockerfile.arm` around lines 184 - 242, Extract the large inline script into a standalone entrypoint script file (e.g., entrypoint.sh) and COPY it into the image instead of echoing it in Dockerfile; ensure the file contains the same logic around starting cron, Redis, RQ workers (RQ_WORKER_COUNT, openms-workflows, REDIS_URL), generating nginx upstream using STREAMLIT_SERVER_COUNT/BASE_PORT, starting Streamlit instances and nginx, and make the script executable (chmod +x) and used via ENTRYPOINT or CMD. While extracting, update all Streamlit invocations (both in single-instance and multi-instance loops) to include --server.headless true (keep --server.port and --server.address flags as present) so Streamlit runs correctly in headless/container environments. Ensure the nginx config generation and exec /usr/sbin/nginx -g "daemon off;" and exec streamlit run app.py lines remain identical in behavior after the move.
90-97: Consider adding explicit logging when ARM64 thirdparty binaries are present or missing.
The conditional check for `THIRDPARTY/Linux/aarch64` is appropriate, and the directory does exist with binaries (Comet, Percolator, Sage). However, to improve build visibility and aid debugging, consider adding explicit output when the directory is present or missing:
Suggested improvement for build visibility
RUN mkdir /thirdparty && \ git submodule update --init THIRDPARTY && \ cp -r THIRDPARTY/All/* /thirdparty && \ if [ -d "THIRDPARTY/Linux/aarch64" ]; then \ cp -r THIRDPARTY/Linux/aarch64/* /thirdparty; \ + echo "INFO: Copied ARM64-specific binaries from THIRDPARTY/Linux/aarch64"; \ + else \ + echo "WARNING: THIRDPARTY/Linux/aarch64 not found - using generic binaries only"; \ fi && \ chmod -R +x /thirdparty🤖 Prompt for AI Agents
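Review bot: the added echo branches help, but on an aarch64-only image a missing `THIRDPARTY/Linux/aarch64` means Comet, Percolator and Sage are absent from /thirdparty and the affected workflows will fail later at runtime rather than at build time; unless a generic-binaries-only image is really intended, the `else` branch should `exit 1` instead of warning and continuing. Also, `chmod -R +x /thirdparty` marks every file under /thirdparty executable, data and config files included; restrict it to the tool binaries that PATH actually needs.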
Verify each finding against the current code and only fix it if needed. In `@Dockerfile.arm` around lines 90 - 97, The build step that copies ARM64 third-party binaries (the RUN block that creates /thirdparty, updates the THIRDPARTY submodule and conditionally copies from THIRDPARTY/Linux/aarch64) lacks visible output about whether the aarch64 directory was found; update that RUN sequence to emit explicit messages (e.g., using echo) for both the present and missing cases around the if [ -d "THIRDPARTY/Linux/aarch64" ] check so the build log shows “Found ARM64 thirdparty: copying...” or “No ARM64 thirdparty directory; skipping” before or after the cp commands; keep the existing chmod and ENV PATH update unchanged.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: 251ca5b0-9e83-4973-b9a0-a442be04b513
📒 Files selected for processing (2)
- .github/workflows/build-docker-images.yml
- Dockerfile.arm
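The standalone entrypoint the nitpick on lines 184-242 asks for, written here as an added example; it is not the PR's own script and not code from the OpenMS project. It keeps the variable names the review mentions (STREAMLIT_SERVER_COUNT, BASE_PORT, RQ_WORKER_COUNT, REDIS_URL, the openms-workflows queue) and adds `--server.headless true`; the redis-server, rq and cron invocations, the nginx config path, the PUBLIC_PORT variable and the port defaults are assumptions. As a hardening change from the PR's `0.0.0.0` binding, the multi-instance Streamlit backends listen on loopback so only nginx is reachable from outside the container.

```shell
#!/bin/sh
# entrypoint.sh (hypothetical): standalone replacement for the inline entrypoint the
# review suggests extracting. Variable names follow the PR; commands are assumptions.
set -e

STREAMLIT_SERVER_COUNT="${STREAMLIT_SERVER_COUNT:-1}"   # Streamlit instances behind nginx
PUBLIC_PORT="${PUBLIC_PORT:-8501}"                       # assumed: the one port exposed
BASE_PORT="${BASE_PORT:-8502}"                           # backends use BASE_PORT upward
RQ_WORKER_COUNT="${RQ_WORKER_COUNT:-1}"                  # background job workers
REDIS_URL="${REDIS_URL:-redis://127.0.0.1:6379}"

# Print an nginx upstream block with one loopback backend per Streamlit instance.
render_nginx_upstream() {
  count="$1"; base="$2"; i=0
  printf 'upstream streamlit_backend {\n'
  while [ "$i" -lt "$count" ]; do
    printf '    server 127.0.0.1:%d;\n' "$((base + i))"
    i=$((i + 1))
  done
  printf '}\n'
}

# Print the nginx server block; the Upgrade/Connection headers keep Streamlit's websocket working.
render_nginx_site() {
  cat <<EOF
server {
    listen $1;
    location / {
        proxy_pass http://streamlit_backend;
        proxy_http_version 1.1;
        proxy_set_header Upgrade \$http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host \$host;
    }
}
EOF
}

# Argument list for one Streamlit instance; headless mode skips the interactive
# first-run prompts that would otherwise block an instance started from an entrypoint.
streamlit_args() {
  printf 'run app.py --server.port %s --server.address %s --server.headless true' "$1" "$2"
}

start_services() {
  cron
  redis-server --daemonize yes
  n=0
  while [ "$n" -lt "$RQ_WORKER_COUNT" ]; do
    rq worker --url "$REDIS_URL" openms-workflows &
    n=$((n + 1))
  done
  if [ "$STREAMLIT_SERVER_COUNT" -gt 1 ]; then
    { render_nginx_upstream "$STREAMLIT_SERVER_COUNT" "$BASE_PORT"
      render_nginx_site "$PUBLIC_PORT"; } > /etc/nginx/conf.d/streamlit.conf
    i=0
    while [ "$i" -lt "$STREAMLIT_SERVER_COUNT" ]; do
      # word splitting of the argument list is intended
      streamlit $(streamlit_args "$((BASE_PORT + i))" 127.0.0.1) &
      i=$((i + 1))
    done
    exec /usr/sbin/nginx -g "daemon off;"
  else
    exec streamlit $(streamlit_args "$PUBLIC_PORT" 0.0.0.0)
  fi
}

# Launch only when asked, so the functions above can be sourced and checked offline.
if [ "${ENTRYPOINT_RUN:-0}" = "1" ]; then
  start_services
fi
```

In the image this would be `COPY entrypoint.sh /entrypoint.sh`, `RUN chmod +x /entrypoint.sh` and `ENTRYPOINT ["/bin/sh", "-c", "ENTRYPOINT_RUN=1 /entrypoint.sh"]`; the guard at the bottom is what lets the config-rendering functions be exercised without starting any service.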
| build-full-app-arm64: | ||
| runs-on: ubuntu-22.04-arm | ||
| steps: | ||
| - uses: actions/checkout@v3 | ||
| - name: Build the ARM64 Docker image | ||
| run: docker build --file Dockerfile.arm --tag streamlitapp:latest-arm64 --output type=tar,dest=/dev/null . No newline at end of file |
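Review bot: `uses: actions/checkout@v3` in the `build-full-app-arm64` job pins only a mutable tag; beyond moving to v4 for the Node 20 runtime, pin the action to a full commit SHA (keeping the version in a trailing comment) so a retagged release cannot change what this CI job executes. The `--output type=tar,dest=/dev/null` flag means the job only verifies that the image builds and then discards it, which is fine for a smoke test but worth saying in the step name so nobody expects a published artifact.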
🧩 Analysis chain
🌐 Web query:
GitHub Actions checkout v3 ARM64 runner compatibility
💡 Result:
actions/checkout@v3 is architecture-agnostic (it’s a JavaScript action), so it can run on ARM64 runners as long as the runner provides a compatible Node runtime. checkout@v3 declares runs.using: node16. [1]
However, GitHub Actions moved JavaScript actions to run on Node 20 by default (enforced starting June 3, 2024). [2] And Node 16 was removed from GitHub-hosted runners on Nov 12, 2024, meaning workflows relying on Node16-only actions are expected to break on runners that no longer include Node16. [3]
So, for ARM64 runners (including GitHub-hosted ARM64 runners, which are GA), [4] the practical guidance is:
- Use `actions/checkout@v4` (it declares `runs.using: node20`). [5]
- If you’re on self-hosted ARM64, ensure the OS/glibc toolchain can run the runner’s embedded Node 20 (otherwise you may see runtime/library errors). [6]
Sources
[1] https://raw.githubusercontent.com/actions/checkout/v3/action.yml
[2] https://github.blog/changelog/2024-03-06-github-actions-all-actions-will-run-on-node20-instead-of-node16-by-default/
[3] https://github.blog/changelog/2024-09-25-end-of-life-for-actions-node16/
[4] https://github.blog/changelog/2024-09-03-github-actions-arm64-linux-and-windows-runners-are-now-generally-available
[5] https://raw.githubusercontent.com/actions/checkout/v4/action.yml
[6] actions/checkout#1809
🏁 Script executed:
cat -n .github/workflows/build-docker-images.yml | head -40
Repository: OpenMS/FLASHApp
Length of output: 896
Update actions/checkout to v4 due to Node 16 deprecation.
actions/checkout@v3 uses Node 16, which was removed from GitHub-hosted runners on November 12, 2024. Both jobs must be updated to v4, which uses Node 20. This affects all runners, including the ARM64 runner, and will cause workflow failures if not addressed.
🐛 Proposed fix
build-full-app:
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@v4
- name: Build the full Docker image
run: docker build --file Dockerfile --tag streamlitapp:latest --output type=tar,dest=/dev/null .
build-full-app-arm64:
runs-on: ubuntu-22.04-arm
steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@v4
- name: Build the ARM64 Docker image
- run: docker build --file Dockerfile.arm --tag streamlitapp:latest-arm64 --output type=tar,dest=/dev/null .
+ run: docker build --file Dockerfile.arm --tag streamlitapp:latest-arm64 --output type=tar,dest=/dev/null .
🧰 Tools
🪛 actionlint (1.7.11)
[error] 25-25: the runner of "actions/checkout@v3" action is too old to run on GitHub Actions. update the action's version to fix this issue
(action)
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In @.github/workflows/build-docker-images.yml around lines 20 - 27, Replace the
deprecated actions/checkout@v3 usage with actions/checkout@v4 in the workflow
job that builds the ARM64 image (job name build-full-app-arm64); find the step
that currently reads "uses: actions/checkout@v3" and update it to "uses:
actions/checkout@v4" so the runner uses Node 20-compatible checkout action and
avoids Node 16 deprecation failures.
| @@ -0,0 +1,263 @@ | |||
| # This Dockerfile builds OpenMS, the TOPP tools, pyOpenMS and thidparty tools. | |||
Fix typos in documentation comments.
Minor typos: "thidparty" should be "thirdparty".
📝 Proposed fix
-# This Dockerfile builds OpenMS, the TOPP tools, pyOpenMS and thidparty tools.
+# This Dockerfile builds OpenMS, the TOPP tools, pyOpenMS and thirdparty tools.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@Dockerfile.arm` at line 1, Update the top-line comment in the Dockerfile.arm
header to correct the typo "thidparty" to "thirdparty" so the comment reads
"...pyOpenMS and thirdparty tools."; locate the string in the file (the
first-line comment) and replace the misspelled word.
| # Streamlit app Gihub user name (to download artifact from). | ||
| ARG GITHUB_USER=OpenMS | ||
| # Streamlit app Gihub repository name (to download artifact from). |
Fix typos: "Gihub" → "GitHub".
📝 Proposed fix
-# Streamlit app Gihub user name (to download artifact from).
+# Streamlit app GitHub user name (to download artifact from).
ARG GITHUB_USER=OpenMS
-# Streamlit app Gihub repository name (to download artifact from).
+# Streamlit app GitHub repository name (to download artifact from).
ARG GITHUB_REPO=FLASHApp
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@Dockerfile.arm` around lines 36 - 38, Fix the typos in the Dockerfile
comments by changing "Gihub" to "GitHub" where the ARG is declared (e.g., the
comment above ARG GITHUB_USER) and in the adjacent repository-name comment;
update the two comment strings so they read "GitHub" instead of "Gihub" while
leaving ARG GITHUB_USER and the repository ARG unchanged.
| USER root | ||
|
|
||
| # Install required Ubuntu packages. | ||
| RUN apt-get -y update | ||
| RUN apt-get install -y --no-install-recommends --no-install-suggests g++ autoconf automake patch libtool make git gpg wget ca-certificates curl jq libgtk2.0-dev openjdk-8-jdk cron | ||
| RUN update-ca-certificates | ||
| RUN apt-get install -y --no-install-recommends --no-install-suggests libsvm-dev libeigen3-dev coinor-libcbc-dev libglpk-dev libzip-dev zlib1g-dev libxerces-c-dev libbz2-dev libomp-dev libhdf5-dev | ||
| RUN apt-get install -y --no-install-recommends --no-install-suggests libboost-date-time1.74-dev \ | ||
| libboost-iostreams1.74-dev \ | ||
| libboost-regex1.74-dev \ | ||
| libboost-math1.74-dev \ | ||
| libboost-random1.74-dev | ||
| RUN apt-get install -y --no-install-recommends --no-install-suggests qt6-base-dev libqt6svg6-dev libqt6opengl6-dev libqt6openglwidgets6 libgl-dev |
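Review bot: the three later `RUN apt-get install` lines in this hunk all depend on the index fetched by the first `RUN apt-get -y update`; once that first layer is cached, a rebuild installs from a stale index, so either fold all four installs into one RUN together with the update or refresh the index in each, and end the consolidated RUN with `rm -rf /var/lib/apt/lists/*` so the package index is not baked into the layer. `USER root` is the last USER directive in the visible lines, which is what Trivy DS-0002 flags: the build steps can stay root, but the final stage needs a dedicated non-root `USER` set before the CMD/ENTRYPOINT.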
Security concern: Container runs as root.
The container runs all processes as root, which is a security risk in production deployments. Consider creating a non-root user for running the application. Additionally, as flagged by static analysis, apt-get update on line 47 should be combined with apt-get install in the same RUN statement to avoid stale package lists.
🔒 Proposed fix for apt-get consolidation
-RUN apt-get -y update
-RUN apt-get install -y --no-install-recommends --no-install-suggests g++ autoconf automake patch libtool make git gpg wget ca-certificates curl jq libgtk2.0-dev openjdk-8-jdk cron
+RUN apt-get -y update && \
+ apt-get install -y --no-install-recommends --no-install-suggests g++ autoconf automake patch libtool make git gpg wget ca-certificates curl jq libgtk2.0-dev openjdk-8-jdk cron
Note: Running as root may be acceptable for this build if it's only used in controlled CI/test environments, but should be addressed for any production deployment.
🧰 Tools
🪛 Trivy (0.69.3)
[error] 44-44: Image user should not be 'root'
Last USER command in Dockerfile should not be 'root'
Rule: DS-0002
(IaC/Dockerfile)
[error] 47-47: 'RUN update' instruction alone
The instruction 'RUN update' should always be followed by ' install' in the same RUN statement.
Rule: DS-0017
(IaC/Dockerfile)
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@Dockerfile.arm` around lines 44 - 56, The Dockerfile currently sets USER root
and runs multiple separated apt-get update/install RUNs; create a dedicated
non-root user and group (e.g., appuser) during the image build, chown any
necessary app files and switch to that user before the final CMD/ENTRYPOINT
(replace or move the existing USER root), and consolidate package installation
by combining apt-get -y update && apt-get install -y --no-install-recommends ...
into single RUN statements (replace the separate RUN apt-get -y update and
subsequent RUN apt-get install lines) to prevent stale package lists and reduce
image layers; update any file ownership or startup steps to use the new user.
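To make the two Trivy findings above (DS-0002, last USER is root; DS-0017, a lone `apt-get update`) checkable before a scanner runs, here is an added shell lint that is not part of the PR, of Trivy or of the OpenMS project; the rules, the sample Dockerfile and its corrected variant are constructed for this example.

```shell
#!/bin/sh
# Added example: a small Dockerfile lint for the DS-0002 / DS-0017 patterns flagged on
# this PR. Not part of the PR or of Trivy; sample inputs below are constructed.

# Constructed sample mirroring the flagged pattern: USER root stays in effect and
# the apt index refresh sits in its own layer.
SAMPLE_DOCKERFILE='FROM ubuntu:22.04
USER root
RUN apt-get -y update
RUN apt-get install -y --no-install-recommends g++ git
RUN apt-get -y update && apt-get install -y --no-install-recommends curl \
    && rm -rf /var/lib/apt/lists/*
CMD ["bash"]'

# Corrected variant: update and install share one instruction, final USER is non-root.
FIXED_DOCKERFILE='FROM ubuntu:22.04
RUN apt-get -y update && apt-get install -y --no-install-recommends g++ git curl \
    && rm -rf /var/lib/apt/lists/*
RUN groupadd -r app && useradd -r -g app -d /app -s /usr/sbin/nologin app
USER app
CMD ["bash"]'

# Join backslash-continued lines so a multi-line RUN is inspected as one instruction.
join_continuations() {
  awk '/\\[[:space:]]*$/ { sub(/\\[[:space:]]*$/, ""); buf = buf $0 " "; next }
       { print buf $0; buf = "" }
       END { if (buf != "") print buf }'
}

# Effective user at the end of the Dockerfile; Docker defaults to root when no USER is set.
last_user() {
  join_continuations | awk 'toupper($1) == "USER" { u = $2 } END { print (u == "" ? "root" : u) }'
}

# Number of RUN instructions that refresh the apt index without installing in the same layer.
lone_apt_update_count() {
  join_continuations | awk '
    /^[[:space:]]*RUN[[:space:]]/ && /apt-get([[:space:]]+-[a-zA-Z-]+)*[[:space:]]+update/ && !/apt-get[^&|;]*install/ { n++ }
    END { print n + 0 }'
}

# Lint a Dockerfile read from stdin; prints findings and returns 1 when any exist.
lint_dockerfile() {
  content="$(cat)"
  rc=0
  user="$(printf '%s\n' "$content" | last_user)"
  if [ "$user" = "root" ] || [ "$user" = "0" ]; then
    echo "DS-0002: last USER is root (or unset)"; rc=1
  fi
  lone="$(printf '%s\n' "$content" | lone_apt_update_count)"
  if [ "$lone" -gt 0 ]; then
    echo "DS-0017: $lone RUN instruction(s) call apt-get update without install"; rc=1
  fi
  return $rc
}
```

Run it as `lint_dockerfile < Dockerfile.arm` from a shell that has sourced the file; the sample reports both findings and the corrected variant reports none, which is the same outcome the Trivy output on this PR shows.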
| SHELL ["/bin/bash", "--rcfile", "~/.bashrc"] | ||
| SHELL ["mamba", "run", "-n", "streamlit-env", "/bin/bash", "-c"] |
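Review bot: the first `SHELL ["/bin/bash", "--rcfile", "~/.bashrc"]` is overridden by the `SHELL ["mamba", "run", ...]` line directly below it, so it never applies to any RUN step; and even with an absolute path, bash honours `--rcfile` only for interactive shells, which a RUN step is not. If the goal is to have the mamba/conda initialisation available in later RUN steps, drop the first SHELL line and source the rc file explicitly inside the `mamba run -n streamlit-env /bin/bash -c` command, then add a RUN that checks the expected environment is active so the build fails early instead of silently using the wrong tools.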
Tilde expansion does not work in Dockerfile SHELL directive.
The ~/.bashrc path won't expand correctly since Docker's SHELL directive uses JSON array syntax where tilde expansion doesn't occur. This could cause the bashrc to not be sourced as intended.
🐛 Proposed fix
-SHELL ["/bin/bash", "--rcfile", "~/.bashrc"]
+SHELL ["/bin/bash", "--rcfile", "/root/.bashrc"]
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.
In `@Dockerfile.arm` around lines 78 - 79, The SHELL directive using "~/.bashrc"
won't expand in Docker's JSON-array form; replace the tilde with an absolute
path or an environment variable (e.g., use "/root/.bashrc" or "$HOME/.bashrc")
in the SHELL invocation so the rcfile is actually sourced; update the two SHELL
lines (the first SHELL ["/bin/bash", "--rcfile", "~/.bashrc"] and the following
SHELL ["mamba", "run", "-n", "streamlit-env", "/bin/bash", "-c"]) to reference
the expanded path or $HOME consistently (or remove the first SHELL and adjust
the mamba-run line to source the absolute rcfile) so bash will source the
intended file.