# Shared base stage: the builder stages and the runtime targets all derive
# from this image, so the venv is built against the same interpreter and
# distribution release that later runs it.
# NOTE(review): the tag fixes a version but remains mutable on the registry.
# Pinning by digest (python:3.14.1-slim-trixie@sha256:<DIGEST_PLACEHOLDER>)
# would make rebuilds reproducible and guard against a re-pushed tag.
FROM python:3.14.1-slim-trixie AS base
# Common builder stage: the shared base plus the uv package manager
FROM base AS builder

# uv is taken as a single binary from the upstream image.
# NOTE(review): 0.9.18 is a version tag, not a digest; consider
# ghcr.io/astral-sh/uv:0.9.18@sha256:<DIGEST_PLACEHOLDER> so that a re-tagged
# image cannot silently change the binary that installs every dependency.
COPY --from=ghcr.io/astral-sh/uv:0.9.18 /uv /bin/uv

# uv settings shared by all builder stages:
#   UV_PYTHON_DOWNLOADS=0           never fetch an interpreter, use the one in the image
#   UV_COMPILE_BYTECODE=1           compile bytecode at install time
#   UV_COMPILE_BYTECODE_TIMEOUT=300 extra time for Python 3.14 on GHA with QEMU for arm
#   UV_LINK_MODE=copy               copy out of the cache instead of linking,
#                                   because the cache is a mounted volume
ENV UV_PYTHON_DOWNLOADS=0 \
    UV_COMPILE_BYTECODE=1 \
    UV_COMPILE_BYTECODE_TIMEOUT=300 \
    UV_LINK_MODE=copy

# Working directory for the build; created if missing
WORKDIR /app
# Builder for the slim image: the project without optional extras
FROM builder AS builder-slim

# Step 1: third-party dependencies only. The lockfile and pyproject.toml are
# bind-mounted for this step rather than copied, and --frozen installs what
# uv.lock records without re-resolving or rewriting it.
RUN --mount=type=bind,source=pyproject.toml,target=pyproject.toml \
    --mount=type=bind,source=uv.lock,target=uv.lock \
    --mount=type=cache,target=/root/.cache/uv \
    uv sync --frozen --no-install-project --no-dev --no-editable

# Step 2: project sources. Keeping this after the dependency layer means a
# source change does not reinstall the dependencies.
# NOTE(review): the slim target copies this stage's whole /app, so tests/,
# examples/ and .env.example ship in the runtime image; drop them here if
# they are not needed at runtime.
COPY pyproject.toml .python-version uv.lock LICENSE .env.example *.md /app/
COPY src /app/src
COPY tests /app/tests
COPY examples /app/examples

# No slim-specific project files yet; install the project itself
RUN --mount=type=cache,target=/root/.cache/uv \
    uv sync --frozen --no-dev --no-editable
# Builder for the full image: the project with every optional extra
FROM builder AS builder-all

# Step 1: third-party dependencies only, extras included. The lockfile and
# pyproject.toml are bind-mounted for this step rather than copied, and
# --frozen installs what uv.lock records without re-resolving or rewriting it.
RUN --mount=type=bind,source=pyproject.toml,target=pyproject.toml \
    --mount=type=bind,source=uv.lock,target=uv.lock \
    --mount=type=cache,target=/root/.cache/uv \
    uv sync --frozen --no-install-project --all-extras --no-dev --no-editable

# Step 2: project sources. Keeping this after the dependency layer means a
# source change does not reinstall the dependencies.
# NOTE(review): the all target copies this stage's whole /app, so tests/,
# examples/ and .env.example ship in the runtime image; drop them here if
# they are not needed at runtime.
COPY pyproject.toml .python-version uv.lock LICENSE .env.example *.md /app/
COPY src /app/src
COPY tests /app/tests
COPY examples /app/examples

# Files only the full build needs: the generated client code
COPY codegen/out/aignx /app/codegen/out/aignx

# Install the project itself together with all extras
RUN --mount=type=cache,target=/root/.cache/uv \
    uv sync --frozen --all-extras --no-dev --no-editable
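# Common runtime stage that the slim and all targets build on
FROM base AS target

# Marker variable set in every runtime image
ENV AIGNOSTICS_RUNNING_IN_CONTAINER=1

# Dedicated unprivileged system account; the final stages switch to it with
# USER app so the application does not run as root.
# set -eu: heredoc lines are not chained with &&, so without it a failing
# groupadd would not abort the step on its own.
# NOTE(review): no fixed UID/GID is requested. Runtimes that verify non-root
# by numeric id (e.g. Kubernetes runAsNonRoot) cannot check a named USER;
# confirm whether a stable numeric id is needed.
RUN <<EOT
set -eu
groupadd -r app
useradd -r -d /app -g app -N app
EOT

# Executables from the virtual environment come first on the PATH.
# uv itself is not available here: only /app is copied from the builder.
# The final stages copy /app owned by root, so the runtime user cannot
# replace anything under this PATH entry.
ENV PATH="/app/.venv/bin:$PATH"

# API will run on port 8000 by default
EXPOSE 8000/tcp
# Marimo server will run on port 8001 by default
EXPOSE 8001/tcp

# No healthcheck by default; this also disables one inherited from the base
HEALTHCHECK NONE

# Default entrypoint is the project's CLI, resolved through the PATH above
ENTRYPOINT ["aignostics"]

# Matplotlib config/cache directory, placed under /tmp.
# See https://matplotlib.org/stable/install/environment_variables_faq.html
ENV MPLCONFIGDIR=/tmp/matplotlib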
# Runtime image without the optional extras
FROM target AS slim

# Take the built application from builder-slim. Everything is owned by root
# with mode 755, so the unprivileged runtime user can read and execute the
# tree but cannot modify it.
COPY --from=builder-slim --chmod=755 --chown=root:root /app /app

WORKDIR /app

# Drop privileges: the container process runs as the app account
USER app
# Runtime image with all optional extras
FROM target AS all

# Take the built application, extras included, from builder-all. Everything
# is owned by root with mode 755, so the unprivileged runtime user can read
# and execute the tree but cannot modify it.
COPY --from=builder-all --chmod=755 --chown=root:root /app /app

# The one writable location under /app: a .cache directory for the python sdk,
# used for token storage. Mode 700 and app:app ownership keep it private to
# the runtime user.
RUN install -d -m 700 -o app -g app /app/.cache

WORKDIR /app

# Drop privileges: the container process runs as the app account
USER app