Adding Dockerfile for open-webuiv0.7.2

o/open-webui/Dockerfiles/v0.7.2_ubi_9/Dockerfile

@@ -0,0 +1,254 @@
+# syntax=docker/dockerfile:1
+# Initialize device type args
+# use build args in the docker build command with --build-arg="BUILDARG=true"
+# Arguments
+ARG USE_CUDA=false
+ARG USE_OLLAMA=false
+ARG USE_SLIM=false
+ARG USE_PERMISSION_HARDENING=false
+# Tested with cu117 for CUDA 11 and cu121 for CUDA 12 (default)
+ARG USE_CUDA_VER=cu128
+# any sentence transformer model; models to use can be found at https://huggingface.co/models?library=sentence-transformers
+# Leaderboard: https://huggingface.co/spaces/mteb/leaderboard 
+# for better performance and multilangauge support use "intfloat/multilingual-e5-large" (~2.5GB) or "intfloat/multilingual-e5-base" (~1.5GB)
+# IMPORTANT: If you change the embedding model (sentence-transformers/all-MiniLM-L6-v2) and vice versa, you aren't able to use RAG Chat with your previous documents loaded in the WebUI! You need to re-embed them.
+ARG USE_EMBEDDING_MODEL=sentence-transformers/all-MiniLM-L6-v2
+ARG USE_RERANKING_MODEL=""
+ARG USE_AUXILIARY_EMBEDDING_MODEL=TaylorAI/bge-micro-v2
+
+# Tiktoken encoding name; models to use can be found at https://huggingface.co/models?library=tiktoken
+ARG USE_TIKTOKEN_ENCODING_NAME="cl100k_base"
+
+ARG BUILD_HASH=dev-build
+# Override at your own risk - non-root configurations are untested
+ARG UID=0
+ARG GID=0
+
+######## STAGE 1 : WebUI frontend ########
+FROM --platform=$BUILDPLATFORM node:22 AS build
+ARG BUILD_HASH
+
+# Set Node.js options (heap limit Allocation failed - JavaScript heap out of memory)
+# ENV NODE_OPTIONS="--max-old-space-size=4096"
+
+WORKDIR /app
+
+#Node.js Dependencies and Build
+# to store git revision in build
+RUN apt update && apt install git wget -y
+COPY package.json package-lock.json ./
+RUN rm -rf package-lock.json && npm install --force
+
+
+RUN apt update && apt install -y git
+
+# Clone repo
+ARG REPO_URL=https://github.com/open-webui/open-webui.git
+ARG REPO_BRANCH=v0.7.2
+RUN git clone --branch ${REPO_BRANCH} ${REPO_URL} .
+
+# Get patch file from build context
+RUN wget https://raw.githubusercontent.com/ppc64le/build-scripts/master/o/open-webui/open-webui_v0.7.2.patch
+
+# Apply patch
+RUN git apply open-webui_v0.7.2.patch
+
+#Copy Source and Build
+COPY . .
+ENV APP_BUILD_HASH=${BUILD_HASH}
+RUN npm run build
+
+####### STAGE 2 : Install dependencies #######
+FROM python:3.11.14-slim-trixie AS deps
+#Use args for conditional installs
+ARG USE_CUDA
+ARG USE_CUDA_VER
+ARG USE_SLIM
+ARG USE_EMBEDDING_MODEL
+
+WORKDIR /app/backend
+
+#Install common system dependencies needed for building Python Packages
+RUN apt-get update && \
+    apt-get install -y --no-install-recommends \
+        git build-essential pandoc gcc python3-dev netcat-openbsd curl jq \
+        ffmpeg libsm6 libxext6 \
+        && rm -rf /var/lib/apt/lists/*
+
+#Python Packages setup
+RUN pip3 install --no-cache-dir uv
+
+#Copy only requirements files
+COPY ./backend/requirements.txt ./requirements.txt
+
+#Dependency install and Model pre-download (if not slim)
+ENV RAG_EMBEDDING_MODEL=$USE_EMBEDDING_MODEL \
+        WHISPER_MODEL="base" \
+    WHISPER_MODEL_DIR="/app/backend/data/cache/whisper/models" \
+    TICKTOKEN_ENCODING_NAME="cl100k_base"
+
+RUN if [ "$USE_CUDA" = "true" ]; then \
+#CUDA build : Install PyTorch with CUDA support
+#Predownload models on CUDA build
+pip3 install uvicorn --no-cache-dir && \
+    pip3 install fastapi typer pydantic sqlalchemy aiocache aiohttp anyio requests redis starlette_compress itsdangerous fastapi starsessions loguru opentelemetry-api cryptography markdown bs4 asgiref jwt bcrypt pytz --no-cache-dir && \
+    pip3 install torch torchvision torchaudio --index-url https://download.pytorch.org/whl/$USE_CUDA_VER --no-cache-dir && \
+    uv pip install --system -r requirements.txt --no-cache-dir && \
+    python -c "import os; from sentence_transformers import SentenceTransformer; SentenceTransformer(os.environ['RAG_EMBEDDING_MODEL'], device='cpu')" && \
+    python -c "import os; from faster_whisper import WhisperModel; WhisperModel(os.environ['WHISPER_MODEL'], device='cpu', compute_type='int8', download_root=os.environ['WHISPER_MODEL_DIR'])"; \
+    python -c "import os; import tiktoken; tiktoken.get_encoding(os.environ['TIKTOKEN_ENCODING_NAME'])"; \
+    else \
+    pip3 install torch torchvision torchaudio --no-cache-dir && \
+    python -m pip install -r requirements.txt --no-cache-dir && \
+    if [ "$USE_SLIM" != "true" ]; then \
+    python -c "import os; from sentence_transformers import SentenceTransformer; SentenceTransformer(os.environ['RAG_EMBEDDING_MODEL'], device='cpu')" && \
+    python -c "import os; from faster_whisper import WhisperModel; WhisperModel(os.environ['WHISPER_MODEL'], device='cpu', compute_type='int8', download_root=os.environ['WHISPER_MODEL_DIR'])"; \
+    python -c "import os; import tiktoken; tiktoken.get_encoding(os.environ['TIKTOKEN_ENCODING_NAME'])"; \
+    fi; \
+    fi; \
+    mkdir -p /app/backend/data && chown -R $UID:$GID /app/backend/data/ && \
+    rm -rf /var/lib/apt/lists/*;
+
+######## STAGE 3 : WebUI backend ########
+FROM python:3.11.14-slim-trixie AS base
+
+ENV UV_EXTRA_INDEX_URL=https://repo.fury.io/mgiessing
+ENV PIP_EXTRA_INDEX_URL=https://repo.fury.io/mgiessing
+
+# Use args
+ARG USE_CUDA
+ARG USE_OLLAMA
+ARG USE_CUDA_VER
+ARG USE_SLIM
+ARG USE_PERMISSION_HARDENING
+ARG USE_EMBEDDING_MODEL
+ARG USE_RERANKING_MODEL
+ARG USE_AUXILIARY_EMBEDDING_MODEL
+ARG UID
+ARG GID
+
+# Python settings
+ENV PYTHONUNBUFFERED=1
+
+WORKDIR /app/backend
+ENV HOME=/root
+
+## Environment Variables for Runtime Configuration Basis ##
+ENV ENV=prod \
+    PORT=8080 \
+    DOCKER=true \
+    WEBUI_BUILD_VERSION=${BUILD_HASH} \
+    # pass build args to the build
+    USE_OLLAMA_DOCKER=${USE_OLLAMA} \
+    USE_CUDA_DOCKER=${USE_CUDA} \
+    USE_SLIM_DOCKER=${USE_SLIM} \
+    USE_CUDA_DOCKER_VER=${USE_CUDA_VER} \
+    USE_EMBEDDING_MODEL_DOCKER=${USE_EMBEDDING_MODEL} \
+    USE_RERANKING_MODEL_DOCKER=${USE_RERANKING_MODEL} \
+    USE_AUXILIARY_EMBEDDING_MODEL_DOCKER=${USE_AUXILIARY_EMBEDDING_MODEL}
+
+## Basis URL Config ##
+ENV OLLAMA_BASE_URL="/ollama" \
+    OPENAI_API_BASE_URL=""
+
+## API Key and Security Config ##
+ENV OPENAI_API_KEY="" \
+    WEBUI_SECRET_KEY="" \
+    SCARF_NO_ANALYTICS=true \
+    DO_NOT_TRACK=true \
+    ANONYMIZED_TELEMETRY=false
+
+#### Other models #########################################################
+## whisper TTS model settings ##
+ENV WHISPER_MODEL="base" \
+    WHISPER_MODEL_DIR="/app/backend/data/cache/whisper/models"
+
+## RAG Embedding model settings ##
+ENV RAG_EMBEDDING_MODEL="$USE_EMBEDDING_MODEL_DOCKER" \
+    RAG_RERANKING_MODEL="$USE_RERANKING_MODEL_DOCKER" \
+    AUXILIARY_EMBEDDING_MODEL="$USE_AUXILIARY_EMBEDDING_MODEL_DOCKER" \
+    SENTENCE_TRANSFORMERS_HOME="/app/backend/data/cache/embedding/models"
+
+## Tiktoken model settings ##
+ENV TIKTOKEN_ENCODING_NAME="cl100k_base" \
+    TIKTOKEN_CACHE_DIR="/app/backend/data/cache/tiktoken"
+
+## Hugging Face download cache ##
+ENV HF_HOME="/app/backend/data/cache/embedding/models"
+
+## Torch Extensions ##
+# ENV TORCH_EXTENSIONS_DIR="/.cache/torch_extensions"
+
+
+# Install common system dependencies
+RUN apt-get update && \
+    apt-get install -y --no-install-recommends \
+    git build-essential pandoc gcc netcat-openbsd curl jq \
+    python3-dev \
+    ffmpeg libsm6 libxext6 \
+    && rm -rf /var/lib/apt/lists/*
+
+# User Setup and Permissions
+# Create non-root user/group
+RUN if [ $UID -ne 0 ]; then \
+    if [ $GID -ne 0 ]; then \
+    addgroup --gid $GID app; \
+    fi; \
+    adduser --uid $UID --gid $GID --home $HOME --disabled-password --no-create-home app; \
+    fi
+
+#Copy only requirements files
+COPY ./backend/requirements.txt ./requirements.txt
+RUN python -m pip install --no-cache-dir -r requirements.txt
+
+RUN mkdir -p $HOME/.cache/chroma
+RUN echo -n 00000000-0000-0000-0000-000000000000 > $HOME/.cache/chroma/telemetry_user_id
+# Make sure the user has access to the app and root directory
+RUN chown -R $UID:$GID /app $HOME
+
+# Install Ollama if requested
+RUN if [ "$USE_OLLAMA" = "true" ]; then \
+    date +%s > /tmp/ollama_build_hash && \
+    echo "Cache broken at timestamp: `cat /tmp/ollama_build_hash`" && \
+    curl -fsSL https://ollama.com/install.sh | sh && \
+    rm -rf /var/lib/apt/lists/*; \
+    fi
+
+## Copy artifacts from build stages
+# copy Python environment from 'deps' stages
+COPY --from=deps /usr/local/lib/python3.11/site-packages /usr/local/lib/python3.11/site-packages
+#COPY --from=deps /usr/local/lib/uv /usr/local/lib/uv
+COPY --chown=$UID:$GID --from=deps /app/backend/data /app/backend/data
+
+
+# copy embedding weight from build
+# RUN mkdir -p /root/.cache/chroma/onnx_models/all-MiniLM-L6-v2
+# COPY --from=build /app/onnx /root/.cache/chroma/onnx_models/all-MiniLM-L6-v2/onnx
+
+# copy built frontend files
+COPY --chown=$UID:$GID --from=build /app/build /app/build
+COPY --chown=$UID:$GID --from=build /app/CHANGELOG.md /app/CHANGELOG.md
+COPY --chown=$UID:$GID --from=build /app/package.json /app/package.json
+
+# copy backend files
+COPY --chown=$UID:$GID ./backend .
+
+EXPOSE 8080
+
+#Healthcheck and Final Permissisons
+HEALTHCHECK CMD curl --silent --fail http://localhost:${PORT:-8080}/health | jq -ne 'input.status == true' || exit 1
+
+# Minimal, atomic permission hardening for OpenShift (arbitrary UID):
+# - Group 0 owns /app and /root
+# - Directories are group-writable and have SGID so new files inherit GID 0
+RUN if [ "$USE_PERMISSION_HARDENING" = "true" ]; then \
+    set -eux; \
+    chgrp -R 0 /app /root || true; \
+    chmod -R g+rwX /app /root || true; \
+    find /app -type d -exec chmod g+s {} + || true; \
+    find /root -type d -exec chmod g+s {} + || true; \
+    fi
+
+USER $UID:$GID
+
+CMD [ "bash", "start.sh"]