216 lines
11 KiB
Docker
216 lines
11 KiB
Docker
# ── Common base with runtime deps ──────────────────────────────────────────
|
|
FROM node:24-trixie-slim AS base
|
|
WORKDIR /app
|
|
|
|
# `apt-get upgrade` pulls the security-patched versions of the Debian (trixie)
|
|
# base-image packages at build time — clears the subset of container-scan CVEs
|
|
# (perl / util-linux / systemd / ncurses / zlib / tar / sqlite / shadow / pam …)
|
|
# that already have a fix published in trixie. CVEs without an upstream fix yet
|
|
# (local-only TOCTOU, etc.) remain until the distro patches them and the image
|
|
# is rebuilt; none are reachable from the proxy's request surface at runtime.
|
|
RUN --mount=type=cache,id=apt-cache,target=/var/cache/apt,sharing=shared \
|
|
--mount=type=cache,id=apt-lists,target=/var/lib/apt/lists,sharing=shared \
|
|
apt-get update \
|
|
&& apt-get upgrade -y \
|
|
&& apt-get install -y --no-install-recommends libsecret-1-0 ca-certificates \
|
|
&& rm -rf /var/lib/apt/lists/*
|
|
|
|
# Refresh the globally-installed npm so its *bundled* node_modules (undici, tar)
|
|
# ship the patched versions. These are npm's own internals — not application
|
|
# dependencies (our app already resolves undici@8.5.0 / tar@7.5.16, both fixed) —
|
|
# but the container scanner flags the stale copies under
|
|
# /usr/local/lib/node_modules/npm/node_modules. npm is not invoked at runtime in
|
|
# the runner stages, so this is hygiene, not an exploitable runtime path.
|
|
RUN npm install -g npm@latest \
|
|
&& npm cache clean --force
|
|
|
|
# ── Builder ────────────────────────────────────────────────────────────────
|
|
FROM base AS builder
|
|
|
|
# Build tools for native module compilation
|
|
# apt-get update needed here because base's rm -rf clears the shared cache
|
|
RUN --mount=type=cache,id=apt-cache,target=/var/cache/apt,sharing=shared \
|
|
--mount=type=cache,id=apt-lists,target=/var/lib/apt/lists,sharing=shared \
|
|
apt-get update \
|
|
&& apt-get install -y --no-install-recommends python3 make g++ \
|
|
&& rm -rf /var/lib/apt/lists/*
|
|
|
|
COPY package*.json ./
|
|
# Workspace package manifests MUST be present before `npm ci` so npm materializes
|
|
# the workspace and installs its *workspace-only* deps (e.g. safe-regex,
|
|
# @toon-format/toon — declared in open-sse/package.json, not hoisted to root).
|
|
# Without this, `npm ci` skips them and the application build fails with "Module not
|
|
# found" (root cause of the v3.8.39 Docker build break). workspaces = ["open-sse"].
|
|
COPY open-sse/package.json ./open-sse/package.json
|
|
COPY scripts/build/postinstall.mjs ./scripts/build/postinstall.mjs
|
|
COPY scripts/build/postinstallSupport.mjs ./scripts/build/postinstallSupport.mjs
|
|
COPY scripts/build/native-binary-compat.mjs ./scripts/build/native-binary-compat.mjs
|
|
ENV NPM_CONFIG_LEGACY_PEER_DEPS=true
|
|
# --ignore-scripts blocks broad dependency install/postinstall hooks, closing
|
|
# the supply-chain attack surface where a transitive dep can run arbitrary code
|
|
# at install time. better-sqlite3 still needs a native binding for the target
|
|
# platform, so rebuild and smoke-test only that known runtime dependency below.
|
|
#
|
|
# We REQUIRE a committed package-lock.json so resolved dependency versions
|
|
# are reproducible.
|
|
RUN test -f package-lock.json \
|
|
|| (echo "package-lock.json is required for reproducible Docker builds" >&2 && exit 1)
|
|
RUN --mount=type=cache,id=npm-cache,target=/root/.npm \
|
|
npm ci --no-audit --no-fund --legacy-peer-deps --ignore-scripts \
|
|
&& npm rebuild better-sqlite3 \
|
|
&& node -e "require('better-sqlite3')(':memory:').close()"
|
|
|
|
# Build with Turbopack (stable in Next 16, the repo default). The v3.8.27-era
|
|
# TurbopackInternalError panic ("entered unreachable code: there must be a path to a
|
|
# root" in ImportTracer::get_traces) no longer reproduces on Next 16.2.9 — validated
|
|
# 2026-07-05 with clean amd64 (12min14s, image smoke-tested: /api/monitoring/health
|
|
# 200) and arm64 (qemu, exit 0, zero panic strings) builds. Turbopack cut the bare
|
|
# build from 17min to 9min on the same 32-core box. Webpack stays available as the
|
|
# escape hatch: `--build-arg`/-e OMNIROUTE_USE_TURBOPACK=0.
|
|
# See docs/ops/QUALITY_GATE_PLAYBOOK.md Parte 6.
|
|
ENV OMNIROUTE_USE_TURBOPACK=1
|
|
|
|
# Docker containers cannot run the MITM/Agent-Bridge stack (no host DNS/cert
|
|
# access), so keep @/mitm/manager on the graceful stub (#3390). This flag is
|
|
# Docker-only: npm/Electron/VPS builds must bundle the REAL manager (#6344).
|
|
ENV OMNIROUTE_MITM_STUB=1
|
|
|
|
# Raise the V8 heap ceiling for the build. The webpack production optimization
|
|
# pass needs more than V8's default ceiling (~2 GB) for a codebase this size; a
|
|
# memory-constrained Docker build otherwise dies with "FATAL ERROR: ... JavaScript
|
|
# heap out of memory" during the builder stage (#4076). Turbopack's compile is
|
|
# native (Rust) and less V8-heap-bound, but the prerender/export phase still runs
|
|
# on V8, so keep the ceiling. NODE_OPTIONS propagates to the spawned `next build`
|
|
# child (build-next-isolated.mjs → resolveNextBuildEnv spreads process.env).
|
|
# Build-only; the runtime heap is set separately on the runner stage
|
|
# (OMNIROUTE_MEMORY_MB). Override: `--build-arg OMNIROUTE_BUILD_MEMORY_MB=6144`.
|
|
ARG OMNIROUTE_BUILD_MEMORY_MB=4096
|
|
ENV NODE_OPTIONS="--max-old-space-size=${OMNIROUTE_BUILD_MEMORY_MB}"
|
|
|
|
COPY . ./
|
|
RUN --mount=type=cache,id=next-cache,target=/app/.build/next/cache \
|
|
mkdir -p /app/data && npm run build
|
|
|
|
# ── Runner base ────────────────────────────────────────────────────────────
|
|
FROM base AS runner-base
|
|
|
|
LABEL org.opencontainers.image.title="omniroute" \
|
|
org.opencontainers.image.description="Unified AI proxy — route any LLM through one endpoint" \
|
|
org.opencontainers.image.url="https://omniroute.online" \
|
|
org.opencontainers.image.source="https://github.com/diegosouzapw/OmniRoute" \
|
|
org.opencontainers.image.licenses="MIT"
|
|
|
|
ENV NODE_ENV=production
|
|
ENV PORT=20128
|
|
ENV HOSTNAME=0.0.0.0
|
|
ENV OMNIROUTE_MEMORY_MB=1024
|
|
ENV NODE_OPTIONS="--max-old-space-size=${OMNIROUTE_MEMORY_MB}"
|
|
|
|
# Data directory inside Docker — must match the volume mount in docker-compose.yml
|
|
ENV DATA_DIR=/app/data
|
|
RUN mkdir -p /app/data
|
|
|
|
# `npm run build` (build-next-isolated → assembleStandalone) bundles ALL runtime
|
|
# files into .build/next/standalone/ — .next, node_modules, migrations, scripts,
|
|
# docs, and the previously hand-COPY'd modules below (@swc/helpers, pino-*, split2,
|
|
# migrations). assembleStandalone copies them straight from the builder's
|
|
# node_modules, so they are present regardless of NFT/Turbopack trace behaviour.
|
|
# The old per-module overrides were therefore pure duplication and were removed
|
|
# (build-output-isolation cleanup). See scripts/build/assembleStandalone.mjs
|
|
# (EXTRA_MODULE_ENTRIES) for the single source of truth.
|
|
COPY --from=builder /app/.build/next/standalone ./
|
|
# better-sqlite3 is the one exception still copied explicitly: assembleStandalone
|
|
# only syncs its native build/ dir; the JS wrapper (lib/, package.json) is left to
|
|
# Next.js tracing. bootstrap-env requires SQLite BEFORE the standalone server
|
|
# starts, so guarantee the complete package independent of trace behaviour.
|
|
COPY --from=builder /app/node_modules/better-sqlite3 ./node_modules/better-sqlite3
|
|
# migrations land at <standalone>/migrations via assembleStandalone; point the runtime at them.
|
|
ENV OMNIROUTE_MIGRATIONS_DIR=/app/migrations
|
|
|
|
# Docker healthcheck script — not traced by Next.js standalone output, so copy
|
|
# it explicitly. The HEALTHCHECK CMD references it as `node healthcheck.mjs`.
|
|
COPY --from=builder /app/scripts/dev/healthcheck.mjs ./healthcheck.mjs
|
|
|
|
# Hand /app over to the baked-in `node` non-root user (UID/GID 1000) so the
|
|
# runtime process never holds root privileges. The chown happens after all
|
|
# COPYs so it covers files originally owned by root in the builder stage.
|
|
RUN chown -R node:node /app
|
|
|
|
EXPOSE 20128
|
|
|
|
# Drop to non-root before ENTRYPOINT/CMD so every derived stage (runner-cli,
|
|
# runner-web) also runs as a non-root user unless they explicitly switch back.
|
|
USER node
|
|
|
|
# Warns if the mounted data volume has wrong ownership
|
|
COPY --chmod=755 scripts/check-permissions.sh /tmp/check-permissions.sh
|
|
ENTRYPOINT ["/tmp/check-permissions.sh"]
|
|
|
|
HEALTHCHECK --interval=30s --timeout=5s --start-period=15s --retries=3 \
|
|
CMD ["node", "healthcheck.mjs"]
|
|
|
|
CMD ["node", "dev/run-standalone.mjs"]
|
|
|
|
# ── Runner Web (web-cookie providers: Gemini Web, Claude Turnstile) ───────────
|
|
#
|
|
# Two image flavors:
|
|
# runner-base → omniroute:VERSION Lean base (~500 MB). No browsers.
|
|
# runner-web → omniroute:VERSION-web +Chromium/Playwright (~800 MB).
|
|
#
|
|
# Use runner-web when you need web-cookie providers (gemini-web, claude-web,
|
|
# claude-turnstile). For all other providers runner-base is sufficient.
|
|
#
|
|
# Build:
|
|
# docker build --target runner-web -t omniroute:web .
|
|
# Compose:
|
|
# build:
|
|
# context: .
|
|
# target: runner-web
|
|
FROM runner-base AS runner-web
|
|
|
|
USER root
|
|
|
|
# Copy playwright and playwright-core from the builder stage.
|
|
# The slim runtime image does not have playwright in node_modules, so npx falls
|
|
# back to a registry download — unreliable on CI runners (exits 127 on failure).
|
|
# Copying from the builder avoids any network access at image-build time and also
|
|
# ensures the same playwright version is available at runtime for web-session providers.
|
|
COPY --from=builder /app/node_modules/playwright-core ./node_modules/playwright-core
|
|
COPY --from=builder /app/node_modules/playwright ./node_modules/playwright
|
|
|
|
# Install Playwright browser binaries + OS dependencies under root, then hand
|
|
# ownership of the browsers cache to the node user.
|
|
# PLAYWRIGHT_BROWSERS_PATH overrides the default ~/.cache/ms-playwright so the
|
|
# browsers land under /home/node which persists across image layers and is
|
|
# accessible to the non-root runtime user.
|
|
ENV PLAYWRIGHT_BROWSERS_PATH=/home/node/.cache/ms-playwright
|
|
RUN --mount=type=cache,id=apt-cache,target=/var/cache/apt,sharing=locked \
|
|
--mount=type=cache,id=apt-lists,target=/var/lib/apt/lists,sharing=locked \
|
|
apt-get update \
|
|
&& node node_modules/playwright/cli.js install chromium --with-deps \
|
|
&& chown -R node:node /home/node/.cache \
|
|
&& rm -rf /var/lib/apt/lists/*
|
|
|
|
USER node
|
|
|
|
FROM runner-base AS runner-cli
|
|
|
|
# Drop back to root briefly so we can install system + global npm packages,
|
|
# then return to the `node` non-root user before the CMD inherited from
|
|
# runner-base runs.
|
|
USER root
|
|
|
|
# Install system dependencies required by openclaw (git+ssh references).
|
|
RUN --mount=type=cache,id=apt-cache,target=/var/cache/apt,sharing=locked \
|
|
--mount=type=cache,id=apt-lists,target=/var/lib/apt/lists,sharing=locked \
|
|
apt-get update \
|
|
&& apt-get install -y --no-install-recommends git ca-certificates docker.io docker-compose \
|
|
&& rm -rf /var/lib/apt/lists/* \
|
|
&& git config --system url."https://github.com/".insteadOf "ssh://git@github.com/"
|
|
|
|
# Install CLI tools globally. Separate layer from apt for better cache reuse.
|
|
RUN --mount=type=cache,id=npm-cache,target=/root/.npm \
|
|
npm install -g --no-audit --no-fund @openai/codex @anthropic-ai/claude-code droid openclaw@latest
|
|
|
|
USER node
|