Multi-Agent-Intelligent-Warehouse/Dockerfile.backend at main · NVIDIA-AI-Blueprints/Multi-Agent-Intelligent-Warehouse · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
# Backend-only Dockerfile for Development
# This Dockerfile builds only the backend (no frontend build)
# Use this for docker-compose.dev.yaml where frontend runs separately

# =============================================================================
# Backend Dependencies Stage
# =============================================================================
FROM python:3.11-slim AS backend-deps

WORKDIR /app

# Install system dependencies
RUN apt-get update && apt-get install -y \
    g++ \
    gcc \
    git \
    && rm -rf /var/lib/apt/lists/*

# Copy requirements and install Python dependencies
COPY requirements.docker.txt ./requirements.txt
RUN pip install --no-cache-dir -r requirements.txt

# =============================================================================
# Final Runtime Stage
# =============================================================================
FROM python:3.11-slim AS final

# Set working directory
WORKDIR /app

# Install runtime dependencies
RUN apt-get update && apt-get install -y \
    curl \
    git \
    poppler-utils \
    && rm -rf /var/lib/apt/lists/*

# Copy Python dependencies from backend-deps stage
COPY --from=backend-deps /usr/local/lib/python3.11/site-packages /usr/local/lib/python3.11/site-packages
COPY --from=backend-deps /usr/local/bin /usr/local/bin

# Copy application code (explicitly copy only necessary directories)
# Security: Explicitly copy only required source code to prevent sensitive data exposure
# .dockerignore provides additional protection as a defense-in-depth measure
COPY src/ ./src/
# Copy guardrails configuration (required for NeMo Guardrails)
COPY data/config/guardrails/ ./data/config/guardrails/

# Build arguments for version injection
ARG VERSION=0.0.0
ARG GIT_SHA=unknown
ARG BUILD_TIME=unknown

# Set environment variables
ENV VERSION=$VERSION
ENV GIT_SHA=$GIT_SHA
ENV BUILD_TIME=$BUILD_TIME
ENV DOCKER_IMAGE=warehouse-assistant:$VERSION
ENV PYTHONPATH=/app
ENV PYTHONUNBUFFERED=1

# Create non-root user for security
RUN groupadd -r appuser && \
    useradd -r -g appuser appuser && \
    chown -R appuser:appuser /app
USER appuser

# Health check
HEALTHCHECK --interval=30s --timeout=30s --start-period=5s --retries=3 \
    CMD curl -f http://localhost:8001/api/v1/health || exit 1

# Expose port
EXPOSE 8001

# Start command
CMD ["uvicorn", "src.api.app:app", "--host", "0.0.0.0", "--port", "8001"]