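# syntax=docker/dockerfile:1
# Runtime image for a Python service that drives Chromium through Playwright
# (headless=False under Xvfb), listening on port 8000 and running as an
# unprivileged user.

# --- Base Image ---------------------------------------------------------------
# The Debian release is pinned so the apt package set below stays stable when
# the python:3.11-slim tag moves; for fully reproducible builds also pin the
# image by digest (@sha256:...).
FROM python:3.11-slim-bookworm

# --- Environment Configuration ------------------------------------------------
# PLAYWRIGHT_BROWSERS_PATH must be set before `playwright install` so the
# browser lands in one fixed, known location. XDG_DATA_HOME points
# session/persistence data at the unprivileged user's home (created below).
ENV PYTHONDONTWRITEBYTECODE=1 \
    PYTHONUNBUFFERED=1 \
    PLAYWRIGHT_BROWSERS_PATH=/ms-playwright \
    XDG_DATA_HOME=/home/llmuser/.local/share

# --- System Dependencies ------------------------------------------------------
# xvfb: kept for headless=False execution (Chromium needs an X display).
# tini: a PID-1 init that reaps zombies and forwards signals; Chromium forks
#       many helper processes and leaves zombies behind without one.
# build-essential: only required if requirements.txt contains packages with no
#       prebuilt wheel — TODO confirm; if not, drop it (or move pip install into
#       a separate build stage) so a compiler does not ship in the runtime image.
# The remaining libraries are Chromium runtime deps; `playwright install-deps`
# below also covers them. libappindicator3-1 is intentionally omitted: it is
# not packaged in bookworm and Chromium does not require it.
# --no-install-recommends keeps the image, and its attack surface, small.
RUN apt-get update \
    && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
        build-essential \
        curl \
        fonts-liberation \
        libasound2 \
        libgbm1 \
        libgtk-3-0 \
        libnss3 \
        libxss1 \
        libxtst6 \
        tini \
        xdg-utils \
        xvfb \
    && rm -rf /var/lib/apt/lists/*

# --- Unprivileged runtime user ------------------------------------------------
# Created early so COPY --chown can reference it by name. A fixed UID/GID
# (1000) lets orchestrators verify runAsNonRoot and keeps bind-mount ownership
# predictable. /ms-playwright is created here, already owned by llmuser, so the
# browser download later can run as that user with no recursive chown.
RUN groupadd -g 1000 llmuser \
    && useradd -m -u 1000 -g llmuser llmuser \
    && install -d -o llmuser -g llmuser /ms-playwright

WORKDIR /app
# WORKDIR creates /app root-owned; hand the (still empty) directory to the
# runtime user now instead of chown -R'ing copied content afterwards, which
# would duplicate every file in an extra layer.
# NOTE(review): if the app never writes under /app, leaving it root-owned
# (read-only for llmuser) is the tighter choice — confirm against start.sh.
RUN chown llmuser:llmuser /app

# --- Python Dependencies ------------------------------------------------------
# Only the manifest is copied first so this layer is cached until it changes.
COPY --chown=llmuser:llmuser requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt

# --- Playwright system libraries (needs root; runs apt-get internally) --------
# Remove the apt lists it leaves behind in the same layer.
RUN playwright install-deps chromium \
    && rm -rf /var/lib/apt/lists/*

# --- X11 socket directory -----------------------------------------------------
# Xvfb must create /tmp/.X11-unix/X99 as llmuser; pre-create the directory
# world-writable with the sticky bit (the same mode as /tmp) so a non-root
# Xvfb can bind its socket. Only one runtime user exists in this image, so
# 1777 grants nothing beyond what llmuser needs.
RUN install -d -m 1777 /tmp/.X11-unix

# --- Switch to the unprivileged user -----------------------------------------
# Everything from here on runs as llmuser; no later step needs root.
USER llmuser
ENV HOME=/home/llmuser

# --- Playwright browser -------------------------------------------------------
# Downloaded as llmuser into the llmuser-owned /ms-playwright, so the runtime
# user can read the browser without a post-hoc chown -R. Kept before the app
# code so an application change does not invalidate this large cached layer.
RUN playwright install chromium

# Persistence & output directory in the user's home (owned by llmuser because
# it is created as llmuser).
RUN mkdir -p /home/llmuser/.local/share/LLMSession

# --- App Code -----------------------------------------------------------------
# --chown at copy time avoids a second layer that re-owns every file.
COPY --chown=llmuser:llmuser app ./app
COPY --chown=llmuser:llmuser scripts ./scripts
# llmuser owns the file, so it can set the execute bit itself.
RUN chmod +x ./scripts/start.sh

# NOTE(review): Chromium's own sandbox needs unprivileged user namespaces on
# the host; if the app launches the browser with --no-sandbox, this non-root
# user and the container boundary are the only isolation between a page and
# the host.

EXPOSE 8000
# HEALTHCHECK is omitted: no health endpoint is visible from this file; add one
# once the service exposes a cheap probe.
# tini as PID 1 reaps zombies and forwards SIGTERM; start.sh should still
# `exec` its final process. The absolute path removes the dependence on WORKDIR.
ENTRYPOINT ["tini", "--", "/app/scripts/start.sh"]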