dify-aio/Dockerfile at main · JSONbored/dify-aio · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
# syntax=docker/dockerfile:1@sha256:2780b5c3bab67f1f76c781860de469442999ed1a0d7992a5efdf2cffc0e3d769
# checkov:skip=CKV_DOCKER_7: Upstream Dify images are pinned by immutable manifest digests.
# checkov:skip=CKV_DOCKER_8: s6-overlay starts as root to initialize bundled Postgres, Redis, Nginx, Squid, and Dify services.

ARG UPSTREAM_DIFY_VERSION=1.14.2
ARG UPSTREAM_DIFY_API_DIGEST=sha256:062815df8ed6fcf82285e55f3cb5586241b2828e6695a3fb8114bfb99b5e8517
ARG UPSTREAM_DIFY_WEB_DIGEST=sha256:db73434e185ac778f31f4cc1adcce0dbe84b41a95ea5af58216acf095eed5f67
ARG UPSTREAM_DIFY_SANDBOX_VERSION=0.2.15
ARG UPSTREAM_DIFY_SANDBOX_DIGEST=sha256:750e1111426ef31a9217b81c98cccfb750f17b182af3221102e420afa9f0928e
ARG UPSTREAM_DIFY_PLUGIN_DAEMON_VERSION=0.6.0-local
ARG UPSTREAM_DIFY_PLUGIN_DAEMON_DIGEST=sha256:f200b00544f83ed69ea11d82996819be43415ad33e5c2b37436667df152ef6c8
ARG NODE_RUNTIME_DIGEST=sha256:d415caac2f1f77b98caaf9415c5f807e14bc8d7bdea62561ea2fef4fbd08a73c
ARG S6_OVERLAY_VERSION=3.2.1.0
ARG S6_OVERLAY_NOARCH_SHA256=42e038a9a00fc0fef70bf0bc42f625a9c14f8ecdfe77d4ad93281edf717e10c5
ARG S6_OVERLAY_X86_64_SHA256=8bcbc2cada58426f976b159dcc4e06cbb1454d5f39252b3bb0c778ccf71c9435
ARG S6_OVERLAY_AARCH64_SHA256=c8fd6b1f0380d399422fc986a1e6799f6a287e2cfa24813ad0b6a4fb4fa755cc

FROM langgenius/dify-web:${UPSTREAM_DIFY_VERSION}@${UPSTREAM_DIFY_WEB_DIGEST} AS web
FROM langgenius/dify-sandbox:${UPSTREAM_DIFY_SANDBOX_VERSION}@${UPSTREAM_DIFY_SANDBOX_DIGEST} AS sandbox
FROM langgenius/dify-plugin-daemon:${UPSTREAM_DIFY_PLUGIN_DAEMON_VERSION}@${UPSTREAM_DIFY_PLUGIN_DAEMON_DIGEST} AS plugin_daemon
FROM node:22-bookworm-slim@${NODE_RUNTIME_DIGEST} AS node_runtime
FROM langgenius/dify-api:${UPSTREAM_DIFY_VERSION}@${UPSTREAM_DIFY_API_DIGEST}

ARG TARGETARCH
ARG UPSTREAM_DIFY_VERSION
ARG UPSTREAM_DIFY_SANDBOX_VERSION
ARG UPSTREAM_DIFY_PLUGIN_DAEMON_VERSION
ARG S6_OVERLAY_VERSION
ARG S6_OVERLAY_NOARCH_SHA256
ARG S6_OVERLAY_X86_64_SHA256
ARG S6_OVERLAY_AARCH64_SHA256

SHELL ["/bin/bash", "-o", "pipefail", "-c"]

# trunk-ignore(hadolint/DL3002)
USER root

LABEL org.opencontainers.image.title="dify-aio" \
      org.opencontainers.image.description="Unraid-first Dify AIO wrapper bundling Dify API, worker, web, sandbox, plugin daemon, PostgreSQL/pgvector, Redis, Nginx, and SSRF proxy defaults." \
      org.opencontainers.image.source="https://github.com/JSONbored/dify-aio" \
      org.opencontainers.image.vendor="JSONbored" \
      io.jsonbored.wrapper.name="dify-aio" \
      io.jsonbored.wrapper.type="unraid-aio" \
      io.jsonbored.upstream.dify.version="${UPSTREAM_DIFY_VERSION}" \
      io.jsonbored.upstream.dify_sandbox.version="${UPSTREAM_DIFY_SANDBOX_VERSION}" \
      io.jsonbored.upstream.dify_plugin_daemon.version="${UPSTREAM_DIFY_PLUGIN_DAEMON_VERSION}"

# trunk-ignore(hadolint/DL3008)
RUN find /etc/apt -type f \( -name '*.list' -o -name '*.sources' \) -exec sed -i 's|http://|https://|g' {} + && \
    printf 'Acquire::Retries "5";\nAcquire::http::Timeout "30";\nAcquire::https::Timeout "30";\n' > /etc/apt/apt.conf.d/80-retries && \
    DEBIAN_FRONTEND=noninteractive apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
      ca-certificates \
      curl \
      gettext-base \
      nginx \
      openssl \
      postgresql-common \
      redis-server \
      squid \
      xz-utils && \
    install -d /usr/share/postgresql-common/pgdg && \
    curl -fsSL -o /usr/share/postgresql-common/pgdg/apt.postgresql.org.asc https://www.postgresql.org/media/keys/ACCC4CF8.asc && \
    . /etc/os-release && \
    echo "deb [signed-by=/usr/share/postgresql-common/pgdg/apt.postgresql.org.asc] https://apt.postgresql.org/pub/repos/apt ${VERSION_CODENAME}-pgdg main" > /etc/apt/sources.list.d/pgdg.list && \
    DEBIAN_FRONTEND=noninteractive apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
      postgresql-15 \
      postgresql-15-pgvector \
      postgresql-client-15 && \
    curl -fsSL -o /tmp/s6-overlay-noarch.tar.xz "https://github.com/just-containers/s6-overlay/releases/download/v${S6_OVERLAY_VERSION}/s6-overlay-noarch.tar.xz" && \
    echo "${S6_OVERLAY_NOARCH_SHA256}  /tmp/s6-overlay-noarch.tar.xz" | sha256sum -c - && \
    tar -C / -Jxpf /tmp/s6-overlay-noarch.tar.xz && \
    case "${TARGETARCH}" in \
      amd64) s6_arch="x86_64"; s6_arch_sha256="${S6_OVERLAY_X86_64_SHA256}" ;; \
      arm64) s6_arch="aarch64"; s6_arch_sha256="${S6_OVERLAY_AARCH64_SHA256}" ;; \
      *) echo "Unsupported TARGETARCH: ${TARGETARCH}" >&2; exit 1 ;; \
    esac && \
    curl -fsSL -o /tmp/s6-overlay-arch.tar.xz "https://github.com/just-containers/s6-overlay/releases/download/v${S6_OVERLAY_VERSION}/s6-overlay-${s6_arch}.tar.xz" && \
    echo "${s6_arch_sha256}  /tmp/s6-overlay-arch.tar.xz" | sha256sum -c - && \
    tar -C / -Jxpf /tmp/s6-overlay-arch.tar.xz && \
    mkdir -p /appdata /opt/dify-aio /opt/dify-web /opt/dify-plugin-daemon /opt/dify-sandbox /run/postgresql /var/lib/postgresql/data && \
    chown -R postgres:postgres /run/postgresql /var/lib/postgresql && \
    rm -f /etc/nginx/sites-enabled/default /etc/nginx/conf.d/default.conf && \
    rm -rf /tmp/* /var/lib/apt/lists/*

COPY --from=web /app /opt/dify-web
COPY --from=node_runtime /usr/local/bin/node /usr/local/bin/node
COPY --from=plugin_daemon /app /opt/dify-plugin-daemon
COPY --from=sandbox /main /opt/dify-sandbox/main
COPY --from=sandbox /conf /opt/dify-sandbox/conf
COPY --from=sandbox /dependencies /opt/dify-sandbox/dependencies
COPY --from=sandbox /opt /opt
COPY rootfs/ /

RUN find /etc/cont-init.d -type f -exec chmod +x {} \; && \
    find /etc/services.d -type f -name run -exec chmod +x {} \; && \
    find /opt/dify-aio/bin -type f -exec chmod +x {} \; && \
    sed -i 's#/app/targets#/opt/dify-web/targets#g' /opt/dify-web/entrypoint.sh && \
    chmod +x /opt/dify-web/entrypoint.sh /opt/dify-plugin-daemon/main /opt/dify-plugin-daemon/commandline /opt/dify-sandbox/main && \
    mkdir -p /app/api/storage && \
    chown -R dify:dify /opt/dify-web /app/api/storage

VOLUME ["/appdata"]

EXPOSE 8080

ENV LANG=C.UTF-8
ENV LC_ALL=C.UTF-8
ENV S6_CMD_WAIT_FOR_SERVICES_MAXTIME=900000
ENV S6_BEHAVIOUR_IF_STAGE2_FAILS=2

HEALTHCHECK --interval=30s --timeout=10s --start-period=180s --retries=5 \
  CMD curl -fsS http://127.0.0.1:5001/health >/dev/null || exit 1

ENTRYPOINT ["/init"]