openwebui-open-terminal/Dockerfile
Timothy Jaeryang Baek 2da589100c fix: port detection broken since v0.11.2 (#85, #63)
setcap cap_setgid+ep on the system Python binary made all Python
processes non-dumpable, blocking /proc/[pid]/fd/ access needed by
_pid_from_inode() to resolve socket inodes to PIDs.

Fix: copy the Python binary to python3-ot and setcap only the copy.
The open-terminal server uses python3-ot (has CAP_SETGID for
multi-user os.setgroups()), while user-spawned python3 stays
capability-free and dumpable.

Slim/Alpine: removed setcap entirely (multi-user mode requires sudo,
which only the full image has). Kept libcap packages installed.

README: corrected Image Variants table — multi-user mode is
full-image only.
2026-03-19 17:42:17 -05:00

81 lines
2.6 KiB
Docker

# Pin to a specific patch version for reproducible builds.
# To pick up security patches, bump this version and rebuild.
FROM python:3.12.13
RUN apt-get update && apt-get install -y --no-install-recommends \
# Core utilities
coreutils findutils grep sed gawk diffutils patch \
less file tree bc man-db \
# Networking
curl wget net-tools iputils-ping dnsutils netcat-openbsd socat telnet \
openssh-client rsync \
# Editors
vim nano \
# Version control
git \
# Build tools
build-essential cmake make \
# Scripting & languages
perl ruby-full lua5.4 \
# Data processing
jq xmlstarlet sqlite3 \
# Media & documents
ffmpeg pandoc imagemagick texlive-latex-base \
# Compression
zip unzip tar gzip bzip2 xz-utils zstd p7zip-full \
# System
procps htop lsof strace sysstat \
sudo tmux screen tini iptables ipset dnsmasq \
ca-certificates gnupg apt-transport-https \
# Capabilities (needed for setcap on Python binary)
libcap2-bin \
&& rm -rf /var/lib/apt/lists/*
# Node.js (LTS)
RUN curl -fsSL https://deb.nodesource.com/setup_22.x | bash - \
&& apt-get install -y --no-install-recommends nodejs \
&& rm -rf /var/lib/apt/lists/*
# Docker CLI + Compose + Buildx (mount socket at runtime for access)
RUN curl -fsSL https://get.docker.com | sh
# Uncomment to apply security patches beyond what the base image provides.
# Not recommended for reproducible builds; prefer bumping the base image tag.
# RUN apt-get update && apt-get upgrade -y && rm -rf /var/lib/apt/lists/*
WORKDIR /app
RUN pip install --no-cache-dir \
numpy pandas scipy scikit-learn \
matplotlib seaborn plotly \
jupyter ipython \
requests beautifulsoup4 lxml \
sqlalchemy psycopg2-binary \
pyyaml toml jsonlines \
tqdm rich \
openpyxl weasyprint \
python-docx python-pptx pypdf csvkit
COPY . .
# Create a capability-bearing Python copy for the server process only.
# The system python3 stays clean so user-spawned Python processes remain
# dumpable (readable via /proc/[pid]/fd/ for port detection).
RUN pip install --no-cache-dir . \
&& cp "$(readlink -f "$(which python3)")" /usr/local/bin/python3-ot \
&& setcap cap_setgid+ep /usr/local/bin/python3-ot \
&& sed -i "1s|.*|#!/usr/local/bin/python3-ot|" "$(which open-terminal)"
RUN useradd -m -s /bin/bash user && echo 'user ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers
USER user
ENV SHELL=/bin/bash
ENV PATH="/home/user/.local/bin:${PATH}"
WORKDIR /home/user
EXPOSE 8000
COPY entrypoint.sh /app/entrypoint.sh
ENTRYPOINT ["/usr/bin/tini", "--", "/app/entrypoint.sh"]
CMD ["run"]