Commit Graph

44 Commits

Author SHA1 Message Date
yuneng-jiang d3587b1d8e fix: bump PyJWT to 2.12.0 in all Dockerfiles and tar to 7.5.11
All Dockerfiles were pinning PyJWT 2.9.0 (Dockerfile, Dockerfile.database,
Dockerfile.dev) or had a stale wheel build for 2.9.0 (Dockerfile.non_root).
Updated to 2.12.0 to match pyproject.toml. Also bumps tar to 7.5.11 in
Dockerfile.non_root for security.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-14 19:54:54 -07:00
yuneng-jiang 1f485007fb fix: update PyJWT pin in Dockerfile.non_root to 2.12.0
The wheels directory contains 2.12.0 after the pyproject.toml bump,
so the hardcoded 2.10.1 pin fails at build time.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-14 19:53:52 -07:00
Krish Dholakia e7714f0ce6 Fix CVEs: bump tar/minimatch/pypdf + harden Docker SBOM patching (#23082)
* fix(docker): bump tar/minimatch/pypdf for CVE fixes + harden SBOM patching

- Bump tar 7.5.8→7.5.10, minimatch 10.2.1→10.2.4, pypdf 6.6.2→6.7.3
- Add sed-based SBOM metadata patching with properly indented find/sed
- Add npm package manager cleanup (apk del / apt-get purge) to remove
  stale SBOM entries from image scanners
- Scope || true to only apk del via brace grouping { ... || true; }
- Guard npm root -g with non-empty assertion to prevent silent failures
- Scope minimatch sed regex to ^10.x to avoid matching other major versions

Addresses: CVE-2026-27903, CVE-2026-27904, GHSA-qffp-2rhf-9h96, CVE-2026-27888

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix(docker): scope find to /usr/local/lib /usr/lib, drop autoremove

- Replace `find /` with `find /usr/local/lib /usr/lib` to avoid
  traversing /proc, /sys, /dev during SBOM metadata patching
- Remove `apt-get autoremove -y` from Debian-based Dockerfiles to
  prevent nodejs from being removed as an auto-installed dependency

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-07 18:31:27 -08:00
Harshit28j 3e6c10a071 security: fix critical/high CVEs in OS-level libs and NPM transitive 2026-02-24 19:40:09 +05:30
Achilleas Athanasiou Fragkoulis cb95b1cf92 fix: Add LITELLM_UI_PATH and LITELLM_ASSETS_PATH for read-only filesystem support (#20492)
Fixes #19578

---

When deploying the LiteLLM proxy with `readOnlyRootFilesystem: true` in Kubernetes, UI routes returned `404` because:

- Hardcoded paths:
  - `/var/lib/litellm/ui`
  - `/var/lib/litellm/assets`
- Runtime copy/restructure operations failed on read-only filesystems
- No detection mechanism for pre-restructured UI

---

Add configurable environment variables with intelligent detection, graceful fallbacks, and code quality improvements.

---

- **`LITELLM_UI_PATH`** — Custom UI directory location
  - Default: `/var/lib/litellm/ui` (when `LITELLM_NON_ROOT=true`)
  - Default: packaged UI path (otherwise)
  - Example: `/app/var/litellm/ui` for `emptyDir` volumes

- **`LITELLM_ASSETS_PATH`** — Custom assets directory location
  - Default: `/var/lib/litellm/assets` (when `LITELLM_NON_ROOT=true`)
  - Default: current working directory (otherwise)
  - Example: `/app/var/litellm/assets`

---

UI is detected as **pre-restructured and ready** if any of the following apply:

1. **Primary**: `.litellm_ui_ready` marker file exists (created by Dockerfile)
2. **Fallback**: Pattern-based detection — finds *any* subdirectory containing `index.html`
   (resilient to UI structure changes; no hardcoded route names)
3. **Safety**: Filesystem writability check before operations

---

**`litellm/proxy/proxy_server.py`**

- `_validate_ui_directory()` — Verifies UI has required structure (`index.html`, `_next/`)
- `_is_ui_pre_restructured()` — Pattern-based detection (not hardcoded routes)
- `_try_populate_ui_directory()` — Helper for clean error handling
- Refactored UI path decision tree with numbered cases (1, 2, 3, 4a, 4b)
- Updated UI path logic to use `LITELLM_UI_PATH`
- Added writability checks before copy/restructure operations
- Graceful fallback to packaged UI if operations fail
- Updated `server_root_path` replacement with read-only check
- Simplified assets directory creation (try/except instead of complex parent checks)
- Updated `get_image()` endpoint to use `LITELLM_ASSETS_PATH`
- Added validation for packaged and final UI paths

**`docker/Dockerfile.non_root`**

- Added `touch .litellm_ui_ready` marker after UI restructuring
- Enables automatic detection of pre-built UI in Docker images

**`tests/proxy_unit_tests/test_ui_path_detection.py`**

- Added comprehensive unit tests for new functionality
- Tests env var handling, detection logic, and writability checks

---

**`docs/my-website/docs/proxy/config_settings.md`**

- Added `LITELLM_UI_PATH` and `LITELLM_ASSETS_PATH` to env vars table
- Documented defaults and use cases

**`docs/my-website/docs/proxy/prod.md`**

- Added comprehensive "Read-Only Root Filesystem" section
- Quick fixes for permission errors
- Full Kubernetes setup with `initContainer` + `emptyDir` volumes
- API-only deployment option
- Environment variables reference table
- Notes on migrations, caching, and `server_root_path`

**`docker/README.md`**

- Updated hardened setup notes to mention pre-built UI
- Added details about UI serving from read-only paths

---

- No breaking changes
- Existing deployments continue working without modifications
- New env vars are optional with sensible defaults
- Detection logic supports both old and new builds
- Graceful fallbacks throughout

---

```yaml
apiVersion: apps/v1
kind: Deployment
spec:
  template:
    spec:
      initContainers:
        - name: setup-ui
          image: ghcr.io/berriai/litellm:main-stable
          command: ["sh", "-c", "cp -r /var/lib/litellm/ui/* /app/var/litellm/ui/"]
          volumeMounts:
            - name: ui-volume
              mountPath: /app/var/litellm/ui
      containers:
        - name: litellm
          env:
            - name: LITELLM_UI_PATH
              value: "/app/var/litellm/ui"
            - name: LITELLM_ASSETS_PATH
              value: "/app/var/litellm/assets"
          securityContext:
            readOnlyRootFilesystem: true
          volumeMounts:
            - name: ui-volume
              mountPath: /app/var/litellm/ui
      volumes:
        - name: ui-volume
          emptyDir:
            sizeLimit: 100Mi
2026-02-12 19:39:04 +05:30
Harshit Jain 3b043ee8bf fix critical CVE vulnerabilities (#20683) 2026-02-07 22:23:01 -08:00
Ishaan Jaffer ef66a6cb62 fix security scans 2026-02-07 11:15:02 -08:00
yuneng-jiang 7831e30666 keep package-lock.json in non-root 2026-02-04 17:58:22 -08:00
Ishaan Jaffer a002907389 fix tar security issue with TAR 2026-01-31 11:46:53 -08:00
milan-berri 8fcdf6105f fix: run prisma generate as nobody user in non-root container (#20000)
Fixes permission error where prisma generate fails with 'Permission denied'
when trying to write schema.prisma in non-root containers.

The issue was that prisma generate was running as root before switching
to nobody user, causing generated files to be owned by root:root.
Moving prisma generate after USER nobody ensures files are owned by
nobody:nobody and can be written to during runtime.

Fixes #19859
2026-01-29 19:04:59 -08:00
yuneng-jiang 1bf32deb6c Adding python3-dev to non root 2026-01-22 10:05:09 -08:00
Ishaan Jaff f98814ba8a fix include proxy/prisma_migration.py in non root (#18971) 2026-01-12 08:12:39 -08:00
Alexsander Hamir 1544e8f971 feat: Add line_profiler support for performance analysis and fix Windows CRLF issues in Docker builds (#18773) 2026-01-07 11:36:57 -08:00
yuneng-jiang 05dd247ff5 Fix UI disappearing for development instances 2025-12-23 15:24:07 -08:00
yuneng-jiang 6bb5254c9b Revert "[Fix] UI - Disappears in Development Environments" 2025-12-23 15:08:07 -08:00
yuneng-jiang fccd2d1e87 Fix UI disappearing for development instances 2025-12-23 11:46:55 -08:00
Alexsander Hamir 4b652e19d8 [Fix] CI/CD - security_tests (#18305) 2025-12-20 17:08:28 -08:00
Mateo Di Loreto 107ea9043a [Feature] Download Prisma binaries at build time instead of at runtime for Security Restricted environments (#17695)
* Use config file to enable prometheus metrics

* Revert "Use config file to enable prometheus metrics"

This reverts commit 15ae36e1711791c0ac0a7aa84dcec142951717f5.

* Improve hardened stack and Prisma offline flow

* Document hardened compose usage

* Remove undesired change in fastapi-sso

* Restore dashboard lockfile

* Remove unnecessary tempdirs

* Document hardened/offline Docker validation flow
2025-12-16 21:25:53 +05:30
yuneng-jiang 1d95595522 Merge remote-tracking branch 'origin' into litellm_non_root_docker_logo_fix 2025-12-06 20:00:33 -08:00
Alexsander Hamir db40a38999 Add retry logic to apk package installation in Dockerfile.non_root (#17596)
- Add retry loop (3 attempts with 5s delay) to builder stage apk add command
- Add retry logic to runtime stage apk upgrade and apk add commands
- Improves resilience to transient network errors during package downloads
2025-12-06 08:17:50 -08:00
Krish Dholakia 74ba18df55 Litellm chainguard fixes 12 02 2025 p1 (#17406)
* build: update dockerfile non root

* build: update build

* build: update non root

* build: dockerfile fixes

* build: ensure dockerfile + dockerfile.database also work
2025-12-02 22:50:13 -08:00
Krrish Dholakia 8ee298f9c9 fix: remove python3 headers 2025-12-02 16:06:06 -08:00
Krrish Dholakia 7fb2f4730b build: remove duplicate packages 2025-12-02 15:53:10 -08:00
yuneng-jiang 031677636a Add user writable file to non root docker for logo 2025-11-26 21:44:02 -08:00
yuneng-jiang e371ff454a Non root docker build fix (#17060) 2025-11-24 20:45:56 -08:00
Ishaan Jaffer be71138af3 fix build bad db url 2025-11-22 10:10:08 -08:00
Ishaan Jaffer c34d8af329 test fix 2025-11-22 10:02:15 -08:00
Ishaan Jaff 9288c8543c fix docker (#16342) 2025-11-07 14:38:20 -08:00
yuneng-jiang 5d158775b1 [Fix] Litellm non root docker Model Hub Table fix (#16282)
* Fix model hub table 404 on non-root docker

* Adding test
2025-11-05 18:30:20 -08:00
Arthur 6c97a31c9c bug: add supervisor to non-root image 2025-08-24 15:43:57 +02:00
Jan Kessler 3eecff44c6 fix permission access on prisma migrate in non-root image 2025-08-21 09:00:55 +02:00
Ishaan Jaff a328ad56e3 [Bug Fix] Fixes for using Auto Router with LiteLLM Docker Image (#13788)
* fix install auto router.sh

* fixes for Docker IMG
2025-08-19 18:36:30 -07:00
Parham Alvani 849c262a02 fix: we need to have project files for running migration using this image (#13379) 2025-08-07 13:31:10 -07:00
Jugal D. Bhatt 9aeca96c16 fix openshift (#13239) 2025-08-02 22:37:02 -07:00
Mateo Di Loreto 6e5fe51184 add openssl in apk install in runtime stage in dockerfile.non_root (#13168)
* add openssl in apk install in runtime stage in dockerfile.non_rootdocker-compose logs -f litellm

* Improve Docker-compose.yaml for local debugging

---------

Co-authored-by: Krish Dholakia <krrishdholakia@gmail.com>
2025-07-31 21:52:11 -07:00
Ishaan Jaff 106a298f0a [Feat] UI - Allow Adding LiteLLM Auto Router on UI (#12960)
* add router.json

* test_router_auto_router

* async_pre_routing_hook

* fixes for auto router

* add async_pre_routing_hook

* add LiteLLMRouterEncoder

* update test auto_router_embedding_model

* add auto_router_embedding_model

* add AutoRouter

* fix async_pre_routing_hook

* update async_pre_routing_hook

* fix auto router

* fix router.json

* working router init

* working embedding encoder

* working auto router

* test_router_auto_router

* test auto router

* add semantic-router as optional for litellm

* add extras

* semantic_router==0.1.10

* ruff fix

* use aiohttp==3.10.11

* python-dotenv==1.0.1

* test auto router

* test_router_auto_router

* semantic_router

* test_is_auto_router_deployment

* fix check

* fix docker build step

* add semantic_router

* UI - Add auto router on litellm

* working utterances config

* fix route config builder

* kind of working add automodel router

* move loc of add deployment

* fixes for AutoRouter

* add auto_router_config in types.py

* fixes for init_auto_router_deployment

* fix adding auto router models

* working auto-router with DB

* Revert "add semantic_router"

This reverts commit 537b67288798731a119d811f643b682086377ee9.

* TestAutoRouter

* fix linting

* add semantic router to docker

* test fix

* fix router config builder

* remove export button
2025-07-24 19:58:49 -07:00
Mateo Di Loreto c65392cf81 Replace non-root Dockerfile base with Alpine multi-stage build; (#12707)
* Change Dockerfile.non_root with alpine base image

* Improve non_root docker image

* Re add the build_admin_ui.sh script step

* Re add the build_admin_ui.sh script step

* Remove unnecessary workdir set

* Remove unnecessary workdir set

* Configure chainguard image

* A bit of optimization and improve comments

* delete extra build_ui script run

* Optimize Dockerfile copy statements
2025-07-22 08:53:10 -07:00
Jugal D. Bhatt a112ec5b02 Health check app on separate port (#12718)
* add separate health app

* add new docs

* refactor

* fix colons

* Update config_settings.md

* refactor

* docs

* add unit test

* added supervisord

* remove app

* add supervisor conf

* Add markdown

* add video to md

* remove test

* docs build failure

* add to all docker files, change prod.md and add tests

* change dockerfiles

* remove extra file

* remove extra file

* remove extra file

* change apt->apk

* remove rdb file

* add fixed file
2025-07-18 11:17:15 -07:00
Tyler Hutcherson 7864cd1f76 update redisvl dependency 2025-03-24 08:42:11 -04:00
Krish Dholakia d4ed985173 Add back in non root image fixes (#7781) (#7795)
* Add back in non root image fixes (#7781)

* Add back in non root image fixes

* Fix dockerfile

* Fix perms

* Add in container structure tests for the nonroot image (#7796)

* feat(helm): add securityContext and pull policy values to migration job (#7652)

* fix(helm): corrected indentation in migration-job.yaml

* feat(helm): add securityContext and pull policy values to migration job

* fix confusing save button label (#7778)

* [integrations/lunary] Improve Lunary documentation (#7770)

* update lunary doc

* better title

* tweaks

* Update langchain.md

* Update lunary_integration.md

* Fix wrong URL for internal user invitation (#7762)

* format

* done

* Update instructor tutorial (#7784)

* Add in container structure tests for the nonroot image

---------

Co-authored-by: Zackeus Bengtsson <32719220+Hexoplon@users.noreply.github.com>
Co-authored-by: yujonglee <yujonglee.dev@gmail.com>
Co-authored-by: Hugues Chocart <chocart.hugues@icloud.com>
Co-authored-by: Nikolaiev Dmytro <dima.nikol.99@gmail.com>

---------

Co-authored-by: Rajat Vig <rajatvig@users.noreply.github.com>
Co-authored-by: Zackeus Bengtsson <32719220+Hexoplon@users.noreply.github.com>
Co-authored-by: yujonglee <yujonglee.dev@gmail.com>
Co-authored-by: Hugues Chocart <chocart.hugues@icloud.com>
Co-authored-by: Nikolaiev Dmytro <dima.nikol.99@gmail.com>
2025-01-15 21:49:03 -08:00
Ishaan Jaff 6125ba1e2b (Feat) - allow including dd-trace in litellm base image (#7587)
* introduce USE_DDTRACE=true

* update dd tracer

* update

* bump dd trace

* use og slim image

* DD tracing

* fix _init_dd_tracer
2025-01-06 17:27:09 -08:00
Ishaan Jaff 564ecc728d (security fix) - update base image for all docker images to python:3.13.1-slim (#7388)
* update base image for all docker files

* remove unused files

* fix sec vuln
2024-12-23 16:20:47 -08:00
Ishaan Jaff d1760b1b04 (fix) clean up root repo - move entrypoint.sh and build_admin_ui to /docker (#6110)
* fix move docker files to docker folders

* move check file length

* fix docker hub deploy

* fix clean up root

* fix circle ci config
2024-10-08 11:34:43 +05:30
Ishaan Jaff d742e8cb43 (clean up) move docker files from root to docker folder (#6109)
* fix move docker files to docker folders

* move check file length

* fix docker hub deploy
2024-10-08 08:23:52 +05:30