yuneng-jiang
1fd8ab4c5f
* fix(docker): copy only runtime artifacts into the final image The runtime stage previously copied the builder's entire /app workspace, shipping the full source tree and dependency manifests (uv.lock, the dashboard package-lock.json, ui/) in the published images. Tools that read manifests found in an image attribute every pin in them to the image, including packages that are never installed, which produces recurring false reports against the official images. The runtime stage now copies an explicit allowlist: the venv (where the application is installed), the entrypoint scripts, schema.prisma, prisma_migration.py (invoked by source path from entrypoint.sh), and the prisma binary caches. npm and its globally installed helper packages are dropped from the runtime stage; node stays for the prisma CLI. The database image's /root/.cache copy is narrowed to the prisma subdirs, matching the main Dockerfile, which removes the uv build cache from that image (-1.1GB). Verified on locally built images for all three variants against a contract suite that passes 100% on the v1.88.1 baselines: byte-identical venv vs old-Dockerfile builds from the same commit, DB-less and Postgres-backed boots, migration entrypoint, real completion and streaming calls, admin UI, key generation, non-root UID behavior. Image sizes: main 1.71GB -> 1.53GB, database 2.68GB -> 1.53GB * fix(docker): restore enterprise source dir required by runtime imports litellm/proxy/hooks/__init__.py, callback_utils.py and customer_endpoints.py import enterprise.* by source path, resolved via the cwd entry proxy_cli appends to sys.path, with silent ImportError fallbacks. Dropping /app/enterprise from the runtime image emptied ENTERPRISE_PROXY_HOOKS and broke managed files (e2e_openai_endpoints caught it). Restore the directory in all three runtime stages
Docker Development Guide
This guide provides instructions for building and running the LiteLLM application using Docker and Docker Compose.
Prerequisites
- Docker
- Docker Compose
Building and Running the Application
To build and run the application, you will use the docker-compose.yml file located in the root of the project. This file is configured to use the Dockerfile.non_root for a secure, non-root container environment.
1. Set the Master Key
The application requires a LITELLM_MASTER_KEY for signing and validating tokens. You must set this key as an environment variable before running the application.
Create a .env file in the root of the project and add the following line:
LITELLM_MASTER_KEY=your-secret-key
Replace your-secret-key with a strong, randomly generated secret.
2. Build and Run the Containers
Once you have set the LITELLM_MASTER_KEY, you can build and run the containers using the following command:
docker compose up -d --build
This command will:
- Build the Docker image using
Dockerfile.non_root. - Start the
litellm,litellm_db, andprometheusservices in detached mode (-d). - The
--buildflag ensures that the image is rebuilt if there are any changes to the Dockerfile or the application code.
3. Verifying the Application is Running
You can check the status of the running containers with the following command:
docker compose ps
To view the logs of the litellm container, run:
docker compose logs -f litellm
4. Stopping the Application
To stop the running containers, use the following command:
docker compose down
Hardened / Offline Testing
To ensure changes are safe for non-root, read-only root filesystems and restricted egress, always validate with the hardened compose file:
docker compose -f docker-compose.yml -f docker-compose.hardened.yml build --no-cache
docker compose -f docker-compose.yml -f docker-compose.hardened.yml up -d
This setup:
- Builds from
docker/Dockerfile.non_rootwith Prisma engines and Node toolchain baked into the image. - Runs the proxy as a non-root user with a read-only rootfs and only writable tmpfs mounts:
/app/cache(Prisma/NPM cache; backingPRISMA_BINARY_CACHE_DIR,NPM_CONFIG_CACHE,XDG_CACHE_HOME)/app/migrations(Prisma migration workspace; backingLITELLM_MIGRATION_DIR)
- Pre-builds and serves the admin UI from read-only paths:
/var/lib/litellm/ui(pre-restructured Next.js UI with.litellm_ui_readymarker)/var/lib/litellm/assets(UI logos and assets)
- Routes all outbound traffic through a local Squid proxy that denies egress, so Prisma migrations must use the cached CLI and engines.
You should also verify offline Prisma behaviour with:
docker run --rm --network none --entrypoint prisma ghcr.io/berriai/litellm:main-stable --version
This command should succeed (showing engine versions) even with --network none, confirming that Prisma binaries are available without network access.
Troubleshooting
build_admin_ui.sh: not found: This error can occur if the Docker build context is not set correctly. Ensure that you are running thedocker-composecommand from the root of the project.Master key is not initialized: This error means theLITELLM_MASTER_KEYenvironment variable is not set. Make sure you have created a.envfile in the project root with theLITELLM_MASTER_KEYdefined.