litellm/docker/Dockerfile.non_root

# Base images
ARG LITELLM_BUILD_IMAGE=cgr.dev/chainguard/wolfi-base@sha256:a5a619c1793039dcf92f02178f37c94bb3d6001403716da59d6092dfe8d9b502
ARG LITELLM_RUNTIME_IMAGE=cgr.dev/chainguard/wolfi-base@sha256:a5a619c1793039dcf92f02178f37c94bb3d6001403716da59d6092dfe8d9b502
ARG PROXY_EXTRAS_SOURCE=published
ARG UV_IMAGE=ghcr.io/astral-sh/uv:0.10.9@sha256:10902f58a1606787602f303954cea099626a4adb02acbac4c69920fe9d278f82

FROM $UV_IMAGE AS uvbin

FROM $LITELLM_BUILD_IMAGE AS builder
ARG PROXY_EXTRAS_SOURCE
WORKDIR /app
USER root

COPY --from=uvbin /uv /usr/local/bin/uv
COPY --from=uvbin /uvx /usr/local/bin/uvx

RUN for i in 1 2 3; do \
    apk add --no-cache \
      python3 \
      python3-dev \
      clang \
      llvm \
      lld \
      gcc \
      linux-headers \
      build-base \
      bash \
      coreutils \
      curl \
      openssl \
      openssl-dev \
      nodejs \
      npm \
      libsndfile && break || sleep 5; \
    done

ENV UV_PROJECT_ENVIRONMENT=/app/.venv \
    UV_LINK_MODE=copy \
    NVM_DIR=/root/.nvm \
    PATH="/root/.nvm/versions/node/v20.20.2/bin:/app/.venv/bin:${PATH}" \
    LITELLM_NON_ROOT=true \
    PRISMA_BINARY_CACHE_DIR=/app/.cache/prisma-python/binaries \
    PRISMA_CLI_BINARY_TARGETS="debian-openssl-3.0.x" \
    XDG_CACHE_HOME=/app/.cache

# Copy dependency metadata first for layer caching
COPY pyproject.toml uv.lock ./
COPY enterprise/pyproject.toml enterprise/
COPY litellm-proxy-extras/pyproject.toml litellm-proxy-extras/

# Install third-party dependencies (cached unless pyproject.toml/uv.lock change)
RUN uv sync --frozen --no-install-project --no-install-workspace --no-default-groups --no-editable \
    --extra proxy \
    --extra proxy-runtime \
    --extra extra_proxy \
    --extra semantic-router \
    --python python3

# Copy full source tree
COPY . .

# Set non-root flag for build time consistency
ENV LITELLM_NON_ROOT=true

# Build Admin UI once and stage the static output for the runtime image.
# NOTE: .npmrc files (which may set ignore-scripts=true and min-release-age=3d)
# are temporarily renamed during npm install/ci so they don't block lifecycle
# scripts needed by the build. This is safe because npm ci installs from
# package-lock.json with pinned versions + integrity hashes.
RUN mkdir -p /var/lib/litellm/ui /var/lib/litellm/assets && \
    ([ -f /app/.npmrc ] && mv /app/.npmrc /app/.npmrc.bak || true) && \
    NVM_VERSION="v0.40.4" && \
    NVM_CHECKSUM="4b7412c49960c7d31e8df72da90c1fb5b8cccb419ac99537b737028d497aba4f" && \
    NODE_VERSION="v20.20.2" && \
    NVM_SCRIPT="/tmp/install-nvm.sh" && \
    curl -fsSL "https://raw.githubusercontent.com/nvm-sh/nvm/${NVM_VERSION}/install.sh" -o "$NVM_SCRIPT" && \
    echo "${NVM_CHECKSUM}  ${NVM_SCRIPT}" | sha256sum -c - && \
    bash "$NVM_SCRIPT" && \
    export NVM_DIR="$HOME/.nvm" && \
    . "$NVM_DIR/nvm.sh" && \
    nvm install "${NODE_VERSION}" && \
    nvm use "${NODE_VERSION}" && \
    npm install -g npm@11.12.1 && \
    npm install -g node-gyp@12.2.0 && \
    ln -sf "$(npm root -g)/node-gyp" "$(npm root -g)/npm/node_modules/node-gyp" && \
    npm cache clean --force && \
    cd /app/ui/litellm-dashboard && \
    if [ -f "/app/enterprise/enterprise_ui/enterprise_colors.json" ]; then \
      cp /app/enterprise/enterprise_ui/enterprise_colors.json ./ui_colors.json; \
    fi && \
    ([ -f .npmrc ] && mv .npmrc .npmrc.bak || true) && \
    npm ci --no-audit --no-fund && \
    ([ -f .npmrc.bak ] && mv .npmrc.bak .npmrc || true) && \
    ([ -f /app/.npmrc.bak ] && mv /app/.npmrc.bak /app/.npmrc || true) && \
    npm run build && \
    cp -r /app/ui/litellm-dashboard/out/* /var/lib/litellm/ui/ && \
    cp /app/litellm/proxy/logo.jpg /var/lib/litellm/assets/logo.jpg && \
    ( cd /var/lib/litellm/ui && \
      for html_file in *.html; do \
        if [ "$html_file" != "index.html" ] && [ -f "$html_file" ]; then \
          folder_name="${html_file%.html}" && \
          mkdir -p "$folder_name" && \
          mv "$html_file" "$folder_name/index.html"; \
        fi; \
      done && \
      touch .litellm_ui_ready ) && \
    cd /app/ui/litellm-dashboard && rm -rf ./out

RUN if [ "$PROXY_EXTRAS_SOURCE" = "published" ]; then \
      uv sync --frozen --no-default-groups --no-editable \
        --extra proxy \
        --extra proxy-runtime \
        --extra extra_proxy \
        --extra semantic-router \
        --python python3 \
        --no-sources-package litellm-proxy-extras; \
    else \
      uv sync --frozen --no-default-groups --no-editable \
        --extra proxy \
        --extra proxy-runtime \
        --extra extra_proxy \
        --extra semantic-router \
        --python python3; \
    fi

RUN mkdir -p /app/.cache/npm && \
    prisma generate --schema=./schema.prisma && \
    prisma --version && \
    prisma migrate diff --from-empty --to-schema-datamodel ./schema.prisma --script > /dev/null 2>&1 || true

RUN sed -i 's/\r$//' docker/entrypoint.sh && chmod +x docker/entrypoint.sh && \
    sed -i 's/\r$//' docker/prod_entrypoint.sh && chmod +x docker/prod_entrypoint.sh

FROM $LITELLM_RUNTIME_IMAGE AS runtime
ARG PROXY_EXTRAS_SOURCE
WORKDIR /app
USER root

RUN for i in 1 2 3; do \
    apk upgrade --no-cache && break || sleep 5; \
    done && \
    for i in 1 2 3; do \
      apk add --no-cache python3 bash openssl tzdata nodejs npm supervisor libsndfile && break || sleep 5; \
    done && \
    apk upgrade --no-cache nodejs && \
    npm install -g npm@11.12.1 tar@7.5.11 glob@11.1.0 @isaacs/brace-expansion@5.0.1 minimatch@10.2.4 diff@8.0.3 && \
    GLOBAL="$(npm root -g)" && \
    find "$GLOBAL/npm" -type d -name "tar" -path "*/node_modules/tar" | while read d; do \
      rm -rf "$d" && cp -rL "$GLOBAL/tar" "$d"; \
    done && \
    find "$GLOBAL/npm" -type d -name "glob" -path "*/node_modules/glob" | while read d; do \
      rm -rf "$d" && cp -rL "$GLOBAL/glob" "$d"; \
    done && \
    find "$GLOBAL/npm" -type d -name "brace-expansion" -path "*/node_modules/@isaacs/brace-expansion" | while read d; do \
      rm -rf "$d" && cp -rL "$GLOBAL/@isaacs/brace-expansion" "$d"; \
    done && \
    find "$GLOBAL/npm" -type d -name "minimatch" -path "*/node_modules/minimatch" | while read d; do \
      rm -rf "$d" && cp -rL "$GLOBAL/minimatch" "$d"; \
    done && \
    find "$GLOBAL/npm" -type d -name "diff" -path "*/node_modules/diff" | while read d; do \
      rm -rf "$d" && cp -rL "$GLOBAL/diff" "$d"; \
    done && \
    find /usr/local/lib /usr/lib -path "*/node_modules/npm/package.json" -exec \
      sed -i 's/"tar": "\^7\.5\.[0-9]*"/"tar": "^7.5.10"/g; s/"minimatch": "\^10\.[0-9.]*"/"minimatch": "^10.2.4"/g' {} + 2>/dev/null && \
    npm cache clean --force && \
    { apk del --no-cache npm 2>/dev/null || true; }

COPY --from=builder /app /app
COPY --from=builder /var/lib/litellm/ui /var/lib/litellm/ui
COPY --from=builder /var/lib/litellm/assets /var/lib/litellm/assets
COPY --from=builder /app/docker/supervisord.conf /etc/supervisord.conf

ENV PATH="/app/.venv/bin:${PATH}" \
    PRISMA_BINARY_CACHE_DIR=/app/.cache/prisma-python/binaries \
    PRISMA_CLI_BINARY_TARGETS="debian-openssl-3.0.x" \
    HOME=/app \
    LITELLM_NON_ROOT=true \
    XDG_CACHE_HOME=/app/.cache \
    PRISMA_SKIP_POSTINSTALL_GENERATE=1 \
    PRISMA_HIDE_UPDATE_MESSAGE=1 \
    PRISMA_ENGINES_CHECKSUM_IGNORE_MISSING=1 \
    NPM_CONFIG_CACHE=/app/.cache/npm \
    NPM_CONFIG_PREFER_OFFLINE=true \
    PRISMA_OFFLINE_MODE=true

RUN sed -i 's/\r$//' docker/entrypoint.sh && \
    sed -i 's/\r$//' docker/prod_entrypoint.sh && \
    chmod +x docker/entrypoint.sh docker/prod_entrypoint.sh && \
    mkdir -p /nonexistent /.npm /var/lib/litellm/assets /var/lib/litellm/ui /tmp/.npm && \
    chown -R nobody:nogroup /app /var/lib/litellm/ui /var/lib/litellm/assets /nonexistent /.npm /tmp/.npm && \
    PRISMA_PATH=$(python -c "import os, prisma; print(os.path.dirname(prisma.__file__))") && \
    chown -R nobody:nogroup "$PRISMA_PATH" && \
    LITELLM_PKG_MIGRATIONS_PATH="$(python -c 'import os, litellm_proxy_extras; print(os.path.dirname(litellm_proxy_extras.__file__))' 2>/dev/null || echo '')/migrations" && \
    [ -n "$LITELLM_PKG_MIGRATIONS_PATH" ] && chown -R nobody:nogroup "$LITELLM_PKG_MIGRATIONS_PATH" || true && \
    LITELLM_PROXY_EXTRAS_PATH=$(python -c "import os, litellm_proxy_extras; print(os.path.dirname(litellm_proxy_extras.__file__))" 2>/dev/null || echo "") && \
    chgrp -R 0 "$PRISMA_PATH" /var/lib/litellm/ui /var/lib/litellm/assets && \
    [ -n "$LITELLM_PROXY_EXTRAS_PATH" ] && chgrp -R 0 "$LITELLM_PROXY_EXTRAS_PATH" || true && \
    chmod -R g=u "$PRISMA_PATH" /var/lib/litellm/ui /var/lib/litellm/assets && \
    [ -n "$LITELLM_PROXY_EXTRAS_PATH" ] && chmod -R g=u "$LITELLM_PROXY_EXTRAS_PATH" || true && \
    chmod -R g+w "$PRISMA_PATH" /var/lib/litellm/ui /var/lib/litellm/assets && \
    [ -n "$LITELLM_PROXY_EXTRAS_PATH" ] && chmod -R g+w "$LITELLM_PROXY_EXTRAS_PATH" || true && \
    chmod -R g+rX "$PRISMA_PATH" /var/lib/litellm/ui /var/lib/litellm/assets /app/.cache

USER nobody

RUN prisma generate --schema=./schema.prisma

EXPOSE 4000/tcp

ENTRYPOINT ["/app/docker/prod_entrypoint.sh"]
CMD ["--port", "4000"]