mirror of
https://github.com/tiennm99/litellm.git
synced 2026-06-17 18:48:36 +00:00
Krish Dholakia
e7714f0ce6
* fix(docker): bump tar/minimatch/pypdf for CVE fixes + harden SBOM patching
- Bump tar 7.5.8→7.5.10, minimatch 10.2.1→10.2.4, pypdf 6.6.2→6.7.3
- Add sed-based SBOM metadata patching with properly indented find/sed
- Add npm package manager cleanup (apk del / apt-get purge) to remove
stale SBOM entries from image scanners
- Scope || true to only apk del via brace grouping { ... || true; }
- Guard npm root -g with non-empty assertion to prevent silent failures
- Scope minimatch sed regex to ^10.x to avoid matching other major versions
Addresses: CVE-2026-27903, CVE-2026-27904, GHSA-qffp-2rhf-9h96, CVE-2026-27888
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix(docker): scope find to /usr/local/lib /usr/lib, drop autoremove
- Replace `find /` with `find /usr/local/lib /usr/lib` to avoid
traversing /proc, /sys, /dev during SBOM metadata patching
- Remove `apt-get autoremove -y` from Debian-based Dockerfiles to
prevent nodejs from being removed as an auto-installed dependency
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
150 lines
5.3 KiB
Docker
150 lines
5.3 KiB
Docker
# Base image for building
|
|
ARG LITELLM_BUILD_IMAGE=python:3.11-slim
|
|
|
|
# Runtime image
|
|
ARG LITELLM_RUNTIME_IMAGE=python:3.11-slim
|
|
|
|
# Builder stage
|
|
FROM $LITELLM_BUILD_IMAGE AS builder
|
|
|
|
# Set the working directory to /app
|
|
WORKDIR /app
|
|
|
|
USER root
|
|
|
|
# Install build dependencies in one layer
|
|
RUN apt-get update && apt-get install -y --no-install-recommends \
|
|
gcc \
|
|
python3-dev \
|
|
libssl-dev \
|
|
pkg-config \
|
|
&& rm -rf /var/lib/apt/lists/* \
|
|
&& pip install --upgrade pip build
|
|
|
|
# Copy requirements first for better layer caching
|
|
COPY requirements.txt .
|
|
|
|
# Install Python dependencies with cache mount for faster rebuilds
|
|
RUN --mount=type=cache,target=/root/.cache/pip \
|
|
pip wheel --no-cache-dir --wheel-dir=/wheels/ -r requirements.txt
|
|
|
|
# Fix JWT dependency conflicts early
|
|
RUN pip uninstall jwt -y || true && \
|
|
pip uninstall PyJWT -y || true && \
|
|
pip install PyJWT==2.9.0 --no-cache-dir
|
|
|
|
# Copy only necessary files for build
|
|
COPY pyproject.toml README.md schema.prisma poetry.lock ./
|
|
COPY litellm/ ./litellm/
|
|
COPY enterprise/ ./enterprise/
|
|
COPY docker/ ./docker/
|
|
|
|
# Build Admin UI once
|
|
# Convert Windows line endings to Unix and make executable
|
|
RUN sed -i 's/\r$//' docker/build_admin_ui.sh && chmod +x docker/build_admin_ui.sh && ./docker/build_admin_ui.sh
|
|
|
|
# Build the package
|
|
RUN rm -rf dist/* && python -m build
|
|
|
|
# Install the built package
|
|
RUN pip install dist/*.whl
|
|
|
|
# Runtime stage
|
|
FROM $LITELLM_RUNTIME_IMAGE AS runtime
|
|
|
|
# Ensure runtime stage runs as root
|
|
USER root
|
|
|
|
# Install only runtime dependencies
|
|
RUN apt-get update && apt-get upgrade -y \
|
|
libxml2 \
|
|
libexpat1 \
|
|
openssl \
|
|
libssl3 \
|
|
git \
|
|
libkrb5-3 \
|
|
libglib2.0-0 \
|
|
wget \
|
|
libaom3 \
|
|
libxslt1.1 \
|
|
libgnutls30 \
|
|
libc6 \
|
|
&& apt-get install -y --no-install-recommends \
|
|
libssl3 \
|
|
libatomic1 \
|
|
nodejs \
|
|
npm \
|
|
&& rm -rf /var/lib/apt/lists/* \
|
|
&& npm install -g npm@latest tar@7.5.10 glob@11.1.0 @isaacs/brace-expansion@5.0.1 minimatch@10.2.4 diff@8.0.3 \
|
|
&& GLOBAL="$(npm root -g)" \
|
|
&& find "$GLOBAL/npm" -type d -name "tar" -path "*/node_modules/tar" | while read d; do \
|
|
rm -rf "$d" && cp -rL "$GLOBAL/tar" "$d"; \
|
|
done \
|
|
&& find "$GLOBAL/npm" -type d -name "glob" -path "*/node_modules/glob" | while read d; do \
|
|
rm -rf "$d" && cp -rL "$GLOBAL/glob" "$d"; \
|
|
done \
|
|
&& find "$GLOBAL/npm" -type d -name "brace-expansion" -path "*/node_modules/@isaacs/brace-expansion" | while read d; do \
|
|
rm -rf "$d" && cp -rL "$GLOBAL/@isaacs/brace-expansion" "$d"; \
|
|
done \
|
|
&& find "$GLOBAL/npm" -type d -name "minimatch" -path "*/node_modules/minimatch" | while read d; do \
|
|
rm -rf "$d" && cp -rL "$GLOBAL/minimatch" "$d"; \
|
|
done \
|
|
&& find "$GLOBAL/npm" -type d -name "diff" -path "*/node_modules/diff" | while read d; do \
|
|
rm -rf "$d" && cp -rL "$GLOBAL/diff" "$d"; \
|
|
done \
|
|
&& find /usr/local/lib /usr/lib -path "*/node_modules/npm/package.json" -exec \
|
|
sed -i 's/"tar": "\^7\.5\.[0-9]*"/"tar": "^7.5.10"/g; s/"minimatch": "\^10\.[0-9.]*"/"minimatch": "^10.2.4"/g' {} + 2>/dev/null \
|
|
&& npm cache clean --force \
|
|
&& apt-get purge -y npm
|
|
|
|
WORKDIR /app
|
|
|
|
# Copy only necessary runtime files
|
|
COPY docker/entrypoint.sh docker/prod_entrypoint.sh ./docker/
|
|
COPY litellm/ ./litellm/
|
|
COPY pyproject.toml README.md schema.prisma poetry.lock ./
|
|
|
|
# Copy pre-built wheels and install everything at once
|
|
COPY --from=builder /wheels/ /wheels/
|
|
COPY --from=builder /app/dist/*.whl .
|
|
|
|
# Install all dependencies in one step with no-cache for smaller image
|
|
RUN pip install --no-cache-dir *.whl /wheels/* --no-index --find-links=/wheels/ && \
|
|
rm -f *.whl && \
|
|
rm -rf /wheels
|
|
|
|
# SECURITY FIX: nodejs-wheel-binaries (pip package used by Prisma) bundles a complete
|
|
# npm with old vulnerable deps at /usr/lib/python3.*/site-packages/nodejs_wheel/.
|
|
# Patch every copy of tar, glob, and brace-expansion inside that tree.
|
|
RUN GLOBAL="$(npm root -g)" && \
|
|
[ -n "$GLOBAL" ] || { echo "ERROR: npm root -g returned empty; aborting"; exit 1; } && \
|
|
find /usr/lib -type d -name "tar" -path "*/node_modules/tar" | while read d; do \
|
|
rm -rf "$d" && cp -rL "$GLOBAL/tar" "$d"; \
|
|
done && \
|
|
find /usr/lib -type d -name "glob" -path "*/node_modules/glob" | while read d; do \
|
|
rm -rf "$d" && cp -rL "$GLOBAL/glob" "$d"; \
|
|
done && \
|
|
find /usr/lib -type d -name "brace-expansion" -path "*/node_modules/@isaacs/brace-expansion" | while read d; do \
|
|
rm -rf "$d" && cp -rL "$GLOBAL/@isaacs/brace-expansion" "$d"; \
|
|
done && \
|
|
find /usr/lib -type d -name "minimatch" -path "*/node_modules/minimatch" | while read d; do \
|
|
rm -rf "$d" && cp -rL "$GLOBAL/minimatch" "$d"; \
|
|
done && \
|
|
find /usr/lib -type d -name "diff" -path "*/node_modules/diff" | while read d; do \
|
|
rm -rf "$d" && cp -rL "$GLOBAL/diff" "$d"; \
|
|
done
|
|
|
|
# Generate prisma client and set permissions
|
|
# Convert Windows line endings to Unix for entrypoint scripts
|
|
RUN prisma generate && \
|
|
sed -i 's/\r$//' docker/entrypoint.sh && \
|
|
sed -i 's/\r$//' docker/prod_entrypoint.sh && \
|
|
chmod +x docker/entrypoint.sh && \
|
|
chmod +x docker/prod_entrypoint.sh
|
|
|
|
EXPOSE 4000/tcp
|
|
|
|
ENTRYPOINT ["docker/prod_entrypoint.sh"]
|
|
|
|
# Append "--detailed_debug" to the end of CMD to view detailed debug logs
|
|
CMD ["--port", "4000"] |