# AKIOS v1.0 - Secure Cross-Platform Docker Deployment
# Multi-stage build: separate build dependencies from runtime image
# GPL-3.0-only Compliance: Legal files baked into image, source pointer included
# OCI Compliant: Proper labels and metadata for container registries
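# Build stage - includes all build dependencies.
# Only /build/dist is copied out of this stage; everything else (compilers,
# pip cache, marker files) is discarded with the stage.
FROM ubuntu:24.04 AS builder

# Install Python build dependencies (Ubuntu base).
# Declared before any build argument so the layer is reused across builds.
# `--fix-missing` is deliberately not used: it lets apt continue when a
# package cannot be fetched, which would silently produce an incomplete
# toolchain instead of failing the build.
RUN apt-get update && \
    apt-get install -y --no-install-recommends \
        g++ \
        gcc \
        python3.12 \
        python3.12-venv \
        python3-pip \
    && rm -rf /var/lib/apt/lists/*

# Set working directory for build
WORKDIR /build

# Copy the project manifest first for better caching
COPY pyproject.toml .

# Install build tooling in a virtual environment (kept out of the system
# interpreter; --no-cache-dir so no pip cache lands in the layer)
RUN python3 -m venv /opt/venv && \
    /opt/venv/bin/pip install --no-cache-dir --upgrade pip && \
    /opt/venv/bin/pip install --no-cache-dir build wheel

# Cache-busting build arguments. Declared as late as possible: a changed
# value invalidates every instruction that follows it, so keeping them below
# the apt/pip layers lets those be reused. Note that a `$(date ...)` inside a
# RUN does NOT bust the cache (the cache key is the instruction text), so the
# ARG values are the only thing that forces a rebuild of the steps below.
ARG CACHE_BUST
ARG GIT_HASH
ARG BUILD_TIMESTAMP

# Exported as ENV in case the build backend reads them during the wheel build
# (NOTE(review): not confirmed from the Dockerfile; harmless since this stage
# is discarded)
ENV CACHE_BUST=${CACHE_BUST}
ENV GIT_HASH=${GIT_HASH}
ENV BUILD_TIMESTAMP=${BUILD_TIMESTAMP}

# Marker file recording the build identifiers (invalidates the layers below
# when any value changes)
RUN echo "${CACHE_BUST}-${GIT_HASH}-${BUILD_TIMESTAMP}" > /tmp/build_marker

# Copy the source tree. COPY is content-addressed, so any change under src/
# invalidates this and the following layer on its own.
COPY src/ ./src/

# Build the wheel package
RUN /opt/venv/bin/python -m build --wheel --outdir /build/dist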
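# Runtime stage - Ubuntu 24.04 base; only the built wheel is carried over
# from the builder stage.
FROM ubuntu:24.04

# Install Python and essential system dependencies.
# First layer of the stage and independent of every build argument, so it is
# reused across builds. Doc/man/locale trees are pruned in the same layer
# (deleting them in a later layer would not shrink the image).
# The best-effort prune is parenthesised: an unparenthesised trailing
# `|| true` would also mask a failed apt-get install.
RUN apt-get update && \
    apt-get install -y --no-install-recommends \
        ca-certificates \
        python3.12 \
        python3.12-venv \
        python3-pip \
    && apt-get clean && \
    rm -rf /var/lib/apt/lists/* /var/cache/apt/* /tmp/* /var/tmp/* && \
    (rm -rf /usr/share/doc/* /usr/share/man/* /usr/share/locale/* 2>/dev/null || true)

# Create legal files directory for GPL-3.0-only compliance
RUN mkdir -p /usr/share/akios/legal

# Security: create non-root user with a stable numeric UID/GID (1001) so
# runtimes enforcing runAsNonRoot can verify it
RUN groupadd -r akios -g 1001 && \
    useradd -r -g akios -u 1001 -m -s /usr/sbin/nologin akios

# Security: remove setuid AND setgid bits from all binaries.
# `-H` follows the /bin and /sbin symlinks of the merged-/usr layout;
# `-perm /6000` matches either bit; `a-s` clears both. The second command
# fails the build if any privileged binary survives, instead of silently
# continuing.
RUN find -H /bin /sbin /usr/bin /usr/sbin -xdev -type f -perm /6000 -exec chmod a-s {} + && \
    test -z "$(find -H /bin /sbin /usr/bin /usr/sbin -xdev -type f -perm /6000)"

# Set working directory
WORKDIR /app

# Copy legal files for GPL-3.0-only compliance (baked into image)
COPY LICENSE /usr/share/akios/legal/
COPY NOTICE /usr/share/akios/legal/
COPY THIRD_PARTY_LICENSES.md /usr/share/akios/legal/
COPY TRADEMARKS.md /usr/share/akios/legal/

# Create SOURCE.txt pointer for GPL-3.0-only source availability (GPLv3 §6).
# printf is used instead of echo: POSIX printf always interprets `\n` in the
# format string, whereas echo's handling of escapes depends on the shell.
RUN printf 'SOURCE AVAILABILITY\n\
\n\
This Docker image contains GPL-3.0-only licensed software.\n\
GPL-3.0-only requires that corresponding source code be available.\n\
\n\
Source Location: https://github.com/akios-ai/akios/releases/tag/v1.6.0\n\
Build Instructions: See https://github.com/akios-ai/akios/blob/v1.6.0/GETTING_STARTED.md\n\
License Text: See /usr/share/akios/legal/LICENSE\n\
\n\
Source Availability Commitment: 3 years minimum (until 2029-03-12)\n\
This source will remain available for at least 3 years from the release date.\n\
Earlier versions remain available via GitHub releases history.\n\
\n\
For more information on your rights: https://www.gnu.org/licenses/gpl-3.0.en.html\n\
For more information on AKIOS: https://github.com/akios-ai/akios\n' > /usr/share/akios/legal/SOURCE.txt

# Set proper permissions on legal files
RUN chmod 644 /usr/share/akios/legal/*

# Copy the built wheel from the builder stage into a scratch directory
# (not /app, so no build artefact ever sits next to runtime data)
COPY --from=builder /build/dist/ /tmp/dist/

# Install the wheel package + boto3 for AWS Bedrock support.
# --break-system-packages is required because Ubuntu 24.04 marks the system
# interpreter as externally managed (PEP 668); the package is intentionally
# installed into it so `python3 -m akios` works without a venv.
# The cleanup steps are parenthesised so that a failed pip install fails the
# build instead of being masked by the trailing `|| true`.
RUN python3 -m pip install --no-cache-dir --break-system-packages /tmp/dist/*.whl "boto3>=1.34.0" && \
    rm -rf /tmp/dist && \
    (find /usr/local/lib/python3.12 -name "*.pyc" -delete 2>/dev/null || true) && \
    (find /usr/local/lib/python3.12 -name "__pycache__" -type d -exec rm -rf {} + 2>/dev/null || true) && \
    (rm -rf /root/.cache/pip/* 2>/dev/null || true)

# Runtime directory setup and final cleanup in a single layer.
# mkdir/chown must succeed; only the temp-dir sweep is best-effort.
RUN mkdir -p /app/data/input /app/data/output /app/audit /app/workflows /app/.akios && \
    chown -R akios:akios /app && \
    (rm -rf /tmp/* /var/tmp/* /root/.cache/* 2>/dev/null || true)

# Build-provenance arguments, redeclared for this stage. Declared this late so
# that a new GIT_HASH only invalidates the metadata steps below, not the
# package layers above. BUILD_TIMESTAMP is accepted for interface
# compatibility with the builder stage but is not consumed here.
ARG GIT_HASH
ARG BUILD_TIMESTAMP

# OCI labels for container metadata and GPL-3.0-only compliance
LABEL org.opencontainers.image.title="AKIOS - Secure AI Workflow Engine" \
      org.opencontainers.image.description="GPL-3.0-only licensed AI agent execution engine with military-grade security" \
      org.opencontainers.image.version="1.6.0" \
      org.opencontainers.image.source="https://github.com/akios-ai/akios" \
      org.opencontainers.image.licenses="GPL-3.0-only" \
      org.opencontainers.image.vendor="AKIOUD AI, SAS" \
      org.opencontainers.image.url="https://github.com/akios-ai/akios" \
      org.opencontainers.image.revision="${GIT_HASH}"

# Switch to non-root user (after the last step that needs root)
USER akios

# Health check: the module must import under the runtime interpreter
HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 \
    CMD python3 -c "import akios; print('AKIOS OK')" || exit 1

# Default entrypoint (exec form: the interpreter is PID 1 and receives SIGTERM)
ENTRYPOINT ["python3", "-m", "akios"]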