feat(docker): decouple NestBot service with separate container #3939
Merged: arkid15r merged 15 commits into OWASP:feature/nestbot-ai-assistant from Ani07-05:feature/nestbot-ai-assistant on Feb 28, 2026. The diff below shows changes from 12 of the 15 commits.

Commits (15):

- 5b83548 feat(docker): decouple NestBot service with separate container (#3865) (Ani07-05)
- f1c4a57 coderabbit suggestions (Ani07-05)
- faa45dc fix(docker): address CodeRabbit review suggestions and improve servic… (Ani07-05)
- a956b96 coderabbit and cubic dev suggestions (Ani07-05)
- 8391621 add NestBot service with dedicated Dockerfile and update dependencies (Ani07-05)
- a09d9ab coderabbit suggestions (Ani07-05)
- 4c5e926 Lazy load AI imports, commit poetry.lock, revert healthcheck (Ani07-05)
- 0640077 Update code (rudransh-shrivastava)
- 7c2dd9a remove langchain, langchain-community, and langgraph (rudransh-shrivastava)
- 6986ee0 Update code (rudransh-shrivastava)
- c67cb5a add nestbot to clean-backend-docker (rudransh-shrivastava)
- f35cc5e Update code (rudransh-shrivastava)
- 4d32506 Update code (rudransh-shrivastava)
- afeb675 use exec-nestbot-command (rudransh-shrivastava)
- 90c1b9e fix tests (rudransh-shrivastava)
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,6 +1,5 @@ | ||
| # Docker Hardened Images (DHI) - requires: docker login dhi.io | ||
| # Use -dev variant for builder stage (includes build tools and shell) | ||
| FROM dhi.io/python:3.13-dev AS builder | ||
| # python:slim is used as base image to keep the image size small | ||
|
Collaborator comment: If we don't need the backend image to be based on python slim for NestBot I'd prefer to keep it based on alpine.
||
| FROM python:3.13-slim AS builder | ||
|
Ani07-05 marked this conversation as resolved.
Outdated
|
||
|
|
||
| SHELL ["/bin/bash", "-o", "pipefail", "-c"] | ||
|
|
||
|
|
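Review bot: the base-image decision in this hunk is still open: the builder moves from `dhi.io/python:3.13-dev` (described in the removed comment as a Docker Hardened Image) to `python:3.13-slim`, and the inline review asks to keep alpine if slim is not actually required for NestBot, so that should be settled before merge rather than left as a side effect of the NestBot split. Whichever base wins, pin it: the new NestBot Dockerfile in this same PR uses `python:3.13.7-slim` for its builder while this file uses the floating `python:3.13-slim`, so the two images can silently build against different interpreter patch releases. A patch-version tag (or a digest pin) on both files keeps the builds reproducible and makes base-image CVE tracking deterministic.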
@@ -15,6 +14,7 @@ RUN apt-get update && apt-get install -y --no-install-recommends \ | |
| build-essential \ | ||
| libffi-dev \ | ||
| libssl-dev \ | ||
| libpq-dev \ | ||
| passwd \ | ||
| && rm -rf /var/lib/apt/lists/* && \ | ||
| groupadd -g ${OWASP_GID} owasp && \ | ||
|
|
@@ -28,62 +28,37 @@ RUN --mount=type=cache,target=${PIP_CACHE_DIR} \ | |
| USER owasp | ||
| WORKDIR /home/owasp | ||
|
|
||
| # Copy files as root first, then fix ownership and permissions | ||
| USER root | ||
| COPY --chown=${OWASP_UID}:${OWASP_GID} poetry.lock pyproject.toml ./ | ||
| RUN chmod 644 poetry.lock pyproject.toml | ||
|
|
||
| USER owasp | ||
|
|
||
| # Update lock file if pyproject.toml changed (e.g., Python version upgrade) | ||
| COPY --chmod=444 --chown=root:root poetry.lock pyproject.toml ./ | ||
| RUN --mount=type=cache,target=${POETRY_CACHE_DIR},uid=${OWASP_UID},gid=${OWASP_GID} \ | ||
| --mount=type=cache,target=${PIP_CACHE_DIR} \ | ||
| poetry install --no-root --without dev --without test --without video | ||
| poetry install --no-root --without dev --without test --without video --without nestbot | ||
|
|
||
| # Use -dev variant for runtime stage to allow installing runtime dependencies | ||
| # Still hardened, just includes shell and package manager for flexibility | ||
| FROM dhi.io/python:3.13-dev | ||
| # Runtime stage using python:slim | ||
| FROM python:3.13-slim | ||
|
|
||
| SHELL ["/bin/bash", "-o", "pipefail", "-c"] | ||
|
|
||
| ENV FORCE_COLOR=1 \ | ||
| PIP_CACHE_DIR="/home/owasp/.cache/pip" \ | ||
| PATH="/home/owasp/.venv/bin:/usr/local/bin:$PATH" \ | ||
| PYTHONPATH="/home/owasp:/home/owasp/.venv/lib/python3.13/site-packages" \ | ||
| VIRTUAL_ENV="/home/owasp/.venv" \ | ||
| PATH="/home/owasp/.venv/bin:$PATH" \ | ||
| PYTHONUNBUFFERED=1 | ||
|
|
||
| RUN apt-get update && \ | ||
| apt-get install -y --no-install-recommends \ | ||
| postgresql-client \ | ||
| libpq5 \ | ||
| passwd \ | ||
| curl \ | ||
| && rm -rf /var/lib/apt/lists/* && \ | ||
| groupadd -g 1000 owasp && \ | ||
| useradd -u 1000 -g owasp -m -s /bin/bash owasp | ||
|
|
||
| # Install poetry for runtime (needed for volume-based development setup) | ||
| RUN --mount=type=cache,target=/root/.cache/pip \ | ||
| python3 -m pip install poetry --cache-dir /root/.cache/pip | ||
| RUN --mount=type=cache,target=${PIP_CACHE_DIR} \ | ||
| python -m pip install poetry --cache-dir ${PIP_CACHE_DIR} | ||
|
|
||
| EXPOSE 8000 | ||
|
|
||
| USER owasp | ||
| WORKDIR /home/owasp | ||
|
|
||
| COPY --from=builder --chmod=555 --chown=root:root /home/owasp /home/owasp | ||
|
|
||
| # Fix ownership and permissions for volume compatibility | ||
| # Also backup .venv to /tmp for volume initialization | ||
| USER root | ||
| RUN if [ -d /home/owasp/.venv ]; then \ | ||
| chown -R 1000:1000 /home/owasp/.venv && \ | ||
| chmod -R u+w /home/owasp/.venv && \ | ||
| cp -r /home/owasp/.venv /tmp/.venv-backup && \ | ||
| chown -R 1000:1000 /tmp/.venv-backup; \ | ||
| fi && \ | ||
| mkdir -p /home/owasp/.local/share && \ | ||
| chown -R 1000:1000 /home/owasp/.local && \ | ||
| chmod -R u+w /home/owasp/.local | ||
|
|
||
| USER owasp | ||
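Review bot: the runtime `ENV` keeps `PIP_CACHE_DIR="/home/owasp/.cache/pip"` and the stage still installs poetry, but `/home/owasp` is copied in with `--chmod=555 --chown=root:root` and, assuming the trailing `USER root` block (`chown -R 1000:1000 /home/owasp/.venv`, `chmod -R u+w ...`, the `/tmp/.venv-backup` copy and the `.local` fix-up) is the removed side of this hunk as the `-62/+37` line counts suggest, nothing makes the home directory writable afterwards. That is the right hardening direction (read-only, root-owned venv), but it means any `pip`/`poetry` invocation as `owasp` that touches that cache or `.local/share` will fail at runtime; either drop poetry and `PIP_CACHE_DIR` from the runtime stage (the comment says poetry is only there for the volume-based development setup, which belongs in a dev override, not the production image) or point the cache at a writable path such as `/tmp`. Separately, the runtime apt layer installs `curl` and `passwd`; `passwd` is needed only for the `groupadd`/`useradd` calls in the same layer and `curl` is not used anywhere in this file, so unless a compose healthcheck depends on it, `curl` should go to keep the runtime surface minimal.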
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,64 @@ | ||
| # python:slim is used as base image to keep the image size small | ||
| FROM python:3.13.7-slim AS builder | ||
|
|
||
| SHELL ["/bin/bash", "-o", "pipefail", "-c"] | ||
|
|
||
| ENV OWASP_GID=1000 \ | ||
| OWASP_UID=1000 \ | ||
| PIP_CACHE_DIR="/home/owasp/.cache/pip" \ | ||
| POETRY_CACHE_DIR="/home/owasp/.cache/pypoetry" \ | ||
| POETRY_VIRTUALENVS_IN_PROJECT=true \ | ||
| PYTHONUNBUFFERED=1 | ||
|
|
||
| RUN apt-get update && apt-get install -y --no-install-recommends \ | ||
| build-essential \ | ||
| libffi-dev \ | ||
| libssl-dev \ | ||
| libpq-dev \ | ||
| passwd \ | ||
| && rm -rf /var/lib/apt/lists/* && \ | ||
| groupadd -g ${OWASP_GID} owasp && \ | ||
| useradd -u ${OWASP_UID} -g owasp -m -s /bin/bash owasp && \ | ||
| mkdir -p ${POETRY_CACHE_DIR} /home/owasp/.local/share && \ | ||
| chown -R owasp:owasp /home/owasp | ||
|
|
||
| RUN --mount=type=cache,target=${PIP_CACHE_DIR} \ | ||
| python -m pip install poetry --cache-dir ${PIP_CACHE_DIR} | ||
|
|
||
| USER owasp | ||
| WORKDIR /home/owasp | ||
|
|
||
| COPY --chmod=444 --chown=root:root poetry.lock pyproject.toml ./ | ||
| RUN --mount=type=cache,target=${POETRY_CACHE_DIR},uid=${OWASP_UID},gid=${OWASP_GID} \ | ||
| --mount=type=cache,target=${PIP_CACHE_DIR} \ | ||
| poetry install --no-root --without dev --without test --without video | ||
|
|
||
| # Runtime stage using python:slim | ||
| FROM python:3.13-slim | ||
|
|
||
| SHELL ["/bin/bash", "-o", "pipefail", "-c"] | ||
|
|
||
| ENV FORCE_COLOR=1 \ | ||
| PIP_CACHE_DIR="/home/owasp/.cache/pip" \ | ||
| PATH="/home/owasp/.venv/bin:$PATH" \ | ||
| PYTHONUNBUFFERED=1 | ||
|
|
||
| RUN apt-get update && \ | ||
| apt-get install -y --no-install-recommends \ | ||
| postgresql-client \ | ||
| libpq5 \ | ||
| passwd \ | ||
| curl \ | ||
| && rm -rf /var/lib/apt/lists/* && \ | ||
| groupadd -g 1000 owasp && \ | ||
| useradd -u 1000 -g owasp -m -s /bin/bash owasp | ||
|
|
||
| RUN --mount=type=cache,target=${PIP_CACHE_DIR} \ | ||
| python -m pip install poetry --cache-dir ${PIP_CACHE_DIR} | ||
|
|
||
| EXPOSE 8001 | ||
|
|
||
| USER owasp | ||
| WORKDIR /home/owasp | ||
|
|
||
| COPY --from=builder --chmod=555 --chown=root:root /home/owasp /home/owasp |
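Review bot: the NestBot builder runs `poetry install --no-root --without dev --without test --without video`, which excludes only those three groups, so this image installs every other dependency group, including the backend's own, while the backend Dockerfile in this PR adds `--without nestbot` to keep the NestBot group out of the backend image. If the point of the separate container is isolation of the AI-assistant dependencies, the NestBot stage should install only the groups it needs (Poetry's `--only` form, e.g. `--only main,nestbot`, selects groups explicitly) so that a compromise of one service does not expose the other's dependency tree. Also, the builder is pinned to `python:3.13.7-slim` but the runtime stage uses the floating `python:3.13-slim`; pin both to the same tag so the copied `.venv` always runs on the interpreter it was built against. The runtime stage repeats the backend pattern of installing poetry and `curl` as root with `PIP_CACHE_DIR` under a home directory that is then copied in as `--chmod=555 --chown=root:root`; the same fix applies here.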