# ============================================================================== # Open Notebook - HuggingFace Spaces Dockerfile # Based on Dockerfile.single, adapted for HuggingFace Spaces constraints: # - Single container with supervisord # - Nginx reverse proxy on port 7860 (HF mandatory port) # - Runs as UID 1000 (HF mandatory user) # - Persistent storage at /data/ # ============================================================================== # Stage 1: Frontend Builder FROM node:20-slim AS frontend-builder WORKDIR /app/frontend # Copy dependency files first to leverage cache COPY frontend/package.json frontend/package-lock.json ./ ARG NPM_REGISTRY=https://registry.npmjs.org/ RUN npm config set registry ${NPM_REGISTRY} \ && npm config set fetch-retries 5 \ && npm config set fetch-retry-mintimeout 20000 \ && npm config set fetch-retry-maxtimeout 120000 # Retry npm ci to survive transient registry ECONNRESETs RUN i=0; until npm ci; do \ i=$((i+1)); \ if [ "$i" -ge 5 ]; then echo "npm ci failed after $i attempts"; exit 1; fi; \ echo "npm ci failed (attempt $i); retrying in 15s"; sleep 15; \ done # Copy the rest of the frontend source COPY frontend/ ./ # Build the frontend RUN npm run build # Stage 2: SurrealDB binary (pinned to v2 to match docker-compose.yml) FROM surrealdb/surrealdb:v2 AS surreal-binary # Stage 3: Backend Builder FROM python:3.12-slim-bookworm AS backend-builder # Install build dependencies RUN apt-get update && apt-get upgrade -y && apt-get install -y --no-install-recommends build-essential && rm -rf /var/lib/apt/lists/* # Install uv COPY --from=ghcr.io/astral-sh/uv:latest /uv /uvx /bin/ WORKDIR /app # Set build optimization environment variables ENV UV_HTTP_TIMEOUT=120 # Copy dependency files first COPY pyproject.toml uv.lock ./ COPY open_notebook/__init__.py ./open_notebook/__init__.py # Install dependencies RUN uv sync --frozen --no-dev # Pre-download tiktoken encoding so the app works offline (issue #264). ENV TIKTOKEN_CACHE_DIR=/app/tiktoken-cache RUN mkdir -p /app/tiktoken-cache && \ .venv/bin/python -c "import tiktoken; tiktoken.get_encoding('o200k_base')" # ============================================================================== # Stage 4: Runtime (HuggingFace Spaces optimized) # ============================================================================== FROM python:3.12-slim-bookworm AS runtime # Install runtime dependencies (including nginx for reverse proxy) # All apt installs MUST happen before switching to non-root user RUN apt-get update && apt-get upgrade -y && apt-get install -y \ ffmpeg \ supervisor \ nginx \ curl \ && curl -fsSL https://deb.nodesource.com/setup_20.x | bash - \ && apt-get install -y nodejs \ && rm -rf /var/lib/apt/lists/* # Install SurrealDB binary (from pinned v2 image) COPY --from=surreal-binary /surreal /usr/local/bin/surreal # Install uv COPY --from=ghcr.io/astral-sh/uv:latest /uv /uvx /bin/ # ============================================================================== # HuggingFace Spaces: Create user with UID 1000 (mandatory) # ============================================================================== RUN useradd -m -u 1000 user WORKDIR /app # Copy backend virtualenv and source code COPY --from=backend-builder /app/.venv /app/.venv COPY . /app/ # Copy pre-downloaded tiktoken encoding from builder COPY --from=backend-builder /app/tiktoken-cache /app/tiktoken-cache # Copy built frontend from standalone output COPY --from=frontend-builder /app/frontend/.next/standalone /app/frontend/ COPY --from=frontend-builder /app/frontend/.next/static /app/frontend/.next/static COPY --from=frontend-builder /app/frontend/public /app/frontend/public # Bind Next.js to all interfaces ENV HOSTNAME=0.0.0.0 # Point the app at the pre-baked tiktoken encoding ENV TIKTOKEN_CACHE_DIR=/app/tiktoken-cache # ============================================================================== # Setup directories, Nginx, and permissions for UID 1000 # ============================================================================== # Copy HuggingFace-specific configuration files COPY nginx.hf.conf /etc/nginx/nginx.conf COPY supervisord.hf.conf /etc/supervisor/conf.d/supervisord.conf COPY start.sh /app/start.sh RUN chmod +x /app/start.sh # Ensure wait-for-api script is executable RUN chmod +x /app/scripts/wait-for-api.sh # Setup directories with proper permissions for UID 1000 RUN mkdir -p /app/data /data /var/log/supervisor /var/log/nginx \ /var/lib/nginx /var/lib/nginx/body /var/lib/nginx/proxy \ /var/lib/nginx/fastcgi /var/lib/nginx/uwsgi /var/lib/nginx/scgi \ /run /tmp/nginx # Set ownership for non-root user (UID 1000) RUN chown -R 1000:1000 /app /data /var/log/supervisor /var/log/nginx \ /var/lib/nginx /run /tmp/nginx /etc/nginx && \ chown -R 1000:1000 /var/run 2>/dev/null || true # Remove default nginx configs that might conflict RUN rm -rf /etc/nginx/sites-enabled /etc/nginx/sites-available /etc/nginx/conf.d # ============================================================================== # Environment defaults for HuggingFace # ============================================================================== ENV SURREAL_URL=ws://localhost:8000/rpc ENV SURREAL_USER=root ENV SURREAL_PASSWORD=root ENV SURREAL_NAMESPACE=open_notebook ENV SURREAL_DATABASE=open_notebook ENV OPEN_NOTEBOOK_ENCRYPTION_KEY=change-me-in-hf-secrets # Switch to non-root user (HF Spaces requirement) USER user # Expose HuggingFace's mandatory port EXPOSE 7860 # Start via our initialization script CMD ["/app/start.sh"]