refactor: use official iii binary, pinned versions, HMAC secret, tini init
- Dockerfile +99 -19
- start.sh +30 -18
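--- a/Dockerfile
+++ b/Dockerfile
@@ -1,34 +1,114 @@
-
+ARG III_VERSION=0.11.2
 
-#
-
-
-
+# Pull the official iii engine binary
+FROM iiidev/iii:${III_VERSION} AS iii-image
+
+FROM node:22-slim
+
+ARG AGENTMEMORY_VERSION=0.9.21
+ARG III_VERSION=0.11.2
+ARG III_SDK_VERSION=0.11.2
+
+# Install Caddy + runtime deps
+RUN apt-get update \
+&& apt-get install -y --no-install-recommends \
+debian-keyring debian-archive-keyring apt-transport-https \
+curl openssl ca-certificates tini gosu python3 python3-pip \
+&& curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' \
+| gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg \
+&& curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' \
+| tee /etc/apt/sources.list.d/caddy-stable.list \
 && apt-get update && apt-get install -y caddy \
 && pip3 install --break-system-packages huggingface_hub \
-&&
+&& rm -rf /var/lib/apt/lists/*
 
-#
-
-
+# Copy iii binary from official image (avoids re-downloading on every boot)
+COPY --from=iii-image /app/iii /usr/local/bin/iii
+
+# Set up HF Spaces user (uid 1000 required)
+RUN userdel -r node 2>/dev/null || true \
+&& useradd -m -u 1000 user
 
-# Install agentmemory
-
-RUN
+# Install agentmemory with pinned iii-sdk to match engine version
+WORKDIR /opt/agentmemory
+RUN printf '{"name":"agentmemory-deploy","version":"1.0.0","private":true,"overrides":{"iii-sdk":"%s"}}\n' \
+"${III_SDK_VERSION}" > package.json \
+&& npm install "@agentmemory/agentmemory@${AGENTMEMORY_VERSION}" \
+--omit=optional --no-fund --no-audit \
+&& ln -s /opt/agentmemory/node_modules/.bin/agentmemory /usr/local/bin/agentmemory
 
-#
-
+# Override iii-config.yaml at build time:
+# - bind 0.0.0.0 (not 127.0.0.1) so Caddy can reach it
+# - use absolute /home/user/.agentmemory paths so data lands in our sync dir
+RUN cat > /opt/agentmemory/node_modules/@agentmemory/agentmemory/dist/iii-config.yaml <<'EOF'
+workers:
+- name: iii-http
+config:
+port: 3111
+host: 0.0.0.0
+default_timeout: 180000
+cors:
+allowed_origins:
+- "http://localhost:3111"
+- "http://localhost:3113"
+- "http://127.0.0.1:3111"
+- "http://127.0.0.1:3113"
+allowed_methods: [GET, POST, PUT, DELETE, OPTIONS]
+- name: iii-state
+config:
+adapter:
+name: kv
+config:
+store_method: file_based
+file_path: /home/user/.agentmemory/state_store.db
+- name: iii-queue
+config:
+adapter:
+name: builtin
+- name: iii-pubsub
+config:
+adapter:
+name: local
+- name: iii-cron
+config:
+adapter:
+name: kv
+- name: iii-stream
+config:
+port: 3112
+host: 0.0.0.0
+adapter:
+name: kv
+config:
+store_method: file_based
+file_path: /home/user/.agentmemory/stream_store
+- name: iii-observability
+config:
+enabled: true
+service_name: agentmemory
+exporter: memory
+sampling_ratio: 1.0
+metrics_enabled: true
+logs_enabled: true
+logs_console_output: true
+EOF
+
+# Give user 1000 ownership of everything it needs to write at runtime
+RUN chown -R user:user /opt/agentmemory /home/user
+
+ENV TINI_SUBREAPER=1 \
+HOME=/home/user
+
+WORKDIR /app
+RUN chown user:user /app
 
-# Switch to non-root user
 USER user
-ENV HOME=/app
 
-# Copy Caddyfile and startup script
 COPY --chown=user:user Caddyfile /app/Caddyfile
 COPY --chown=user:user start.sh /app/start.sh
+COPY --chown=user:user sync.py /app/sync.py
 RUN chmod +x /app/start.sh
 
-# Expose HF default port
 EXPOSE 7860
 
-
+ENTRYPOINT ["/usr/bin/tini", "--", "/app/start.sh"]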
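Review bot: The embedded iii-config.yaml sets `host: 0.0.0.0` for both `iii-http` (3111) and `iii-stream` (3112), and the comment justifies it as "so Caddy can reach it", but start.sh starts Caddy and `agentmemory` in the same container and already points `AGENTMEMORY_URL` at `http://localhost:3111`. If that holds, loopback is enough, and binding all interfaces only makes the API reachable from the container network without passing through Caddy; I would use `host: 127.0.0.1` on both workers unless the Caddyfile (not shown here) proxies to a non-loopback address. Separately, the `curl … | gpg --dearmor` and `curl … | tee` pipes run under the default `/bin/sh` without `pipefail`, so a failed download of the repository key or source list is not caught; adding `SHELL ["/bin/bash", "-o", "pipefail", "-c"]` before that `RUN` would stop the build at that point.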
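--- a/start.sh
+++ b/start.sh
@@ -1,16 +1,18 @@
 #!/bin/bash
+set -e
 
-# Create
-mkdir -p
+# Create agentmemory data dir
+mkdir -p /home/user/.agentmemory
 
 # =============================================================================
 # Persistent storage via HF Dataset repo (free)
-#
-#
+# Secrets to set in HF Space settings:
+# HF_TOKEN — write access to the dataset repo
+# GEMINI_API_KEY — powers graph, embeddings, compression, crystals
+# AGENTMEMORY_DATASET_REPO — optional override (default: Yash030/agentmemory-data)
 # =============================================================================
 export AGENTMEMORY_DATASET_REPO="${AGENTMEMORY_DATASET_REPO:-Yash030/agentmemory-data}"
 
-# Restore DB from HF Dataset on startup
 echo "[start] Restoring data from HF Dataset..."
 python3 /app/sync.py restore
 
@@ -22,23 +24,33 @@ python3 /app/sync.py restore
 done
 ) &
 
-#
-# container ports. Use the public hf.space URL only from your local machine.
+# Internal service URLs (daemon talks to itself on localhost)
 export AGENTMEMORY_URL=http://localhost:3111
 export III_ENGINE_URL=ws://localhost:49134
 
-#
-# viewer rejects unknown Host headers unless they are explicitly allowed.
+# Allow HF Space's public host through the viewer's host check
 if [ -n "${SPACE_HOST}" ]; then
 export VIEWER_ALLOWED_HOSTS="${VIEWER_ALLOWED_HOSTS:-${SPACE_HOST},${SPACE_HOST}:443,${SPACE_HOST}:7860}"
 export VIEWER_ALLOWED_ORIGINS="${VIEWER_ALLOWED_ORIGINS:-https://${SPACE_HOST},http://${SPACE_HOST},http://localhost:3111,http://localhost:3113,http://127.0.0.1:3111,http://127.0.0.1:3113}"
 fi
 
-#
-
-
-
-
+# Generate HMAC secret on first boot, persist it so it survives dataset restore
+HMAC_FILE="/home/user/.agentmemory/.hmac"
+if [ ! -s "$HMAC_FILE" ]; then
+SECRET="$(openssl rand -hex 32)"
+printf '%s\n' "$SECRET" > "$HMAC_FILE"
+chmod 600 "$HMAC_FILE"
+echo "================================================================"
+echo "agentmemory: generated HMAC secret on first boot"
+echo "AGENTMEMORY_SECRET=$SECRET"
+echo "Copy this to your Space secrets as AGENTMEMORY_SECRET."
+echo "It will not be printed again."
+echo "================================================================"
+fi
+export AGENTMEMORY_SECRET="${AGENTMEMORY_SECRET:-$(cat "$HMAC_FILE")}"
+
+# Write .env config for the daemon
+cat > /home/user/.agentmemory/.env <<EOF
 GEMINI_API_KEY=${GEMINI_API_KEY}
 AGENTMEMORY_SECRET=${AGENTMEMORY_SECRET}
 AGENTMEMORY_URL=${AGENTMEMORY_URL}
@@ -53,11 +65,11 @@ VIEWER_ALLOWED_HOSTS=${VIEWER_ALLOWED_HOSTS}
 VIEWER_ALLOWED_ORIGINS=${VIEWER_ALLOWED_ORIGINS}
 EOF
 
-# Start agentmemory daemon
-
+# Start agentmemory daemon (installed binary, not npx)
+agentmemory &
 
-# Wait for
+# Wait for daemon to be ready
 sleep 5
 
-# Start Caddy reverse proxy
+# Start Caddy reverse proxy (serves everything on port 7860)
 caddy run --config /app/Caddyfile --adapter caddyfile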
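Review bot: The first-boot branch prints the generated key with `echo "AGENTMEMORY_SECRET=$SECRET"`, which writes the HMAC secret to the container's stdout and so into whatever log view and retention the Space has. I would drop that line and log only that a secret was written to `$HMAC_FILE`, or exit with a message asking the operator to set `AGENTMEMORY_SECRET` as a Space secret before first boot. The heredoc that follows writes `GEMINI_API_KEY` and the secret to `/home/user/.agentmemory/.env` under the default umask, while only `.hmac` gets `chmod 600`; a `umask 077` near the top of the script covers both files and removes the window between `printf` and `chmod`. Both files sit in the directory the Dockerfile comment calls the sync dir, so it is worth confirming that sync.py (not shown) excludes `.hmac` and `.env` from the dataset upload.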