misc-images/helicone-jawn (latest)
Published 2026-03-05 22:19:05 +00:00 by rebecca
Installation
docker pull git.puddi.ng/public-infra/misc-images/helicone-jawn:latestsha256:6b196eb1a80b42b260c285cab4c83b2faa49d99fcf7fc16a62dfc0c97bc85aebImage Layers
| # debian.sh --arch 'amd64' out/ 'bookworm' '@1754870400' |
| RUN /bin/sh -c groupadd --gid 1000 node && useradd --uid 1000 --gid node --shell /bin/bash --create-home node # buildkit |
| ENV NODE_VERSION=20.19.4 |
| RUN /bin/sh -c ARCH= OPENSSL_ARCH= && dpkgArch="$(dpkg --print-architecture)" && case "${dpkgArch##*-}" in amd64) ARCH='x64' OPENSSL_ARCH='linux-x86_64';; ppc64el) ARCH='ppc64le' OPENSSL_ARCH='linux-ppc64le';; s390x) ARCH='s390x' OPENSSL_ARCH='linux*-s390x';; arm64) ARCH='arm64' OPENSSL_ARCH='linux-aarch64';; armhf) ARCH='armv7l' OPENSSL_ARCH='linux-armv4';; i386) ARCH='x86' OPENSSL_ARCH='linux-elf';; *) echo "unsupported architecture"; exit 1 ;; esac && set -ex && apt-get update && apt-get install -y ca-certificates curl wget gnupg dirmngr xz-utils libatomic1 --no-install-recommends && rm -rf /var/lib/apt/lists/* && export GNUPGHOME="$(mktemp -d)" && for key in C0D6248439F1D5604AAFFB4021D900FFDB233756 DD792F5973C6DE52C432CBDAC77ABFA00DDBF2B7 CC68F5A3106FF448322E48ED27F5E38D5B0A215F 8FCCA13FEF1D0C2E91008E09770F7A9A5AE15600 890C08DB8579162FEE0DF9DB8BEAB4DFCF555EF4 C82FA3AE1CBEDC6BE46B9360C43CEC45C17AB93C 108F52B48DB57BB0CC439B2997B01419BD92F80A A363A499291CBBC940DD62E41F10027AF002F8B0 ; do { gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$key" && gpg --batch --fingerprint "$key"; } || { gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key" && gpg --batch --fingerprint "$key"; } ; done && curl -fsSLO --compressed "https://nodejs.org/dist/v$NODE_VERSION/node-v$NODE_VERSION-linux-$ARCH.tar.xz" && curl -fsSLO --compressed "https://nodejs.org/dist/v$NODE_VERSION/SHASUMS256.txt.asc" && gpg --batch --decrypt --output SHASUMS256.txt SHASUMS256.txt.asc && gpgconf --kill all && rm -rf "$GNUPGHOME" && grep " node-v$NODE_VERSION-linux-$ARCH.tar.xz\$" SHASUMS256.txt | sha256sum -c - && tar -xJf "node-v$NODE_VERSION-linux-$ARCH.tar.xz" -C /usr/local --strip-components=1 --no-same-owner && rm "node-v$NODE_VERSION-linux-$ARCH.tar.xz" SHASUMS256.txt.asc SHASUMS256.txt && find /usr/local/include/node/openssl/archs -mindepth 1 -maxdepth 1 ! -name "$OPENSSL_ARCH" -exec rm -rf {} \; && apt-mark auto '.*' > /dev/null && find /usr/local -type f -executable -exec ldd '{}' ';' | awk '/=>/ { so = $(NF-1); if (index(so, "/usr/local/") == 1) { next }; gsub("^/(usr/)?", "", so); print so }' | sort -u | xargs -r dpkg-query --search | cut -d: -f1 | sort -u | xargs -r apt-mark manual && apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false && ln -s /usr/local/bin/node /usr/local/bin/nodejs && node --version && npm --version && rm -rf /tmp/* # buildkit |
| ENV YARN_VERSION=1.22.22 |
| RUN /bin/sh -c set -ex && savedAptMark="$(apt-mark showmanual)" && apt-get update && apt-get install -y ca-certificates curl wget gnupg dirmngr --no-install-recommends && rm -rf /var/lib/apt/lists/* && export GNUPGHOME="$(mktemp -d)" && for key in 6A010C5166006599AA17F08146C2130DFD2497F5 ; do { gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys "$key" && gpg --batch --fingerprint "$key"; } || { gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key" && gpg --batch --fingerprint "$key"; } ; done && curl -fsSLO --compressed "https://yarnpkg.com/downloads/$YARN_VERSION/yarn-v$YARN_VERSION.tar.gz" && curl -fsSLO --compressed "https://yarnpkg.com/downloads/$YARN_VERSION/yarn-v$YARN_VERSION.tar.gz.asc" && gpg --batch --verify yarn-v$YARN_VERSION.tar.gz.asc yarn-v$YARN_VERSION.tar.gz && gpgconf --kill all && rm -rf "$GNUPGHOME" && mkdir -p /opt && tar -xzf yarn-v$YARN_VERSION.tar.gz -C /opt/ && ln -s /opt/yarn-v$YARN_VERSION/bin/yarn /usr/local/bin/yarn && ln -s /opt/yarn-v$YARN_VERSION/bin/yarnpkg /usr/local/bin/yarnpkg && rm yarn-v$YARN_VERSION.tar.gz.asc yarn-v$YARN_VERSION.tar.gz && apt-mark auto '.*' > /dev/null && { [ -z "$savedAptMark" ] || apt-mark manual $savedAptMark > /dev/null; } && find /usr/local -type f -executable -exec ldd '{}' ';' | awk '/=>/ { so = $(NF-1); if (index(so, "/usr/local/") == 1) { next }; gsub("^/(usr/)?", "", so); print so }' | sort -u | xargs -r dpkg-query --search | cut -d: -f1 | sort -u | xargs -r apt-mark manual && apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false && yarn --version && rm -rf /tmp/* # buildkit |
| COPY docker-entrypoint.sh /usr/local/bin/ # buildkit |
| ENTRYPOINT ["docker-entrypoint.sh"] |
| CMD ["node"] |
| ARG TARGETARCH=amd64 |
| WORKDIR /usr/src/app/valhalla/prompt_security |
| SHELL [/bin/bash -c] |
| RUN |1 TARGETARCH=amd64 /bin/bash -c apt-get update && apt-get install -y python3-venv python3 # buildkit |
| RUN |1 TARGETARCH=amd64 /bin/bash -c python3 -m venv venv # buildkit |
| RUN |1 TARGETARCH=amd64 /bin/bash -c . venv/bin/activate && pip3 install --upgrade pip>=23.3 setuptools>=70.0.0 # buildkit |
| RUN |1 TARGETARCH=amd64 /bin/bash -c apt-get update && apt-get install -y supervisor # buildkit |
| RUN |1 TARGETARCH=amd64 /bin/bash -c apt-get update && apt-get upgrade -y && apt-get install -y --no-install-recommends libexpat1-dev expat libpam0g libpam-modules libmbedtls14 libc6 && apt-get autoremove -y && apt-get clean # buildkit |
| RUN |1 TARGETARCH=amd64 /bin/bash -c expat_version=$(dpkg-query -W -f='${Version}' libexpat1 2>/dev/null || echo "0") && echo "Installed expat version: $expat_version" && if dpkg --compare-versions "$expat_version" lt "2.5.0-2"; then echo "Expat version is vulnerable, forcing update from security repos"; echo "deb http://security.debian.org/debian-security bookworm-security main" >> /etc/apt/sources.list.d/security.list && apt-get update && apt-get install -y --reinstall libexpat1 libexpat1-dev expat && rm -f /etc/apt/sources.list.d/security.list; fi # buildkit |
| RUN |1 TARGETARCH=amd64 /bin/bash -c apt-get update && apt-get install -y libcjson-dev libxml2-dev sqlite3 libsqlite3-0 libsqlite3-dev && apt-get clean # buildkit |
| RUN |1 TARGETARCH=amd64 /bin/bash -c apt-get update && apt-get install -y --reinstall libmbedtls14 libmbedtls-dev && apt-get clean # buildkit |
| RUN |1 TARGETARCH=amd64 /bin/bash -c apt-get update && apt-get install -y wget build-essential cmake git python3 python3-pip python3-venv && apt-get clean # buildkit |
| RUN |1 TARGETARCH=amd64 /bin/bash -c echo "Applying critical security patches..." && echo "deb http://deb.debian.org/debian unstable main" >> /etc/apt/sources.list.d/unstable.list && apt-get update && apt-get install -y -t unstable expat libexpat1 libexpat1-dev && rm -f /etc/apt/sources.list.d/unstable.list && apt-get update && (dpkg -l | grep -q libmbedtls && apt-get remove -y libmbedtls14 libmbedtls-dev || echo "mbedtls packages not installed, skipping removal") && cd /tmp && wget https://github.com/Mbed-TLS/mbedtls/releases/download/mbedtls-3.6.4/mbedtls-3.6.4.tar.bz2 && tar -xjf mbedtls-3.6.4.tar.bz2 && cd mbedtls-3.6.4 && python3 -m venv /tmp/mbedtls-build-venv && . /tmp/mbedtls-build-venv/bin/activate && pip install -r scripts/basic.requirements.txt && python3 scripts/generate_driver_wrappers.py && mkdir build && cd build && cmake .. -DCMAKE_BUILD_TYPE=Release -DCMAKE_INSTALL_PREFIX=/usr && make -j$(nproc) && make install && ldconfig && cd / && rm -rf /tmp/mbedtls* && echo '#!/bin/bash' > /usr/bin/mbedtls_version && echo 'echo "mbedTLS 3.6.4"' >> /usr/bin/mbedtls_version && chmod +x /usr/bin/mbedtls_version && echo "Verifying security patches applied:" && mbedtls_version && dpkg-query -W -f='expat: ${Version} (fixes CVE-2023-52425)\n' expat # buildkit |
| RUN |1 TARGETARCH=amd64 /bin/bash -c echo "deb https://deb.debian.org/debian testing main" > /etc/apt/sources.list.d/testing.list && apt-get update && apt-get install -y -t testing libaom3 && rm /etc/apt/sources.list.d/testing.list && apt-get update # buildkit |
| RUN |1 TARGETARCH=amd64 /bin/bash -c echo "deb https://deb.debian.org/debian testing main" > /etc/apt/sources.list.d/ffmpeg-testing.list && apt-get update && (apt-get install -y -t testing ffmpeg libavfilter10 libavdevice61 && echo "FFmpeg installed from testing repo") || (echo "Warning: Testing repo FFmpeg failed, falling back to bookworm FFmpeg" && rm /etc/apt/sources.list.d/ffmpeg-testing.list && apt-get update && apt-get install -y ffmpeg) && rm -f /etc/apt/sources.list.d/ffmpeg-testing.list && apt-get update && ffmpeg -version && echo "FFmpeg security patches applied" # buildkit |
| ENV FFMPEG_PATH=/usr/bin/ffmpeg |
| ENV FFPROBE_PATH=/usr/bin/ffprobe |
| RUN |1 TARGETARCH=amd64 /bin/bash -c echo "Applying additional medium-priority security patches..." && echo "deb https://deb.debian.org/debian testing main" > /etc/apt/sources.list.d/medium-security.list && apt-get update && (dpkg -l | grep -q "libssl3 " && apt-get remove -y libssl3 || echo "libssl3 not installed, skipping removal") && apt-get install -y -t testing krb5-user libkrb5-3 libkrb5-dev tar libssh-4 libssh-dev openssl libssl3t64 libssl-dev libopenjp2-7 libopenjp2-7-dev && rm /etc/apt/sources.list.d/medium-security.list && apt-get update && echo "Medium-priority system library vulnerabilities patched" # buildkit |
| RUN |1 TARGETARCH=amd64 /bin/bash -c apt-get update && apt-get install -y --reinstall python3 python3-venv python3-pip && rm -rf venv && python3 -m venv venv && . venv/bin/activate && pip3 install --upgrade pip>=23.3 setuptools>=70.0.0 # buildkit |
| COPY ./valhalla/prompt_security/requirements.txt ./ # buildkit |
| RUN |1 TARGETARCH=amd64 /bin/bash -c . venv/bin/activate && if [ "$TARGETARCH" = "arm64" ]; then pip3 install torch==2.7.1 torchvision==0.22.1 -f https://download.pytorch.org/whl/torch_stable.html; else pip3 install torch==2.7.1 torchvision==0.22.1 --index-url https://download.pytorch.org/whl/cpu; fi && pip3 install "transformers[torch]" # buildkit |
| RUN |1 TARGETARCH=amd64 /bin/bash -c . venv/bin/activate && pip3 install tokenizers safetensors fastapi tqdm uvicorn boto3 # buildkit |
| RUN |1 TARGETARCH=amd64 /bin/bash -c . venv/bin/activate && pip3 install regex numpy packaging requests tqdm filelock typing-extensions # buildkit |
| RUN |1 TARGETARCH=amd64 /bin/bash -c . venv/bin/activate && pip3 install --upgrade "Jinja2>=3.1.6" "setuptools>=78.1.1" "requests>=2.32.4" "urllib3>=2.0.0" "starlette>=0.27.0" "h11>=0.14.0" "aiohttp>=3.9.0" && echo "Python package vulnerabilities patched" # buildkit |
| RUN |1 TARGETARCH=amd64 /bin/bash -c apt install curl -y # buildkit |
| WORKDIR /usr/src/app |
| COPY ./shared ./shared # buildkit |
| COPY ./packages ./packages # buildkit |
| COPY ./package.json ./package.json # buildkit |
| WORKDIR /usr/src/app/valhalla/jawn |
| COPY ./valhalla/jawn . # buildkit |
| RUN |1 TARGETARCH=amd64 /bin/bash -c find /usr/src/app/valhalla/jawn -name ".env.*" -exec rm {} \; # buildkit |
| ENV PORT=8585 |
| RUN |1 TARGETARCH=amd64 /bin/bash -c yarn # buildkit |
| RUN |1 TARGETARCH=amd64 /bin/bash -c yarn build # buildkit |
| COPY ./valhalla/prompt_security/main.py /usr/src/app/valhalla/prompt_security/main.py # buildkit |
| COPY ./valhalla/prompt_security/run_service.sh /usr/src/app/valhalla/prompt_security/run_service.sh # buildkit |
| RUN |1 TARGETARCH=amd64 /bin/bash -c chmod +x /usr/src/app/valhalla/prompt_security/run_service.sh # buildkit |
| ENV PYTHONUNBUFFERED=1 |
| ENV PYTHONFAULTHANDLER=1 |
| ENV DLQ_MESSAGES_PER_MINI_BATCH=1 |
| ENV DLQ_WORKER_COUNT=1 |
| ENV NORMAL_WORKER_COUNT=3 |
| ENV CSB_API_KEY=1234567890 |
| ENV ENABLE_PROMPT_SECURITY=true |
| ENV DD_DOGSTATSD_NON_LOCAL_TRAFFIC=true |
| COPY ./valhalla/supervisord.conf /etc/supervisor/conf.d/supervisord.conf # buildkit |
| CMD ["/usr/bin/supervisord" "-n" "-c" "/etc/supervisor/supervisord.conf"] |