neuron-technologies/neuron-web
2
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases Wiki Activity
Files
66e3ac63210e67a2e9f25472356ff2828ff22366
neuron-web/Dockerfile.stage
T
will.anderson c6ee45a374
Dev — Build & local smoke test / build-smoke (pull_request) Failing after 3m54s
Details
fix: run k3s as root, bump HPA CPU threshold to 80% 
k3s needs CAP_SYS_ADMIN to create network namespaces and mount cgroups.
USER landing was preventing this. Cloud Run gen2 is the security boundary.

60% CPU was too conservative for soul-demo — it is I/O-bound (LLM API calls),
not CPU-bound. 80% gives correct headroom before scaling kicks in.
2026-05-09 12:40:27 -05:00

112 lines
4.8 KiB
Docker
Raw Blame History

# Dockerfile.stage — Stage build: landing server + soul-demo in one image.
#
# Both processes run in the same container:
# - neuron-web on port 8080 (landing page server)
# - soul-demo on port 7772 (demo chat, localhost only)
#
# neuron-web is built by `elb build` in CI (not here). elb compiles each
# .el source independently and links the result — no combined mega-file,
# no exponential memory growth. The binary lands at dist/neuron-landing
# (linux/amd64) and is COPY'd directly into the runtime image.
#
# soul-demo.c is pre-committed (small, no OOM risk) and compiled here.
# ── Stage 1: compile soul-demo ────────────────────────────────────────────────
FROM debian:bookworm-slim AS builder
RUN apt-get update \
&& apt-get install -y --no-install-recommends \
build-essential \
curl \
libcurl4-openssl-dev \
libssl-dev \
ca-certificates \
&& rm -rf /var/lib/apt/lists/*
WORKDIR /build
COPY runtime/el_runtime.c runtime/el_runtime.h ./
# Pre-compile el_runtime as a separate cached layer.
# el_runtime.c changes rarely; main.c changes every run.
# Splitting this out means el_runtime.o is cached across builds when only main.c changes.
# -DHAVE_CURL: the staged el_runtime.c (from el.git) guards the OTLP observability
# section (emit_metric, emit_log, trace_span_*) behind #ifdef HAVE_CURL.
# libcurl IS installed above, so define HAVE_CURL to enable those functions.
RUN cc -O2 -DHAVE_CURL -c el_runtime.c -I. -o el_runtime.o
COPY dist/soul-demo.c dist/vessel_stubs.c ./
RUN cc -O2 -rdynamic \
-o soul-demo \
soul-demo.c vessel_stubs.c el_runtime.o \
-lcurl -lpthread -ldl -lm -lssl -lcrypto
# ── Download k3s binary ───────────────────────────────────────────────────────
RUN curl -fL https://github.com/k3s-io/k3s/releases/download/v1.32.4%2Bk3s1/k3s -o /usr/local/bin/k3s \
&& chmod +x /usr/local/bin/k3s
# ── Stage 2: runtime image ────────────────────────────────────────────────────
FROM debian:bookworm-slim
RUN apt-get update \
&& apt-get install -y --no-install-recommends \
libcurl4 \
libssl3 \
ca-certificates \
&& rm -rf /var/lib/apt/lists/* \
&& groupadd -r landing && useradd -r -g landing landing \
&& mkdir -p /srv/landing/assets /srv/landing/js /srv/landing/shares \
&& mkdir -p /srv/soul/engram-demo \
&& chown -R landing:landing /srv/landing /srv/soul \
&& mkdir -p /var/lib/rancher/k3s /tmp/k3s \
&& chown -R landing:landing /var/lib/rancher /tmp/k3s
# neuron-web binary — produced by `elb build` in CI (linux/amd64)
COPY dist/neuron-landing /usr/local/bin/neuron-web
RUN chmod +x /usr/local/bin/neuron-web
COPY --from=builder /build/soul-demo /usr/local/bin/soul-demo
# k3s binary
COPY --from=builder /usr/local/bin/k3s /usr/local/bin/k3s
# soul-demo OCI image tar — k3s imports this at startup (no registry needed)
RUN mkdir -p /var/lib/rancher/k3s/agent/images
COPY dist/soul-demo-image.tar /var/lib/rancher/k3s/agent/images/soul-demo.tar
# k3s manifests — auto-applied when k3s starts
RUN mkdir -p /var/lib/rancher/k3s/server/manifests
COPY dist/k3s-soul-demo.yaml /var/lib/rancher/k3s/server/manifests/soul-demo.yaml
# Engram snapshot — baked in so soul has memory from cold start
COPY dist/engram-snapshot.json /srv/soul/engram-demo/snapshot.json
COPY src/assets /srv/landing/assets
COPY dist/js /srv/landing/js
COPY src/llms.txt /srv/landing/llms.txt
# Pre-rendered HTML shells (about, terms, enterprise-terms, index) used as
# fallback when the El page-builder hasn't been seeded yet at startup.
# chown to the landing user so the El runtime's fs_write at startup can
# rewrite them with the freshly-rendered page (extracted JS asset paths,
# updated chat widget, etc.). Without this they stay as their COPY'd root-
# owned shells and the served HTML never reflects post-COPY source edits.
COPY src/about.html src/terms.html src/enterprise-terms.html src/index.html /srv/landing/
RUN chown landing:landing /srv/landing/about.html /srv/landing/terms.html /srv/landing/enterprise-terms.html /srv/landing/index.html /srv/landing/llms.txt
COPY dist/entrypoint.sh /usr/local/bin/entrypoint.sh
RUN chmod +x /usr/local/bin/entrypoint.sh
ENV LANDING_ROOT=/srv/landing
ENV PORT=8080
ENV NEURON_HOME=/srv/soul/engram-demo
ENV NEURON_PORT=7772
ENV K3S_DATA_DIR=/var/lib/rancher/k3s
ENV KUBECONFIG=/var/lib/rancher/k3s/server/cred/admin.kubeconfig
# k3s requires root to create network namespaces and mount cgroups.
# Cloud Run gen2 sandbox is the security boundary here.
EXPOSE 8080
CMD ["/usr/local/bin/entrypoint.sh"]
Reference in New Issue View Git Blame Copy Permalink