b563fff062
The Dockerfile's --mount=type=secret path was corrupting the SA key JSON due to control character handling differences. Pre-download soul + El SDK in the CI workflow (using already-authenticated gcloud) and COPY them from the build context. No credentials needed inside the Docker build.
# syntax=docker/dockerfile:1
# Neuron Soul — GKE container image
#
# Build strategy:
# 1. CI pre-downloads all artifacts from Artifact Registry into build-artifacts/
#    (neuron soul binary, El compiler, El runtime). No GCP credentials are needed
#    inside the build — all AR access happens in the CI workflow before docker build.
#    Consequence: the image build does not verify these artifacts itself; their
#    integrity rests on deploy-gke.yaml fetching them over its already-authenticated
#    gcloud session, so pin AR artifact versions/digests there and keep the build
#    context minimal (a .dockerignore) so nothing else from the runner is COPY'd in.
# 2. Build engram from source (neuron-technologies/engram, cloned by CI into ./engram/).
# 3. Package soul + engram in an Ubuntu 24.04 runtime image (GLIBC 2.39).
# 4. entrypoint.sh starts engram on :8742, waits for it to be healthy,
#    then starts the soul with ENGRAM_URL pointing at it (HTTP mode).
#    Only the soul port (7770) is EXPOSEd; engram is addressed over localhost.
#
# Expected build context layout (prepared by deploy-gke.yaml before docker build):
#   build-artifacts/neuron        — pre-built linux/amd64 soul binary
#   build-artifacts/elc           — El compiler (for engram source compilation)
#   build-artifacts/el_runtime.c  — El C runtime
#   build-artifacts/el_runtime.h  — El C runtime header
#   engram/src/server.el          — engram source (cloned by CI)
#   entrypoint.sh                 — container entrypoint
#
# Required env vars (injected via ExternalSecret at runtime):
#   NEURON_PORT, NEURON_LLM_0_URL, NEURON_LLM_0_KEY, NEURON_LLM_0_FORMAT,
#   SOUL_CGI_ID, SOUL_IDENTITY, NEURON_TOKEN, NEURON_API_URL, ENGRAM_URL,
#   ENGRAM_DATA_DIR
#   None of these are baked into the image: the ENV block at the bottom sets only
#   non-secret defaults (NEURON_PORT, ENGRAM_URL, ENGRAM_DATA_DIR). Secrets such as
#   NEURON_LLM_0_KEY and NEURON_TOKEN must never be passed via ARG/ENV or COPY'd in.
|
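# ── Stage 1: Build engram from source ────────────────────────────────────────
# NOTE(review): ubuntu:24.04 is a moving tag; for reproducible, auditable builds
# pin it by digest (ubuntu:24.04@sha256:…) and bump the digest deliberately.
FROM ubuntu:24.04 AS engram-builder

# C toolchain for compiling the El-generated source. --no-install-recommends and
# the apt list cleanup run in the same layer so the apt cache never lands in the
# image. Nothing from this stage reaches the runtime image except /build/dist/engram.
RUN apt-get update -qq && \
    apt-get install -y --no-install-recommends \
        ca-certificates \
        gcc \
        libc6-dev \
        libcurl4-openssl-dev && \
    rm -rf /var/lib/apt/lists/*

# El SDK pre-downloaded by CI into build-artifacts/.
# --chmod (BuildKit) sets the execute bit at copy time, so no follow-up
# `RUN chmod` layer is needed — that would store a second copy of the binary.
# The build does not verify these artifacts; trust rests on the CI step that
# fetched them from Artifact Registry.
COPY --chmod=0755 build-artifacts/elc /usr/local/bin/elc
COPY build-artifacts/el_runtime.c /usr/local/lib/el/el_runtime.c
COPY build-artifacts/el_runtime.h /usr/local/lib/el/el_runtime.h

# engram source cloned by CI into ./engram/
COPY engram/src/server.el /build/src/server.el

# Transpile server.el -> engram.c, then compile it together with the El runtime.
# Each step is &&-chained so a failing elc or cc fails the build rather than
# leaving a stale or empty engram behind. cc already produces an executable,
# so no trailing chmod is required.
RUN mkdir -p /build/dist && \
    /usr/local/bin/elc /build/src/server.el > /build/dist/engram.c && \
    echo "Compiled server.el -> engram.c ($(wc -l < /build/dist/engram.c) lines)" && \
    cc -std=c11 -O2 \
        -I /usr/local/lib/el \
        -o /build/dist/engram \
        /build/dist/engram.c \
        /usr/local/lib/el/el_runtime.c \
        -lcurl -lpthread -lm && \
    echo "Built engram:" && ls -lh /build/dist/engram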
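# ── Stage 2: Runtime image ───────────────────────────────────────────────────
# Ubuntu 24.04: GLIBC 2.39 satisfies both neuron-soul and engram binary deps.
# NOTE(review): moving tag — pin by digest (ubuntu:24.04@sha256:…) for
# reproducible, auditable images.
FROM ubuntu:24.04

# Runtime deps only; no compiler or headers reach this image.
# curl is presumably what entrypoint.sh uses for the engram health wait
# (TODO confirm); if the entrypoint does not need it, drop it to shrink the
# attack surface.
# The service account gets a fixed UID and GID (10000) so the Kubernetes
# securityContext (runAsNonRoot / fsGroup) can reference stable numeric IDs.
RUN apt-get update -qq && \
    apt-get install -y --no-install-recommends \
        ca-certificates \
        libcurl4t64 \
        curl && \
    rm -rf /var/lib/apt/lists/* && \
    groupadd -r -g 10000 soul && \
    useradd -r -u 10000 -g soul -m -s /bin/bash soul

# soul binary pre-downloaded by CI into build-artifacts/; engram from stage 1.
# --chmod (BuildKit) sets the mode at copy time, avoiding a separate
# `RUN chmod` layer that would re-store all three files.
# The soul binary is not verified here; trust rests on the CI step that
# fetched it from Artifact Registry.
COPY --chmod=0755 build-artifacts/neuron /usr/local/bin/neuron
COPY --chmod=0755 --from=engram-builder /build/dist/engram /usr/local/bin/engram
COPY --chmod=0755 entrypoint.sh /usr/local/bin/entrypoint.sh

# /data is the engram mount point (PVC at runtime).
# This chown only takes effect when no volume is mounted over /data; with the
# PVC mounted, ownership is governed by the pod's fsGroup — set fsGroup: 10000
# so the volume is writable by the soul user.
RUN mkdir -p /data && chown soul:soul /data

# Numeric UID:GID rather than a name: the kubelet can only verify
# runAsNonRoot from the image config when USER is numeric; with a name it
# refuses to start the container unless runAsUser is also set.
USER 10000:10000
WORKDIR /home/soul

# Soul listens on 7770 (unprivileged, fine for a non-root user). engram's
# :8742 is intentionally not EXPOSEd — it is reached over localhost only.
EXPOSE 7770

# ENGRAM_URL and ENGRAM_DATA_DIR trigger HTTP mode in the soul.
# SOUL_ENGRAM_PATH must NOT be set — its presence would enable legacy file mode.
# Only non-secret defaults live here; NEURON_TOKEN, NEURON_LLM_0_KEY and the
# other secrets arrive via ExternalSecret at runtime and must never be baked
# in with ENV or ARG.
ENV NEURON_PORT=7770 \
    ENGRAM_URL=http://localhost:8742 \
    ENGRAM_DATA_DIR=/data

# Exec form so entrypoint.sh is PID 1 and receives SIGTERM directly.
ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]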