Ziang Xie
6e2b854fdb
* fix(docker): remove misleading ENV, add explicit UID/GID, add .dockerignore - Removed `ENV DEEPSEEK_API_KEY=""` and `ENV DEEPSEEK_NO_COLOR=""`: API keys should never be baked into image layers, even as empty strings. Added comments documenting runtime secret passing patterns. - Added explicit UID/GID (1000:1000) for the `deepseek` user: Makes filesystem ownership unambiguous when mounting volumes and avoids the default auto-assigned UID shifting between hosts. - Added `.dockerignore`: Prevents accidental inclusion of .env files, local runtime state, documentation, dev configs, and build artifacts into the build context, keeping the image smaller and avoiding secret leaks. * fix(docker): keep nested build inputs in context --------- Co-authored-by: Hunter Bown <hmbown@gmail.com>
72 lines
2.9 KiB
Docker
72 lines
2.9 KiB
Docker
# syntax=docker/dockerfile:1
|
|
# DeepSeek-TUI multi-arch Docker image (#501)
|
|
#
|
|
# Build: docker buildx build --platform linux/amd64,linux/arm64 -t deepseek-tui:latest .
|
|
# Run: docker run --rm -it -e DEEPSEEK_API_KEY -v ~/.deepseek:/home/deepseek/.deepseek deepseek-tui
|
|
#
|
|
# The image ships both binaries (deepseek dispatcher + deepseek-tui runtime)
|
|
# in a minimal runtime layer. No MCP servers or heavy toolchains are included
|
|
# — keep it slim.
|
|
#
|
|
# API keys MUST be passed at runtime (never baked into the image):
|
|
# docker run --rm -it -e DEEPSEEK_API_KEY deepseek-tui
|
|
# Or mount an env file:
|
|
# docker run --rm -it --env-file .env deepseek-tui
|
|
|
|
ARG RUST_VERSION=1.88
|
|
|
|
# ── Stage 1: Build ────────────────────────────────────────────────────
|
|
FROM --platform=$BUILDPLATFORM rust:${RUST_VERSION}-slim-bookworm AS builder
|
|
ARG TARGETPLATFORM
|
|
ARG BUILDPLATFORM
|
|
|
|
RUN apt-get update && apt-get install -y --no-install-recommends \
|
|
pkg-config libdbus-1-dev \
|
|
&& rm -rf /var/lib/apt/lists/*
|
|
|
|
# Translate Docker platform into Rust target triple.
|
|
# linux/amd64 → x86_64-unknown-linux-gnu
|
|
# linux/arm64 → aarch64-unknown-linux-gnu
|
|
RUN case "${TARGETPLATFORM}" in \
|
|
linux/amd64) echo x86_64-unknown-linux-gnu > /rust-target ;; \
|
|
linux/arm64) echo aarch64-unknown-linux-gnu > /rust-target ;; \
|
|
*) echo "Unsupported platform: ${TARGETPLATFORM}" >&2; exit 1 ;; \
|
|
esac
|
|
|
|
RUN rustup target add "$(cat /rust-target)"
|
|
|
|
WORKDIR /build
|
|
COPY . .
|
|
|
|
# Build both binaries for the target platform. --locked ensures
|
|
# reproducible builds from the committed lockfile.
|
|
RUN --mount=type=cache,target=/build/target \
|
|
--mount=type=cache,target=/usr/local/cargo/registry \
|
|
cargo build --release --locked --target "$(cat /rust-target)" \
|
|
&& mkdir -p /out \
|
|
&& cp target/$(cat /rust-target)/release/deepseek /out/ \
|
|
&& cp target/$(cat /rust-target)/release/deepseek-tui /out/
|
|
|
|
# ── Stage 2: Runtime ──────────────────────────────────────────────────
|
|
FROM debian:bookworm-slim
|
|
|
|
RUN apt-get update && apt-get install -y --no-install-recommends \
|
|
ca-certificates \
|
|
libdbus-1-3 \
|
|
&& rm -rf /var/lib/apt/lists/*
|
|
|
|
# Non-root user with explicit UID/GID for filesystem ownership clarity.
|
|
RUN groupadd --gid 1000 deepseek \
|
|
&& useradd --create-home --shell /bin/bash --uid 1000 --gid 1000 deepseek
|
|
USER deepseek
|
|
WORKDIR /home/deepseek
|
|
|
|
COPY --from=builder --chown=deepseek:deepseek /out/deepseek /usr/local/bin/deepseek
|
|
COPY --from=builder --chown=deepseek:deepseek /out/deepseek-tui /usr/local/bin/deepseek-tui
|
|
|
|
# The dispatcher expects to find its companion binary next to it.
|
|
# Both are in /usr/local/bin — no further path setup needed.
|
|
|
|
ENTRYPOINT ["deepseek"]
|
|
CMD []
|