forked from HKUDS/LightRAG
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathdocker-entrypoint.sh
More file actions
65 lines (60 loc) · 3.39 KB
/
Copy pathdocker-entrypoint.sh
File metadata and controls
65 lines (60 loc) · 3.39 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
#!/bin/sh
set -e
# Run the server as the non-root "lightrag" user (CIS Docker 4.1) while staying
# compatible with existing deployments whose bind-mounted data is root-owned.
#
# Image-internal chown cannot fix runtime mounts, so when the container starts
# as root we chown the data dirs and then drop privileges via gosu. When the
# orchestrator already starts us as non-root (compose `user:` / k8s
# `runAsUser`), we skip the chown and exec directly.
# Preserve the pre-split behavior where `docker run <image> --port 9622` appended
# flags to the server. Now that ENTRYPOINT is this script, a first arg starting
# with "-" means the user only passed flags, so prepend the default command.
if [ "${1#-}" != "$1" ]; then
set -- python -m lightrag.api.lightrag_server "$@"
fi
# On Render, default CORS to this service's own origin instead of LightRAG's
# "*" default. Only applied when the user hasn't set CORS_ORIGINS and Render
# supplies its external URL, so non-Render deployments are left untouched.
# (Done here rather than in the Blueprint's dockerCommand: an sh -c wrapper
# passed as CMD args through this ENTRYPOINT + gosu is not reconstructed into a
# valid shell invocation, so it must live in the entrypoint itself.)
if [ -z "${CORS_ORIGINS}" ] && [ -n "${RENDER_EXTERNAL_URL}" ]; then
export CORS_ORIGINS="${RENDER_EXTERNAL_URL}"
fi
if [ "$(id -u)" = "0" ]; then
# Take ownership of the writable data locations so the dropped-privilege
# process can read/write them, covering bind-mounts/PVCs whose host content
# is root-owned. We create+chown /app/data (the default home for all data)
# plus any custom dirs configured via env (WORKING_DIR/INPUT_DIR/PROMPT_DIR/
# TIKTOKEN_CACHE_DIR/LOG_DIR), so deployments that point these outside
# /app/data keep working. The mkdir matters when only the parent is mounted
# (e.g. a bind mount/PVC at /data with WORKING_DIR=/data/site01/storage): the
# leaf does not exist yet, and once we drop to uid 1000 the server can no
# longer mkdir it under the root-owned parent. Creating it here as root and
# handing it to lightrag avoids that PermissionError.
#
# ERROR_LOG/ACCESS_LOG (gunicorn) are *file* paths, so we chown their parent
# directory rather than the file itself. Unset values and system roots are
# skipped; read-only mounts fail the mkdir/chown harmlessly.
_error_log_dir=""
_access_log_dir=""
[ -n "$ERROR_LOG" ] && _error_log_dir=$(dirname "$ERROR_LOG")
[ -n "$ACCESS_LOG" ] && _access_log_dir=$(dirname "$ACCESS_LOG")
for _d in /app/data "$WORKING_DIR" "$INPUT_DIR" "$PROMPT_DIR" \
"$TIKTOKEN_CACHE_DIR" "$LOG_DIR" "$_error_log_dir" "$_access_log_dir"; do
case "$_d" in
""|.|/|/bin|/boot|/dev|/etc|/home|/lib|/lib64|/proc|/root|/run|/sbin|/sys|/usr|/var) continue ;;
esac
mkdir -p "$_d" 2>/dev/null || true
chown -R lightrag:lightrag "$_d" 2>/dev/null || true
done
# NOTE: we deliberately do NOT chown /app/.env. On a bind-mount that would
# change the *host* file's owner to uid 1000, forcing the host user to sudo
# just to edit their config. .env only needs to be *readable* by uid 1000,
# which the default 0644 already satisfies. A 0600 .env owned by another uid
# must be made readable (chmod/chown on the host) or supplied via env vars
# (compose env_file:/environment:, k8s env/envFrom).
exec gosu lightrag "$@"
fi
exec "$@"