clairvoyance/Dockerfile at release · amithc001-source/clairvoyance · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
# Use Python 3.11 slim image for better performance and security
FROM python:3.11-slim

# Set environment variables
ENV PYTHONDONTWRITEBYTECODE=1 \
    PYTHONUNBUFFERED=1 \
    PYTHONPATH=/app \
    PORT=8000 \
    NLTK_DATA=/usr/local/nltk_data\
    KRISP_MODEL_PATH=/app/models/voice/krisp/krisp-viva-tel-v2.kef \
    UV_CACHE_DIR=/app/.uv-cache

# Install system dependencies required for audio processing and compilation + curl for GCP CLI
# Added cmake for Krisp native component compilation, unzip for manual wheel extraction
RUN apt-get update && apt-get install -y \
    build-essential \
    cmake \
    ffmpeg \
    libffi-dev \
    libssl-dev \
    pkg-config \
    portaudio19-dev \
    python3-dev \
    curl \
    unzip \
    && rm -rf /var/lib/apt/lists/*


# Create app and krisp directory
WORKDIR /app
RUN mkdir -p /app/models/voice/krisp

# Install uv
COPY --from=ghcr.io/astral-sh/uv:latest /uv /uvx /bin/

# Copy dependency files first for better Docker layer caching
COPY pyproject.toml uv.lock ./

# Install Python dependencies (without Krisp first) using uv
# Use --no-install-project to avoid installing the app/ package at this stage
# This allows optimal Docker layer caching - dependencies layer is cached separately
RUN uv sync --frozen --no-dev --no-install-project && \
    uv pip show pipecat-ai

# Start of Krisp installation process
# Download Krisp assets from GCP Storage using authenticated context
ARG KRISP_BUCKET_PATH=gs://clairvoyance-models/krisp

# Install Google Cloud CLI and download Krisp files (only for GCP deployments)
# Use BuildKit secret mount to avoid leaking token in image layers
RUN --mount=type=secret,id=gcp_token \
    if [ -f /run/secrets/gcp_token ]; then \
        echo "=== Installing Google Cloud CLI for Krisp assets ===" && \
        curl -sSL https://sdk.cloud.google.com | bash && \
        export PATH=$PATH:/root/google-cloud-sdk/bin && \
        gcloud storage cp --access-token-file=/run/secrets/gcp_token ${KRISP_BUCKET_PATH}/krisp-viva-tel-v2.kef /app/models/voice/krisp/ || echo "Warning: Krisp model not found"; \
        gcloud storage cp --access-token-file=/run/secrets/gcp_token ${KRISP_BUCKET_PATH}/*linux_x86_64.whl /tmp/ || echo "Warning: x86_64 wheel not found"; \
        gcloud storage cp --access-token-file=/run/secrets/gcp_token ${KRISP_BUCKET_PATH}/*linux_aarch64.whl /tmp/ || echo "Warning: aarch64 wheel not found"; \
    else \
        echo "Warning: GCP token secret not provided, skipping Krisp installation (AWS deployment)"; \
    fi

# Install Krisp wheel package (if downloaded) - auto-detect architecture
RUN if ls /tmp/*linux_*.whl 1> /dev/null 2>&1; then \
        ARCH=$(uv run python -c "import platform; print(platform.machine())") && \
        echo "=== Platform Debug Info ===" && \
        echo "Detected architecture: $ARCH" && \
        if [ "$ARCH" = "x86_64" ]; then \
            WHEEL_FILE="/tmp/*linux_x86_64.whl"; \
        elif [ "$ARCH" = "aarch64" ]; then \
            WHEEL_FILE="/tmp/*linux_aarch64.whl"; \
        else \
            echo "Unsupported architecture: $ARCH" && exit 1; \
        fi && \
        echo "Using wheel file: $WHEEL_FILE" && \
        if ls $WHEEL_FILE 1> /dev/null 2>&1; then \
            echo "=== Attempting pip install ===" && \
            uv pip install -v $WHEEL_FILE && \
            echo "Krisp audio package installed successfully"; \
        else \
            echo "Warning: No wheel file found for architecture $ARCH"; \
        fi; \
    else \
        echo "Warning: No Krisp wheel files found, skipping installation"; \
    fi

# End of Krisp installation process

# Create NLTK data directory and download required data
RUN mkdir -p /usr/local/nltk_data && \
    uv run python -m nltk.downloader punkt punkt_tab -d /usr/local/nltk_data

# Copy application code
COPY . .

# Set proper permissions
RUN chmod +x run.py

# Create non-root user for security
RUN groupadd -r appuser && useradd -r -g appuser appuser
RUN mkdir -p /app/.uv-cache && \
    chown -R appuser:appuser /app && \
    chown -R appuser:appuser /usr/local/nltk_data
USER appuser

# Expose port
EXPOSE ${PORT}

# Run the application
CMD ["uv", "run", "python", "run.py"]