ci: update docker image configuration for secure deployments (#5259)

* changes required for openshift to work with read-only dirs

docker/build_and_push_ep.Dockerfile

@@ -88,4 +88,4 @@ ENV LANGFLOW_HOST=0.0.0.0
 ENV LANGFLOW_PORT=7860
 
 USER 1000
-ENTRYPOINT ["python", "-m", "langflow", "run", "--host", "0.0.0.0", "--backend-only"]
+CMD ["python", "-m", "langflow", "run", "--host", "0.0.0.0", "--backend-only"]

docker/frontend/build_and_push_frontend.Dockerfile

@@ -23,7 +23,7 @@ LABEL org.opencontainers.image.url=https://github.com/langflow-ai/langflow
 LABEL org.opencontainers.image.source=https://github.com/langflow-ai/langflow
 
 COPY --from=builder-base --chown=nginx /frontend/build /usr/share/nginx/html
-COPY --chown=nginx ./docker/frontend/nginx.conf /etc/nginx/conf.d/default.conf
 COPY --chown=nginx ./docker/frontend/start-nginx.sh /start-nginx.sh
+COPY --chown=nginx ./docker/frontend/default.conf.template /etc/nginx/conf.d/default.conf.template
 RUN chmod +x /start-nginx.sh
 ENTRYPOINT ["/start-nginx.sh"]

docker/frontend/default.conf.template

@@ -0,0 +1,43 @@
+worker_processes auto;
+pid /tmp/nginx.pid;
+events {}
+
+http {
+    include /etc/nginx/mime.types;
+    default_type text/plain;
+
+    types {
+        text/html html;
+        text/css css;
+        application/javascript js;
+    }
+
+    server {
+        gzip on;
+        gzip_comp_level 2;
+        gzip_min_length 1000;
+        gzip_types text/xml text/css;
+        gzip_http_version 1.1;
+        gzip_vary on;
+        gzip_disable "MSIE [4-6] \.";
+
+        listen ${FRONTEND_PORT};
+
+        location / {
+            root /usr/share/nginx/html;
+            index index.html index.htm;
+            try_files $uri $uri/ /index.html =404;
+        }
+        location /api {
+            proxy_pass ${BACKEND_URL};
+        }
+        location /health_check {
+            proxy_pass ${BACKEND_URL};
+        }
+        location /health {
+            proxy_pass ${BACKEND_URL};
+        }
+
+        include /etc/nginx/extra-conf.d/*.conf;
+    }
+}

docker/frontend/start-nginx.sh

@@ -1,6 +1,11 @@
 #!/bin/sh
 set -e
-trap 'kill -TERM $PID' TERM INT
+
+# Define writable directory for the final config
+CONFIG_DIR="/tmp/nginx"
+mkdir -p $CONFIG_DIR
+
+# Check and set environment variables
 if [ -z "$BACKEND_URL" ]; then
   BACKEND_URL="$1"
 fi
@@ -14,12 +19,12 @@ if [ -z "$BACKEND_URL" ]; then
   echo "BACKEND_URL must be set as an environment variable or as first parameter. (e.g. http://localhost:7860)"
   exit 1
 fi
-echo "BACKEND_URL: $BACKEND_URL"
-echo "FRONTEND_PORT: $FRONTEND_PORT"
-sed -i "s|__BACKEND_URL__|$BACKEND_URL|g" /etc/nginx/conf.d/default.conf
-sed -i "s|__FRONTEND_PORT__|$FRONTEND_PORT|g" /etc/nginx/conf.d/default.conf
-cat /etc/nginx/conf.d/default.conf
 
+# Export variables for envsubst
+export BACKEND_URL FRONTEND_PORT
+
+# Use envsubst to substitute environment variables in the template
+envsubst '${BACKEND_URL} ${FRONTEND_PORT}' < /etc/nginx/conf.d/default.conf.template > $CONFIG_DIR/default.conf
 
-# Start nginx
-exec nginx -g 'daemon off;'
+# Start nginx with the new configuration
+exec nginx -c $CONFIG_DIR/default.conf -g 'daemon off;'

src/backend/base/langflow/services/database/service.py

@@ -62,6 +62,10 @@ def __init__(self, settings_service: SettingsService):
         else:
             # Construct the path using the langflow directory.
             self.alembic_log_path = Path(langflow_dir) / alembic_log_file
+
+        # Ensure the directory and file for the alembic log file exists
+        self.alembic_log_path.parent.mkdir(parents=True, exist_ok=True)
+        self.alembic_log_path.touch(exist_ok=True)
         self._logged_pragma = False
 
     def reload_engine(self) -> None: