Litellm chainguard fixes 12 02 2025 p1 (#17406)

* build: update dockerfile non root

* build: update build

* build: update non root

* build: dockerfile fixes

* build: ensure dockerfile + dockerfile.database also work

Dockerfile

@@ -1,8 +1,8 @@
 # Base image for building
-ARG LITELLM_BUILD_IMAGE=cgr.dev/chainguard/python:latest-dev
+ARG LITELLM_BUILD_IMAGE=cgr.dev/chainguard/wolfi-base
 
 # Runtime image
-ARG LITELLM_RUNTIME_IMAGE=cgr.dev/chainguard/python:latest-dev
+ARG LITELLM_RUNTIME_IMAGE=cgr.dev/chainguard/wolfi-base
 # Builder stage
 FROM $LITELLM_BUILD_IMAGE AS builder
 
@@ -12,11 +12,9 @@ WORKDIR /app
 USER root
 
 # Install build dependencies
-RUN apk add --no-cache gcc python3-dev openssl openssl-dev
+RUN apk add --no-cache bash gcc py3-pip python3 python3-dev openssl openssl-dev
 
-
+RUN python -m pip install build
-RUN pip install --upgrade pip>=24.3.1 && \
-    pip install build
 
 # Copy the current directory contents into the container at /app
 COPY . .
@@ -48,10 +46,7 @@ FROM $LITELLM_RUNTIME_IMAGE AS runtime
 USER root
 
 # Install runtime dependencies
-RUN apk add --no-cache openssl tzdata nodejs npm
+RUN apk add --no-cache bash openssl tzdata nodejs npm python3 py3-pip
-
-# Upgrade pip to fix CVE-2025-8869
-RUN pip install --upgrade pip>=24.3.1
 
 WORKDIR /app
 # Copy the current directory contents into the container at /app

docker/Dockerfile.database

@@ -1,8 +1,8 @@
 # Base image for building
-ARG LITELLM_BUILD_IMAGE=cgr.dev/chainguard/python:latest-dev
+ARG LITELLM_BUILD_IMAGE=cgr.dev/chainguard/wolfi-base
 
 # Runtime image
-ARG LITELLM_RUNTIME_IMAGE=cgr.dev/chainguard/python:latest-dev
+ARG LITELLM_RUNTIME_IMAGE=cgr.dev/chainguard/wolfi-base
 # Builder stage
 FROM $LITELLM_BUILD_IMAGE AS builder
 
@@ -13,13 +13,15 @@ USER root
 
 # Install build dependencies
 RUN apk add --no-cache \
-    build-base \
+    bash \
+    gcc \
+    py3-pip \
+    python3 \
     python3-dev \
+    openssl \
     openssl-dev
 
-
+RUN python -m pip install build
-RUN pip install --upgrade pip && \
-    pip install build
 
 # Copy the current directory contents into the container at /app
 COPY . .
@@ -46,7 +48,7 @@ FROM $LITELLM_RUNTIME_IMAGE AS runtime
 USER root
 
 # Install runtime dependencies
-RUN apk add --no-cache openssl
+RUN apk add --no-cache bash openssl tzdata nodejs npm python3 py3-pip
 
 WORKDIR /app
 # Copy the current directory contents into the container at /app

docker/Dockerfile.non_root

@@ -1,6 +1,6 @@
 # Base images
-ARG LITELLM_BUILD_IMAGE=cgr.dev/chainguard/python:latest-dev
+ARG LITELLM_BUILD_IMAGE=cgr.dev/chainguard/wolfi-base
-ARG LITELLM_RUNTIME_IMAGE=cgr.dev/chainguard/python:latest-dev
+ARG LITELLM_RUNTIME_IMAGE=cgr.dev/chainguard/wolfi-base
 
 # -----------------
 # Builder Stage
@@ -11,6 +11,8 @@ WORKDIR /app
 # Install build dependencies including Node.js for UI build
 USER root
 RUN apk add --no-cache \
+    python3 \
+    py3-pip \
     clang \
     llvm \
     lld \
@@ -71,7 +73,7 @@ WORKDIR /app
 # Install runtime dependencies
 USER root
 RUN apk upgrade --no-cache && \
-  apk add --no-cache bash libstdc++ ca-certificates openssl supervisor
+  apk add --no-cache python3 py3-pip bash openssl tzdata nodejs npm supervisor
 
 # Copy only necessary artifacts from builder stage for runtime
 COPY . .