Build last step of DOCKERFILE

[coyotte508]

Those last commands:

RUN --mount=type=secret,id=DOTENV_LOCAL,mode=0444,required=true cat /run/secrets/DOTENV_LOCAL > .env.local

RUN npm run build

ENV PORT 7860

CMD pm2 start build/index.js -i $CPU_CORES --no-daemon

Should be run in a .sh script called by the last CMD of the Dockerfile. Because the cache layers aren't invalidated when secrets change.

It would also allow people to download the docker image (would probably need to delete & recreate the space though, as for now we allow to download either all or none of the docker images)

cc @XciD @christophe-rannou

[XciD]

Does this work:

RUN --mount=type=secret,id=DOTENV_LOCAL,dst=.env.local npm run build
ENV PORT 7860
CMD pm2 start build/index.js -i $CPU_CORES --no-daemon

?

[coyotte508]

# read the doc: https://huggingface.co/docs/hub/spaces-sdks-docker
# you will also find guides on how best to write your Dockerfile

FROM node:19

RUN npm install -g pm2

WORKDIR /app

COPY . .

RUN npm i

RUN chown -R 1000:1000 /app

ENV PORT 7860

RUN --mount=type=secret,id=DOTENV_LOCAL,dst=.env.local npm run build
CMD pm2 start build/index.js -i $CPU_CORES --no-daemon

This docker file works & is cleaner indeed, it doesn't solve the problem of secret updating = we need to trigger a rebuild by changing the code

If we do this for the last command:

CMD cat $DOTENV_LOCAL > .env.local && npm run build && pm2 start build/index.js -i $CPU_CORES --no-daemon

Will there be downtime during updates? (during the time that it takes to build in that last command before launching the process)

[XciD]

We have no down time as we unscale only when port is up.

This being said, from here: https://stackoverflow.com/questions/68469643/docker-build-time-secrets-with-layer-caching

Cache should be invalidated

[coyotte508]

So we need to use ARG instead of secrets to invalidate cache? :(