-
-
Notifications
You must be signed in to change notification settings - Fork 339
feat: Add multi-architecture Docker image support #851
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Open
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
- Add QEMU setup for cross-platform builds in docker-publish.yml - Build for both linux/amd64 and linux/arm64 platforms - Add test workflow for validating multi-arch builds in CI - Include testing documentation for local development - Enable GitHub Actions cache for faster builds Addresses #825
@LearningCircuit
LearningCircuit
requested review from
HashedViking and
djpetti
as code owners
September 21, 2025 23:24
@LearningCircuit
LearningCircuit
linked an issue
Sep 21, 2025
that may be
closed
by this pull request
Claude finished @LearningCircuit's task —— View job
PR Review: Multi-Architecture Docker Support
I've completed a comprehensive review of this PR that adds multi-architecture Docker support. Here's my detailed feedback:
✅ Overall Assessment
This is a well-implemented feature that properly adds multi-architecture Docker support with appropriate testing and documentation. The code quality is high and follows Docker best practices.
🔍 Detailed Code Review
New Test Workflow (.github/workflows/docker-multiarch-test.yml)
Strengths:
- Comprehensive testing strategy with matrix builds for both AMD64 and ARM64
- Proper QEMU setup for cross-platform emulation
- Multi-layered validation: build verification, Python functionality, package imports, and web server startup
- Excellent error handling with timeouts and proper cleanup
- GitHub Actions cache integration for performance optimization
- Clear build summary with formatted results
Suggestions:
- Line 47: Consider adding architecture validation to ensure the built image matches the target platform:
- name: Verify architecture run: | PLATFORM_NAME=$(echo "${{ matrix.platform }}" | tr '/' '-') docker load < /tmp/image-${PLATFORM_NAME}.tar ARCH=$(docker image inspect ldr-test:${{ matrix.platform }}-${{ github.sha }} --format='{{.Architecture}}') echo "Built architecture: $ARCH"
Updated Publish Workflow (.github/workflows/docker-publish.yml)
Strengths:
- Clean and minimal changes - only added necessary multi-arch support
- Proper platform specification on line 47:
linux/amd64,linux/arm64 - Maintains existing security practices with secrets management
- GitHub Actions cache optimization maintained
Potential Issues:
- Missing architecture validation in metadata extraction
- Line 37: Consider adding architecture labels to the Docker image metadata for better traceability
Documentation (docs/docker/multiarch-testing.md)
Strengths:
- Excellent comprehensive guide covering multiple testing approaches
- Clear troubleshooting section addressing common ARM64 issues
- Performance expectations clearly documented (3-5x slower builds)
- Practical examples with working command snippets
Minor Suggestions:
- Consider adding a section about image size differences between architectures
- Line 97: The Node.js troubleshooting could mention specific ARM64 compatibility checks
🔒 Security Assessment
✅ No security concerns identified:
- Secrets handling unchanged and appropriate
- No new privileged operations introduced
- QEMU setup follows standard practices
- Docker actions use pinned versions (
@v3,@v5,@v6)
⚡ Performance Considerations
Well-addressed:
- GitHub Actions caching implemented properly with scope separation
- Performance expectations documented (3-5x slower ARM64 builds)
- Parallel testing strategy reduces overall CI time
- Build optimization with proper cache-from/cache-to configuration
Recommendations:
- Monitor CI build times post-merge to ensure caching effectiveness
- Consider ARM64 native runners for production if build times become problematic
🧪 Test Coverage
Excellent coverage:
- Multi-platform build validation
- Container startup verification
- Python environment testing
- Package import verification
- Web server functionality testing
- Proper cleanup and error handling
Enhancement suggestion:
- Consider adding a basic API endpoint test to validate full application stack
🎯 Architecture Compatibility
Potential concern with existing Dockerfile:
The current Dockerfile uses several tools that may have ARM64 compatibility issues:
- Playwright/Chromium (lines 145, 88-89 in Dockerfile) - documented in troubleshooting
- Node.js installation via NodeSource script (line 11) - should auto-detect but worth monitoring
- System dependencies may have different package names on ARM64
Recommendation: Monitor the first few ARM64 builds closely and be prepared to add architecture-specific conditionals if needed.
✨ Best Practices Followed
- ✅ Proper GitHub Actions workflow structure
- ✅ Comprehensive testing before production deployment
- ✅ Clear documentation with troubleshooting
- ✅ Performance optimization with caching
- ✅ Minimal changes to existing workflows
- ✅ Proper secret management
- ✅ Version pinning for actions
🏁 Final Recommendation
✅ APPROVE - This PR is ready to merge with the following notes:
- Excellent implementation that follows Docker and CI/CD best practices
- Comprehensive testing strategy provides confidence in multi-arch builds
- Well-documented approach for developers and troubleshooting
- No security or major performance concerns
- Minimal risk due to careful implementation and extensive testing
Post-merge monitoring suggested:
- Watch initial ARM64 builds for any Playwright/Chromium issues
- Monitor build times and cache effectiveness
- Validate Docker Hub manifest creation
Great work on this feature! The multi-architecture support is well-implemented and will significantly improve deployment flexibility.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Pull Request Overview
Adds multi-architecture Docker image support (amd64 and arm64), introduces a CI workflow to validate both architectures, and documents local testing via QEMU.
- Update publish workflow to build and push multi-arch images with caching
- Add multi-arch test workflow with per-arch build and runtime checks
- Provide documentation for local multi-arch builds and troubleshooting
Reviewed Changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 6 comments.
| File | Description |
|---|---|
| .github/workflows/docker-publish.yml | Enables QEMU, configures Buildx for multi-arch, and pushes a multi-arch manifest with caching. |
| .github/workflows/docker-multiarch-test.yml | New CI job to build per-arch images, validate startup and imports, and summarize results. |
| docs/docker/multiarch-testing.md | New guide for setting up QEMU, building/testing locally, and CI/CD notes. |
Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.
Claude finished @LearningCircuit's task —— View job
PR Review: Multi-Architecture Docker Support
I've completed my review of this PR that adds multi-architecture Docker image support. Here's my comprehensive analysis:
Review Tasks:
- Read and analyze the new test workflow file
- Review the updated publish workflow changes
- Examine the new documentation
- Assess code quality and best practices
- Identify potential bugs or issues
- Evaluate performance considerations
- Check for security concerns
- Analyze test coverage
- Consider existing copilot review feedback
- Provide final comprehensive review
✅ Overall Assessment
This is a well-implemented feature that properly adds multi-architecture Docker support. The implementation follows Docker best practices and includes comprehensive testing and documentation.
🔍 Detailed Code Review
New Test Workflow (.github/workflows/docker-multiarch-test.yml)
Strengths:
- Comprehensive testing strategy with matrix builds for both AMD64 and ARM64
- Proper QEMU setup for cross-platform emulation
- Multi-layered validation: build verification, Python functionality, package imports, and web server startup
- Excellent error handling with timeouts and proper cleanup
- GitHub Actions cache integration for performance optimization
- Clear build summary with formatted results
Critical Issues to Address:
- Line 46: Invalid Docker tag format -
ldr-test:linux/arm64-${{ github.sha }}contains slashes which aren't allowed in Docker tags - Line 47: File path mismatch - using
${{ matrix.platform }}creates nested paths like/tmp/image-linux/arm64.tarbut later code expects/tmp/image-linux-arm64.tar
Suggested Fixes:
# Line 46-47: Fix tag and file naming tags: ldr-test:${{ matrix.platform.replace('/', '-') }}-${{ github.sha }} outputs: type=docker,dest=/tmp/image-${{ matrix.platform.replace('/', '-') }}.tar
Minor Improvements:
- Line 35: Remove
network=hostdriver option unless specifically needed - Consider adding architecture validation to ensure built image matches target platform
Updated Publish Workflow (.github/workflows/docker-publish.yml)
Strengths:
- Clean and minimal changes - only added necessary multi-arch support
- Proper platform specification on line 47:
linux/amd64,linux/arm64 - Maintains existing security practices with secrets management
- GitHub Actions cache optimization preserved
Minor Optimization:
- Line 22: Consider limiting QEMU to specific platforms:
platforms: arm64instead ofall
Documentation (docs/docker/multiarch-testing.md)
Strengths:
- Excellent comprehensive guide covering multiple testing approaches
- Clear troubleshooting section addressing common ARM64 issues
- Performance expectations clearly documented (3-5x slower builds)
- Practical examples with working command snippets
Suggestions for Enhancement:
- Line 16: Consider using
tonistiigi/binfmtfor QEMU setup as it's more reliable - Line 43: Add concrete examples for exporting multi-arch images
- Consider adding section about image size differences between architectures
🔒 Security Assessment
✅ No security concerns identified:
- Secrets handling unchanged and appropriate
- No new privileged operations introduced
- QEMU setup follows standard practices
- Docker actions use pinned versions (
@v3,@v5,@v6)
⚡ Performance Considerations
Well-addressed:
- GitHub Actions caching implemented properly with platform-specific scopes
- Performance expectations documented (3-5x slower ARM64 builds)
- Parallel testing strategy reduces overall CI time
- Build optimization with proper cache configuration
Recommendations:
- Monitor CI build times post-merge to ensure caching effectiveness
- Consider ARM64 native runners for production if build times become problematic
🧪 Test Coverage
Excellent coverage:
- Multi-platform build validation
- Container startup verification
- Python environment testing
- Package import verification
- Web server functionality testing
- Proper cleanup and error handling
Enhancement suggestion:
- Consider adding basic API endpoint test to validate full application stack
🎯 Architecture Compatibility Analysis
Potential concerns with existing Dockerfile:
- Playwright/Chromium (lines 88-89, 145) - ARM64 compatibility documented in troubleshooting
- Node.js installation via NodeSource script (line 11) - should auto-detect but worth monitoring
- System dependencies may have different package names on ARM64
Recommendation: Monitor the first few ARM64 builds closely and be prepared to add architecture-specific conditionals if needed.
📋 Comparison with Existing Review
The copilot review identified the same critical issues I found:
- Invalid Docker tag format with slashes
- File path naming inconsistencies
- Minor optimizations for QEMU and documentation
✨ Best Practices Followed
- ✅ Proper GitHub Actions workflow structure
- ✅ Comprehensive testing before production deployment
- ✅ Clear documentation with troubleshooting
- ✅ Performance optimization with caching
- ✅ Minimal changes to existing workflows
- ✅ Proper secret management
- ✅ Version pinning for actions
🏁 Final Recommendation
✅ APPROVE with minor fixes - This PR implements multi-architecture support excellently but has two critical issues that must be addressed:
Required fixes:
- Fix Docker tag format in test workflow (line 46)
- Fix file path naming consistency (line 47)
Optional improvements:
- Remove unnecessary
network=hostoption - Limit QEMU platforms to
arm64only - Enhance documentation examples
Once the critical tag/path issues are fixed, this PR will provide robust multi-architecture Docker support with excellent testing and documentation.
- Fix Docker tag format by using platform_slug without slashes - Fix file path naming consistency in workflow - Remove unnecessary network=host option from buildx - Optimize QEMU platform setup to only use arm64 instead of all - Update documentation to use recommended tonistiigi/binfmt - Add concrete examples for exporting multi-arch images Addresses critical issues identified by Copilot and Claude bots
- sqlcipher3-binary doesn't have ARM64 wheels available - Use pysqlcipher3 for ARM64 architectures - Keep sqlcipher3-binary for x86_64 for better performance - Conditionally modify installation based on architecture detection This fixes the ARM64 build failure in the multi-arch Docker workflow
- Use specific pysqlcipher3 version (1.2.1) for stability - Install toml package for proper pyproject.toml manipulation - Properly filter out sqlcipher3-binary from dependencies on ARM64 - Add architecture-specific handling in test stage - Restore original pyproject.toml after dependency installation
- Install pysqlcipher3 in PDM virtual environment - Create symbolic link from pysqlcipher3 to sqlcipher3 for import compatibility - Apply fix to both builder and test stages - This resolves the 'No module named sqlcipher3' error on ARM64
- Create get_sqlcipher_module() function to handle platform-specific imports - Support both sqlcipher3 (x86_64) and pysqlcipher3 (ARM64) transparently - Update all SQLCipher imports to use the new function - Remove symlink workarounds from Dockerfile - Install pysqlcipher3 directly on ARM64 builds
🚨🚨🚨 CRITICAL SECURITY FILES MODIFIED 🚨🚨🚨
This PR modifies security-critical files. Please review with extra care!
🔐 DATABASE ENCRYPTION CHANGES DETECTED
- Changes to encryption can corrupt existing databases
- Verify SQLCipher pragma order is correct
- Test with existing encrypted databases
- Ensure backward compatibility
🔑 AUTHENTICATION CHANGES DETECTED
- Could affect user access and security
- Verify session handling is secure
- Test login/logout flows thoroughly
- Check for privilege escalation risks
📁 Modified Security Files:
- 🔐
src/local_deep_research/database/encrypted_db.py - 🔐
src/local_deep_research/database/sqlcipher_compat.py - 🔐
src/local_deep_research/database/sqlcipher_utils.py - 🔑
src/local_deep_research/web/auth/queue_middleware.py
✅ Required Review Checklist
Reviewers: Please verify ALL items before approving:
Encryption Review:
- SQLCipher pragmas are in correct order (key before other pragmas)
- No hardcoded encryption keys or passwords
- Backward compatibility maintained
- Tested with existing encrypted databases
- Migration path provided if schema changes
Authentication Review:
- No bypass of authentication checks
- Session management is secure
- Password hashing uses proper algorithms
- No privilege escalation vulnerabilities
- Rate limiting still enforced
General Security Review:
- No secrets or credentials in code
- No debug code that bypasses security
- Error messages don't leak sensitive info
- Logging doesn't expose sensitive data
- Input validation is proper
💡 Tips for reviewers:
- Take extra time with these changes
- Test locally with production-like data
- When in doubt, request additional review
- Consider running security tests manually
...ARM64 - Extract get_sqlcipher_module() to separate sqlcipher_compat.py file - This resolves circular import between encrypted_db and sqlcipher_utils - Add verification step after pysqlcipher3 installation in Docker - Ensure pysqlcipher3 is installed AFTER pdm install to prevent overwriting - Add import verification to confirm installation success
- Add sqlcipher and pkg-config to build dependencies for pysqlcipher3 compilation - Add verification steps after installation to confirm modules are available - Check packages persist after copying to production stage - Add debug output to help diagnose any installation issues - Ensure build fails fast if SQLCipher modules are not properly installed
The issue was that .venv/bin/pip doesn't exist because PDM manages its own virtual environment location. Using 'pdm run pip' ensures we're installing in the correct environment that PDM is managing.
Version 1.2.1 does not exist in PyPI. The available versions are 1.0.3, 1.0.4, 1.1.0, and 1.2.0. This was causing the ARM64 Docker build to fail during dependency installation.
The previous approach using 'pdm run pip install' was not properly installing pysqlcipher3 into the PDM-managed virtual environment. Changed to use 'pdm add pysqlcipher3==1.2.0' which correctly adds the package to the project dependencies and installs it in the venv. Also removed the redundant final verification step and simplified the ARM64 installation logic by removing the pyproject.toml manipulation which is no longer needed.
The previous approach was failing because PDM was still trying to install sqlcipher3-binary from the lock file. This fix: 1. Removes sqlcipher3-binary from pyproject.toml on ARM64 builds 2. Regenerates the lock file without sqlcipher3-binary 3. Installs all other dependencies successfully 4. Then installs pysqlcipher3 separately using pdm run pip install This ensures PDM doesn't try to install the non-existent ARM64 wheel for sqlcipher3-binary.
djpetti
djpetti
previously approved these changes
Oct 1, 2025
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
To be clear, this doesn't actually auto-build and push an ARM64 version of the Docker, right? It just enabled building it locally.
To be clear, this doesn't actually auto-build and push an ARM64 version of the Docker, right? It just enabled building it locally.
Its not completed. Tests are still failing
This commit improves the ARM64 Docker build with: 1. Added debug output to identify where the build is failing 2. Fixed sed command to remove both sqlcipher3-binary and sqlcipher3 lines (both lines need to be removed for ARM64 as neither is compatible) 3. Added error tolerance for grep commands with || true 4. More verbose logging to help diagnose build issues The issue was that the original sed command wasn't removing the sqlcipher3>=0.5.0 dependency, which was also causing problems on ARM64.
The issue was that 'pdm run pip' creates a subprocess that doesn't properly persist the pip installation. By using the direct path to the venv's pip (/install/.venv/bin/pip), we ensure the package is installed in the correct environment that will be used later.
The issue was that /install/.venv/bin/pip doesn't exist until PDM creates the venv. Using /home/martin/code/LDR5/local-deep-research/.venv2/bin/python ensures we get the correct Python interpreter path that PDM is using, which will work after pdm install creates the venv.
@LearningCircuit
LearningCircuit
added
enhancement
New feature or request
docker
Docker and containerization related issues
CI/CD
Continuous Integration/Deployment and GitHub Actions
labels
Oct 3, 2025
- pysqlcipher3 has a different API structure than sqlcipher3 - Import dbapi2 directly from pysqlcipher3 and wrap it for compatibility - This ensures both modules expose the same .dbapi2 interface
The previous class-based wrapper had a scope issue where `dbapi2 = dbapi2` tried to reference dbapi2 in the class body, but Python couldn't resolve it. Changed to use SimpleNamespace which directly wraps pysqlcipher3.dbapi2 and provides the same API as sqlcipher3 (a module with dbapi2 attribute). Fixes ARM64 Docker build failure.
The pysqlcipher3 module doesn't expose dbapi2 as a module attribute. Instead, dbapi2 must be imported directly using `from pysqlcipher3 import dbapi2`.
...ility ARM64 tests run under QEMU emulation which is very slow for CPU-intensive operations like PBKDF2. Reducing iterations from 256,000 to 1,000 for tests speeds up startup significantly while still validating encryption works.
djpetti
djpetti
requested changes
Oct 5, 2025
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Requesting changes to ensure that PDM is used correctly.
Dockerfile
Outdated
echo "=== ARM64 detected, using pysqlcipher3 instead of sqlcipher3-binary ===" && \
# Remove sqlcipher3-binary from pyproject.toml for ARM64 \
sed -i '/sqlcipher3-binary/d' pyproject.toml && \
echo "=== Checking original pyproject.toml ===" && \
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is not the best way to handle this. PDM and the pyproject.toml format support having specific dependencies for different targets. If you want, I can implement this myself, because I've used this particular feature of PDM quite a bit in the past.
Replace sed-based pyproject.toml manipulation with proper PEP 508 environment markers to handle platform-specific SQLCipher packages: - x86_64 Linux: sqlcipher3-binary - ARM64 Linux: pysqlcipher3 - Other platforms: sqlcipher3 This simplifies the Dockerfile significantly and follows PDM best practices.
djpetti
djpetti
previously approved these changes
Oct 5, 2025
The --check flag causes PDM to fail if the lockfile hash doesn't match. Remove it to allow Docker builds to proceed with the committed lockfile.
djpetti
djpetti
previously approved these changes
Oct 6, 2025
... tests
The ARM64 Docker image was hanging during startup due to APScheduler's
BackgroundScheduler having threading issues under QEMU emulation. This
commit addresses the issue in two ways:
1. **Fix boolean environment variable handling**: The settings manager
was incorrectly converting boolean environment variables. In Python,
bool("false") returns True, which meant setting LDR_NEWS_SCHEDULER_ENABLED=false
would not actually disable the scheduler. Added proper string-to-boolean
conversion that recognizes 'true', '1', 'yes', 'on' as True and everything
else as False.
2. **Disable news scheduler in Docker tests**: Added LDR_NEWS_SCHEDULER_ENABLED=false
environment variable to the multi-arch Docker test workflow to prevent the
scheduler from starting during tests, avoiding the threading hang under QEMU.
This fix ensures ARM64 Docker images can start successfully while maintaining
full functionality in production environments.
djpetti
djpetti
previously approved these changes
Oct 7, 2025
The news scheduler was being initialized even when disabled via environment variable, causing hangs under QEMU. Now we check the enabled setting BEFORE calling initialize_with_settings() to completely skip initialization when the scheduler is disabled.
The code was hanging during imports before reaching the enabled check. Now we check LDR_NEWS_SCHEDULER_ENABLED environment variable BEFORE importing any scheduler modules, completely avoiding the hang under QEMU when the scheduler is disabled. Also updated pre-commit hook to allow app_factory.py to access env vars directly since it needs to check before any imports.
- Increase server startup timeout from 30s to 120s for ARM64 under QEMU - Add progress logging every 10 seconds during startup wait - Add strategic logging in app_factory to identify where startup hangs - Log each major initialization step (middleware, cache, blueprints, etc.) - Log individual blueprint imports to pinpoint any problematic imports This will help diagnose the ARM64 startup hang issue where the server initializes databases but never starts listening on port 5000.
Add detailed logging for each middleware import in apply_middleware() to identify which specific import causes the ARM64 hang.
...mport Move queue_processor import from module level to function level in queue_middleware.py to avoid triggering heavy dependency chain during app startup. The import chain was: queue_middleware -> queue/processor -> research_service -> search_system -> search_engines_config -> search_engine_local -> FAISS FAISS initialization hangs on ARM64 under QEMU emulation due to OpenMP/threading issues. By making this a lazy import, we avoid loading FAISS during startup while preserving queue functionality for when it's actually needed (on user requests). This fixes the 120+ second hang during Docker container startup in ARM64 CI tests.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
Changes
docker-publish.ymlto build forlinux/amd64andlinux/arm64docker-multiarch-test.ymlfor CI validation of both architecturesTesting
Performance Notes
Addresses #825