From fc501bee61912c1526742c5734caad176bbd90a7 Mon Sep 17 00:00:00 2001 From: Ed Clark Date: Fri, 27 Feb 2026 14:23:59 -0500 Subject: [PATCH 1/4] Update docker customization for CA and pip --- application/single_app/Dockerfile | 16 +++++++++------- .../custom-ca-certificates}/.gitkeep | 0 docker-customization/pip.conf | 1 + docs/how-to/docker_customization.md | 9 +++++++++ pip.conf.d/.gitkeep | 0 5 files changed, 19 insertions(+), 7 deletions(-) rename {custom-ca-certificates => docker-customization/custom-ca-certificates}/.gitkeep (100%) create mode 100644 docker-customization/pip.conf create mode 100644 docs/how-to/docker_customization.md delete mode 100644 pip.conf.d/.gitkeep diff --git a/application/single_app/Dockerfile b/application/single_app/Dockerfile index 65483ac6..96ae421d 100644 --- a/application/single_app/Dockerfile +++ b/application/single_app/Dockerfile @@ -8,14 +8,12 @@ ARG UID ARG GID # Setup pip.conf if has content -COPY pip.conf.d/ /etc/pip.conf.d +COPY docker-customization/pip.conf /etc/pip.conf # CA # copy certs to /etc/pki/ca-trust/source/anchors -COPY custom-ca-certificates/ /etc/ssl/certs -RUN mkdir -p /etc/pki/ca-trust/source/anchors/ \ - && update-ca-trust enable \ - && cp /etc/ssl/certs/*.crt /etc/pki/ca-trust/source/anchors/ \ +COPY docker-customization/custom-ca-certificates/ /etc/pki/ca-trust/source/anchors +RUN update-ca-trust enable \ && update-ca-trust extract ENV PYTHONUNBUFFERED=1 @@ -44,6 +42,7 @@ ARG UID ARG GID COPY --from=builder /etc/pki /etc/pki +COPY --from=builder /etc/ssl/certs /etc/ssl/certs COPY --from=builder /home/nonroot /home/nonroot COPY --from=builder /etc/passwd /etc/passwd COPY --from=builder /etc/group /etc/group 
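Review bot: The `*.crt` filter applied by the removed `cp /etc/ssl/certs/*.crt` line is gone, so `COPY docker-customization/custom-ca-certificates/ /etc/pki/ca-trust/source/anchors` now drops every file in that directory, the tracked `.gitkeep` included, into the trust anchors, while the new how-to still states certificates must be `.crt` and nothing in the build enforces it. Whether `update-ca-trust extract` silently skips an empty or non-PEM file depends on the p11-kit version in the base image, so removing the placeholder first, `rm -f /etc/pki/ca-trust/source/anchors/.gitkeep` as the opening command of the `RUN`, and verifying the result afterwards, `&& test -s /etc/ssl/certs/ca-bundle.crt`, would make a broken trust store a build failure rather than a runtime TLS error. Separately, `COPY docker-customization/pip.conf /etc/pip.conf` bakes that file into a builder layer; pip.conf commonly carries an authenticated `index-url`, so the how-to should state that credentials do not belong in it (a BuildKit `RUN --mount=type=secret` is the usual alternative), and it is worth confirming the runtime stage does not copy `/etc/pip.conf` across — the rest of the Dockerfile is outside these hunks.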
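Review bot: `COPY --from=builder /etc/ssl/certs /etc/ssl/certs` ties the runtime image's trust store to the builder stage's layout: on an `update-ca-trust`-managed system `/etc/ssl/certs/ca-bundle.crt` is typically a symlink into `/etc/pki/ca-trust/extracted`, so this copy only resolves because the line above also copies `/etc/pki`, and if the two stages' base images ever diverge the link can dangle without any build error. A one-line check after these copies, `RUN test -s /etc/ssl/certs/ca-bundle.crt`, turns that into a build failure, assuming the runtime stage has a shell. The runtime stage's `FROM` line is outside the hunk, so whether both stages share a base cannot be confirmed here.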
@@ -59,8 +58,11 @@ ENV HOME=/home/nonroot \ PYTHONIOENCODING=utf-8 \ LANG=C.UTF-8 \ LC_ALL=C.UTF-8 \ - PYTHONUNBUFFERED=1 - + PYTHONUNBUFFERED=1 \ + CERT_FILE=/etc/ssl/certs/ca-bundle.crt \ + SSL_CERT_DIR=/etc/ssl/certs \ + REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-bundle.crt + WORKDIR /app # Copy application code and set ownership diff --git a/custom-ca-certificates/.gitkeep b/docker-customization/custom-ca-certificates/.gitkeep similarity index 100% rename from custom-ca-certificates/.gitkeep rename to docker-customization/custom-ca-certificates/.gitkeep diff --git a/docker-customization/pip.conf b/docker-customization/pip.conf new file mode 100644 index 00000000..3dc81272 --- /dev/null +++ b/docker-customization/pip.conf @@ -0,0 +1 @@ +# Add pip configuration here \ No newline at end of file diff --git a/docs/how-to/docker_customization.md b/docs/how-to/docker_customization.md new file mode 100644 index 00000000..1b90f071 --- /dev/null +++ b/docs/how-to/docker_customization.md @@ -0,0 +1,9 @@ +# Docker Customization + +## Custom Certificate Authorities + +Add custom certification authorities to [/docker-customization/custom-ca-certificates](/docker-customization/custom-ca-certificates/) and they will be pull in to the system CAs during docker build. Must be in .crt format. + +## Custom pip conf + +Add customization as needed to [/docker-customization/pip.conf](/docker-customization/pip.conf). This will be used during docker build. \ No newline at end of file diff --git a/pip.conf.d/.gitkeep b/pip.conf.d/.gitkeep deleted file mode 100644 index e69de29b..00000000 From eac2ad68326e74beb0d8d53ddc9c2a7ae06395ec Mon Sep 17 00:00:00 2001 From: Ed Clark Date: Fri, 27 Feb 2026 14:25:53 -0500 Subject: [PATCH 2/4] Update release notes --- docs/explanation/release_notes.md | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/docs/explanation/release_notes.md b/docs/explanation/release_notes.md index c474eb28..89e1c326 100644 
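Review bot: `SSL_CERT_DIR=/etc/ssl/certs` in the new `ENV` lines is most likely inert: OpenSSL only consults a certificate directory through hash-named links, which an `update-ca-trust`-managed `/etc/ssl/certs` normally does not contain, so it should either be dropped or marked with a comment as intentional. The file variable is named `CERT_FILE` here, which OpenSSL does not read; PATCH 4/4 in this series already corrects it to `SSL_CERT_FILE`, so that is not re-raised. Clients that bundle their own trust store and ignore these variables are still not covered, so the how-to should say that the customization is known to reach OpenSSL-based and `requests`-based clients and must be verified for anything else. The `ENV` statement begins before the hunk.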
--- a/docs/explanation/release_notes.md +++ b/docs/explanation/release_notes.md @@ -90,6 +90,11 @@ * **Files Modified**: `chat-citations.js`. * (Ref: Citation parsing, page range handling, `CITATION_IMPROVEMENTS.md`) +* **Docker Customization: CA Certificate and pip.conf** + * Fixed Docker customization issues related to custom CA certificate handling and `pip.conf` configuration. + * Ensures Python package installation works reliably in environments requiring custom certificate trust and pip configuration. + * (Ref: Docker customization, CA cert setup, `pip.conf` handling) + #### User Interface Enhancements * **Extended Document Dropdown Width** @@ -1403,6 +1408,7 @@ - Updated `base.html` and `workspace.html` to reflect visual improvements. 4. **Security Improvements** - Implemented `X-Content-Type-Options: nosniff` header to mitigate MIME sniffing vulnerabilities. + - Enhanced security for loading AI Search index schema JSON files by implementing path validation and using `secure_filename` in backend settings. (Ref: `route_backend_settings.py`) 5. **Build & Deployment** - Added `docker_image_publish_dev.yml` GitHub Action workflow for publishing dev Docker images. - Updated Dockerfile to use **Python 3.12**. 
@@ -1699,7 +1705,7 @@ We introduced a robust user feedback system, expanded content-safety features fo - **Real-Time Message Scanning**: If Content Safety is enabled, user prompts are scanned for potentially disallowed content. Blocked messages are flagged and a “safety” message is added to the conversation log in place of a normal AI reply. - **Admin Safety Logs**: Site admins (with “Admin” role) can view a new “Safety Violations” page (at /admin/safety_violations) showing blocked or flagged messages. Admins can update the status, action taken, or notes on each violation. 2. **Expanded APIM Support for GPT, Embeddings, and Image Generation** - - **Fine-Grained APIM Toggles**: You can now enable or disable APIM usage independently for GPT, embeddings, and image generation. Each service has its own APIM endpoint, version, and subscription key fields in Admin Settings. + - **Fine-Grained APIM Toggles**: You can now enable or disable APIM usage independently for GPT, embeddings, and image generation. Each service has its own APIM endpoint, version, deployment, and subscription key fields in Admin Settings. - **UI-Driven Switching**: Check/uncheck “Enable APIM” to toggle between native Azure OpenAI endpoints or APIM-managed endpoints, all without redeploying the app. 3. **Workspaces & Documents Configuration** - **User Documents and Group Documents**: A new “Workspaces” tab in Admin Settings (replacing the old “Web Search” tab) lets you enable or disable user-specific documents and group-based documents. From 64a3ab9ecd0edb5f0536668f29b4632695a58997 Mon Sep 17 00:00:00 2001 From: Ed Clark Date: Fri, 27 Feb 2026 14:28:53 -0500 Subject: [PATCH 3/4] Revert changes to older release notes... --- docs/explanation/release_notes.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/docs/explanation/release_notes.md b/docs/explanation/release_notes.md index 89e1c326..0736e4bd 100644 --- a/docs/explanation/release_notes.md +++ b/docs/explanation/release_notes.md 
@@ -1408,7 +1408,6 @@ - Updated `base.html` and `workspace.html` to reflect visual improvements. 4. **Security Improvements** - Implemented `X-Content-Type-Options: nosniff` header to mitigate MIME sniffing vulnerabilities. - - Enhanced security for loading AI Search index schema JSON files by implementing path validation and using `secure_filename` in backend settings. (Ref: `route_backend_settings.py`) 5. **Build & Deployment** - Added `docker_image_publish_dev.yml` GitHub Action workflow for publishing dev Docker images. - Updated Dockerfile to use **Python 3.12**. 
@@ -1705,7 +1704,7 @@ We introduced a robust user feedback system, expanded content-safety features fo - **Real-Time Message Scanning**: If Content Safety is enabled, user prompts are scanned for potentially disallowed content. Blocked messages are flagged and a “safety” message is added to the conversation log in place of a normal AI reply. - **Admin Safety Logs**: Site admins (with “Admin” role) can view a new “Safety Violations” page (at /admin/safety_violations) showing blocked or flagged messages. Admins can update the status, action taken, or notes on each violation. 2. **Expanded APIM Support for GPT, Embeddings, and Image Generation** - - **Fine-Grained APIM Toggles**: You can now enable or disable APIM usage independently for GPT, embeddings, and image generation. Each service has its own APIM endpoint, version, deployment, and subscription key fields in Admin Settings. + - **Fine-Grained APIM Toggles**: You can now enable or disable APIM usage independently for GPT, embeddings, and image generation. Each service has its own APIM endpoint, version, and subscription key fields in Admin Settings. - **UI-Driven Switching**: Check/uncheck “Enable APIM” to toggle between native Azure OpenAI endpoints or APIM-managed endpoints, all without redeploying the app. 3. **Workspaces & Documents Configuration** - **User Documents and Group Documents**: A new “Workspaces” tab in Admin Settings (replacing the old “Web Search” tab) lets you enable or disable user-specific documents and group-based documents. From 79670edfadde55f65be41eb323c1c8c9695f846d Mon Sep 17 00:00:00 2001 From: Ed Clark <107473135+clarked-msft@users.noreply.github.com> Date: Fri, 27 Feb 2026 14:47:31 -0500 Subject: [PATCH 4/4] Apply suggestions from code review Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --- application/single_app/Dockerfile | 4 ++-- docs/how-to/docker_customization.md | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) 
diff --git a/application/single_app/Dockerfile b/application/single_app/Dockerfile index 96ae421d..57f377ee 100644 --- a/application/single_app/Dockerfile +++ b/application/single_app/Dockerfile @@ -7,7 +7,7 @@ FROM mcr.microsoft.com/azurelinux/base/python:3.12 AS builder ARG UID ARG GID -# Setup pip.conf if has content +# Copy pip.conf into the image for pip configuration COPY docker-customization/pip.conf /etc/pip.conf # CA @@ -59,7 +59,7 @@ ENV HOME=/home/nonroot \ LANG=C.UTF-8 \ LC_ALL=C.UTF-8 \ PYTHONUNBUFFERED=1 \ - CERT_FILE=/etc/ssl/certs/ca-bundle.crt \ + SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt \ SSL_CERT_DIR=/etc/ssl/certs \ REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-bundle.crt diff --git a/docs/how-to/docker_customization.md b/docs/how-to/docker_customization.md index 1b90f071..a1d50828 100644 --- a/docs/how-to/docker_customization.md +++ b/docs/how-to/docker_customization.md @@ -2,8 +2,8 @@ ## Custom Certificate Authorities -Add custom certification authorities to [/docker-customization/custom-ca-certificates](/docker-customization/custom-ca-certificates/) and they will be pull in to the system CAs during docker build. Must be in .crt format. +Add custom certificate authorities to [/docker-customization/custom-ca-certificates](/docker-customization/custom-ca-certificates/) and they will be pull in to the system CAs during docker build. Must be in .crt format. -## Custom pip conf +## Custom pip.conf Add customization as needed to [/docker-customization/pip.conf](/docker-customization/pip.conf). This will be used during docker build. \ No newline at end of file
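Review bot: The corrected `SSL_CERT_FILE` and the existing `REQUESTS_CA_BUNDLE` now point at the same bundle, but the `ENV` block still does not say why three variables are set or that they exist for the `docker-customization/` CAs, which the next maintainer will otherwise treat as boilerplate. A comment above the block would suffice, e.g. `# Point OpenSSL (SSL_CERT_FILE/SSL_CERT_DIR) and requests (REQUESTS_CA_BUNDLE) at the system bundle so CAs added under docker-customization/ are trusted by Python clients`. The `ENV` statement begins before the hunk.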