feat(agents): Updates to dockerfiles

Integrating updates from #646 to add a number of improvements to the
dockerfiles for different project types.

Author: dwayn

pkg/agentfs/examples/node.bun.Dockerfile

@@ -11,7 +11,8 @@
 # Final image contains only: compiled JS, node_modules, and runtime dependencies
 
 # Use official Bun image as base
-FROM oven/bun:1 AS base
+ARG BUN_VERSION=1
+FROM oven/bun:${BUN_VERSION} AS base
 
 # Define the program entrypoint file where your agent is started.
 ARG PROGRAM_MAIN="{{.ProgramMain}}"
@@ -29,26 +30,49 @@ COPY package.json bun.lock* ./
 
 # Install dependencies using bun
 # Bun automatically uses the lock file if it exists
+# Install all dependencies including dev for the build stage
 RUN bun install --frozen-lockfile
 
+# Set production environment
+ENV NODE_ENV=production
+
 # Copy all application files into the build container
 COPY . .
 
 # Build the TypeScript application (if needed)
 # Bun can run TypeScript directly, but building may still be needed for bundling
 RUN bun run build
 
+# Prune any dev dependencies that might have been needed for build
+# This keeps only production dependencies
+RUN bun install --production
+
 # === FINAL PRODUCTION STAGE ===
 # Start from the base image without build tools
 FROM base
 
+# Create a non-privileged user that the app will run under.
+# See https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#user
+ARG UID=10001
+RUN adduser \
+    --disabled-password \
+    --gecos "" \
+    --home "/app" \
+    --shell "/sbin/nologin" \
+    --uid "${UID}" \
+    appuser
+
 # Copy the built application from the build stage
 # This includes node_modules and compiled JavaScript files
 COPY --from=build /app /app
 
-# Expose the healthcheck port
-# This allows Docker and orchestration systems to check if the container is healthy
-EXPOSE 8081
+# Change ownership of all app files to the non-privileged user
+# This ensures the application can read/write files as needed
+RUN chown -R appuser:appuser /app
+
+# Switch to the non-privileged user for all subsequent operations
+# This improves security by not running as root
+USER appuser
 
 # Run the application using Bun
 # The "start" command tells the agent to connect to LiveKit and begin waiting for jobs
@@ -126,4 +150,5 @@ CMD [ "bun", "run", "{{.ProgramMain}}", "start" ]
 #    - Check that required environment variables are set
 #    - Ensure the healthcheck endpoint (8081) is accessible
 #
-# For more help: https://bun.sh/docs
+# For more help: https://bun.sh/docs
+# For LiveKit agent build help: https://docs.livekit.io/agents/ops/deployment/cloud/build

pkg/agentfs/examples/node.bun.dockerignore

@@ -1,61 +1,70 @@
-# Node.js/Bun artifacts
+# Node.js dependencies
 node_modules/
-.bun/
-bun-debug.log*
 npm-debug.log*
 yarn-debug.log*
 yarn-error.log*
 pnpm-debug.log*
 lerna-debug.log*
+bun-debug.log*
 
-# Build artifacts
+# Build outputs
 dist/
 build/
-*.tsbuildinfo
-
-# Testing
+out/
+.next/
 coverage/
 .nyc_output/
 
-# IDE & Editor files
-.vscode/
+# Environment variables
+.env
+.env.*
+
+# VCS, editor, OS
+.git/
+.gitignore
+.gitattributes
+.github/
+.gitlab-ci.yml
+.travis.yml
 .idea/
+.vscode/
 *.swp
 *.swo
 *~
 .DS_Store
-
-# Environment files
-.env
-.env.local
-.env.*.local
-
-# Docker artifacts
-Dockerfile*
-.dockerignore
-
-# Git files
-.git/
-.gitignore
+Thumbs.db
 
 # Documentation
 README.md
+LICENSE
 docs/
 
-# CI/CD
-.github/
-.gitlab-ci.yml
-.travis.yml
+# Tests
+test/
+tests/
+__tests__/
+*.test.js
+*.spec.js
+*.test.ts
+*.spec.ts
 
-# Logs
+# TypeScript
+*.tsbuildinfo
+
+# Docker files
+Dockerfile*
+.dockerignore
+docker-compose*.yml
+
+# Package manager specific - Bun
+.bun/
+.bun-cache/
+bun.lockb.log
+
+# Logs and temporary files
 logs/
 *.log
-
-# Temporary files
 .tmp/
 .temp/
 tmp/
-temp/
-
-# Bun specific
-.bun-cache/
+temp/

pkg/agentfs/examples/node.npm.Dockerfile

@@ -10,7 +10,8 @@
 # Benefits: Smaller final image without build tools and source files
 # Final image contains only: compiled JS, node_modules, and runtime dependencies
 
-FROM node:20-slim AS base
+ARG NODE_VERSION=22
+FROM node:${NODE_VERSION}-slim AS base
 
 # Define the program entrypoint file where your agent is started.
 ARG PROGRAM_MAIN="{{.ProgramMain}}"
@@ -33,6 +34,9 @@ COPY package*.json ./
 # Install dependencies using npm ci
 # npm ci is faster and more reliable for production builds than npm install
 # It requires package-lock.json and installs exact versions
+# must run this without --only=production because it won't work with typescript
+# projects because typescript is not a production dependency, npm prune will
+# remove dev dependencies further down
 RUN npm ci
 
 # Copy all application files into the build container
@@ -42,20 +46,42 @@ COPY . .
 # This compiles TypeScript to JavaScript and prepares for production
 RUN npm run build
 
+# Remove development dependencies after build
+# This reduces the final image size
+RUN npm prune --production
+
 # === FINAL PRODUCTION STAGE ===
 # Start from the base image without build tools
 FROM base
 
+# Set production environment for runtime
+ENV NODE_ENV=production
+
+# Create a non-privileged user that the app will run under.
+# See https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#user
+ARG UID=10001
+RUN adduser \
+    --disabled-password \
+    --gecos "" \
+    --home "/app" \
+    --shell "/sbin/nologin" \
+    --uid "${UID}" \
+    appuser
+
 # Copy the built application from the build stage
 # This includes node_modules and compiled JavaScript files
 COPY --from=build /app /app
 
 # Copy SSL certificates for HTTPS connections at runtime
 COPY --from=build /etc/ssl/certs /etc/ssl/certs
 
-# Expose the healthcheck port
-# This allows Docker and orchestration systems to check if the container is healthy
-EXPOSE 8081
+# Change ownership of all app files to the non-privileged user
+# This ensures the application can read/write files as needed
+RUN chown -R appuser:appuser /app
+
+# Switch to the non-privileged user for all subsequent operations
+# This improves security by not running as root
+USER appuser
 
 # Run the application
 # The "start" command tells the agent to connect to LiveKit and begin waiting for jobs
@@ -130,4 +156,5 @@ CMD [ "node", "{{.ProgramMain}}", "start" ]
 #    - Check that required environment variables are set
 #    - Ensure the healthcheck endpoint (8081) is accessible
 #
-# For more help: https://docs.livekit.io/agents/
+# For more help: https://docs.livekit.io/agents/
+# For build options and troubleshooting: https://docs.livekit.io/agents/ops/deployment/cloud/build

pkg/agentfs/examples/node.npm.dockerignore

@@ -1,33 +1,60 @@
 # Node.js dependencies
-node_modules
-npm-debug.log
-yarn-error.log
-pnpm-debug.log
+node_modules/
+npm-debug.log*
+yarn-debug.log*
+yarn-error.log*
+pnpm-debug.log*
+lerna-debug.log*
 
 # Build outputs
-dist
-build
-coverage
+dist/
+build/
+out/
+.next/
+coverage/
 
-# Local environment & config files
+# Environment variables
 .env
-.env.local
+.env.*
+
+# VCS, editor, OS
+.git/
+.gitignore
+.gitattributes
+.github/
+.idea/
+.vscode/
 .DS_Store
+Thumbs.db
+
+# Documentation
+README.md
+LICENSE
+docs/
 
-# Logs & temp files
-*.log
-*.gz
-*.tgz
-.tmp
-.cache
+# Tests
+test/
+tests/
+__tests__/
+*.test.js
+*.spec.js
+*.test.ts
+*.spec.ts
 
-# Docker artifacts
+# TypeScript
+*.tsbuildinfo
+
+# Docker files
 Dockerfile*
 .dockerignore
+docker-compose*.yml
 
-# Git & Editor files
-.git
-.gitignore
-.idea
-.vscode
+# Package manager specific
+.pnp.*
+.yarn/*
+!.yarn/patches
+!.yarn/plugins
+!.yarn/releases
+!.yarn/sdks
+!.yarn/versions