Docker
The application runs in a Docker container based on python:3.11-slim.
Dockerfile
FROM python:3.11-slim
ENV PYTHONUNBUFFERED=1
WORKDIR /app
# OpenSSH for StarRocks tunnel
RUN apt-get update && apt-get install -y --no-install-recommends openssh-client
COPY pyproject.toml ./
COPY byoc_agent/ ./byoc_agent/
RUN pip install --no-cache-dir .
COPY .streamlit/ ./.streamlit/
COPY entrypoint.sh ./
EXPOSE 8501
HEALTHCHECK --interval=30s --timeout=10s --start-period=30s --retries=3 \
CMD python -c "import urllib.request; urllib.request.urlopen('http://localhost:8501/_stcore/health')"
ENTRYPOINT ["./entrypoint.sh"]
Key points:
- openssh-client is installed for the SSH tunnel to StarRocks
- Dependencies are installed from
pyproject.toml - Health check hits Streamlit's built-in
/_stcore/healthendpoint - Port 8501 is exposed for the Streamlit UI
Entrypoint Script
entrypoint.sh handles two things: optional SSH tunnel setup, then starting Streamlit.
SSH Tunnel Environment Variables
All optional -- demo mode works without them.
| Variable | Default | Description |
|---|---|---|
SSH_TUNNEL_KEY | -- | Base64-encoded SSH private key |
SSH_TUNNEL_USER | ec2-user | SSH user on the bastion |
SSH_TUNNEL_HOST | -- | Bastion public IP or hostname |
SSH_TUNNEL_REMOTE | -- | Remote host:port to tunnel to |
SSH_TUNNEL_LOCAL_PORT | 9030 | Local port to bind |
What It Does
- If tunnel env vars are set, decodes the SSH key, writes it to
/root/.ssh/tunnel_key, and starts an SSH tunnel in the background with keepalive (ServerAliveInterval=30). - Sets
STARROCKS_HOST=127.0.0.1andSTARROCKS_PORTto the local tunnel port. - Starts Streamlit on
0.0.0.0:8501in headless mode.
Building and Running Locally
docker build -t byoc-agent:latest .
# Without tunnel (demo mode)
docker run -p 8501:8501 byoc-agent:latest
# With tunnel
docker run -p 8501:8501 \
-e SSH_TUNNEL_KEY="$(base64 < ~/.ssh/id_ed25519)" \
-e SSH_TUNNEL_HOST=100.100.118.18 \
-e SSH_TUNNEL_REMOTE=1cogri9tn-internal.cloud-app.celerdata.com:9030 \
byoc-agent:latest