From c54096550b38645b25091025f6ca822709c0ea3f Mon Sep 17 00:00:00 2001
From: Steve Grubb <ausearch.1@gmail.com>
Date: Tue, 27 Aug 2024 12:17:25 -0400
Subject: [PATCH] Harden build of libsodium

Libsodium is being built with default CFLAGS. This adds optimization on par
with cmake release builds. It also adds security hardening flags suggested
for RHEL 9 to protect against various issues.
---
 Dockerfile.ubi | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/Dockerfile.ubi b/Dockerfile.ubi
index 87a2dd621101e..c9a91d87640b0 100644
--- a/Dockerfile.ubi
+++ b/Dockerfile.ubi
@@ -146,7 +146,8 @@ RUN curl -LO https://github.com/jedisct1/libsodium/releases/download/${LIBSODIUM
     && rm -f libsodium*.tar.gz \
     && mv libsodium*/* ./
 
-RUN ./configure --prefix="/usr/" && make && make check
+RUN CFLAGS="-O3 -Wall -Werror=format-security -Wno-unused-function -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong -fstack-clash-protection -fcf-protection"\
+    ./configure --prefix="/usr/" && make -j $MAX_JOBS && make check
 
 ## Release #####################################################################
 FROM python-install AS vllm-openai
@@ -220,5 +221,7 @@ ENV GRPC_PORT=8033 \
     # see: https://github.com/vllm-project/vllm/pull/6485
     DISABLE_LOGPROBS_DURING_SPEC_DECODING=false
 
-USER 2000
-ENTRYPOINT ["python3", "-m", "vllm_tgis_adapter", "--uvicorn-log-level=warning"]
+#USER 2000
+#ENTRYPOINT ["python3", "-m", "vllm_tgis_adapter", "--uvicorn-log-level=warning"]
+USER root
+ENTRYPOINT ["/bin/sh" ]