fix(docker): updated docker to use non-root user for k8s/helm deployments (#1626)

* fix(docker): updated docker to use non-root user for k8s/helm deployments * ack PR comments
2026-01-09 15:07:55 -05:00 · 2025-10-14 15:54:51 -07:00
parent f147eaee1c
commit f345c4d1d8
3 changed files with 42 additions and 16 deletions
--- a/docker/app.Dockerfile
+++ b/docker/app.Dockerfile
@@ -63,19 +63,31 @@ RUN apk add --no-cache python3 py3-pip bash

 ENV NODE_ENV=production

-COPY --from=builder /app/apps/sim/public ./apps/sim/public
-COPY --from=builder /app/apps/sim/.next/standalone ./
-COPY --from=builder /app/apps/sim/.next/static ./apps/sim/.next/static
+# Create non-root user and group
+RUN addgroup -g 1001 -S nodejs && \
+    adduser -S nextjs -u 1001

-# Copy guardrails setup script and requirements
-COPY --from=builder /app/apps/sim/lib/guardrails/setup.sh ./apps/sim/lib/guardrails/setup.sh
-COPY --from=builder /app/apps/sim/lib/guardrails/requirements.txt ./apps/sim/lib/guardrails/requirements.txt
-COPY --from=builder /app/apps/sim/lib/guardrails/validate_pii.py ./apps/sim/lib/guardrails/validate_pii.py
+COPY --from=builder --chown=nextjs:nodejs /app/apps/sim/public ./apps/sim/public
+COPY --from=builder --chown=nextjs:nodejs /app/apps/sim/.next/standalone ./
+COPY --from=builder --chown=nextjs:nodejs /app/apps/sim/.next/static ./apps/sim/.next/static

-# Run guardrails setup to create venv and install Python dependencies
+# Guardrails setup (files need to be owned by nextjs for runtime)
+COPY --from=builder --chown=nextjs:nodejs /app/apps/sim/lib/guardrails/setup.sh ./apps/sim/lib/guardrails/setup.sh
+COPY --from=builder --chown=nextjs:nodejs /app/apps/sim/lib/guardrails/requirements.txt ./apps/sim/lib/guardrails/requirements.txt
+COPY --from=builder --chown=nextjs:nodejs /app/apps/sim/lib/guardrails/validate_pii.py ./apps/sim/lib/guardrails/validate_pii.py
+
+# Run guardrails setup as root, then fix ownership of generated venv files
 RUN chmod +x ./apps/sim/lib/guardrails/setup.sh && \
    cd ./apps/sim/lib/guardrails && \
-    ./setup.sh
+    ./setup.sh && \
+    chown -R nextjs:nodejs /app/apps/sim/lib/guardrails
+
+# Create .next/cache directory with correct ownership
+RUN mkdir -p apps/sim/.next/cache && \
+    chown -R nextjs:nodejs /app
+
+# Switch to non-root user
+USER nextjs

 EXPOSE 3000
 ENV PORT=3000 \
--- a/docker/db.Dockerfile
+++ b/docker/db.Dockerfile
@@ -17,9 +17,16 @@ RUN bun install --ignore-scripts
 FROM oven/bun:1.2.22-alpine AS runner
 WORKDIR /app

+# Create non-root user and group
+RUN addgroup -g 1001 -S nodejs && \
+    adduser -S nextjs -u 1001
+
 # Copy only the necessary files from deps
-COPY --from=deps /app/node_modules ./node_modules
-COPY packages/db/drizzle.config.ts ./packages/db/drizzle.config.ts
-COPY packages/db ./packages/db
+COPY --from=deps --chown=nextjs:nodejs /app/node_modules ./node_modules
+COPY --chown=nextjs:nodejs packages/db/drizzle.config.ts ./packages/db/drizzle.config.ts
+COPY --chown=nextjs:nodejs packages/db ./packages/db
+
+# Switch to non-root user
+USER nextjs

 WORKDIR /app/packages/db
--- a/docker/realtime.Dockerfile
+++ b/docker/realtime.Dockerfile
@@ -36,11 +36,18 @@ WORKDIR /app

 ENV NODE_ENV=production

+# Create non-root user and group
+RUN addgroup -g 1001 -S nodejs && \
+    adduser -S nextjs -u 1001
+
 # Copy the sim app and the shared db package needed by socket-server
-COPY --from=builder /app/apps/sim ./apps/sim
-COPY --from=builder /app/packages/db ./packages/db
-COPY --from=builder /app/node_modules ./node_modules
-COPY --from=builder /app/package.json ./package.json
+COPY --from=builder --chown=nextjs:nodejs /app/apps/sim ./apps/sim
+COPY --from=builder --chown=nextjs:nodejs /app/packages/db ./packages/db
+COPY --from=builder --chown=nextjs:nodejs /app/node_modules ./node_modules
+COPY --from=builder --chown=nextjs:nodejs /app/package.json ./package.json
+
+# Switch to non-root user
+USER nextjs

 # Expose socket server port (default 3002, but configurable via PORT env var)
 EXPOSE 3002