From 2fe5326ed447b36d369919a3a8dec480667ff101 Mon Sep 17 00:00:00 2001 From: Jiadong Bai Date: Mon, 4 May 2026 21:48:08 -0700 Subject: [PATCH 1/2] feat(docker): run service containers as non-root user Add a system user (UID/GID 1001 "texera") and a USER directive at the end of every service runtime stage so containers don't run as root. Aligns with Kubernetes runAsNonRoot PSS guidance and clears the Docker Hub "non-root user for the final stage" finding. - 7 Debian-derived runtimes (eclipse-temurin:*-jammy): groupadd/useradd with --system, chown -R /texera, USER 1001:1001 - texera-web-application also chowns /frontend (frontend dist) - agent-service uses Alpine syntax (addgroup -S / adduser -S), chown -R /app Sidecars under bin/y-websocket-server/ and bin/pylsp/ are out of scope; they have separate base-image issues tracked elsewhere. Closes #4940 --- bin/access-control-service.dockerfile | 6 ++++++ bin/agent-service.dockerfile | 5 +++++ bin/computing-unit-master.dockerfile | 6 ++++++ bin/computing-unit-worker.dockerfile | 6 ++++++ bin/config-service.dockerfile | 6 ++++++ bin/file-service.dockerfile | 6 ++++++ bin/texera-web-application.dockerfile | 6 ++++++ bin/workflow-compiling-service.dockerfile | 6 ++++++ bin/workflow-computing-unit-managing-service.dockerfile | 6 ++++++ 9 files changed, 53 insertions(+) diff --git a/bin/access-control-service.dockerfile b/bin/access-control-service.dockerfile index fac67fb08b0..886629fc476 100644 --- a/bin/access-control-service.dockerfile +++ b/bin/access-control-service.dockerfile 
@@ -69,6 +69,12 @@ COPY --from=build /texera/access-control-service/LICENSE-binary /texera/LICENSE COPY --from=build /texera/access-control-service/NOTICE-binary /texera/NOTICE COPY --from=build /texera/licenses /texera/licenses COPY --from=build /texera/DISCLAIMER /texera/ + +RUN groupadd --system --gid 1001 texera \ + && useradd --system --uid 1001 --gid texera --home-dir /texera --no-create-home texera \ + && chown -R texera:texera /texera +USER 1001:1001 + CMD ["bin/access-control-service"] EXPOSE 9096 \ No newline at end of file diff --git a/bin/agent-service.dockerfile b/bin/agent-service.dockerfile index b2fcdea5704..cb4594dbb75 100644 --- a/bin/agent-service.dockerfile +++ b/bin/agent-service.dockerfile @@ -40,6 +40,11 @@ COPY NOTICE ./NOTICE COPY DISCLAIMER ./DISCLAIMER COPY licenses ./licenses +RUN addgroup -S -g 1001 texera \ + && adduser -S -u 1001 -G texera -h /app texera \ + && chown -R texera:texera /app +USER 1001:1001 + EXPOSE 3001 CMD ["bun", "run", "src/server.ts"] diff --git a/bin/computing-unit-master.dockerfile b/bin/computing-unit-master.dockerfile index 8f2fa2b999e..c3190657c31 100644 --- a/bin/computing-unit-master.dockerfile +++ b/bin/computing-unit-master.dockerfile @@ -99,6 +99,12 @@ COPY --from=build /texera/amber/LICENSE-binary-combined /texera/LICENSE COPY --from=build /texera/amber/NOTICE-binary /texera/NOTICE COPY --from=build /texera/licenses /texera/licenses COPY --from=build /texera/DISCLAIMER /texera/ + +RUN groupadd --system --gid 1001 texera \ + && useradd --system --uid 1001 --gid texera --home-dir /texera --no-create-home texera \ + && chown -R texera:texera /texera +USER 1001:1001 + CMD ["bin/computing-unit-master"] EXPOSE 8085 diff --git a/bin/computing-unit-worker.dockerfile b/bin/computing-unit-worker.dockerfile index c36a5a2698d..00c30cf0384 100644 --- a/bin/computing-unit-worker.dockerfile +++ b/bin/computing-unit-worker.dockerfile 
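Review bot: The `chown -R texera:texera /texera` in the added RUN makes the service's own JARs and launcher script writable by the account that executes them, so a code-execution bug in the service becomes a way to patch its own binaries, and because it runs in a layer after the `COPY --from=build` lines it also duplicates the entire /texera tree in the image. Root-owned files copied with default 0755/0644 modes are already readable and executable by UID 1001, so the chown can be dropped, or, if the service genuinely writes under /texera at runtime (not visible from this hunk), restricted to that subdirectory, ideally via `--chown=1001:1001` on the relevant COPY (the COPY block begins above this hunk). The useradd also leaves the Debian default login shell on the account; `--shell /usr/sbin/nologin` (present in the jammy base) is a cheap hardening: `&& useradd --system --uid 1001 --gid texera --home-dir /texera --no-create-home --shell /usr/sbin/nologin texera`. The same pattern is repeated in the other six Debian-based dockerfiles in this commit.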
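Review bot: `chown -R texera:texera /app` gives the runtime user write access to the agent's whole source tree and dependencies under /app, including the `src/server.ts` that CMD runs, which is broader than the non-root switch needs and also re-copies everything into a new layer. Leaving /app root-owned and world-readable is sufficient for `bun run`; if bun or the service needs a writable location at runtime (for instance a cache under the home directory set by `-h /app`, which I cannot confirm from here), give it a dedicated directory rather than the entire tree. Since /app is already populated, `-H` keeps adduser from touching it: `&& adduser -S -H -u 1001 -G texera -h /app texera`.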
@@ -97,6 +97,12 @@ COPY --from=build /texera/amber/LICENSE-binary-combined /texera/LICENSE COPY --from=build /texera/amber/NOTICE-binary /texera/NOTICE COPY --from=build /texera/licenses /texera/licenses COPY --from=build /texera/DISCLAIMER /texera/ + +RUN groupadd --system --gid 1001 texera \ + && useradd --system --uid 1001 --gid texera --home-dir /texera --no-create-home texera \ + && chown -R texera:texera /texera +USER 1001:1001 + CMD ["bin/computing-unit-worker"] EXPOSE 8085 \ No newline at end of file diff --git a/bin/config-service.dockerfile b/bin/config-service.dockerfile index 251d5fdb8a0..78ea4c4199c 100644 --- a/bin/config-service.dockerfile +++ b/bin/config-service.dockerfile @@ -70,6 +70,12 @@ COPY --from=build /texera/config-service/LICENSE-binary /texera/LICENSE COPY --from=build /texera/config-service/NOTICE-binary /texera/NOTICE COPY --from=build /texera/licenses /texera/licenses COPY --from=build /texera/DISCLAIMER /texera/ + +RUN groupadd --system --gid 1001 texera \ + && useradd --system --uid 1001 --gid texera --home-dir /texera --no-create-home texera \ + && chown -R texera:texera /texera +USER 1001:1001 + CMD ["bin/config-service"] EXPOSE 9094 \ No newline at end of file diff --git a/bin/file-service.dockerfile b/bin/file-service.dockerfile index 4decf696127..fd046f55a27 100644 --- a/bin/file-service.dockerfile +++ b/bin/file-service.dockerfile @@ -69,6 +69,12 @@ COPY --from=build /texera/file-service/LICENSE-binary /texera/LICENSE COPY --from=build /texera/file-service/NOTICE-binary /texera/NOTICE COPY --from=build /texera/licenses /texera/licenses COPY --from=build /texera/DISCLAIMER /texera/ + +RUN groupadd --system --gid 1001 texera \ + && useradd --system --uid 1001 --gid texera --home-dir /texera --no-create-home texera \ + && chown -R texera:texera /texera +USER 1001:1001 + CMD ["bin/file-service"] EXPOSE 9092 \ No newline at end of file 
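Review bot: For file-service the `chown -R texera:texera /texera` plausibly has a real purpose, since a service that stores files needs somewhere writable, but the hunk does not show which path that is, and making the entire install tree (JARs, launcher, licenses) writable is more than that requires. If uploads or caches land under /texera at runtime, create and own that directory explicitly in the RUN (e.g. `&& install -d -o texera -g texera /texera/data`, with the path adjusted to what the service actually uses) and preferably declare it as a mount point, while the artifacts copied by `COPY --from=build` stay root-owned and read-only. As written the recursive chown also duplicates every copied file in a new layer.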
diff --git a/bin/texera-web-application.dockerfile b/bin/texera-web-application.dockerfile index f0d8fbdbf9d..e6602048c4e 100644 --- a/bin/texera-web-application.dockerfile +++ b/bin/texera-web-application.dockerfile @@ -101,6 +101,12 @@ COPY --from=build /texera/amber/LICENSE-binary-combined /texera/LICENSE COPY --from=build /texera/amber/NOTICE-binary /texera/NOTICE COPY --from=build /texera/licenses /texera/licenses COPY --from=build /texera/DISCLAIMER /texera/ + +RUN groupadd --system --gid 1001 texera \ + && useradd --system --uid 1001 --gid texera --home-dir /texera --no-create-home texera \ + && chown -R texera:texera /texera /frontend +USER 1001:1001 + CMD ["bin/texera-web-application"] EXPOSE 8080 \ No newline at end of file diff --git a/bin/workflow-compiling-service.dockerfile b/bin/workflow-compiling-service.dockerfile index a2617d7a4bc..991d7a7f502 100644 --- a/bin/workflow-compiling-service.dockerfile +++ b/bin/workflow-compiling-service.dockerfile @@ -70,6 +70,12 @@ COPY --from=build /texera/workflow-compiling-service/LICENSE-binary /texera/LICE COPY --from=build /texera/workflow-compiling-service/NOTICE-binary /texera/NOTICE COPY --from=build /texera/licenses /texera/licenses COPY --from=build /texera/DISCLAIMER /texera/ + +RUN groupadd --system --gid 1001 texera \ + && useradd --system --uid 1001 --gid texera --home-dir /texera --no-create-home texera \ + && chown -R texera:texera /texera +USER 1001:1001 + CMD ["bin/workflow-compiling-service"] EXPOSE 9090 \ No newline at end of file diff --git a/bin/workflow-computing-unit-managing-service.dockerfile b/bin/workflow-computing-unit-managing-service.dockerfile index 1edb94019a6..8c979f06127 100644 --- a/bin/workflow-computing-unit-managing-service.dockerfile +++ b/bin/workflow-computing-unit-managing-service.dockerfile 
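Review bot: Chowning `/frontend` to the runtime user makes the built frontend bundle, the static JS/HTML this service serves to browsers, writable by the backend process, so any code-execution bug in the backend becomes a way to tamper with what every client downloads. Static assets only need to be readable, so keep /frontend root-owned by dropping it from the chown, `&& chown -R texera:texera /texera`, or drop the chown line entirely if /texera has no runtime-writable path either, since root-owned 0644/0755 files are readable by UID 1001. If the server does write under /frontend at runtime (not visible here), scope the chown to that subdirectory alone.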
@@ -70,6 +70,12 @@ COPY --from=build /texera/computing-unit-managing-service/LICENSE-binary /texera COPY --from=build /texera/computing-unit-managing-service/NOTICE-binary /texera/NOTICE COPY --from=build /texera/licenses /texera/licenses COPY --from=build /texera/DISCLAIMER /texera/ + +RUN groupadd --system --gid 1001 texera \ + && useradd --system --uid 1001 --gid texera --home-dir /texera --no-create-home texera \ + && chown -R texera:texera /texera +USER 1001:1001 + CMD ["bin/computing-unit-managing-service"] EXPOSE 8888 \ No newline at end of file From c82b8d54660a141dfd0d005a7c137b54c88ee5fc Mon Sep 17 00:00:00 2001 From: Jiadong Bai Date: Tue, 5 May 2026 13:51:07 -0700 Subject: [PATCH 2/2] change number to texera --- bin/access-control-service.dockerfile | 2 +- bin/agent-service.dockerfile | 2 +- bin/computing-unit-master.dockerfile | 2 +- bin/computing-unit-worker.dockerfile | 2 +- bin/config-service.dockerfile | 2 +- bin/file-service.dockerfile | 2 +- bin/texera-web-application.dockerfile | 2 +- bin/workflow-compiling-service.dockerfile | 2 +- bin/workflow-computing-unit-managing-service.dockerfile | 2 +- 9 files changed, 9 insertions(+), 9 deletions(-) diff --git a/bin/access-control-service.dockerfile b/bin/access-control-service.dockerfile index 886629fc476..1429171a5a5 100644 --- a/bin/access-control-service.dockerfile +++ b/bin/access-control-service.dockerfile @@ -73,7 +73,7 @@ COPY --from=build /texera/DISCLAIMER /texera/ RUN groupadd --system --gid 1001 texera \ && useradd --system --uid 1001 --gid texera --home-dir /texera --no-create-home texera \ && chown -R texera:texera /texera -USER 1001:1001 +USER texera CMD ["bin/access-control-service"] diff --git a/bin/agent-service.dockerfile b/bin/agent-service.dockerfile index cb4594dbb75..7edf38287aa 100644 --- a/bin/agent-service.dockerfile +++ b/bin/agent-service.dockerfile 
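Review bot: Replacing `USER 1001:1001` with `USER texera` undoes the Kubernetes `runAsNonRoot` alignment the first commit claims: when `runAsNonRoot: true` is set and the pod spec does not supply `runAsUser`, the kubelet cannot verify a non-numeric image user and refuses to start the container (the error reads roughly `container has runAsNonRoot and image has non-numeric user (texera), cannot verify user is non-root`). As far as I can tell hadolint (DL3002) and Docker Hub's non-root check accept either form, so the name buys nothing there. Keep the numeric form and record the mapping in a comment instead: `# texera (uid/gid 1001); numeric so runAsNonRoot can verify it` followed by `USER 1001:1001`. This applies to all nine files touched by this commit.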
@@ -43,7 +43,7 @@ COPY licenses ./licenses RUN addgroup -S -g 1001 texera \ && adduser -S -u 1001 -G texera -h /app texera \ && chown -R texera:texera /app -USER 1001:1001 +USER texera EXPOSE 3001 diff --git a/bin/computing-unit-master.dockerfile b/bin/computing-unit-master.dockerfile index c3190657c31..5fcb54968dc 100644 --- a/bin/computing-unit-master.dockerfile +++ b/bin/computing-unit-master.dockerfile @@ -103,7 +103,7 @@ COPY --from=build /texera/DISCLAIMER /texera/ RUN groupadd --system --gid 1001 texera \ && useradd --system --uid 1001 --gid texera --home-dir /texera --no-create-home texera \ && chown -R texera:texera /texera -USER 1001:1001 +USER texera CMD ["bin/computing-unit-master"] diff --git a/bin/computing-unit-worker.dockerfile b/bin/computing-unit-worker.dockerfile index 00c30cf0384..f600a9c05fb 100644 --- a/bin/computing-unit-worker.dockerfile +++ b/bin/computing-unit-worker.dockerfile @@ -101,7 +101,7 @@ COPY --from=build /texera/DISCLAIMER /texera/ RUN groupadd --system --gid 1001 texera \ && useradd --system --uid 1001 --gid texera --home-dir /texera --no-create-home texera \ && chown -R texera:texera /texera -USER 1001:1001 +USER texera CMD ["bin/computing-unit-worker"] diff --git a/bin/config-service.dockerfile b/bin/config-service.dockerfile index 78ea4c4199c..17c3d57de1f 100644 --- a/bin/config-service.dockerfile +++ b/bin/config-service.dockerfile @@ -74,7 +74,7 @@ COPY --from=build /texera/DISCLAIMER /texera/ RUN groupadd --system --gid 1001 texera \ && useradd --system --uid 1001 --gid texera --home-dir /texera --no-create-home texera \ && chown -R texera:texera /texera -USER 1001:1001 +USER texera CMD ["bin/config-service"] diff --git a/bin/file-service.dockerfile b/bin/file-service.dockerfile index fd046f55a27..3966b5122b8 100644 --- a/bin/file-service.dockerfile +++ b/bin/file-service.dockerfile 
@@ -73,7 +73,7 @@ COPY --from=build /texera/DISCLAIMER /texera/ RUN groupadd --system --gid 1001 texera \ && useradd --system --uid 1001 --gid texera --home-dir /texera --no-create-home texera \ && chown -R texera:texera /texera -USER 1001:1001 +USER texera CMD ["bin/file-service"] diff --git a/bin/texera-web-application.dockerfile b/bin/texera-web-application.dockerfile index e6602048c4e..706b0fdcfb5 100644 --- a/bin/texera-web-application.dockerfile +++ b/bin/texera-web-application.dockerfile @@ -105,7 +105,7 @@ COPY --from=build /texera/DISCLAIMER /texera/ RUN groupadd --system --gid 1001 texera \ && useradd --system --uid 1001 --gid texera --home-dir /texera --no-create-home texera \ && chown -R texera:texera /texera /frontend -USER 1001:1001 +USER texera CMD ["bin/texera-web-application"] diff --git a/bin/workflow-compiling-service.dockerfile b/bin/workflow-compiling-service.dockerfile index 991d7a7f502..b8f7f6c3923 100644 --- a/bin/workflow-compiling-service.dockerfile +++ b/bin/workflow-compiling-service.dockerfile @@ -74,7 +74,7 @@ COPY --from=build /texera/DISCLAIMER /texera/ RUN groupadd --system --gid 1001 texera \ && useradd --system --uid 1001 --gid texera --home-dir /texera --no-create-home texera \ && chown -R texera:texera /texera -USER 1001:1001 +USER texera CMD ["bin/workflow-compiling-service"] diff --git a/bin/workflow-computing-unit-managing-service.dockerfile b/bin/workflow-computing-unit-managing-service.dockerfile index 8c979f06127..78d0ba89db4 100644 --- a/bin/workflow-computing-unit-managing-service.dockerfile +++ b/bin/workflow-computing-unit-managing-service.dockerfile @@ -74,7 +74,7 @@ COPY --from=build /texera/DISCLAIMER /texera/ RUN groupadd --system --gid 1001 texera \ && useradd --system --uid 1001 --gid texera --home-dir /texera --no-create-home texera \ && chown -R texera:texera /texera -USER 1001:1001 +USER texera CMD ["bin/computing-unit-managing-service"]