fix(security): Containerized Backend application is running as root #1329
Open
Issue

- #1322

Summary

- Configured the backend container to run as a non-root user (appuser, UID/GID 1000) by introducing a dedicated entrypoint script, updating the Dockerfile, and ensuring host volume directories are pre-created with correct permissions.

Dockerfile Changes

- Installed `gosu` to enable privilege dropping from root to appuser at container startup.
- Created the `appuser` group (GID 1000) and user (UID 1000) in the image.
- Added `COPY entrypoint.sh /entrypoint.sh` and set it as the `ENTRYPOINT`.
- Pre-created all runtime-writable directories (`keys/`, `data/`, `config/`, `flows/backup/`, `openrag-documents/`) and `chown`-ed them to `appuser` in the image layer so defaults are correct when no volume is attached.

New: entrypoint.sh

- Added `entrypoint.sh` that runs as root on container start.
- Re-`chown`s all volume-mounted directories (`keys`, `flows`, `config`, `data`, `openrag-documents`) to `appuser:appuser` to handle Docker hosts where `:U` remapping is not supported.
- Execs the application process as `appuser` via `gosu`, dropping root privileges before `src/main.py` starts.

Makefile Changes

- Added `ensure-backend-volumes` target that creates and sets `775` permissions on `flows/`, `keys/`, `config/`, and `data/` on the host before Docker mounts them.
- Added `ensure-backend-volumes` as a prerequisite to all `dev`, `dev-cpu`, `dev-local`, `dev-local-cpu`, `dev-local-build-lf`, `dev-local-build-lf-cpu`, `dev-branch`, `dev-branch-cpu`, `restart-dev`, `test-ci`, and `test-ci-local` targets.

TUI (src/tui/main.py)

- Extended `setup_host_directories()` to apply `chmod 0o775` on all backend volume-mounted directories (`documents/`, `flows/`, `keys/`, `config/`, `data/`) so the container's `appuser` (UID 1000) can write to them even on Docker hosts that do not remap UIDs.
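A preflight check for the host-directory step described above, as an added example (not code from this PR or the project): it applies the POSIX owner/group/other rule to report whether UID/GID 1000 can write each mounted directory, since mode 775 grants write only to the owning user and group. The function names, status strings, and the assumptions that appuser has no supplementary groups and that no ACLs or user-namespace remapping apply are mine.

```python
import os
import stat

APP_UID = 1000  # appuser UID stated in the PR description
APP_GID = 1000  # appuser GID stated in the PR description
# Host directories the PR description lists for setup_host_directories()
BACKEND_DIRS = ("documents", "flows", "keys", "config", "data")


def can_write(st_uid, st_gid, st_mode, uid=APP_UID, gid=APP_GID):
    """Apply the POSIX owner/group/other rule: exactly one class is consulted.

    Creating files in a directory needs both write and search (x) bits.
    Assumption: the user has no supplementary groups and no ACLs apply.
    """
    if uid == 0:
        return True  # root bypasses mode bits (ignoring dropped capabilities)
    if st_uid == uid:
        need = stat.S_IWUSR | stat.S_IXUSR
    elif st_gid == gid:
        need = stat.S_IWGRP | stat.S_IXGRP
    else:
        need = stat.S_IWOTH | stat.S_IXOTH
    return (st_mode & need) == need


def audit(base, dirs=BACKEND_DIRS):
    """Return {name: status} for each expected directory under base."""
    report = {}
    for name in dirs:
        try:
            st = os.lstat(os.path.join(base, name))  # lstat: do not follow symlinks
        except FileNotFoundError:
            report[name] = "missing"
            continue
        if not stat.S_ISDIR(st.st_mode):
            report[name] = "not-a-directory"
        elif st.st_mode & stat.S_IWOTH:
            report[name] = "world-writable"  # looser than the 775 the PR sets
        elif can_write(st.st_uid, st.st_gid, st.st_mode):
            report[name] = "ok"
        else:
            report[name] = "not-writable-by-appuser"
    return report


if __name__ == "__main__":
    for name, status in audit(os.getcwd()).items():
        print(f"{name}: {status}")
```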