fix(docker): updated docker to use non-root user for k8s/helm deployments (#1626)

waleedlatif1 · web-flow · commit f345c4d1d8c4 · 2025-10-14T15:54:51.000-07:00
* fix(docker): updated docker to use non-root user for k8s/helm deployments

* ack PR comments
diff --git a/docker/app.Dockerfile b/docker/app.Dockerfile
@@ -63,19 +63,31 @@ RUN apk add --no-cache python3 py3-pip bash
 
 ENV NODE_ENV=production
 
-COPY --from=builder /app/apps/sim/public ./apps/sim/public
-COPY --from=builder /app/apps/sim/.next/standalone ./
-COPY --from=builder /app/apps/sim/.next/static ./apps/sim/.next/static
+# Create non-root user and group
+RUN addgroup -g 1001 -S nodejs && \
+    adduser -S nextjs -u 1001
 
-# Copy guardrails setup script and requirements
-COPY --from=builder /app/apps/sim/lib/guardrails/setup.sh ./apps/sim/lib/guardrails/setup.sh
-COPY --from=builder /app/apps/sim/lib/guardrails/requirements.txt ./apps/sim/lib/guardrails/requirements.txt
-COPY --from=builder /app/apps/sim/lib/guardrails/validate_pii.py ./apps/sim/lib/guardrails/validate_pii.py
+COPY --from=builder --chown=nextjs:nodejs /app/apps/sim/public ./apps/sim/public
+COPY --from=builder --chown=nextjs:nodejs /app/apps/sim/.next/standalone ./
+COPY --from=builder --chown=nextjs:nodejs /app/apps/sim/.next/static ./apps/sim/.next/static
 
-# Run guardrails setup to create venv and install Python dependencies
+# Guardrails setup (files need to be owned by nextjs for runtime)
+COPY --from=builder --chown=nextjs:nodejs /app/apps/sim/lib/guardrails/setup.sh ./apps/sim/lib/guardrails/setup.sh
+COPY --from=builder --chown=nextjs:nodejs /app/apps/sim/lib/guardrails/requirements.txt ./apps/sim/lib/guardrails/requirements.txt
+COPY --from=builder --chown=nextjs:nodejs /app/apps/sim/lib/guardrails/validate_pii.py ./apps/sim/lib/guardrails/validate_pii.py
+
+# Run guardrails setup as root, then fix ownership of generated venv files
 RUN chmod +x ./apps/sim/lib/guardrails/setup.sh && \
     cd ./apps/sim/lib/guardrails && \
-    ./setup.sh
+    ./setup.sh && \
+    chown -R nextjs:nodejs /app/apps/sim/lib/guardrails
+
+# Create .next/cache directory with correct ownership
+RUN mkdir -p apps/sim/.next/cache && \
+    chown -R nextjs:nodejs /app
+
+# Switch to non-root user
+USER nextjs
 
 EXPOSE 3000
 ENV PORT=3000 \
diff --git a/docker/db.Dockerfile b/docker/db.Dockerfile
@@ -17,9 +17,16 @@ RUN bun install --ignore-scripts
 FROM oven/bun:1.2.22-alpine AS runner
 WORKDIR /app
 
+# Create non-root user and group
+RUN addgroup -g 1001 -S nodejs && \
+    adduser -S nextjs -u 1001
+
 # Copy only the necessary files from deps
-COPY --from=deps /app/node_modules ./node_modules
-COPY packages/db/drizzle.config.ts ./packages/db/drizzle.config.ts
-COPY packages/db ./packages/db
+COPY --from=deps --chown=nextjs:nodejs /app/node_modules ./node_modules
+COPY --chown=nextjs:nodejs packages/db/drizzle.config.ts ./packages/db/drizzle.config.ts
+COPY --chown=nextjs:nodejs packages/db ./packages/db
+
+# Switch to non-root user
+USER nextjs
 
 WORKDIR /app/packages/db
diff --git a/docker/realtime.Dockerfile b/docker/realtime.Dockerfile
@@ -36,11 +36,18 @@ WORKDIR /app
 
 ENV NODE_ENV=production
 
+# Create non-root user and group
+RUN addgroup -g 1001 -S nodejs && \
+    adduser -S nextjs -u 1001
+
 # Copy the sim app and the shared db package needed by socket-server
-COPY --from=builder /app/apps/sim ./apps/sim
-COPY --from=builder /app/packages/db ./packages/db
-COPY --from=builder /app/node_modules ./node_modules
-COPY --from=builder /app/package.json ./package.json
+COPY --from=builder --chown=nextjs:nodejs /app/apps/sim ./apps/sim
+COPY --from=builder --chown=nextjs:nodejs /app/packages/db ./packages/db
+COPY --from=builder --chown=nextjs:nodejs /app/node_modules ./node_modules
+COPY --from=builder --chown=nextjs:nodejs /app/package.json ./package.json
+
+# Switch to non-root user
+USER nextjs
 
 # Expose socket server port (default 3002, but configurable via PORT env var)
 EXPOSE 3002
