From afc81ed0da34443e857b0c9dcffc82bae3d9e229 Mon Sep 17 00:00:00 2001
From: Dimitar Mirchev <28221091+dimityrmirchev@users.noreply.github.com>
Date: Tue, 28 Apr 2026 16:18:00 +0300
Subject: [PATCH] feat: switch gateway image to distroless base

Replace the Ubuntu-based gateway image with gcr.io/distroless/cc-debian13 to minimize attack surface and image size.
---
 deploy/docker/Dockerfile.images | 27 +++++++++++++++++----------
 1 file changed, 17 insertions(+), 10 deletions(-)

diff --git a/deploy/docker/Dockerfile.images b/deploy/docker/Dockerfile.images
index 300dd1b46..3490f840c 100644
--- a/deploy/docker/Dockerfile.images
+++ b/deploy/docker/Dockerfile.images
@@ -227,24 +227,31 @@ FROM scratch AS supervisor-output
 COPY --from=supervisor-binary /build/out/openshell-sandbox /openshell-sandbox
 
 # ---------------------------------------------------------------------------
-# Final gateway image
+# Passwd stage – inject an openshell user (UID 1000) into distroless.
+# Distroless has no shell or useradd, so we craft the entry externally and
+# COPY it into the final image.
 # ---------------------------------------------------------------------------
-FROM nvcr.io/nvidia/base/ubuntu:noble-20251013 AS gateway
+FROM gcr.io/distroless/cc-debian13 AS gateway-base
 
-RUN apt-get update && apt-get install -y --no-install-recommends \
-    ca-certificates && \
-    apt-get install -y --only-upgrade gpgv && \
-    rm -rf /var/lib/apt/lists/*
+# Copy the minimal /etc/passwd and /etc/group from the distroless base image,
+# so we preserve any existing users/groups and only add the openshell user.
+FROM debian:trixie-slim AS gateway-passwd
+COPY --from=gateway-base /etc/passwd /etc/passwd
+COPY --from=gateway-base /etc/group /etc/group
+RUN echo 'openshell:x:1000:1000::/home/openshell:/sbin/nologin' >> /etc/passwd && \
+    echo 'openshell:x:1000:' >> /etc/group && \
+    mkdir -p /home/openshell && chown 1000:1000 /home/openshell
 
-RUN useradd --create-home --user-group openshell
+FROM gateway-base AS gateway
+
+COPY --from=gateway-passwd /etc/passwd /etc/passwd
+COPY --from=gateway-passwd /etc/group /etc/group
+COPY --from=gateway-passwd --chown=1000:1000 /home/openshell /home/openshell
 
 WORKDIR /app
 
 COPY --from=gateway-binary /build/out/openshell-gateway /usr/local/bin/
 
-RUN mkdir -p /build/crates/openshell-server
-COPY --chmod=755 crates/openshell-server/migrations /build/crates/openshell-server/migrations
-
 USER openshell
 
 EXPOSE 8080
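Review bot: Both new base images are pulled by floating tag — `FROM gcr.io/distroless/cc-debian13 AS gateway-base` and `FROM debian:trixie-slim AS gateway-passwd` — whereas the Ubuntu base being removed was at least date-pinned (`noble-20251013`), so this change loosens build reproducibility while tightening the runtime surface. Distroless tags are mutable and move with each upstream rebuild, and the passwd stage's output lands in the final image, so pin both by digest, e.g. `FROM gcr.io/distroless/cc-debian13@sha256:<digest> AS gateway-base`, and bump the digest deliberately rather than implicitly on every build. Separately, the hunk drops `COPY --chmod=755 crates/openshell-server/migrations ...` without a word in the commit message; if the gateway still reads migrations from that path at runtime this is a functional regression, and if they are now embedded in the binary the message should say so. Minor: `/sbin/nologin` does not exist in distroless, which is harmless since nothing spawns a login shell, but a comment such as `# shell field is unreachable: distroless ships no shell or login` would save the next reader a check.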