From ea43394b65e9703321ce6a64004da37fd7f4082c Mon Sep 17 00:00:00 2001 From: Tasuku Yamashita Date: Tue, 14 Apr 2026 12:00:14 +0900 Subject: [PATCH 1/7] Add claude-code-runner base image Base Docker image for running Claude Code in containers. Includes Claude Code CLI, gh, yq, and common dependencies. Designed to be used as FROM base by teams building their own runner images. Co-Authored-By: Claude Opus 4.6 (1M context) --- claude-code-runner/Dockerfile | 52 ++++++++++++++++++++++ claude-code-runner/Makefile | 29 ++++++++++++ claude-code-runner/README.md | 35 +++++++++++++++ claude-code-runner/docker-compose.test.yml | 18 ++++++++ claude-code-runner/entrypoint.sh | 7 +++ claude-code-runner/goss/goss.yaml | 18 ++++++++ claude-code-runner/hooks/test | 3 ++ 7 files changed, 162 insertions(+) create mode 100644 claude-code-runner/Dockerfile create mode 100644 claude-code-runner/Makefile create mode 100644 claude-code-runner/README.md create mode 100644 claude-code-runner/docker-compose.test.yml create mode 100644 claude-code-runner/entrypoint.sh create mode 100644 claude-code-runner/goss/goss.yaml create mode 100755 claude-code-runner/hooks/test diff --git a/claude-code-runner/Dockerfile b/claude-code-runner/Dockerfile new file mode 100644 index 000000000..6d24c8995 --- /dev/null +++ b/claude-code-runner/Dockerfile 
@@ -0,0 +1,52 @@
+FROM debian:bookworm-slim
+
+ARG CLAUDE_CODE_VERSION=latest
+
+LABEL version="${CLAUDE_CODE_VERSION}"
+
+# Common dependencies + debugging tools
+RUN apt-get update && apt-get install -y --no-install-recommends \
+ # Claude Code CLI install requirement
+ curl \
+ ca-certificates \
+ # Plugin common dependencies
+ git \
+ jq \
+ unzip \
+ python3 \
+ python3-pip \
+ awscli \
+ # Shell / container debugging
+ bash \
+ less \
+ procps \
+ net-tools \
+ dnsutils \
+ iputils-ping \
+ vim-tiny \
+ strace \
+ && rm -rf /var/lib/apt/lists/*
+
+# Claude Code CLI (Native Install)
+ENV PATH="/root/.local/bin:${PATH}"
+RUN curl -fsSL https://claude.ai/install.sh | bash
+
+# yq
+ARG YQ_VERSION=4.44.6
+RUN curl -fsSL "https://github.com/mikefarah/yq/releases/download/v${YQ_VERSION}/yq_linux_$(dpkg --print-architecture)" \
+ -o /usr/local/bin/yq \
+ && chmod +x /usr/local/bin/yq
+
+# GitHub CLI
+RUN curl -fsSL https://cli.github.com/packages/githubcli-archive-keyring.gpg \
+ -o /usr/share/keyrings/githubcli-archive-keyring.gpg \
+ && echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" \
+ > /etc/apt/sources.list.d/github-cli.list \
+ && apt-get update \
+ && apt-get install -y --no-install-recommends gh \
+ && rm -rf /var/lib/apt/lists/*
+
+COPY entrypoint.sh /entrypoint.sh
+RUN chmod +x /entrypoint.sh
+
+ENTRYPOINT ["/entrypoint.sh"]
diff --git a/claude-code-runner/Makefile b/claude-code-runner/Makefile
new file mode 100644
index 000000000..5f5b1b4f1
--- /dev/null
+++ b/claude-code-runner/Makefile
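Review bot: The `RUN curl -fsSL https://claude.ai/install.sh | bash` step has no failure signal from the pipe: the default `/bin/sh -c` has no pipefail, so if curl fails, bash reads an empty script and the step succeeds, leaving an image without a `claude` binary until goss runs. Since `bash` is installed in the apt layer above, add `SHELL ["/bin/bash", "-o", "pipefail", "-c"]` before the first piped `RUN`. The yq binary is fetched with no integrity check even though `YQ_VERSION` is pinned; fetch the release's published checksum file and verify with `sha256sum -c` in the same `RUN`, or use `ADD --checksum=sha256:<checksum-placeholder>` for the download. The same unguarded pipe is carried into the install lines of PATCH 2/7 and PATCH 7/7, so one `SHELL` line near the top fixes all three.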
@@ -0,0 +1,29 @@ +ARCH:=$(shell uname -m) +PLATFORM:=$(shell case "$(ARCH)" in \ + ("arm64"|"aarch64") echo "arm64" ;; \ + ("x86_64") echo "amd64" ;; \ + (*) echo $(ARCH) ;; \ +esac) + +.PHONY: build +build: + @docker buildx build -t chatwork/`basename $$PWD`:latest --platform linux/${PLATFORM} -f Dockerfile --load .; \ + version=$$(docker inspect -f {{.Config.Labels.version}} chatwork/`basename $$PWD`:latest); \ + if [ -n "$$version" ]; then \ + docker tag chatwork/`basename $$PWD`:latest chatwork/`basename $$PWD`:$$version; \ + fi + +.PHONY: test +test: build + docker-compose -f docker-compose.test.yml up --no-start sut + docker cp $(shell pwd)/goss `basename $$PWD`:/goss + docker-compose -f docker-compose.test.yml up --no-recreate --exit-code-from sut sut + +.PHONY: push +push: + @version=$$(docker inspect -f {{.Config.Labels.version}} chatwork/`basename $$PWD`:latest); \ + if docker inspect --format='{{index .RepoDigests 0}}' chatwork/$$(basename $$PWD):$$version >/dev/null 2>&1; then \ + echo "no changes"; \ + else \ + docker buildx build -t chatwork/`basename $$PWD`:$$version -t chatwork/`basename $$PWD`:latest --platform linux/amd64,linux/arm64 -f Dockerfile --push .; \ + fi diff --git a/claude-code-runner/README.md b/claude-code-runner/README.md new file mode 100644 index 000000000..f4851efa3 --- /dev/null +++ b/claude-code-runner/README.md 
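Review bot: `push` rebuilds the image with `docker buildx build … --platform linux/amd64,linux/arm64 … --push` rather than pushing the image that `test` exercised, so what reaches the registry is never the image goss validated, and because the Dockerfile fetches `install.sh` at build time the two builds may not even contain the same content. If a host-platform-only test is the accepted trade-off, record it above the `push` target, e.g. a comment saying that push rebuilds for both platforms and the goss run in `test` only covers the host platform. The `test` target also calls the v1 `docker-compose` binary while `build` and `push` already assume buildx; `docker compose` would keep the three targets on one toolchain.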
@@ -0,0 +1,35 @@ +# claude-code-runner + +A base Docker image for running [Claude Code](https://claude.ai/code) in containers. Provides the Claude Code CLI and common dependencies pre-installed. + +This image is designed to be used as a base (`FROM chatwork/claude-code-runner`) by teams building their own plugin marketplace runner images. + +## Usage + +### As a base image + +```dockerfile +FROM chatwork/claude-code-runner:latest + +# Copy your marketplace plugins +COPY . /marketplace +RUN claude plugin marketplace add /marketplace + +# (Optional) Override entrypoint +COPY entrypoint.sh /entrypoint.sh +RUN chmod +x /entrypoint.sh +``` + +### Standalone + +``` +$ docker run chatwork/claude-code-runner +``` + +## Included + +- Claude Code CLI +- curl, ca-certificates, git, jq, yq, unzip +- python3, python3-pip, awscli +- gh (GitHub CLI) +- Debugging tools (bash, less, procps, net-tools, dnsutils, vim-tiny, strace) diff --git a/claude-code-runner/docker-compose.test.yml b/claude-code-runner/docker-compose.test.yml new file mode 100644 index 000000000..6dcf2ada9 --- /dev/null +++ b/claude-code-runner/docker-compose.test.yml @@ -0,0 +1,18 @@ +version: '3' +services: + claude-code-runner: + build: + context: . + image: chatwork/claude-code-runner + sut: + image: chatwork/dgoss:latest + environment: + GOSS_FILES_PATH: /goss + GOSS_FILES_STRATEGY: cp + entrypoint: "" + command: /usr/local/bin/dgoss run --entrypoint '' chatwork/claude-code-runner tail -f /dev/null + container_name: claude-code-runner + volumes: + - /var/run/docker.sock:/var/run/docker.sock + depends_on: + - claude-code-runner diff --git a/claude-code-runner/entrypoint.sh b/claude-code-runner/entrypoint.sh new file mode 100644 index 000000000..ba9e8ff3f --- /dev/null +++ b/claude-code-runner/entrypoint.sh 
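Review bot: The `sut` service bind-mounts `/var/run/docker.sock`, which makes the test container root-equivalent on the host running `make test`; that is inherent to the dgoss pattern, but nothing in the file says so, and a reader may reuse this compose file outside CI. Add a comment above `volumes:` such as `# docker.sock lets dgoss start the image under test; host-root equivalent, run on disposable CI hosts only`. `version: '3'` is ignored by Compose v2 and only produces a warning, so it can be dropped.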
@@ -0,0 +1,7 @@ +#!/bin/bash +set -euo pipefail + +# Default entrypoint: show Claude Code version. +# Override by mounting your own /entrypoint.sh or using a derived image. +echo "=== claude-code-runner ===" +claude --version diff --git a/claude-code-runner/goss/goss.yaml b/claude-code-runner/goss/goss.yaml new file mode 100644 index 000000000..f04004502 --- /dev/null +++ b/claude-code-runner/goss/goss.yaml @@ -0,0 +1,18 @@ +file: + /root/.local/bin/claude: + exists: true +command: + claude --version: + exit-status: 0 + stdout: + - /\d+\.\d+\.\d+/ + git --version: + exit-status: 0 + jq --version: + exit-status: 0 + python3 --version: + exit-status: 0 + yq --version: + exit-status: 0 + gh --version: + exit-status: 0 diff --git a/claude-code-runner/hooks/test b/claude-code-runner/hooks/test new file mode 100755 index 000000000..3f97d1157 --- /dev/null +++ b/claude-code-runner/hooks/test @@ -0,0 +1,3 @@ +#!/bin/bash + +make test \ No newline at end of file From c6462d93fdcc5ef1f039d7a71eb802be0968b11e Mon Sep 17 00:00:00 2001 From: Tasuku Yamashita Date: Tue, 14 Apr 2026 12:16:20 +0900 Subject: [PATCH 2/7] Pin Claude Code version, trim debug packages, add variant mod - Pin Claude Code CLI to 2.1.105 via ARG and pass to installer - Add variant.mod/lock for automated version tracking via npm registry - Remove debug-only packages: vim-tiny, strace, dnsutils, iputils-ping, procps, net-tools, python3-pip - Add gpg and openssh-client for binary verification and SSH git access Co-Authored-By: Claude Opus 4.6 (1M context) --- claude-code-runner/Dockerfile | 18 +++++------------- claude-code-runner/README.md | 15 ++++++++++----- claude-code-runner/goss/goss.yaml | 4 +++- claude-code-runner/variant.lock | 4 ++++ claude-code-runner/variant.mod | 19 +++++++++++++++++++ 5 files changed, 41 insertions(+), 19 deletions(-) create mode 100644 claude-code-runner/variant.lock create mode 100644 claude-code-runner/variant.mod 
diff --git a/claude-code-runner/Dockerfile b/claude-code-runner/Dockerfile index 6d24c8995..cf689c92f 100644 --- a/claude-code-runner/Dockerfile +++ b/claude-code-runner/Dockerfile @@ -1,35 +1,27 @@ FROM debian:bookworm-slim -ARG CLAUDE_CODE_VERSION=latest +ARG CLAUDE_CODE_VERSION=2.1.105 LABEL version="${CLAUDE_CODE_VERSION}" -# Common dependencies + debugging tools +# Common dependencies RUN apt-get update && apt-get install -y --no-install-recommends \ - # Claude Code CLI install requirement curl \ ca-certificates \ - # Plugin common dependencies git \ jq \ unzip \ python3 \ - python3-pip \ awscli \ - # Shell / container debugging + gpg \ + openssh-client \ bash \ less \ - procps \ - net-tools \ - dnsutils \ - iputils-ping \ - vim-tiny \ - strace \ && rm -rf /var/lib/apt/lists/* # Claude Code CLI (Native Install) ENV PATH="/root/.local/bin:${PATH}" -RUN curl -fsSL https://claude.ai/install.sh | bash +RUN curl -fsSL https://claude.ai/install.sh | bash -s "${CLAUDE_CODE_VERSION}" # yq ARG YQ_VERSION=4.44.6 diff --git a/claude-code-runner/README.md b/claude-code-runner/README.md index f4851efa3..77f7b4152 100644 --- a/claude-code-runner/README.md +++ b/claude-code-runner/README.md @@ -28,8 +28,13 @@ $ docker run chatwork/claude-code-runner ## Included -- Claude Code CLI -- curl, ca-certificates, git, jq, yq, unzip -- python3, python3-pip, awscli -- gh (GitHub CLI) -- Debugging tools (bash, less, procps, net-tools, dnsutils, vim-tiny, strace) +| Category | Tools | +|---|---| +| Core | Claude Code CLI, curl, ca-certificates, git, bash, less | +| Data processing | jq, yq, unzip | +| Cloud / CI | awscli, gh (GitHub CLI), python3 | +| Security | gpg, openssh-client | + +## Version management + +Claude Code CLI version is pinned and automatically updated via [variant mod](https://github.com/mumoshu/variant). See `variant.mod` and `variant.lock` for details. 
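Review bot: Passing `"${CLAUDE_CODE_VERSION}"` to the installer selects which release is fetched, but the installer itself is still an unverified script downloaded at build time, and the `gpg` package this hunk adds is not used by any step in the Dockerfile, so the "binary verification" in the commit message has no counterpart in the image. Either add the check the message describes (the installer's published checksum or signature, verified in the same `RUN`, if one is published) or record the gap above the install line: `# NOTE: installer is not checksum/signature-verified; the version pin only selects the release`. The package list also lost its grouping when the comment lines were removed and is now unsorted (`bash`/`less` after `gpg`/`openssh-client`); an alphabetical order keeps future diffs small.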
diff --git a/claude-code-runner/goss/goss.yaml b/claude-code-runner/goss/goss.yaml index f04004502..3e277b68e 100644 --- a/claude-code-runner/goss/goss.yaml +++ b/claude-code-runner/goss/goss.yaml @@ -5,7 +5,7 @@ command: claude --version: exit-status: 0 stdout: - - /\d+\.\d+\.\d+/ + - 2.1.105 git --version: exit-status: 0 jq --version: @@ -16,3 +16,5 @@ command: exit-status: 0 gh --version: exit-status: 0 + gpg --version: + exit-status: 0 diff --git a/claude-code-runner/variant.lock b/claude-code-runner/variant.lock new file mode 100644 index 000000000..5c4073c1d --- /dev/null +++ b/claude-code-runner/variant.lock @@ -0,0 +1,4 @@ +dependencies: + claude_code: + version: 2.1.105 + previousVersion: 2.1.105 diff --git a/claude-code-runner/variant.mod b/claude-code-runner/variant.mod new file mode 100644 index 000000000..766397685 --- /dev/null +++ b/claude-code-runner/variant.mod @@ -0,0 +1,19 @@ +provisioners: + textReplace: + Dockerfile: + from: "ARG CLAUDE_CODE_VERSION={{ .claude_code.previousVersion }}" + to: "ARG CLAUDE_CODE_VERSION={{ .claude_code.version }}" + goss/goss.yaml: + from: "- {{ .claude_code.previousVersion }}" + to: "- {{ .claude_code.version }}" + +dependencies: + claude_code: + releasesFrom: + exec: + command: curl + args: + - -s + - 'https://registry.npmjs.org/@anthropic-ai/claude-code' + jsonPath: $.versions.*.version + version: "> 2.0" From 4a3f4e7c8796a46bf3933708caff6ffe286ff609 Mon Sep 17 00:00:00 2001 
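Review bot: `curl -s` in `releasesFrom.exec` has no `-f`/`--fail`, so a non-2xx response from the registry is delivered as an ordinary body and `jsonPath` then runs over an error document instead of the command failing; change the flag to `- -fsS` so HTTP errors surface as a non-zero exit. PATCH 3/7 rewrites this block to `bash -c "curl -s …/latest"` with no `jsonPath` at all, where the same flag matters more: an error body would be taken verbatim as the version string. The `goss.yaml` change from a regex to the literal `2.1.105` is fine, but it is now a second copy of the version that only stays correct as long as the `textReplace` provisioner above keeps matching its `from:` pattern.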
From: Tasuku Yamashita Date: Tue, 14 Apr 2026 12:38:35 +0900 Subject: [PATCH 3/7] Add Dockerfile.arm64, switch yq to latest, use GCS for variant mod - Add Dockerfile.arm64 symlink for multi-arch CI builds - Switch yq install from pinned version to latest release - Change variant mod source from npm registry to GCS latest endpoint - Remove hand-written variant.lock, regenerated via mod up Co-Authored-By: Claude Opus 4.6 (1M context) --- claude-code-runner/Dockerfile | 5 ++--- claude-code-runner/Dockerfile.arm64 | 1 + claude-code-runner/variant.lock | 5 ++++- claude-code-runner/variant.mod | 7 +++---- 4 files changed, 10 insertions(+), 8 deletions(-) create mode 120000 claude-code-runner/Dockerfile.arm64 diff --git a/claude-code-runner/Dockerfile b/claude-code-runner/Dockerfile index cf689c92f..f42ad0623 100644 --- a/claude-code-runner/Dockerfile +++ b/claude-code-runner/Dockerfile @@ -23,9 +23,8 @@ RUN apt-get update && apt-get install -y --no-install-recommends \ ENV PATH="/root/.local/bin:${PATH}" RUN curl -fsSL https://claude.ai/install.sh | bash -s "${CLAUDE_CODE_VERSION}" -# yq -ARG YQ_VERSION=4.44.6 -RUN curl -fsSL "https://github.com/mikefarah/yq/releases/download/v${YQ_VERSION}/yq_linux_$(dpkg --print-architecture)" \ +# yq (latest) +RUN curl -fsSL "https://github.com/mikefarah/yq/releases/latest/download/yq_linux_$(dpkg --print-architecture)" \ -o /usr/local/bin/yq \ && chmod +x /usr/local/bin/yq diff --git a/claude-code-runner/Dockerfile.arm64 b/claude-code-runner/Dockerfile.arm64 new file mode 120000 index 000000000..1d1fe94df --- /dev/null +++ b/claude-code-runner/Dockerfile.arm64 @@ -0,0 +1 @@ +Dockerfile \ No newline at end of file diff --git a/claude-code-runner/variant.lock b/claude-code-runner/variant.lock index 5c4073c1d..f16d7610d 100644 --- a/claude-code-runner/variant.lock +++ b/claude-code-runner/variant.lock 
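Review bot: Replacing the pinned `YQ_VERSION` with `releases/latest/download` makes the image non-reproducible and removes the handle a verification step would need: every rebuild fetches whatever mikefarah/yq most recently tagged, with no checksum, so a broken or compromised release lands in the next build without any diff in this repository. Keep `ARG YQ_VERSION=4.44.6` (or track it with the same variant mod mechanism this series uses for Claude Code) and verify the download against the release's checksum file in the same `RUN`. If "always latest" is the intended policy, state the trade-off in the comment rather than leaving `# yq (latest)` as the only record.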
@@ -1,4 +1,7 @@ dependencies: claude_code: version: 2.1.105 - previousVersion: 2.1.105 + previousVersion: 2.1.100 + versions: + - 2.1.100 + - 2.1.105 diff --git a/claude-code-runner/variant.mod b/claude-code-runner/variant.mod index 766397685..9f7d5aad3 100644 --- a/claude-code-runner/variant.mod +++ b/claude-code-runner/variant.mod @@ -11,9 +11,8 @@ dependencies: claude_code: releasesFrom: exec: - command: curl + command: bash args: - - -s - - 'https://registry.npmjs.org/@anthropic-ai/claude-code' - jsonPath: $.versions.*.version + - -c + - "curl -s https://storage.googleapis.com/claude-code-dist-86c565f3-f756-42ad-8dfa-d59b1c096819/claude-code-releases/latest" version: "> 2.0" From 205ca23a615adb54af6aedb1fcfbbe67a2f81515 Mon Sep 17 00:00:00 2001 From: Tasuku Yamashita Date: Tue, 14 Apr 2026 12:47:22 +0900 Subject: [PATCH 4/7] Remove ENTRYPOINT and entrypoint.sh Jobs provide their own command via K8s command/args or docker run. No common init needed at this point; can be added later if required. Co-Authored-By: Claude Opus 4.6 (1M context) --- claude-code-runner/Dockerfile | 5 ----- claude-code-runner/entrypoint.sh | 7 ------- 2 files changed, 12 deletions(-) delete mode 100644 claude-code-runner/entrypoint.sh diff --git a/claude-code-runner/Dockerfile b/claude-code-runner/Dockerfile index f42ad0623..e4d8d4201 100644 --- a/claude-code-runner/Dockerfile +++ b/claude-code-runner/Dockerfile @@ -36,8 +36,3 @@ RUN curl -fsSL https://cli.github.com/packages/githubcli-archive-keyring.gpg \ && apt-get update \ && apt-get install -y --no-install-recommends gh \ && rm -rf /var/lib/apt/lists/* - -COPY entrypoint.sh /entrypoint.sh -RUN chmod +x /entrypoint.sh - -ENTRYPOINT ["/entrypoint.sh"] diff --git a/claude-code-runner/entrypoint.sh b/claude-code-runner/entrypoint.sh deleted file mode 100644 index ba9e8ff3f..000000000 --- a/claude-code-runner/entrypoint.sh +++ /dev/null 
@@ -1,7 +0,0 @@ -#!/bin/bash -set -euo pipefail - -# Default entrypoint: show Claude Code version. -# Override by mounting your own /entrypoint.sh or using a derived image. -echo "=== claude-code-runner ===" -claude --version From 1676b48ded928b69552d4368e299aff480260493 Mon Sep 17 00:00:00 2001 From: Tasuku Yamashita Date: Tue, 14 Apr 2026 12:50:49 +0900 Subject: [PATCH 5/7] Update README: remove entrypoint refs, add CronJob usage example Co-Authored-By: Claude Opus 4.6 (1M context) --- claude-code-runner/README.md | 21 +++++++++++++++------ 1 file changed, 15 insertions(+), 6 deletions(-) diff --git a/claude-code-runner/README.md b/claude-code-runner/README.md index 77f7b4152..f053eba2a 100644 --- a/claude-code-runner/README.md +++ b/claude-code-runner/README.md @@ -2,7 +2,7 @@ A base Docker image for running [Claude Code](https://claude.ai/code) in containers. Provides the Claude Code CLI and common dependencies pre-installed. -This image is designed to be used as a base (`FROM chatwork/claude-code-runner`) by teams building their own plugin marketplace runner images. +This image is designed to be used as a base (`FROM chatwork/claude-code-runner`) by teams building their own plugin marketplace runner images, or directly in Kubernetes CronJobs. ## Usage @@ -14,16 +14,25 @@ FROM chatwork/claude-code-runner:latest # Copy your marketplace plugins COPY . /marketplace RUN claude plugin marketplace add /marketplace +``` -# (Optional) Override entrypoint -COPY entrypoint.sh /entrypoint.sh -RUN chmod +x /entrypoint.sh +### In a Kubernetes CronJob + +```yaml +containers: + - name: task + image: chatwork/claude-code-runner:latest + command: ["/bin/bash", "-lc"] + args: + - | + set -euo pipefail + claude --print "Generate weekly report" ``` ### Standalone ``` -$ docker run chatwork/claude-code-runner +$ docker run --rm chatwork/claude-code-runner claude --version ``` ## Included 
@@ -37,4 +46,4 @@ $ docker run chatwork/claude-code-runner ## Version management -Claude Code CLI version is pinned and automatically updated via [variant mod](https://github.com/mumoshu/variant). See `variant.mod` and `variant.lock` for details. +Claude Code CLI version is pinned and automatically updated via [variant mod](https://github.com/variantdev/mod). See `variant.mod` and `variant.lock` for details. From 7e967eced0d06df1cb0b289da013e4e52680c837 Mon Sep 17 00:00:00 2001 From: Tasuku Yamashita Date: Tue, 14 Apr 2026 12:53:14 +0900 Subject: [PATCH 6/7] Rename claude-code-runner to claude-code Not just a runner - a general-purpose base image for Claude Code. Co-Authored-By: Claude Opus 4.6 (1M context) --- {claude-code-runner => claude-code}/Dockerfile | 0 {claude-code-runner => claude-code}/Dockerfile.arm64 | 0 {claude-code-runner => claude-code}/Makefile | 0 {claude-code-runner => claude-code}/README.md | 10 +++++----- .../docker-compose.test.yml | 10 +++++----- {claude-code-runner => claude-code}/goss/goss.yaml | 0 {claude-code-runner => claude-code}/hooks/test | 0 {claude-code-runner => claude-code}/variant.lock | 0 {claude-code-runner => claude-code}/variant.mod | 0 9 files changed, 10 insertions(+), 10 deletions(-) rename {claude-code-runner => claude-code}/Dockerfile (100%) rename {claude-code-runner => claude-code}/Dockerfile.arm64 (100%) rename {claude-code-runner => claude-code}/Makefile (100%) rename {claude-code-runner => claude-code}/README.md (78%) rename {claude-code-runner => claude-code}/docker-compose.test.yml (66%) rename {claude-code-runner => claude-code}/goss/goss.yaml (100%) rename {claude-code-runner => claude-code}/hooks/test (100%) rename {claude-code-runner => claude-code}/variant.lock (100%) rename {claude-code-runner => claude-code}/variant.mod (100%) diff --git a/claude-code-runner/Dockerfile b/claude-code/Dockerfile similarity index 100% rename from claude-code-runner/Dockerfile rename to claude-code/Dockerfile 
diff --git a/claude-code-runner/Dockerfile.arm64 b/claude-code/Dockerfile.arm64 similarity index 100% rename from claude-code-runner/Dockerfile.arm64 rename to claude-code/Dockerfile.arm64 diff --git a/claude-code-runner/Makefile b/claude-code/Makefile similarity index 100% rename from claude-code-runner/Makefile rename to claude-code/Makefile diff --git a/claude-code-runner/README.md b/claude-code/README.md similarity index 78% rename from claude-code-runner/README.md rename to claude-code/README.md index f053eba2a..75a823c59 100644 --- a/claude-code-runner/README.md +++ b/claude-code/README.md @@ -1,15 +1,15 @@ -# claude-code-runner +# claude-code A base Docker image for running [Claude Code](https://claude.ai/code) in containers. Provides the Claude Code CLI and common dependencies pre-installed. -This image is designed to be used as a base (`FROM chatwork/claude-code-runner`) by teams building their own plugin marketplace runner images, or directly in Kubernetes CronJobs. +This image is designed to be used as a base (`FROM chatwork/claude-code`) by teams building their own plugin marketplace runner images, or directly in Kubernetes CronJobs. ## Usage ### As a base image ```dockerfile -FROM chatwork/claude-code-runner:latest +FROM chatwork/claude-code:latest # Copy your marketplace plugins COPY . /marketplace @@ -21,7 +21,7 @@ RUN claude plugin marketplace add /marketplace ```yaml containers: - name: task - image: chatwork/claude-code-runner:latest + image: chatwork/claude-code:latest command: ["/bin/bash", "-lc"] args: - | @@ -32,7 +32,7 @@ containers: ### Standalone ``` -$ docker run --rm chatwork/claude-code-runner claude --version +$ docker run --rm chatwork/claude-code claude --version ``` ## Included diff --git a/claude-code-runner/docker-compose.test.yml b/claude-code/docker-compose.test.yml similarity index 66% rename from claude-code-runner/docker-compose.test.yml rename to claude-code/docker-compose.test.yml index 6dcf2ada9..5cfeb3454 100644 
--- a/claude-code-runner/docker-compose.test.yml +++ b/claude-code/docker-compose.test.yml @@ -1,18 +1,18 @@ version: '3' services: - claude-code-runner: + claude-code: build: context: . - image: chatwork/claude-code-runner + image: chatwork/claude-code sut: image: chatwork/dgoss:latest environment: GOSS_FILES_PATH: /goss GOSS_FILES_STRATEGY: cp entrypoint: "" - command: /usr/local/bin/dgoss run --entrypoint '' chatwork/claude-code-runner tail -f /dev/null - container_name: claude-code-runner + command: /usr/local/bin/dgoss run --entrypoint '' chatwork/claude-code tail -f /dev/null + container_name: claude-code volumes: - /var/run/docker.sock:/var/run/docker.sock depends_on: - - claude-code-runner + - claude-code diff --git a/claude-code-runner/goss/goss.yaml b/claude-code/goss/goss.yaml similarity index 100% rename from claude-code-runner/goss/goss.yaml rename to claude-code/goss/goss.yaml diff --git a/claude-code-runner/hooks/test b/claude-code/hooks/test similarity index 100% rename from claude-code-runner/hooks/test rename to claude-code/hooks/test diff --git a/claude-code-runner/variant.lock b/claude-code/variant.lock similarity index 100% rename from claude-code-runner/variant.lock rename to claude-code/variant.lock diff --git a/claude-code-runner/variant.mod b/claude-code/variant.mod similarity index 100% rename from claude-code-runner/variant.mod rename to claude-code/variant.mod From 9ac2753e2b27eb60154dccfb522d3b4be59a3122 Mon Sep 17 00:00:00 2001 From: Tasuku Yamashita Date: Tue, 14 Apr 2026 13:00:35 +0900 Subject: [PATCH 7/7] Run as non-root user Create dedicated 'claude' user and install Claude Code CLI under /home/claude/.local/bin. System tools (yq, gh, etc.) remain in system paths, accessible to all users. Co-Authored-By: Claude Opus 4.6 (1M context) --- claude-code/Dockerfile | 14 ++++++++++---- claude-code/goss/goss.yaml | 2 +- 2 files changed, 11 insertions(+), 5 deletions(-) 
diff --git a/claude-code/Dockerfile b/claude-code/Dockerfile
index e4d8d4201..373427537 100644
--- a/claude-code/Dockerfile
+++ b/claude-code/Dockerfile
@@ -19,10 +19,6 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
 less \
 && rm -rf /var/lib/apt/lists/*
 
-# Claude Code CLI (Native Install)
-ENV PATH="/root/.local/bin:${PATH}"
-RUN curl -fsSL https://claude.ai/install.sh | bash -s "${CLAUDE_CODE_VERSION}"
-
 # yq (latest)
 RUN curl -fsSL "https://github.com/mikefarah/yq/releases/latest/download/yq_linux_$(dpkg --print-architecture)" \
 -o /usr/local/bin/yq \
@@ -36,3 +32,13 @@ RUN curl -fsSL https://cli.github.com/packages/githubcli-archive-keyring.gpg \
 && apt-get update \
 && apt-get install -y --no-install-recommends gh \
 && rm -rf /var/lib/apt/lists/*
+
+# Non-root user
+RUN useradd -m -s /bin/bash claude
+USER claude
+ENV HOME=/home/claude
+ENV PATH="/home/claude/.local/bin:${PATH}"
+WORKDIR /home/claude
+
+# Claude Code CLI (Native Install)
+RUN curl -fsSL https://claude.ai/install.sh | bash -s "${CLAUDE_CODE_VERSION}"
diff --git a/claude-code/goss/goss.yaml b/claude-code/goss/goss.yaml
index 3e277b68e..71db1504f 100644
--- a/claude-code/goss/goss.yaml
+++ b/claude-code/goss/goss.yaml
@@ -1,5 +1,5 @@
 file:
- /root/.local/bin/claude:
+ /home/claude/.local/bin/claude:
 exists: true
 command:
 claude --version:
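Review bot: `useradd -m -s /bin/bash claude` takes a dynamic UID and `USER claude` records the user by name, so a Kubernetes pod with `runAsNonRoot: true` (the CronJob use case the README in this series documents) is rejected with a non-numeric-user error because the kubelet cannot verify the UID from the image alone. Create the user with a fixed UID and switch by number: `RUN useradd -m -u 10001 -s /bin/bash claude` and `USER 10001`. The `ENV HOME`/`WORKDIR` lines can stay as they are. The installer is still a `curl | bash` pipe under the default shell; see the note on the first Dockerfile hunk of this series for the pipefail point, which applies equally here.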