Skip to content

fix(docker): updated docker to use non-root user for k8s/helm deployments #1626

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Oct 14, 2025
Merged

fix(docker): updated docker to use non-root user for k8s/helm deployments #1626

merged 2 commits into from
Oct 14, 2025

Conversation

@waleedlatif1
Copy link
Collaborator

Summary

updated docker to use non-root user for k8s/helm deployments to follow https://github.com/vercel/next.js/tree/canary/examples/with-docker and https://www.docker.com/blog/understanding-the-docker-user-instruction/

Type of Change

  • Bug fix

Testing

Tested manually, follows nextjs best practice docs

Checklist

  • Code follows project style guidelines
  • Self-reviewed my changes
  • Tests added/updated and passing
  • No new warnings introduced
  • I confirm that I have read and agree to the terms outlined in the Contributor License Agreement (CLA)

@vercel
Copy link

vercel bot commented Oct 14, 2025
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Preview Comments Updated (UTC)
docs Ready Ready Preview Comment Oct 14, 2025 10:49pm

greptile-apps[bot]
greptile-apps bot reviewed Oct 14, 2025
View reviewed changes
Copy link
Contributor

@greptile-apps greptile-apps bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Greptile Overview

Summary

Implements non-root user (nextjs:nodejs, UID 1001) across all three Dockerfiles following Next.js and Docker security best practices for Kubernetes/Helm deployments.

Key changes:

  • Creates non-root user with consistent UID 1001 across all containers
  • Adds --chown=nextjs:nodejs to COPY commands for proper file ownership
  • Switches to non-root user before starting application processes

Issues found:

  • app.Dockerfile: Missing --chown on public directory COPY (line 70)
  • app.Dockerfile: Guardrails setup script runs as root, creating venv files owned by root, then attempts to fix with chown -R - this creates a permission inconsistency that could cause runtime errors when the app tries to update the Python virtual environment

Confidence Score: 2/5

  • This PR has critical permission issues in app.Dockerfile that will likely cause runtime failures
  • While the overall approach follows best practices, app.Dockerfile has two permission issues: (1) public directory missing --chown flag, and (2) guardrails setup running as root before USER switch, which will create root-owned venv files that the non-root user cannot modify at runtime. The db.Dockerfile and realtime.Dockerfile are implemented correctly.
  • docker/app.Dockerfile requires immediate attention for permission issues on lines 70 and 75-80

Important Files Changed

File Analysis

Filename Score Overview
docker/app.Dockerfile 2/5 Non-root user implementation has permission issues with guardrails setup and public directory
docker/db.Dockerfile 5/5 Clean non-root user implementation with proper file ownership
docker/realtime.Dockerfile 5/5 Clean non-root user implementation with proper file ownership

Sequence Diagram

sequenceDiagram
    participant K8s as Kubernetes/Helm
    participant AppContainer as App Container
    participant DBContainer as DB Container
    participant RealtimeContainer as Realtime Container
    participant User as nextjs:nodejs (UID 1001)
    
    Note over K8s,RealtimeContainer: Deployment Phase
    
    K8s->>AppContainer: Deploy app.Dockerfile
    AppContainer->>AppContainer: Create nextjs:nodejs user (UID 1001)
    AppContainer->>AppContainer: Copy files with --chown=nextjs:nodejs
    AppContainer->>AppContainer: Run guardrails setup as root
    AppContainer->>AppContainer: Create cache dir & chown -R nextjs:nodejs
    AppContainer->>User: Switch USER to nextjs
    User->>AppContainer: Start Next.js on port 3000
    
    K8s->>DBContainer: Deploy db.Dockerfile
    DBContainer->>DBContainer: Create nextjs:nodejs user (UID 1001)
    DBContainer->>DBContainer: Copy files with --chown=nextjs:nodejs
    DBContainer->>User: Switch USER to nextjs
    User->>DBContainer: Run database migrations
    
    K8s->>RealtimeContainer: Deploy realtime.Dockerfile
    RealtimeContainer->>RealtimeContainer: Create nextjs:nodejs user (UID 1001)
    RealtimeContainer->>RealtimeContainer: Copy files with --chown=nextjs:nodejs
    RealtimeContainer->>User: Switch USER to nextjs
    User->>RealtimeContainer: Start socket server on port 3002
    
    Note over AppContainer,RealtimeContainer: All containers run as non-root (UID 1001)
Loading

3 files reviewed, 2 comments

Edit Code Review Agent Settings | Greptile

@waleedlatif1 waleedlatif1 merged commit f345c4d into staging Oct 14, 2025
9 checks passed
@waleedlatif1 waleedlatif1 deleted the fix/docker branch October 14, 2025 22:54
@waleedlatif1 waleedlatif1 mentioned this pull request Oct 15, 2025
Merged
Sg312 pushed a commit that referenced this pull request Oct 15, 2025
@waleedlatif1 @Sg312
fix(docker): updated docker to use non-root user for k8s/helm deploym…
cb329a6 
…ents (#1626)

* fix(docker): updated docker to use non-root user for k8s/helm deployments

* ack PR comments
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@greptile-apps greptile-apps[bot] greptile-apps[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@waleedlatif1