fix: run api container as non-root dograh user (#360)

* fix: run api container as non-root dograh user The runner stage had no USER directive, causing the API process to run as root inside the container. Add a system user/group and transfer ownership of /app before switching to it, so the container process runs with minimal privileges. * fix: chown /app and use COPY --chown for non-root runner Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Abhishek Kumar <abhishek@a6k.me> Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-06-07 07:55:16 +02:00 · 2026-05-27 02:30:45 -07:00 · 2026-05-27 02:30:45 -07:00 · 573dd68d76
commit 573dd68d76
parent 62d3749219
1 changed files with 12 additions and 5 deletions
--- a/api/Dockerfile
+++ b/api/Dockerfile
@ -71,6 +71,10 @@ FROM python:3.13-slim AS runner

 WORKDIR /app

+RUN groupadd --system dograh \
+ && useradd --system --gid dograh --no-log-init --home-dir /app --shell /usr/sbin/nologin dograh \
+ && chown dograh:dograh /app
+
 # Static ffmpeg + ffprobe (used by audio_converter, audio_file_cache, etc.)
 COPY --from=ffmpeg-static /usr/local/bin/ffmpeg /usr/local/bin/ffmpeg
 COPY --from=ffmpeg-static /usr/local/bin/ffprobe /usr/local/bin/ffprobe
@ -93,23 +97,26 @@ ENV PYTHONDONTWRITEBYTECODE=1
 # Unbuffered output for better container logging
 ENV PYTHONUNBUFFERED=1

-# Copy application code
-COPY ./api ./api
-COPY ./scripts/start_services_docker.sh ./scripts/start_services_docker.sh
+# Copy application code (chown at copy-time avoids a duplicate /app layer
+# from a later `RUN chown -R`, which would double the on-disk size of /app).
+COPY --chown=dograh:dograh ./api ./api
+COPY --chown=dograh:dograh ./scripts/start_services_docker.sh ./scripts/start_services_docker.sh

 # ts_validator Node deps (built in ts-deps stage with full node:22-slim image).
 # The validator runs as a short-lived subprocess from api/mcp_server/ts_bridge.py.
-COPY --from=ts-deps /ts_validator/node_modules ./api/mcp_server/ts_validator/node_modules
+COPY --from=ts-deps --chown=dograh:dograh /ts_validator/node_modules ./api/mcp_server/ts_validator/node_modules

 # Product documentation — read at runtime by the MCP docs tools
 # (search_dograh_docs / fetch_dograh_doc) so agents can learn Dograh.
-COPY ./docs ./docs
+COPY --chown=dograh:dograh ./docs ./docs

 ENV PYTHONPATH=/app

 # Disable file logging in Docker - logs go to stdout for docker logs
 ENV LOG_TO_FILE=false

+USER dograh
+
 # Expose the port FastAPI will run on
 EXPOSE 8000