apunkt/dograh
1
0
Fork 0
mirror of https://github.com/dograh-hq/dograh.git synced 2026-06-28 08:49:42 +02:00
Code Issues Projects Releases Packages Wiki Activity

fix: run api container as non-root dograh user (#360)

Browse source 
* fix: run api container as non-root dograh user

The runner stage had no USER directive, causing the API process to run
as root inside the container. Add a system user/group and transfer
ownership of /app before switching to it, so the container process
runs with minimal privileges.

* fix: chown /app and use COPY --chown for non-root runner

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Abhishek Kumar <abhishek@a6k.me>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
nuthalapativarun 2026-05-27 02:30:45 -07:00 committed by GitHub
parent 62d3749219
commit 573dd68d76
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
1 changed files with 12 additions and 5 deletions
Download patch file Download diff file Expand all files Collapse all files

17
api/Dockerfile
View file

@ -71,6 +71,10 @@ FROM python:3.13-slim AS runner
WORKDIR /app WORKDIR /app
RUN groupadd --system dograh \
&& useradd --system --gid dograh --no-log-init --home-dir /app --shell /usr/sbin/nologin dograh \
&& chown dograh:dograh /app
# Static ffmpeg + ffprobe (used by audio_converter, audio_file_cache, etc.) # Static ffmpeg + ffprobe (used by audio_converter, audio_file_cache, etc.)
COPY --from=ffmpeg-static /usr/local/bin/ffmpeg /usr/local/bin/ffmpeg COPY --from=ffmpeg-static /usr/local/bin/ffmpeg /usr/local/bin/ffmpeg
COPY --from=ffmpeg-static /usr/local/bin/ffprobe /usr/local/bin/ffprobe COPY --from=ffmpeg-static /usr/local/bin/ffprobe /usr/local/bin/ffprobe
@ -93,23 +97,26 @@ ENV PYTHONDONTWRITEBYTECODE=1
# Unbuffered output for better container logging # Unbuffered output for better container logging
ENV PYTHONUNBUFFERED=1 ENV PYTHONUNBUFFERED=1
# Copy application code # Copy application code (chown at copy-time avoids a duplicate /app layer
COPY ./api ./api # from a later `RUN chown -R`, which would double the on-disk size of /app).
COPY ./scripts/start_services_docker.sh ./scripts/start_services_docker.sh COPY --chown=dograh:dograh ./api ./api
COPY --chown=dograh:dograh ./scripts/start_services_docker.sh ./scripts/start_services_docker.sh
# ts_validator Node deps (built in ts-deps stage with full node:22-slim image). # ts_validator Node deps (built in ts-deps stage with full node:22-slim image).
# The validator runs as a short-lived subprocess from api/mcp_server/ts_bridge.py. # The validator runs as a short-lived subprocess from api/mcp_server/ts_bridge.py.
COPY --from=ts-deps /ts_validator/node_modules ./api/mcp_server/ts_validator/node_modules COPY --from=ts-deps --chown=dograh:dograh /ts_validator/node_modules ./api/mcp_server/ts_validator/node_modules
# Product documentation — read at runtime by the MCP docs tools # Product documentation — read at runtime by the MCP docs tools
# (search_dograh_docs / fetch_dograh_doc) so agents can learn Dograh. # (search_dograh_docs / fetch_dograh_doc) so agents can learn Dograh.
COPY ./docs ./docs COPY --chown=dograh:dograh ./docs ./docs
ENV PYTHONPATH=/app ENV PYTHONPATH=/app
# Disable file logging in Docker - logs go to stdout for docker logs # Disable file logging in Docker - logs go to stdout for docker logs
ENV LOG_TO_FILE=false ENV LOG_TO_FILE=false
USER dograh
# Expose the port FastAPI will run on # Expose the port FastAPI will run on
EXPOSE 8000 EXPOSE 8000