diff --git a/docker/app.Dockerfile b/docker/app.Dockerfile
index 712e4cb4ed..6dc13eec71 100644
--- a/docker/app.Dockerfile
+++ b/docker/app.Dockerfile
@@ -63,19 +63,31 @@ RUN apk add --no-cache python3 py3-pip bash
 ENV NODE_ENV=production
-COPY --from=builder /app/apps/sim/public ./apps/sim/public
-COPY --from=builder /app/apps/sim/.next/standalone ./
-COPY --from=builder /app/apps/sim/.next/static ./apps/sim/.next/static
+# Create non-root user and group
+RUN addgroup -g 1001 -S nodejs && \
+ adduser -S nextjs -u 1001
-# Copy guardrails setup script and requirements
-COPY --from=builder /app/apps/sim/lib/guardrails/setup.sh ./apps/sim/lib/guardrails/setup.sh
-COPY --from=builder /app/apps/sim/lib/guardrails/requirements.txt ./apps/sim/lib/guardrails/requirements.txt
-COPY --from=builder /app/apps/sim/lib/guardrails/validate_pii.py ./apps/sim/lib/guardrails/validate_pii.py
+COPY --from=builder --chown=nextjs:nodejs /app/apps/sim/public ./apps/sim/public
+COPY --from=builder --chown=nextjs:nodejs /app/apps/sim/.next/standalone ./
+COPY --from=builder --chown=nextjs:nodejs /app/apps/sim/.next/static ./apps/sim/.next/static
-# Run guardrails setup to create venv and install Python dependencies
+# Guardrails setup (files need to be owned by nextjs for runtime)
+COPY --from=builder --chown=nextjs:nodejs /app/apps/sim/lib/guardrails/setup.sh ./apps/sim/lib/guardrails/setup.sh
+COPY --from=builder --chown=nextjs:nodejs /app/apps/sim/lib/guardrails/requirements.txt ./apps/sim/lib/guardrails/requirements.txt
+COPY --from=builder --chown=nextjs:nodejs /app/apps/sim/lib/guardrails/validate_pii.py ./apps/sim/lib/guardrails/validate_pii.py
+
+# Run guardrails setup as root, then fix ownership of generated venv files
 RUN chmod +x ./apps/sim/lib/guardrails/setup.sh && \
 cd ./apps/sim/lib/guardrails && \
- ./setup.sh
+ ./setup.sh && \
+ chown -R nextjs:nodejs /app/apps/sim/lib/guardrails
+
+# Create .next/cache directory with correct ownership
+RUN mkdir -p apps/sim/.next/cache && \
+ chown -R nextjs:nodejs /app
+
+# Switch to non-root user
+USER nextjs
 EXPOSE 3000
 ENV PORT=3000 \
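Review bot: `chown -R nextjs:nodejs /app` in the new `.next/cache` RUN step rewrites the ownership of every file already laid down by the earlier COPY layers, which duplicates the whole application tree into one more layer and makes the runtime user the owner of (and so able to modify) its own code, `node_modules` and the guardrails venv that the preceding step has just chowned. Only the cache directory needs to be writable, so the step can be reduced to `RUN install -d -o nextjs -g nodejs apps/sim/.next/cache`, and the `--chown=nextjs:nodejs` on the code COPYs can be dropped so those trees stay root-owned and read-only for `nextjs` (keep it on any path the app writes at runtime, which I cannot see from this hunk). Separately, `adduser -S nextjs -u 1001` is not given `-G nodejs`, so with BusyBox adduser the user gets its own same-named primary group and is never a member of `nodejs`; the `:nodejs` half of every `--chown` then grants it nothing, and `adduser -S -G nodejs -u 1001 nextjs` makes the pairing meaningful. The same adduser line appears in the db.Dockerfile and realtime.Dockerfile hunks.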
diff --git a/docker/db.Dockerfile b/docker/db.Dockerfile
index 40a9d47c86..32c8f3addc 100644
--- a/docker/db.Dockerfile
+++ b/docker/db.Dockerfile
@@ -17,9 +17,16 @@ RUN bun install --ignore-scripts
 FROM oven/bun:1.2.22-alpine AS runner
 WORKDIR /app
+# Create non-root user and group
+RUN addgroup -g 1001 -S nodejs && \
+ adduser -S nextjs -u 1001
+
 # Copy only the necessary files from deps
-COPY --from=deps /app/node_modules ./node_modules
-COPY packages/db/drizzle.config.ts ./packages/db/drizzle.config.ts
-COPY packages/db ./packages/db
+COPY --from=deps --chown=nextjs:nodejs /app/node_modules ./node_modules
+COPY --chown=nextjs:nodejs packages/db/drizzle.config.ts ./packages/db/drizzle.config.ts
+COPY --chown=nextjs:nodejs packages/db ./packages/db
+
+# Switch to non-root user
+USER nextjs
 WORKDIR /app/packages/db
\ No newline at end of file
diff --git a/docker/realtime.Dockerfile b/docker/realtime.Dockerfile
index 7fb83bae12..8488d6b32c 100644
--- a/docker/realtime.Dockerfile
+++ b/docker/realtime.Dockerfile
@@ -36,11 +36,18 @@ WORKDIR /app
 ENV NODE_ENV=production
+# Create non-root user and group
+RUN addgroup -g 1001 -S nodejs && \
+ adduser -S nextjs -u 1001
+
 # Copy the sim app and the shared db package needed by socket-server
-COPY --from=builder /app/apps/sim ./apps/sim
-COPY --from=builder /app/packages/db ./packages/db
-COPY --from=builder /app/node_modules ./node_modules
-COPY --from=builder /app/package.json ./package.json
+COPY --from=builder --chown=nextjs:nodejs /app/apps/sim ./apps/sim
+COPY --from=builder --chown=nextjs:nodejs /app/packages/db ./packages/db
+COPY --from=builder --chown=nextjs:nodejs /app/node_modules ./node_modules
+COPY --from=builder --chown=nextjs:nodejs /app/package.json ./package.json
+
+# Switch to non-root user
+USER nextjs
 # Expose socket server port (default 3002, but configurable via PORT env var)
 EXPOSE 3002
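Review bot: `--chown=nextjs:nodejs` on the `node_modules` and `packages/db` COPYs makes the runtime user the owner of the dependency tree and the migration sources, which is more than a migration runner needs and lets a compromised process rewrite what it executes; unless drizzle writes into these paths at runtime (not visible from the hunk), copying them without `--chown` leaves them root-owned and world-readable, which is all `USER nextjs` needs to run them. The realtime.Dockerfile hunk copies `apps/sim`, `packages/db`, `node_modules` and `package.json` with the same `--chown`, and the same remark applies there. The `runner` stage opens in this hunk but its entrypoint lies outside it, so I cannot confirm which paths, if any, are written at runtime.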