fix(docker): updated docker to use non-root user for k8s/helm deployments#1626
Merged
waleedlatif1 merged 2 commits intostagingfrom Oct 14, 2025
Merged
fix(docker): updated docker to use non-root user for k8s/helm deployments#1626waleedlatif1 merged 2 commits intostagingfrom
waleedlatif1 merged 2 commits intostagingfrom
Conversation
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
![greptile-apps[bot]](https://avatars.githubusercontent.com/in/867647?s=60&v=4){kind=small}
Contributor
There was a problem hiding this comment.
Greptile Overview
Summary
Implements non-root user (nextjs:nodejs, UID 1001) across all three Dockerfiles following Next.js and Docker security best practices for Kubernetes/Helm deployments.
Key changes:
- Creates non-root user with consistent UID 1001 across all containers
- Adds
--chown=nextjs:nodejsto COPY commands for proper file ownership - Switches to non-root user before starting application processes
Issues found:
- app.Dockerfile: Missing
--chownon public directory COPY (line 70) - app.Dockerfile: Guardrails setup script runs as root, creating venv files owned by root, then attempts to fix with
chown -R- this creates a permission inconsistency that could cause runtime errors when the app tries to update the Python virtual environment
Confidence Score: 2/5
- This PR has critical permission issues in app.Dockerfile that will likely cause runtime failures
- While the overall approach follows best practices, app.Dockerfile has two permission issues: (1) public directory missing --chown flag, and (2) guardrails setup running as root before USER switch, which will create root-owned venv files that the non-root user cannot modify at runtime. The db.Dockerfile and realtime.Dockerfile are implemented correctly.
- docker/app.Dockerfile requires immediate attention for permission issues on lines 70 and 75-80
Important Files Changed
File Analysis
| Filename | Score | Overview |
|---|---|---|
| docker/app.Dockerfile | 2/5 | Non-root user implementation has permission issues with guardrails setup and public directory |
| docker/db.Dockerfile | 5/5 | Clean non-root user implementation with proper file ownership |
| docker/realtime.Dockerfile | 5/5 | Clean non-root user implementation with proper file ownership |
Sequence Diagram
sequenceDiagram
participant K8s as Kubernetes/Helm
participant AppContainer as App Container
participant DBContainer as DB Container
participant RealtimeContainer as Realtime Container
participant User as nextjs:nodejs (UID 1001)
Note over K8s,RealtimeContainer: Deployment Phase
K8s->>AppContainer: Deploy app.Dockerfile
AppContainer->>AppContainer: Create nextjs:nodejs user (UID 1001)
AppContainer->>AppContainer: Copy files with --chown=nextjs:nodejs
AppContainer->>AppContainer: Run guardrails setup as root
AppContainer->>AppContainer: Create cache dir & chown -R nextjs:nodejs
AppContainer->>User: Switch USER to nextjs
User->>AppContainer: Start Next.js on port 3000
K8s->>DBContainer: Deploy db.Dockerfile
DBContainer->>DBContainer: Create nextjs:nodejs user (UID 1001)
DBContainer->>DBContainer: Copy files with --chown=nextjs:nodejs
DBContainer->>User: Switch USER to nextjs
User->>DBContainer: Run database migrations
K8s->>RealtimeContainer: Deploy realtime.Dockerfile
RealtimeContainer->>RealtimeContainer: Create nextjs:nodejs user (UID 1001)
RealtimeContainer->>RealtimeContainer: Copy files with --chown=nextjs:nodejs
RealtimeContainer->>User: Switch USER to nextjs
User->>RealtimeContainer: Start socket server on port 3002
Note over AppContainer,RealtimeContainer: All containers run as non-root (UID 1001)
3 files reviewed, 2 comments
Sg312
pushed a commit
that referenced
this pull request
Oct 15, 2025
…ents (#1626) * fix(docker): updated docker to use non-root user for k8s/helm deployments * ack PR comments
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
updated docker to use non-root user for k8s/helm deployments to follow https://github.com/vercel/next.js/tree/canary/examples/with-docker and https://www.docker.com/blog/understanding-the-docker-user-instruction/
Type of Change
Testing
Tested manually, follows nextjs best practice docs
Checklist