feat(docker): run service containers as non-root user#4941
Merged
bobbai00 merged 4 commits intoapache:mainfrom May 5, 2026
Merged
feat(docker): run service containers as non-root user#4941bobbai00 merged 4 commits intoapache:mainfrom
bobbai00 merged 4 commits intoapache:mainfrom
Conversation
Add a system user (UID/GID 1001 "texera") and a USER directive at the
end of every service runtime stage so containers don't run as root.
Aligns with Kubernetes runAsNonRoot PSS guidance and clears the
Docker Hub "non-root user for the final stage" finding.
- 7 Debian-derived runtimes (eclipse-temurin:*-jammy):
groupadd/useradd with --system, chown -R /texera, USER 1001:1001
- texera-web-application also chowns /frontend (frontend dist)
- agent-service uses Alpine syntax (addgroup -S / adduser -S),
chown -R /app
Sidecars under bin/y-websocket-server/ and bin/pylsp/ are out of
scope; they have separate base-image issues tracked elsewhere.
Closes apache#4940
bobbai00
added
the
release/v1.1.0-incubating
aglinxinyuan
approved these changes
May 5, 2026
Yicong-Huang
pushed a commit
that referenced
this pull request
May 5, 2026
### What changes were proposed in this PR? Add a system user (UID/GID `1001`, name `texera`) and a `USER 1001:1001` directive at the end of every service runtime stage in `bin/*.dockerfile`. Aligns with Docker Hub's recommendation *"Ensures the image specifies a non-root username (or UID) for the final stage."* - **7 Debian-derived runtimes** (`eclipse-temurin:*-jammy`): `groupadd`/`useradd --system`, `chown -R texera:texera /texera`, `USER 1001:1001`. - **`texera-web-application`** also chowns `/frontend` (frontend dist). - **`agent-service`** uses Alpine syntax (`addgroup -S` / `adduser -S`), chowns `/app`. ### Any related issues, documentation, discussions? Closes #4940. ### How was this PR tested? Tested locally by building the images ### Was this PR authored or co-authored using generative AI tooling? (backported from commit b9c899f) Generated-by: Claude Code (Opus 4.7)
Contributor
|
Backport to |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What changes were proposed in this PR?
Add a system user (UID/GID
1001, nametexera) and aUSER 1001:1001directive at the end of every service runtime stage inbin/*.dockerfile. Aligns with Docker Hub's recommendation "Ensures the image specifies a non-root username (or UID) for the final stage."eclipse-temurin:*-jammy):groupadd/useradd --system,chown -R texera:texera /texera,USER 1001:1001.texera-web-applicationalso chowns/frontend(frontend dist).agent-serviceuses Alpine syntax (addgroup -S/adduser -S), chowns/app.Any related issues, documentation, discussions?
Closes #4940.
How was this PR tested?
Tested locally by building the images
Was this PR authored or co-authored using generative AI tooling?
Generated-by: Claude Code (Opus 4.7)