
sec: non-root + healthchecks for stateless sidecars (control-plane, worker, panel)#25

Merged: valvesss merged 1 commit into main from sec/dockerfiles-nonroot-stateless on Jul 4, 2026

Conversation

@valvesss valvesss (Contributor) commented Jul 4, 2026

trivy DS-0002 (root) on the 3 stateless services + DS-0026 (healthcheck) on the 2 that have an endpoint.

  • USER node (uid 1000) + chown -R node:node /app in control-plane, worker, panel. Each one is a pure network client (control-plane provisions via the Coolify HTTP API, not docker.sock; worker = pg-boss + GitHub API + HTTP; panel = Next standalone, read-only).
  • HEALTHCHECK on control-plane (/health) and panel (/).

Verified on surtr before the merge: the 3 images build, come up as uid=1000(node), and the control-plane's pnpm bootstrap ran as node against the real DB (migrations/project-zero/orgs/jobs OK).

Deliberate scope: postgres + garage are left out (non-root = UID/volume risk; garage has no shell for a healthcheck; worker has no endpoint) → they go in the stateful runbook.

Deploy: rebuild of the hauldr app in the window (pg16 DB blip accepted). DS-0002 ×3 + DS-0026 ×2.

🤖 Generated with Claude Code

…e, worker, panel)

trivy DS-0002 (image runs as root) on the three stateless services. Each is a
pure network client — no root, no docker socket, no local writes:
- control-plane provisions via the Coolify HTTP API (not a mounted docker.sock),
  connects to Postgres, and runs pg_dump/pg_restore for cutover.
- worker is a pg-boss consumer + GitHub API + HMAC HTTP callbacks.
- panel is a Next standalone server that only reads its own bundle.

Add `USER node` (uid 1000, ships in node:22-alpine) after chowning the app tree
so pnpm/tsx can read deps and write their transpile cache. Also add HEALTHCHECK
to the two with an HTTP endpoint (control-plane /health, panel /) — DS-0026.

Scoped to the stateless three on purpose: postgres + garage (non-root has a
data-volume UID risk; garage image has no shell for a healthcheck; worker has no
HTTP endpoint) are deferred to the stateful-services runbook so this batch never
recreates the shared DB. Deploy = targeted recreate of these 3 containers only.

Findings: trivy DS-0002 (control-plane/worker/panel), DS-0026 (control-plane/panel).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
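An added example (not the PR's own Dockerfile) of what the control-plane image looks like after this change, with the two trivy findings mapped to the lines that close them. Assumptions not stated on the page: the service listens on port 3000, is started with `pnpm exec tsx src/index.ts`, and its dependency manifest is `package.json` + `pnpm-lock.yaml`.

```dockerfile
# Hypothetical control-plane image after the PR. node:22-alpine ships the
# `node` user with uid 1000, so no useradd step is needed.
FROM node:22-alpine
WORKDIR /app

# Dependency install still runs as root (assumed layout: package.json + lockfile).
COPY package.json pnpm-lock.yaml ./
RUN corepack enable && pnpm install --frozen-lockfile
COPY . .

# DS-0002: hand the whole app tree to the unprivileged user before switching,
# because pnpm/tsx must read node_modules and write their transpile cache.
RUN chown -R node:node /app
USER node

# Assumed listen port; the page names the endpoint (/health) but not the port.
EXPOSE 3000

# DS-0026: mark the container unhealthy when /health stops answering.
# --start-period gives the pnpm bootstrap time before probes count as failures.
# node's built-in fetch is used so the image needs neither curl nor wget.
HEALTHCHECK --interval=30s --timeout=5s --start-period=30s --retries=3 \
  CMD node -e "fetch('http://127.0.0.1:3000/health').then(r => process.exit(r.ok ? 0 : 1)).catch(() => process.exit(1))"

CMD ["pnpm", "exec", "tsx", "src/index.ts"]
```

To confirm the two properties on a built image, `docker run --rm <image> id -u` should print `1000`, and once the container is running `docker inspect --format '{{.State.Health.Status}}' <container>` should report `healthy`.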
@valvesss valvesss merged commit ab72350 into main Jul 4, 2026
@valvesss valvesss deleted the sec/dockerfiles-nonroot-stateless branch July 4, 2026 02:24