fix(docker): run container as non-root user#516
vincent067 wants to merge 3 commits into robusta-dev:main from
- Added a new 'Quick Start Guide' section after 'About The Project'
- Provides simple 3-step instructions for new users to get started
- Helps users get up and running in under 5 minutes

This improves the onboarding experience for new users.
Add a dedicated non-root user (uid 1000) to the Docker image to improve security posture. This addresses environments where running containers as root is restricted.

Changes:
- Create 'krr' user with uid 1000
- Set proper ownership of /app directory
- Switch to non-root user before running application

Fixes robusta-dev#510
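The three steps in that commit message, written out as an illustrative Dockerfile. This is an added example, not the project's own Dockerfile (which this page shows only in fragments): the base image and the two `ENV` lines come from the diff on this page, while the `WORKDIR`, `COPY`, `pip install` and `ENTRYPOINT` lines are assumptions about the project layout.

```dockerfile
FROM python:3.12-slim
ENV LANG=C.UTF-8
# Correct spelling: the misspelled PYTHONDONTWRYTEBYTECODE in the PR is silently
# ignored by Python, so .pyc files would still be written.
ENV PYTHONDONTWRITEBYTECODE=1

WORKDIR /app

# Step 1: dedicated user with a fixed, well-known uid/gid (1000).
# A fixed uid lets cluster policies (runAsUser, fsGroup) and volume
# permissions be set deterministically instead of depending on whatever
# uid useradd happens to allocate. No shell is needed at runtime.
RUN groupadd --gid 1000 krr \
 && useradd --uid 1000 --gid 1000 --create-home --shell /usr/sbin/nologin krr

# Step 2: copy the application already owned by that user. A separate
# `RUN chown -R krr:krr /app` would work too, but it re-writes every file
# into a new layer and doubles the image size of /app.
# (Assumption: the project root is the Docker build context.)
COPY --chown=krr:krr . /app

# Assumed install step. Running it as root is deliberate: the package lands in
# the system site-packages, which the runtime user can read but not modify.
RUN pip install --no-cache-dir .

# Step 3: drop privileges before the entrypoint. The numeric form matters:
# Kubernetes' runAsNonRoot check rejects a pod whose image USER is a bare
# name it cannot resolve to a uid, while 1000:1000 is verifiable directly.
USER 1000:1000

ENTRYPOINT ["krr"]   # assumed entrypoint; the real one is not shown on this page
```

A quick check after building is `docker run --rm <image> id -u`, which should print `1000`; if any step after `USER` needs to write under `/app`, it must be a path owned by uid 1000.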
Alex Chen seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you have already a GitHub account, please add the email address used for this commit to your account. You have signed the CLA already but the status is still pending? Let us recheck it.
Walkthrough

This PR addresses a security requirement by enabling non-root container execution in the Dockerfile and adds quick-start guidance sections to the README for improved onboarding.
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@Dockerfile`:
- Line 4: The Dockerfile contains a misspelled environment variable ENV
PYTHONDONTWRYTEBYTECODE=1 which prevents Python from suppressing .pyc
generation; change the ENV entry to use the correct variable name
PYTHONDONTWRITEBYTECODE with the same value (i.e., replace
PYTHONDONTWRYTEBYTECODE with PYTHONDONTWRITEBYTECODE) so Python recognizes and
applies the bytecode suppression.
In `@README.md`:
- Around line 106-149: Remove the duplicate "## Quick Start Guide" block and
merge both installs into one concise section that presents pip and Homebrew as
Option A/Option B (keep "pip install robusta-krr" and "brew tap
robusta-dev/homebrew-krr" / "brew install krr"), use a single verify step (e.g.,
"krr --help" or "krr version") and a single first-scan command "krr simple"
(with a sentence noting to use "--prometheus-url" only if Prometheus is not
auto-discovered); update or remove the extra lines suggested in the diff so the
file contains one Quick Start section that references the existing Installation
and Usage anchors.
📒 Files selected for processing (2): Dockerfile, README.md
| FROM python:3.12-slim AS builder | ||
| ENV LANG=C.UTF-8 | ||
| ENV PYTHONDONTWRITEBYTECODE=1 | ||
| ENV PYTHONDONTWRYTEBYTECODE=1 |
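Review bot: the added `ENV PYTHONDONTWRYTEBYTECODE=1` is a misspelled second copy of the `ENV PYTHONDONTWRITEBYTECODE=1` already present on the line above, so the right fix is to delete the added line rather than correct its spelling, which would leave two identical ENV instructions. Python ignores unrecognised environment variable names without any warning, so neither the build nor the runtime would ever flag the typo.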
🧩 Analysis chain

🌐 Web query: Official Python documentation PYTHONDONTWRITEBYTECODE environment variable

💡 Result:
The official Python documentation for the PYTHONDONTWRITEBYTECODE environment variable is found in the "Command line and environment" section of the Python documentation (e.g., for Python 3.14 at https://docs.python.org/3/using/cmdline.html). It states: If this is set to a non-empty string, Python won't try to write .pyc files on the import of source modules. This is equivalent to specifying the -B option. Note: As of late 2025, there is an open issue (python/cpython#143134) claiming the documentation is incorrect because the variable is parsed as a flag using _Py_get_env_flag, which treats any non-empty value (including non-numeric strings or "0") as true (1), enabling the no-write-bytecode behavior. Numeric "0" is false. A PR to update the docs is linked but status unclear as of 2026-04-18. Usage examples from sources confirm setting it to 1 or any non-empty value disables .pyc generation.
Citations:
- 1: https://docs.python.org/3/using/cmdline.html?highlight=pythondontwritebytecode
- 2: PYTHONDONTWRITEBYTECODE documentation is incorrect python/cpython#143134
- 3: https://docs.python.org/3/using/cmdline.html
- 4: https://docs.python.org/3.10/using/cmdline.html
- 5: https://github.com/python/cpython/blob/master/Python/initconfig.c
- 6: https://docs.python.org/3.14/using/cmdline.html
Fix the Python bytecode environment variable typo.
PYTHONDONTWRYTEBYTECODE is not recognized by Python due to the misspelling ("WRYTE" instead of "WRITE"), so bytecode suppression will not be applied. The correct variable name is PYTHONDONTWRITEBYTECODE.
🐛 Proposed fix
-ENV PYTHONDONTWRYTEBYTECODE=1
+ENV PYTHONDONTWRITEBYTECODE=1
| <!-- QUICK START --> | ||
|
|
||
| ## Quick Start Guide | ||
|
|
||
| Get up and running with KRR in under 5 minutes: | ||
|
|
||
| ### 1. Install KRR | ||
|
|
||
| ```bash | ||
| pip install robusta-krr | ||
| ``` | ||
|
|
||
| ### 2. Verify Installation | ||
|
|
||
| ```bash | ||
| krr --help | ||
| ``` | ||
|
|
||
| ### 3. Run Your First Scan | ||
|
|
||
| ```bash | ||
| krr simple --prometheus-url=http://localhost:9090 | ||
| ``` | ||
|
|
||
| That's it! You now have recommendations for optimizing your Kubernetes resources. | ||
|
|
||
| For more details, see the full [Installation](#installation) and [Usage](#usage) sections below. | ||
|
|
||
|
|
||
| ## Quick Start Guide | ||
|
|
||
| Get started with KRR in under 5 minutes: | ||
|
|
||
| ```bash | ||
| # Install with Homebrew | ||
| brew tap robusta-dev/homebrew-krr | ||
| brew install krr | ||
|
|
||
| # Verify installation | ||
| krr version | ||
|
|
||
| # Run your first scan | ||
| krr simple | ||
| ``` |
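Review bot: this README hunk is out of scope for a PR titled `fix(docker): run container as non-root user` that closes #510, and it adds two `## Quick Start Guide` sections that disagree with each other: `krr --help` versus `krr version` for the verification step, and `krr simple --prometheus-url=http://localhost:9090` versus `krr simple` for the first scan. Suggest moving the quick-start text into its own PR with a single section, so the Docker change can be reviewed and merged on its own and the README wording can be settled separately.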
Consolidate the duplicate Quick Start sections.
Line 135 duplicates the ## Quick Start Guide heading and triggers MD024. The two sections also give different first-scan commands; prefer one quick start with pip/Homebrew install options and use krr simple unless the user has explicitly port-forwarded Prometheus.
📝 Proposed docs cleanup
<!-- QUICK START -->
## Quick Start Guide
Get up and running with KRR in under 5 minutes:
-### 1. Install KRR
+### Option A: Install with pip
```bash
pip install robusta-krr-### 2. Verify Installation
+### Option B: Install with Homebrew
-krr --help
+brew tap robusta-dev/homebrew-krr
+brew install krr-### 3. Run Your First Scan
+### Verify installation
-krr simple --prometheus-url=http://localhost:9090
+krr --help-That's it! You now have recommendations for optimizing your Kubernetes resources.
-For more details, see the full Installation and Usage sections below.
-## Quick Start Guide
-Get started with KRR in under 5 minutes:
+### Run your first scan
-# Install with Homebrew
-brew tap robusta-dev/homebrew-krr
-brew install krr
-
-# Verify installation
-krr version
-
-# Run your first scan
krr simple+If Prometheus is not auto-discovered, see Giving an Explicit Prometheus URL.
+
+That's it! You now have recommendations for optimizing your Kubernetes resources.
+
+For more details, see the full Installation and Usage sections below.
</details>
<details>
<summary>🧰 Tools</summary>
<details>
<summary>🪛 markdownlint-cli2 (0.22.0)</summary>
[warning] 135-135: Multiple headings with the same content
(MD024, no-duplicate-heading)
</details>
</details>
Hi team! 👋
This PR addresses issue #510 by adding a non-root user to the Docker image for improved security.
Problem
Some environments require containers to run as non-root users for security compliance. The current Dockerfile runs as root by default.
Solution
Security Benefits
✅ Reduces attack surface in case of container escape
✅ Complies with security policies that restrict root containers
✅ Follows Docker security best practices
Testing
I verified the image builds successfully and the application runs correctly with the non-root user.
Please let me know if you'd like any adjustments! Happy to help improve the project's security posture. 🙏
Fixes #510