bobbai00 opened a new pull request, #4941: URL: https://github.com/apache/texera/pull/4941
### What changes were proposed in this PR?

Add a system user (UID/GID `1001`, name `texera`) and a `USER 1001:1001` directive at the end of every service runtime stage in `bin/*.dockerfile`. Aligns with Kubernetes `runAsNonRoot: true` PSS guidance and clears the Docker Hub recommendation *"Ensures the image specifies a non-root username (or UID) for the final stage."*

- **7 Debian-derived runtimes** (`eclipse-temurin:*-jammy`): `groupadd`/`useradd --system`, `chown -R texera:texera /texera`, `USER 1001:1001`.
- **`texera-web-application`** also chowns `/frontend` (frontend dist).
- **`agent-service`** uses Alpine syntax (`addgroup -S` / `adduser -S`), chowns `/app`.

Numeric UID is used in the `USER` directive so K8s `runAsNonRoot` doesn't need name lookup.

Sidecars under `bin/y-websocket-server/` and `bin/pylsp/` are out of scope here — they have separate base-image issues (`node:latest`, `python:3.10-slim`) tracked separately.

Orthogonal to #4938 (Java 17 bump); both can land independently.

### Any related issues, documentation, discussions?

Closes #4940.

### How was this PR tested?

CI exercises `docker build` for every service via `build-and-push-images.yml`. Beyond build, runtime smoke testing (each container starts, serves traffic, can read its mounted state) is the real signal — to be exercised on the next nightly run / single-node `docker compose up`. If any service writes to a path outside its chowned tree at startup, surfacing that here lets us add a targeted `chown` or `mkdir -p && chown` before merge.

### Was this PR authored or co-authored using generative AI tooling?

Generated-by: Claude Code (Opus 4.7)

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at: [email protected]
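The Docker Hub rule the PR addresses is mechanical enough to check before an image is built. The following is an added example, not code from the PR or from the Texera repository: a POSIX shell lint that reads Dockerfile text, isolates the final stage (everything after the last `FROM`), and requires its last `USER` directive to be a numeric, non-zero UID, the same property the PR relies on so that Kubernetes `runAsNonRoot` needs no `/etc/passwd` lookup. The four Dockerfiles embedded below are constructed samples modelled on the Debian and Alpine patterns the PR describes (the `texera` user, UID/GID `1001`, the `/texera` and `/app` trees); they are not the contents of `bin/*.dockerfile`. The `final_stage_user` and `check_nonroot_final_stage` names are this example's own.

```shell
#!/bin/sh
# Added example (not from the PR): lint Dockerfile text for a non-root final stage.
# Policy: the final stage must end with a USER directive whose UID is numeric and
# non-zero. A named user also runs non-root, but runAsNonRoot then has to resolve
# the name inside the image, so it is reported as a warning here.

# Constructed sample: Debian-derived runtime, groupadd/useradd --system, numeric USER.
DEBIAN_GOOD='FROM eclipse-temurin:17-jammy
RUN groupadd --system --gid 1001 texera \
 && useradd --system --uid 1001 --gid 1001 --no-create-home texera \
 && chown -R texera:texera /texera
USER 1001:1001
ENTRYPOINT ["java", "-jar", "/texera/app.jar"]'

# Constructed sample: Alpine runtime, addgroup -S / adduser -S, chown /app.
ALPINE_GOOD='FROM alpine:3.19
RUN addgroup -S -g 1001 texera \
 && adduser -S -u 1001 -G texera texera \
 && chown -R texera:texera /app
USER 1001:1001
CMD ["/app/agent"]'

# Constructed sample: multi-stage image where only the builder drops privileges.
# The final stage has no USER directive and therefore runs as root.
MULTISTAGE_BAD='FROM golang:1.22 AS builder
USER 1001:1001
RUN go build -o /out/agent ./...
FROM alpine:3.19
COPY --from=builder /out/agent /app/agent
CMD ["/app/agent"]'

# Constructed sample: non-root, but by name rather than numeric UID.
NAMED_USER='FROM alpine:3.19
RUN adduser -S texera
USER texera
CMD ["/app/agent"]'

# final_stage_user DOCKERFILE_TEXT
# Prints the user part of the last USER directive in the final stage, with any
# ":group" suffix stripped; prints nothing when the final stage has no USER.
# Each FROM resets the state, so only the last stage is considered.
final_stage_user() {
    printf '%s\n' "$1" | awk '
        toupper($1) == "FROM" { user = ""; next }
        toupper($1) == "USER" { user = $2 }
        END { sub(/:.*/, "", user); print user }
    '
}

# check_nonroot_final_stage DOCKERFILE_TEXT
# Exit status 0 when the final stage runs as a numeric, non-zero UID; 1 otherwise.
# A one-line verdict is printed for the person reading the lint output.
check_nonroot_final_stage() {
    uid=$(final_stage_user "$1")
    case "$uid" in
        "")       echo "FAIL: final stage has no USER directive (runs as root)"; return 1 ;;
        0)        echo "FAIL: final stage runs as UID 0"; return 1 ;;
        *[!0-9]*) echo "WARN: final stage USER '$uid' is a name, not a numeric UID"; return 1 ;;
        *)        echo "OK: final stage runs as UID $uid"; return 0 ;;
    esac
}

# Run the lint over the constructed samples when executed directly.
printf 'debian runtime:   '; check_nonroot_final_stage "$DEBIAN_GOOD"   || true
printf 'alpine runtime:   '; check_nonroot_final_stage "$ALPINE_GOOD"   || true
printf 'multi-stage:      '; check_nonroot_final_stage "$MULTISTAGE_BAD" || true
printf 'named user:       '; check_nonroot_final_stage "$NAMED_USER"    || true
```

The multi-stage sample is the case worth keeping in mind when reviewing this kind of change: a `USER` line in a builder stage satisfies nothing, because each `FROM` starts a fresh stage that runs as root until its own `USER` directive. Pointing the check at the real `bin/*.dockerfile` files (for example with `check_nonroot_final_stage "$(cat bin/some-service.dockerfile)"`) would give CI a build-independent signal alongside the `docker build` already run by `build-and-push-images.yml`.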
