This is an automated email from the ASF dual-hosted git repository.
Yicong-Huang pushed a commit to branch release/v1.1.0-incubating
in repository https://gitbox.apache.org/repos/asf/texera.git
The following commit(s) were added to refs/heads/release/v1.1.0-incubating by
this push:
new 7349698c55 feat(docker): run service containers as non-root user
(#4941)
7349698c55 is described below
commit 7349698c55002f7da77992bcdc770cb4d6f49356
Author: Jiadong Bai <[email protected]>
AuthorDate: Tue May 5 22:14:01 2026 +0000
feat(docker): run service containers as non-root user (#4941)
### What changes were proposed in this PR?
Add a system user (UID/GID `1001`, name `texera`) and a `USER 1001:1001`
directive at the end of every service runtime stage in
`bin/*.dockerfile`. Aligns with Docker Hub's recommendation *"Ensures
the image specifies a non-root username (or UID) for the final stage."*
- **7 Debian-derived runtimes** (`eclipse-temurin:*-jammy`):
`groupadd`/`useradd --system`, `chown -R texera:texera /texera`, `USER
1001:1001`.
- **`texera-web-application`** also chowns `/frontend` (frontend dist).
- **`agent-service`** uses Alpine syntax (`addgroup -S` / `adduser -S`),
chowns `/app`.
### Any related issues, documentation, discussions?
Closes #4940.
### How was this PR tested?
Tested locally by building the images
### Was this PR authored or co-authored using generative AI tooling?
(backported from commit b9c899f32f65eef94a2c39d5c5cfc1c5df09825f)
Generated-by: Claude Code (Opus 4.7)
---
bin/access-control-service.dockerfile | 6 ++++++
bin/agent-service.dockerfile | 5 +++++
bin/computing-unit-master.dockerfile | 6 ++++++
bin/computing-unit-worker.dockerfile | 6 ++++++
bin/config-service.dockerfile | 6 ++++++
bin/file-service.dockerfile | 6 ++++++
bin/texera-web-application.dockerfile | 6 ++++++
bin/workflow-compiling-service.dockerfile | 6 ++++++
bin/workflow-computing-unit-managing-service.dockerfile | 6 ++++++
9 files changed, 53 insertions(+)
diff --git a/bin/access-control-service.dockerfile
b/bin/access-control-service.dockerfile
index fac67fb08b..1429171a5a 100644
--- a/bin/access-control-service.dockerfile
+++ b/bin/access-control-service.dockerfile
@@ -69,6 +69,12 @@ COPY --from=build
/texera/access-control-service/LICENSE-binary /texera/LICENSE
COPY --from=build /texera/access-control-service/NOTICE-binary /texera/NOTICE
COPY --from=build /texera/licenses /texera/licenses
COPY --from=build /texera/DISCLAIMER /texera/
+
+RUN groupadd --system --gid 1001 texera \
+ && useradd --system --uid 1001 --gid texera --home-dir /texera
--no-create-home texera \
+ && chown -R texera:texera /texera
+USER texera
+
CMD ["bin/access-control-service"]
EXPOSE 9096
\ No newline at end of file
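Review bot: The new `USER texera` line sets a named user, while the commit description promises `USER 1001:1001`; the numeric form is what lets runtimes that enforce a non-root policy (for example Kubernetes `runAsNonRoot`) verify the UID without resolving the image's /etc/passwd, so prefer `USER 1001:1001` here. The same applies to the matching `USER texera` line in the other eight dockerfiles in this commit (agent-service, computing-unit-master, computing-unit-worker, config-service, file-service, texera-web-application, workflow-compiling-service, workflow-computing-unit-managing-service). Separately, `chown -R texera:texera /texera` in its own RUN re-copies the whole tree into a new layer and makes the service's own binaries and libraries writable by the account that runs them; if only a few directories need to be writable at runtime, keep the rest root-owned and world-readable and chown just those, or move ownership into the earlier `COPY --from=build` lines with `--chown=1001:1001` (the numeric form works before the user exists). The full set of COPY lines for this stage sits outside the hunk, so I cannot tell from here which paths actually need write access.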
diff --git a/bin/agent-service.dockerfile b/bin/agent-service.dockerfile
index b2fcdea570..7edf38287a 100644
--- a/bin/agent-service.dockerfile
+++ b/bin/agent-service.dockerfile
@@ -40,6 +40,11 @@ COPY NOTICE ./NOTICE
COPY DISCLAIMER ./DISCLAIMER
COPY licenses ./licenses
+RUN addgroup -S -g 1001 texera \
+ && adduser -S -u 1001 -G texera -h /app texera \
+ && chown -R texera:texera /app
+USER texera
+
EXPOSE 3001
CMD ["bun", "run", "src/server.ts"]
diff --git a/bin/computing-unit-master.dockerfile
b/bin/computing-unit-master.dockerfile
index 8f2fa2b999..5fcb54968d 100644
--- a/bin/computing-unit-master.dockerfile
+++ b/bin/computing-unit-master.dockerfile
@@ -99,6 +99,12 @@ COPY --from=build /texera/amber/LICENSE-binary-combined
/texera/LICENSE
COPY --from=build /texera/amber/NOTICE-binary /texera/NOTICE
COPY --from=build /texera/licenses /texera/licenses
COPY --from=build /texera/DISCLAIMER /texera/
+
+RUN groupadd --system --gid 1001 texera \
+ && useradd --system --uid 1001 --gid texera --home-dir /texera
--no-create-home texera \
+ && chown -R texera:texera /texera
+USER texera
+
CMD ["bin/computing-unit-master"]
EXPOSE 8085
diff --git a/bin/computing-unit-worker.dockerfile
b/bin/computing-unit-worker.dockerfile
index c36a5a2698..f600a9c05f 100644
--- a/bin/computing-unit-worker.dockerfile
+++ b/bin/computing-unit-worker.dockerfile
@@ -97,6 +97,12 @@ COPY --from=build /texera/amber/LICENSE-binary-combined
/texera/LICENSE
COPY --from=build /texera/amber/NOTICE-binary /texera/NOTICE
COPY --from=build /texera/licenses /texera/licenses
COPY --from=build /texera/DISCLAIMER /texera/
+
+RUN groupadd --system --gid 1001 texera \
+ && useradd --system --uid 1001 --gid texera --home-dir /texera
--no-create-home texera \
+ && chown -R texera:texera /texera
+USER texera
+
CMD ["bin/computing-unit-worker"]
EXPOSE 8085
\ No newline at end of file
diff --git a/bin/config-service.dockerfile b/bin/config-service.dockerfile
index 251d5fdb8a..17c3d57de1 100644
--- a/bin/config-service.dockerfile
+++ b/bin/config-service.dockerfile
@@ -70,6 +70,12 @@ COPY --from=build /texera/config-service/LICENSE-binary
/texera/LICENSE
COPY --from=build /texera/config-service/NOTICE-binary /texera/NOTICE
COPY --from=build /texera/licenses /texera/licenses
COPY --from=build /texera/DISCLAIMER /texera/
+
+RUN groupadd --system --gid 1001 texera \
+ && useradd --system --uid 1001 --gid texera --home-dir /texera
--no-create-home texera \
+ && chown -R texera:texera /texera
+USER texera
+
CMD ["bin/config-service"]
EXPOSE 9094
\ No newline at end of file
diff --git a/bin/file-service.dockerfile b/bin/file-service.dockerfile
index 4decf69612..3966b5122b 100644
--- a/bin/file-service.dockerfile
+++ b/bin/file-service.dockerfile
@@ -69,6 +69,12 @@ COPY --from=build /texera/file-service/LICENSE-binary
/texera/LICENSE
COPY --from=build /texera/file-service/NOTICE-binary /texera/NOTICE
COPY --from=build /texera/licenses /texera/licenses
COPY --from=build /texera/DISCLAIMER /texera/
+
+RUN groupadd --system --gid 1001 texera \
+ && useradd --system --uid 1001 --gid texera --home-dir /texera
--no-create-home texera \
+ && chown -R texera:texera /texera
+USER texera
+
CMD ["bin/file-service"]
EXPOSE 9092
\ No newline at end of file
diff --git a/bin/texera-web-application.dockerfile
b/bin/texera-web-application.dockerfile
index c13fef29c0..3dcd12c10f 100644
--- a/bin/texera-web-application.dockerfile
+++ b/bin/texera-web-application.dockerfile
@@ -101,6 +101,12 @@ COPY --from=build /texera/amber/LICENSE-binary-combined
/texera/LICENSE
COPY --from=build /texera/amber/NOTICE-binary /texera/NOTICE
COPY --from=build /texera/licenses /texera/licenses
COPY --from=build /texera/DISCLAIMER /texera/
+
+RUN groupadd --system --gid 1001 texera \
+ && useradd --system --uid 1001 --gid texera --home-dir /texera
--no-create-home texera \
+ && chown -R texera:texera /texera /frontend
+USER texera
+
CMD ["bin/texera-web-application"]
EXPOSE 8080
\ No newline at end of file
diff --git a/bin/workflow-compiling-service.dockerfile
b/bin/workflow-compiling-service.dockerfile
index a2617d7a4b..b8f7f6c392 100644
--- a/bin/workflow-compiling-service.dockerfile
+++ b/bin/workflow-compiling-service.dockerfile
@@ -70,6 +70,12 @@ COPY --from=build
/texera/workflow-compiling-service/LICENSE-binary /texera/LICE
COPY --from=build /texera/workflow-compiling-service/NOTICE-binary
/texera/NOTICE
COPY --from=build /texera/licenses /texera/licenses
COPY --from=build /texera/DISCLAIMER /texera/
+
+RUN groupadd --system --gid 1001 texera \
+ && useradd --system --uid 1001 --gid texera --home-dir /texera
--no-create-home texera \
+ && chown -R texera:texera /texera
+USER texera
+
CMD ["bin/workflow-compiling-service"]
EXPOSE 9090
\ No newline at end of file
diff --git a/bin/workflow-computing-unit-managing-service.dockerfile
b/bin/workflow-computing-unit-managing-service.dockerfile
index 1edb94019a..78d0ba89db 100644
--- a/bin/workflow-computing-unit-managing-service.dockerfile
+++ b/bin/workflow-computing-unit-managing-service.dockerfile
@@ -70,6 +70,12 @@ COPY --from=build
/texera/computing-unit-managing-service/LICENSE-binary /texera
COPY --from=build /texera/computing-unit-managing-service/NOTICE-binary
/texera/NOTICE
COPY --from=build /texera/licenses /texera/licenses
COPY --from=build /texera/DISCLAIMER /texera/
+
+RUN groupadd --system --gid 1001 texera \
+ && useradd --system --uid 1001 --gid texera --home-dir /texera
--no-create-home texera \
+ && chown -R texera:texera /texera
+USER texera
+
CMD ["bin/computing-unit-managing-service"]
EXPOSE 8888
\ No newline at end of file