costajohnathan opened a new issue, #8504:
URL: https://github.com/apache/incubator-devlake/issues/8504

   
## What and why to refactor
What are you trying to refactor? Why should it be refactored now?

Update the base Dockerfiles for:
- devlake/backend
- devlake-config-ui
- devlake/grafana

On OpenShift, pod security constraints run containers under an arbitrary UID that the container cannot switch away from; the only identity an image can rely on is the group, which is always root (GID 0). Our current images:
   
```dockerfile
FROM apache/devlake:v1.0.2

USER root

RUN chgrp -R 0 /app && \
    chmod -R g=u /app

USER devlake
```
```dockerfile
FROM apache/devlake-config-ui:v1.0.2

USER root

RUN chgrp -R 0 /etc/nginx /var/log/nginx /usr/share/nginx /run && \
    chmod -R g=u /etc/nginx /var/log/nginx /usr/share/nginx /run

USER 101
```
   
— while functionally correct — will be blocked by “MustRunAsNonRoot” policies on clusters that enforce GID 0 ownership for writable volumes. We need all processes (running under a random UID) to belong to GID 0 and have group‑rw permissions on the directories they must write to.
   
## Describe the solution you'd like
How to refactor?

1. Switch to a non‑root base user: make sure `USER devlake` is the default at the end of the Dockerfile.

2. Set group ownership to root (0): for every directory the app writes to (e.g. /app, /config, /data, etc.), add:

```dockerfile
USER root
RUN chgrp -R 0 /app /config /data \
    && chmod -R g=u /app /config /data
USER devlake
```
This aligns exactly with the [OpenShift Container Platform guidelines](https://docs.openshift.com/container-platform/4.5/openshift_images/create-images.html#images-create-guide-openshift_create-images).
   
3. Update documentation: mention that these builds are now fully compatible with OpenShift’s restricted SCC.
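As an added example (not part of this issue or of the DevLake project), a bash check that verifies the outcome of step 2 on a directory tree: every entry must belong to the expected group (GID 0 by default) and its group permission bits must equal its owner bits, which is exactly what `chgrp -R 0` followed by `chmod -R g=u` produces. The function name and the optional second argument are my own choices; GNU `find`/`stat` are assumed.

```bash
#!/usr/bin/env bash
# check_openshift_perms DIR [GID]
#
# Walk DIR and report every entry that an arbitrary-UID process with
# supplemental group GID (default 0) could not use the same way the image's
# build-time owner can:
#   - group id differs from GID          (chgrp -R GID was not applied)
#   - group rwx bits differ from owner's (chmod -R g=u was not applied)
# Returns 0 when the tree is clean, 1 when violations were printed,
# 2 when DIR is not a directory.
check_openshift_perms() {
  local dir=$1 gid=${2:-0} rc=0
  local mode actual_gid path owner_bits group_bits

  [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }

  # '%a' is the octal mode (e.g. 640 or 2755), '%g' the numeric gid.
  # The path is read last so names containing spaces survive intact.
  # Process substitution (not a pipe) keeps the loop in this shell,
  # so updates to rc are visible after the loop ends.
  while IFS=' ' read -r mode actual_gid path; do
    owner_bits=$(( (8#$mode >> 6) & 7 ))
    group_bits=$(( (8#$mode >> 3) & 7 ))

    if [ "$actual_gid" != "$gid" ]; then
      echo "wrong group (gid $actual_gid, want $gid): $path"
      rc=1
    fi
    if [ "$owner_bits" -ne "$group_bits" ]; then
      echo "group bits differ from owner bits (mode $mode): $path"
      rc=1
    fi
  done < <(find "$dir" -exec stat -c '%a %g %n' {} +)

  return "$rc"
}

# Stand-alone use: check a directory given on the command line, e.g. the
# bind-mounted /app of an image under test.
if [ "${BASH_SOURCE[0]}" = "$0" ] && [ $# -ge 1 ]; then
  check_openshift_perms "$@"
fi
```

Run it inside the built image (`docker run --rm -u 12345:0 image bash check.sh /app`) to see what a random-UID OpenShift pod will actually be denied before the cluster does.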
   
   
   
## Related issues
N/A
## Additional context
N/A