
chore(docker): drop root, run containers as willow user #434

Merged: intendednull merged 1 commit into claude/adoring-euler-DvNnk from auto-fix/issue-314-docker-user on Apr 27, 2026

@intendednull (Owner)

what

container ran as root. bad. now run as willow.

how

  • relay/replay/storage Dockerfiles: useradd -r -u 10001 willow, mkdir + chown /etc/willow, /shared (relay), /var/lib/willow (storage), USER willow before ENTRYPOINT.
  • web Dockerfile: swap nginx:alpine -> nginxinc/nginx-unprivileged:alpine (uid 101, listens 8080 by default). docker-compose maps host:container 8080:8080.
  • entrypoint scripts already mkdir writable dirs at runtime; willow owns them, no permission errors.
  • ports stay non-privileged: relay 9090/9091, web 8080.

verify

$ grep -L '^USER ' docker/*.Dockerfile
(empty)

docker daemon not reachable in this sandbox so live docker build skipped. relying on master PR CI for full image build smoke. no Rust code changed so just check unaffected.

tradeoff

picked nginxinc/nginx-unprivileged over patching nginx config to listen on 8080 + chown html dir. one-line image swap, upstream-maintained, no custom config drift. runner-up rejected: more files to maintain for same outcome.

Refs #314

https://claude.ai/code/session_016cmtqT7yEQUgjcLgz4pARP


Generated by Claude Code

Add willow uid 10001 + USER directive in runtime stage of relay,
replay, storage Dockerfiles. chown writable dirs (/etc/willow,
/shared, /var/lib/willow) before USER switch.

Web: switch nginx:alpine to nginxinc/nginx-unprivileged:alpine
(uid 101, listens 8080). Compose maps host 8080 to container 8080.

Refs #314

https://claude.ai/code/session_016cmtqT7yEQUgjcLgz4pARP
@intendednull intendednull merged commit 09c8d15 into claude/adoring-euler-DvNnk Apr 27, 2026
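
The `grep -L '^USER '` check in the description is satisfied by any line that starts with `USER`, including one in a builder stage or a `USER root`. An added example (not part of this PR or the project's code) that checks the user of the final stage instead; the function names and the sample Dockerfiles are constructed for illustration.

```shell
#!/bin/sh
# Added example: check the USER of the *final* stage, not just any USER line.

# Print the user the last build stage ends up with (empty if it sets none).
final_stage_user() {
    awk '
        cont { cont = /\\$/; next }              # skip continuation lines of RUN etc.
        { cont = /\\$/ }
        toupper($1) == "FROM" { user = "" }      # each FROM starts a new stage
        toupper($1) == "USER" { user = $2 }      # last USER in a stage wins
        END { print user }
    ' "$1"
}

# Succeed only if the final stage sets a USER other than root / uid 0.
runs_as_nonroot() {
    u=$(final_stage_user "$1")
    u=${u%%:*}                                   # drop optional :group
    case "$u" in
        ""|root|0) return 1 ;;
        *) return 0 ;;
    esac
}

# Constructed sample Dockerfiles (not the project's files).
write_samples() {
    cat > "$1/good.Dockerfile" <<'EOF'
FROM rust:1 AS build
RUN cargo build --release
FROM debian:stable-slim
RUN useradd -r -u 10001 willow \
    && mkdir -p /etc/willow && chown willow /etc/willow
USER willow
ENTRYPOINT ["/entrypoint.sh"]
EOF
    cat > "$1/builder-only.Dockerfile" <<'EOF'
FROM rust:1 AS build
USER builder
FROM debian:stable-slim
ENTRYPOINT ["/app"]
EOF
}

# Usage: sh check.sh docker/*.Dockerfile
for f in "$@"; do
    runs_as_nonroot "$f" || echo "final stage runs as root: $f"
done
```

A final stage that only inherits a non-root user from its base image (as `nginxinc/nginx-unprivileged` does with uid 101) is still reported unless the Dockerfile restates `USER`, and a `USER` given as a build variable is not resolved.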