give option to run container as non-root windmill user (#4959)

* main docker file * fix docker image build test tag * don't remove tag * make root user default * chown tmp folder * create search and logs folder in order to inherite windmill user permissions * Dockerfile * lsp non root * improving lsp image to get rid of critical vulnerabilities * formatting * support /root/.cache mount * make the cache mount backwards compatible
windmill-labs · Jan 3, 2025 · 0a72687 · 0a72687
1 parent f5c85d7
commit 0a72687
Show file tree

Hide file tree

Showing 4 changed files with 26 additions and 6 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -196,6 +196,21 @@ COPY ./frontend/src/lib/hubPaths.json ${APP}/hubPaths.json
 
 RUN windmill cache ${APP}/hubPaths.json && rm ${APP}/hubPaths.json && chmod -R 777 /tmp/windmill
 
+# Create a non-root user 'windmill' with UID and GID 1000
+RUN addgroup --gid 1000 windmill && \
+    adduser --disabled-password --gecos "" --uid 1000 --gid 1000 windmill
+
+RUN cp -r /root/.cache /home/windmill/.cache
+
+RUN mkdir -p /tmp/windmill/logs && \
+    mkdir -p /tmp/windmill/search
+
+RUN chown -R windmill:windmill ${APP} && \
+     chown -R windmill:windmill /tmp/windmill && \
+     chown -R windmill:windmill /home/windmill/.cache
+
+USER root
+
 EXPOSE 8000
 
 CMD ["windmill"]
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -143,7 +143,7 @@ services:
     expose:
       - 3001
     volumes:
-      - lsp_cache:/root/.cache
+      - lsp_cache:/pyls/.cache
 
   multiplayer:
     image: ghcr.io/windmill-labs/windmill-multiplayer:latest

diff --git a/examples/deploy/aws-ecs-terraform/windmill_lsp.tf b/examples/deploy/aws-ecs-terraform/windmill_lsp.tf
@@ -47,7 +47,7 @@ resource "aws_ecs_task_definition" "windmill_cluster_windmill_lsp_td" {
 
   volume {
     name      = "lsp_cache"
-    host_path = "/root/.cache"
+    host_path = "/pyls/.cache"
   }
 }
 

diff --git a/lsp/Dockerfile b/lsp/Dockerfile
@@ -5,6 +5,8 @@ FROM python-base
 COPY --from=node-base /usr/local /usr/local
 
 ENV PATH="/usr/local/bin:${PATH}"
+ENV PIPENV_VENV_IN_PROJECT=1
+ENV XDG_CACHE_HOME=/pyls/.cache
 
 RUN apt-get update \
     && apt-get install -y shellcheck wget \
@@ -39,19 +41,22 @@ RUN pip3 install tornado python-lsp-jsonrpc ruff-lsp
 
 COPY --from=denoland/deno:2.1.2 --chmod=755 /usr/bin/deno /usr/bin/deno
 
-COPY Pipfile .
+RUN mkdir -p /pyls/.cache
 
+WORKDIR /pyls
+COPY Pipfile .
 RUN cat Pipfile
-
 RUN pip install Cython
-
 RUN pipenv install
 
 COPY pyls_launcher.py .
 
 RUN mkdir -p /tmp/monaco && chmod -R 777 /tmp/monaco
 RUN cd /tmp/monaco && npm install --save-dev windmill-client
 
+RUN chmod -R a+rX /usr/local && \
+    chmod -R a+rX /pyls
+
 EXPOSE 3001
 
-CMD ["python3", "pyls_launcher.py"]
+CMD ["sh", "-c", "if [ -d /root/.cache ]; then export XDG_CACHE_HOME=/root/.cache && cp -r /pyls/.cache /root/.cache; fi && python3 pyls_launcher.py"]