From 6a27787209a7d0372bf943cb2a46dff758f966b4 Mon Sep 17 00:00:00 2001 From: Shadow Date: Fri, 20 Feb 2026 21:46:30 -0600 Subject: [PATCH] Docker: restore pre-change ownership steps --- Dockerfile | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/Dockerfile b/Dockerfile index 1b40c2da353..b174f9c8d15 100644 --- a/Dockerfile +++ b/Dockerfile @@ -7,6 +7,7 @@ ENV PATH="/root/.bun/bin:${PATH}" RUN corepack enable WORKDIR /app +RUN chown node:node /app ARG OPENCLAW_DOCKER_APT_PACKAGES="" RUN if [ -n "$OPENCLAW_DOCKER_APT_PACKAGES" ]; then \ @@ -16,17 +17,19 @@ RUN if [ -n "$OPENCLAW_DOCKER_APT_PACKAGES" ]; then \ rm -rf /var/lib/apt/lists/* /var/cache/apt/archives/*; \ fi -COPY package.json pnpm-lock.yaml pnpm-workspace.yaml .npmrc ./ -COPY ui/package.json ./ui/package.json -COPY patches ./patches -COPY scripts ./scripts +COPY --chown=node:node package.json pnpm-lock.yaml pnpm-workspace.yaml .npmrc ./ +COPY --chown=node:node ui/package.json ./ui/package.json +COPY --chown=node:node patches ./patches +COPY --chown=node:node scripts ./scripts +USER node RUN pnpm install --frozen-lockfile # Optionally install Chromium and Xvfb for browser automation. # Build with: docker build --build-arg OPENCLAW_INSTALL_BROWSER=1 ... # Adds ~300MB but eliminates the 60-90s Playwright install on every container start. # Must run after pnpm install so playwright-core is available in node_modules. +USER root ARG OPENCLAW_INSTALL_BROWSER="" RUN if [ -n "$OPENCLAW_INSTALL_BROWSER" ]; then \ apt-get update && \ @@ -36,7 +39,8 @@ RUN if [ -n "$OPENCLAW_INSTALL_BROWSER" ]; then \ rm -rf /var/lib/apt/lists/* /var/cache/apt/archives/*; \ fi -COPY . . +USER node +COPY --chown=node:node . . RUN pnpm build # Force pnpm for UI build (Bun may fail on ARM/Synology architectures) ENV OPENCLAW_PREFER_PNPM=1 @@ -44,9 +48,6 @@ RUN pnpm ui:build ENV NODE_ENV=production -# Allow non-root user to write temp files during runtime/tests. -RUN chown -R node:node /app - # Security hardening: Run as non-root user # The node:22-bookworm image includes a 'node' user (uid 1000) # This reduces the attack surface by preventing container escape via root privileges