Security: Run container as non-root user (UID 10001) #100

Open
opened 2026-04-05 16:16:31 +02:00 by MrUnknownDE · 0 comments
Originally created by @sbaerlocher on 11/12/2025

Summary

Configure Docker container to run as non-root user app (UID 10001) instead of root.

Changes

  • Create non-root user with high UID (10001) in Dockerfile
  • Set proper ownership for application files and pnpm cache
  • Switch to non-root user before container starts

Benefits

  • Prevents host UID collisions
  • Reduces attack surface if container is compromised
  • Meets Kubernetes runAsNonRoot security policies
  • Follows Docker security best practices

Test

$ docker compose exec open-archiver id
uid=10001(app) gid=10001(app)
Reference: github/OpenArchiver#100
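
The three changes listed in the issue, sketched as a Dockerfile. This is an added example, not part of the original issue or the project's own Dockerfile. The base image, the /app path, the use of the home directory for the pnpm store and the start command are assumptions; only the user name app and UID 10001 come from the issue.

```dockerfile
# Constructed example: base image, paths and start command are assumptions,
# not taken from the project's Dockerfile.
FROM node:22-slim

# corepack ships with this base image and provides the pnpm shim.
RUN corepack enable

# 1. Create the non-root user and group with a fixed high UID/GID.
#    --create-home gives pnpm a writable home for its store and cache.
RUN groupadd --gid 10001 app \
 && useradd --uid 10001 --gid app --create-home --shell /usr/sbin/nologin app

# WORKDIR creates /app as root, so hand it over explicitly.
WORKDIR /app
RUN chown 10001:10001 /app

# 2. Copy application files already owned by the non-root user
#    instead of running a recursive chown in a later layer.
COPY --chown=10001:10001 . .

# 3. Switch user before installing and starting. The numeric form matters:
#    with a user name here, the kubelet cannot verify runAsNonRoot and
#    refuses to start the container.
USER 10001:10001

# Runs as app, so the pnpm store and cache land under /home/app and
# are owned by UID 10001 without any extra chown.
RUN pnpm install --frozen-lockfile

CMD ["pnpm", "start"]
```

Bind mounts and named volumes created by an earlier root-running version of the image keep their old ownership, so they need a one-time chown to 10001 on the host before the container can write to them.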