Skip to content

Commit bbc46d3

Browse files
committed
refactor(docker): tighten binary perms via --chown + 0550
Replace `COPY --chmod=755` with `COPY --chown=<user> --chmod=0550` in the gateway and supervisor Dockerfiles. The binary is no longer world-readable or world-executable; ownership is pinned to the runtime user. - Gateway uses `--chown=nvs:nvs` + `USER nvs:nvs`, matching the only non-root user defined in `nvcr.io/nvidia/distroless/cc` (UID 1000) and the Helm chart's `securityContext.runAsUser: 1000`, which overrides the Dockerfile USER at runtime. - Supervisor uses numeric `--chown=65534:65534` because the scratch base has no `/etc/passwd` for name resolution. The supervisor image is only consumed by the init-container copy-self path; the destination pod's runAsUser governs execute access. Validated by deploying to a local k3d cluster via `helm:skaffold:run` and confirming the gateway StatefulSet reaches 1/1 Running.
1 parent 4941fa9 commit bbc46d3

2 files changed

Lines changed: 16 additions & 8 deletions

File tree

deploy/docker/Dockerfile.gateway

Lines changed: 9 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -26,11 +26,15 @@ ARG TARGETARCH
2626

2727
WORKDIR /app
2828

29-
# --chmod=755 preserves the executable bit through actions/upload-artifact +
30-
# download-artifact, which strip exec perms during the roundtrip.
31-
COPY --chmod=755 deploy/docker/.build/prebuilt-binaries/${TARGETARCH}/openshell-gateway /usr/local/bin/openshell-gateway
32-
33-
USER 65532:65532
29+
# --chmod=0550 preserves the executable bit through actions/upload-artifact +
30+
# download-artifact (which strip exec perms during the roundtrip) without
31+
# granting world-execute. --chown=nvs:nvs matches the image's only defined
32+
# non-root user (`nvs:1000`, the NVIDIA distroless convention) and aligns
33+
# with the Helm chart's `securityContext.runAsUser: 1000`, which overrides
34+
# the Dockerfile's USER at runtime.
35+
COPY --chown=nvs:nvs --chmod=0550 deploy/docker/.build/prebuilt-binaries/${TARGETARCH}/openshell-gateway /usr/local/bin/openshell-gateway
36+
37+
USER nvs:nvs
3438
EXPOSE 8080
3539

3640
ENTRYPOINT ["/usr/local/bin/openshell-gateway"]

deploy/docker/Dockerfile.supervisor

Lines changed: 7 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -23,8 +23,12 @@ FROM scratch AS supervisor
2323

2424
ARG TARGETARCH
2525

26-
# --chmod=755 preserves the executable bit through actions/upload-artifact +
27-
# download-artifact, which strip exec perms during the roundtrip.
28-
COPY --chmod=755 deploy/docker/.build/prebuilt-binaries/${TARGETARCH}/openshell-sandbox /openshell-sandbox
26+
# --chmod=0550 preserves the executable bit through actions/upload-artifact +
27+
# download-artifact (which strip exec perms during the roundtrip) without
28+
# granting world-execute. --chown uses numeric 65534:65534 (nobody:nobody)
29+
# because scratch has no /etc/passwd to resolve a named user against. This
30+
# scratch image is only consumed by the init-container copy-self path, so
31+
# the destination pod's USER governs what can execute the binary.
32+
COPY --chown=65534:65534 --chmod=0550 deploy/docker/.build/prebuilt-binaries/${TARGETARCH}/openshell-sandbox /openshell-sandbox
2933

3034
ENTRYPOINT ["/openshell-sandbox"]

0 commit comments

Comments
 (0)