
feat: robust arbitrary UID support for non-root containers #40

Merged
ductiletoaster merged 2 commits into main from fix/non-root-support
Mar 12, 2026

Conversation

@ductiletoaster
Member

Enable running the image as any UID (e.g., K8s securityContext.runAsUser) without prior configuration:

  • Dynamically inject /etc/passwd entry for unknown UIDs in the entrypoint so getpwuid(), getpass.getuser(), and expanduser("~") work correctly (standard practice per OpenShift arbitrary UID guidelines)
  • Make /etc/passwd group-writable at build time for runtime injection
  • Make /app/.cache world-writable for uv/pip cache operations
  • Document arbitrary UID support in running guide

Code Review

Description

Please include a summary of the changes including relevant motivation and context. List any dependencies that are required for this change.

Please check the option(s) that are most relevant.

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Refactor (non-breaking modification to existing code path)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)

Testing & Verification

Please describe the tests that you ran to verify your changes.

  • Provide instructions to reproduce with relevant details for your test configuration.
  • Include screenshots and/or videos showing the results of your changes.

ductiletoaster and others added 2 commits March 11, 2026 07:03
Enable running the image as any UID (e.g., K8s securityContext.runAsUser)
without prior configuration:

- Dynamically inject /etc/passwd entry for unknown UIDs in the entrypoint
  so getpwuid(), getpass.getuser(), and expanduser("~") work correctly
  (standard practice per OpenShift arbitrary UID guidelines)
- Make /etc/passwd group-writable at build time for runtime injection
- Make /app/.cache world-writable for uv/pip cache operations
- Document arbitrary UID support in running guide

Co-Authored-By: Claude Opus 4.6 <[email protected]>
The /app/.cache directory was created during the builder stage via
pip cache mount but wasn't included in COPY --from=builder. Use
mkdir -p to ensure it exists before setting permissions.

Co-Authored-By: Claude Opus 4.6 <[email protected]>
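The passwd-injection step described in the PR body and the first commit message, as an added example that is not the project's own entrypoint. It assumes the image build already made the passwd file group-writable (for instance `chmod g=u /etc/passwd`) and that the container runs with GID 0 as OpenShift does; the file path, the `app-<uid>` username and the `demo` function are choices made here for illustration and testing.

```shell
#!/bin/sh
# Arbitrary-UID pattern: if the current UID has no passwd entry, append a
# minimal one so getpwuid(), getpass.getuser() and expanduser("~") resolve.
# The passwd path is a parameter only so the logic can be exercised on a copy.
ensure_passwd_entry() {
    passwd_file="$1"    # normally /etc/passwd
    uid="$2"            # normally $(id -u)
    gid="$3"            # normally $(id -g), 0 under OpenShift
    home="${4:-/app}"   # home directory the injected user should get

    # UID already known (root, or the build-time app user)? Nothing to do.
    if awk -F: -v u="$uid" '$3 == u { found = 1 } END { exit !found }' "$passwd_file"; then
        return 0
    fi
    # Refuse loudly instead of continuing with a half-working environment:
    # this is the symptom of a build that forgot the chmod g=u step.
    if [ ! -w "$passwd_file" ]; then
        echo "entrypoint: cannot write $passwd_file for uid $uid" >&2
        return 1
    fi
    # Locked password field ("x" with no shadow entry) and a nologin shell,
    # so the injected entry grants no interactive login.
    printf 'app-%s:x:%s:%s::%s:/sbin/nologin\n' "$uid" "$uid" "$gid" "$home" >> "$passwd_file"
}

# Demo on a constructed copy of a passwd file, never on the real /etc/passwd.
demo() {
    tmp=$(mktemp)
    printf 'root:x:0:0:root:/root:/bin/sh\napp:x:1000:1000::/app:/sbin/nologin\n' > "$tmp"
    ensure_passwd_entry "$tmp" 1000 1000 /app        # known UID: file unchanged
    ensure_passwd_entry "$tmp" 1000680000 0 /app     # arbitrary UID: entry appended
    cat "$tmp"
    rm -f "$tmp"
}
demo
```

In a real entrypoint the call is `ensure_passwd_entry /etc/passwd "$(id -u)" "$(id -g)" /app` before `exec`-ing the application.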
@ductiletoaster ductiletoaster merged commit 166b1b1 into main Mar 12, 2026
4 checks passed
@ductiletoaster ductiletoaster deleted the fix/non-root-support branch March 12, 2026 00:23
