fix: Run container as root to fix react-router permission denied
All checks were successful
ci/woodpecker/push/woodpecker Pipeline was successful
All checks were successful
ci/woodpecker/push/woodpecker Pipeline was successful
- Change Dockerfile to run as root instead of peikarband user - Update Helm values.yaml to use root user (runAsUser: 0, runAsNonRoot: false) - Improve entrypoint.sh permission handling with reusable function - Add reflex init before run if packages not installed - Fix node_modules/.bin permissions for symlinks and targets This resolves the 'react-router: Permission denied' error by running containers with root privileges. TODO: Switch back to non-root user after permission issues are fully resolved.
This commit is contained in:
Ehsan.Asadi
@@ -101,9 +101,10 @@ LABEL org.opencontainers.image.vendor="Peikarband"
|
||||
LABEL org.opencontainers.image.version="${VERSION}"
|
||||
LABEL org.opencontainers.image.created="${BUILD_DATE}"
|
||||
|
||||
# Create non-root user
|
||||
RUN groupadd -r peikarband && \
|
||||
useradd -r -g peikarband -u 1000 -m -s /bin/bash peikarband
|
||||
# Running as root for now to avoid permission issues
|
||||
# TODO: Switch back to non-root user after permission issues are resolved
|
||||
# RUN groupadd -r peikarband && \
|
||||
# useradd -r -g peikarband -u 1000 -m -s /bin/bash peikarband
|
||||
|
||||
WORKDIR /app
|
||||
|
||||
@@ -124,7 +125,8 @@ COPY --from=builder /usr/local/bin /usr/local/bin
|
||||
|
||||
# Copy application code to /app/peikarband/ to create peikarband.peikarband structure
|
||||
# With app_name="peikarband", Reflex expects to find peikarband.peikarband module
|
||||
COPY --from=builder --chown=peikarband:peikarband /build/peikarband /app/peikarband
|
||||
# Running as root, so no need for chown
|
||||
COPY --from=builder /build/peikarband /app/peikarband
|
||||
|
||||
# Copy entrypoint script
|
||||
COPY docker/entrypoint.sh /usr/local/bin/entrypoint.sh
|
||||
@@ -163,7 +165,7 @@ ENV PYTHONUNBUFFERED=1 \
|
||||
REFLEX_DIR=/app/peikarband \
|
||||
NODE_ENV=production
|
||||
|
||||
# Diagnostic information (before switching to non-root user)
|
||||
# Diagnostic information
|
||||
RUN echo "=== Diagnostic Info ===" && \
|
||||
if [ -f /app/peikarband/.web/node_modules/.bin/react-router ]; then \
|
||||
ls -la /app/peikarband/.web/node_modules/.bin/react-router && \
|
||||
@@ -178,8 +180,8 @@ RUN echo "=== Diagnostic Info ===" && \
|
||||
HEALTHCHECK --interval=30s --timeout=10s --start-period=40s --retries=3 \
|
||||
CMD curl -f http://localhost:8000/ping || exit 1
|
||||
|
||||
# Switch to non-root user
|
||||
USER peikarband
|
||||
# Running as root for now to avoid permission issues
|
||||
# USER peikarband
|
||||
|
||||
# Expose port
|
||||
EXPOSE 3000 8000
|
||||
|
||||
@@ -1,8 +1,9 @@
|
||||
#!/bin/bash
|
||||
set -e
|
||||
|
||||
# Validate node_modules permissions before starting
|
||||
if [ -d /app/peikarband/.web/node_modules/.bin ]; then
|
||||
# Function to fix node_modules permissions
|
||||
fix_node_modules_permissions() {
|
||||
if [ -d /app/peikarband/.web/node_modules/.bin ]; then
|
||||
echo "Checking node_modules/.bin permissions..."
|
||||
|
||||
REACT_ROUTER_BIN="/app/peikarband/.web/node_modules/.bin/react-router"
|
||||
@@ -43,13 +44,28 @@ if [ -d /app/peikarband/.web/node_modules/.bin ]; then
|
||||
echo "⚠️ WARNING: react-router may still not be executable (running as non-root)"
|
||||
fi
|
||||
else
|
||||
echo "⚠️ WARNING: react-router binary not found"
|
||||
echo "⚠️ WARNING: react-router binary not found (packages may not be installed yet)"
|
||||
fi
|
||||
fi
|
||||
else
|
||||
echo "⚠️ WARNING: .web/node_modules/.bin directory not found (packages may not be installed yet)"
|
||||
fi
|
||||
}
|
||||
|
||||
# Change to the directory containing rxconfig.py
|
||||
cd /app/peikarband
|
||||
|
||||
# If reflex run is being executed, ensure packages are installed first
|
||||
# This handles the case where .web directory doesn't exist from build time
|
||||
if [ "$1" = "run" ] && [ ! -d /app/peikarband/.web/node_modules ]; then
|
||||
echo "Initializing Reflex (installing packages)..."
|
||||
reflex init --loglevel info || true
|
||||
echo "Packages installed, fixing permissions..."
|
||||
fix_node_modules_permissions
|
||||
fi
|
||||
|
||||
# Fix permissions if node_modules already exists (from build time or init)
|
||||
fix_node_modules_permissions
|
||||
|
||||
# Run reflex with all passed arguments
|
||||
exec reflex "$@"
|
||||
|
||||
|
||||
@@ -50,10 +50,12 @@ podAnnotations:
|
||||
prometheus.io/port: "8000"
|
||||
prometheus.io/path: "/metrics"
|
||||
|
||||
# Running as root for now to avoid permission issues
|
||||
# TODO: Switch back to non-root user after permission issues are resolved
|
||||
podSecurityContext:
|
||||
runAsNonRoot: true
|
||||
runAsUser: 1000
|
||||
fsGroup: 1000
|
||||
runAsNonRoot: false
|
||||
runAsUser: 0
|
||||
fsGroup: 0
|
||||
|
||||
securityContext:
|
||||
allowPrivilegeEscalation: false
|
||||
|
||||
Reference in New Issue
Block a user