diff --git a/api/Dockerfile b/api/Dockerfile index 5bfc2f4463..02df91bfc1 100644 --- a/api/Dockerfile +++ b/api/Dockerfile @@ -48,6 +48,12 @@ ENV PYTHONIOENCODING=utf-8 WORKDIR /app/api +# Create non-root user +ARG dify_uid=1001 +RUN groupadd -r -g ${dify_uid} dify && \ + useradd -r -u ${dify_uid} -g ${dify_uid} -s /bin/bash dify && \ + chown -R dify:dify /app + RUN \ apt-get update \ # Install dependencies @@ -69,7 +75,7 @@ RUN \ # Copy Python environment and packages ENV VIRTUAL_ENV=/app/api/.venv -COPY --from=packages ${VIRTUAL_ENV} ${VIRTUAL_ENV} +COPY --from=packages --chown=dify:dify ${VIRTUAL_ENV} ${VIRTUAL_ENV} ENV PATH="${VIRTUAL_ENV}/bin:${PATH}" # Download nltk data @@ -78,24 +84,20 @@ RUN mkdir -p /usr/local/share/nltk_data && NLTK_DATA=/usr/local/share/nltk_data ENV TIKTOKEN_CACHE_DIR=/app/api/.tiktoken_cache -RUN python -c "import tiktoken; tiktoken.encoding_for_model('gpt2')" +RUN python -c "import tiktoken; tiktoken.encoding_for_model('gpt2')" \ + && chown -R dify:dify ${TIKTOKEN_CACHE_DIR} # Copy source code -COPY . /app/api/ +COPY --chown=dify:dify . /app/api/ -# Copy entrypoint -COPY docker/entrypoint.sh /entrypoint.sh -RUN chmod +x /entrypoint.sh +# Prepare entrypoint script +COPY --chown=dify:dify --chmod=755 docker/entrypoint.sh /entrypoint.sh -# Create non-root user and set permissions -RUN groupadd -r -g 1001 dify && \ - useradd -r -u 1001 -g 1001 -s /bin/bash dify && \ - mkdir -p /home/dify && \ - chown -R 1001:1001 /app /home/dify ${TIKTOKEN_CACHE_DIR} /entrypoint.sh ARG COMMIT_SHA ENV COMMIT_SHA=${COMMIT_SHA} ENV NLTK_DATA=/usr/local/share/nltk_data -USER 1001 + +USER dify ENTRYPOINT ["/bin/bash", "/entrypoint.sh"] diff --git a/web/Dockerfile b/web/Dockerfile index 317a7f9c5b..f24e9f2fc3 100644 --- a/web/Dockerfile +++ b/web/Dockerfile @@ -12,7 +12,7 @@ RUN apk add --no-cache tzdata RUN corepack enable ENV PNPM_HOME="/pnpm" ENV PATH="$PNPM_HOME:$PATH" -ENV NEXT_PUBLIC_BASE_PATH= +ENV NEXT_PUBLIC_BASE_PATH="" # install packages @@ -20,8 +20,7 @@ FROM base AS packages WORKDIR /app/web -COPY package.json . -COPY pnpm-lock.yaml . +COPY package.json pnpm-lock.yaml /app/web/ # Use packageManager from package.json RUN corepack install @@ -57,24 +56,30 @@ ENV TZ=UTC RUN ln -s /usr/share/zoneinfo/${TZ} /etc/localtime \ && echo ${TZ} > /etc/timezone +# global runtime packages +RUN pnpm add -g pm2 + + +# Create non-root user +ARG dify_uid=1001 +RUN addgroup -S -g ${dify_uid} dify && \ + adduser -S -u ${dify_uid} -G dify -s /bin/ash -h /home/dify dify && \ + mkdir /app && \ + mkdir /.pm2 && \ + chown -R dify:dify /app /.pm2 + WORKDIR /app/web -COPY --from=builder /app/web/public ./public -COPY --from=builder /app/web/.next/standalone ./ -COPY --from=builder /app/web/.next/static ./.next/static -COPY docker/entrypoint.sh ./entrypoint.sh +COPY --from=builder --chown=dify:dify /app/web/public ./public +COPY --from=builder --chown=dify:dify /app/web/.next/standalone ./ +COPY --from=builder --chown=dify:dify /app/web/.next/static ./.next/static - -# global runtime packages -RUN pnpm add -g pm2 \ - && mkdir /.pm2 \ - && chown -R 1001:0 /.pm2 /app/web \ - && chmod -R g=u /.pm2 /app/web +COPY --chown=dify:dify --chmod=755 docker/entrypoint.sh ./entrypoint.sh ARG COMMIT_SHA ENV COMMIT_SHA=${COMMIT_SHA} -USER 1001 +USER dify EXPOSE 3000 ENTRYPOINT ["/bin/sh", "./entrypoint.sh"]