[TT-16950] fix: set nonroot ownership on application files#8021

Merged
buger merged 1 commit intorelease-5.12from
hotfix/fix-nonroot-permissions-release-5.12
Apr 15, 2026

Conversation

@buger (Member) commented Apr 15, 2026

$(gh pr view 8021 --repo TykTechnologies/tyk --json body -q .body)

Related Tickets

Add --chown=65532:65532 to COPY in Dockerfile.distroless.
Fixes permission denied when gateway writes to middleware/bundles.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@buger buger requested a review from a team as a code owner April 15, 2026 10:50
@github-actions (Contributor) commented:

🚨 Jira Linter Failed

Commit: 33d68c0
Failed at: 2026-04-15 10:51:36 UTC

The Jira linter failed to validate your PR. Please check the error details below:

failed to validate branch and PR title rules: branch name 'hotfix/fix-nonroot-permissions-release-5.12' must contain a valid Jira ticket ID (e.g., ABC-123)

Next Steps

  • Ensure your branch name contains a valid Jira ticket ID (e.g., ABC-123)
  • Verify your PR title matches the branch's Jira ticket ID
  • Check that the Jira ticket exists and is accessible

This comment will be automatically deleted once the linter passes.

probelabs Bot (Contributor) commented Apr 15, 2026

This pull request addresses a file permission issue in the distroless Docker image that occurs when running the container as a non-root user. It fixes a permission denied error that prevented the gateway from creating directories, specifically for middleware bundles.

The fix involves adding the --chown=65532:65532 flag to the COPY instruction in ci/Dockerfile.distroless. This ensures that the /opt/tyk-gateway directory and its contents are owned by the non-root user (UID 65532) defined in the base image, allowing the application to have the necessary write permissions at runtime.

Files Changed Analysis

  • ci/Dockerfile.distroless: A single-line modification to a COPY command to set file ownership.

Architecture & Impact Assessment

  • What this PR accomplishes: Enables the Tyk Gateway distroless Docker container to run securely as a non-root user, which is a critical security best practice, especially in container orchestration platforms like Kubernetes.
  • Key technical changes introduced: The use of the --chown flag in the Dockerfile to set the user and group ownership of the application files during the image build process.
  • Affected system components: The change is isolated to the build process of the distroless Docker image. It positively impacts the runtime environment for users of this image by resolving a critical permission bug without altering any application code.

Scope Discovery & Context Expansion

  • The change is highly localized to the distroless Docker image configuration. Its impact, however, is significant for users deploying Tyk in environments that enforce non-root execution policies.
  • The UID 65532 is a standard convention for the nonroot user in distroless base images, making this a robust fix.
  • No other parts of the application or other Docker build configurations are affected.
Metadata
  • Review Effort: 1 / 5
  • Primary Label: bug

Powered by Visor from Probelabs

Last updated: 2026-04-15T10:52:09.754Z | Triggered by: pr_opened | Commit: 33d68c0

💡 TIP: You can chat with Visor using /visor ask <your question>

probelabs Bot (Contributor) commented Apr 15, 2026

✅ Performance Check Passed

No performance issues found – changes LGTM.


Quality Issues (1)

Severity: 🟡 Warning
Location: ci/Dockerfile.distroless:17
Issue: The Dockerfile uses a hardcoded UID/GID `65532:65532`. This is a 'magic number' that reduces readability and maintainability. It is not immediately clear which user this corresponds to without prior knowledge (it's often 'nobody').
💡 Suggestion: To improve clarity and maintainability, define the UID and GID in `ARG` variables at the top of the Dockerfile and use these variables in the `COPY` instruction. This makes the configuration explicit and easier to manage. For example:
ARG NONROOT_UID=65532
ARG NONROOT_GID=65532

...

COPY --chown=${NONROOT_UID}:${NONROOT_GID} --from=deb /opt/tyk-gateway /opt/tyk-gateway

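An added example, not Tyk's or Visor's own tooling, that turns the point of this fix and of the reviewer's ARG suggestion into a check a CI job could run: a small POSIX shell lint that flags COPY/ADD instructions lacking --chown in a Dockerfile whose final USER is non-root. It runs against two constructed Dockerfiles (not the real ci/Dockerfile.distroless) that mirror the before and after of this PR; the base image name, the `deb` stage and the paths in them are assumptions.

```shell
#!/bin/sh
# Added example (not Tyk's or Visor's tooling): flag COPY/ADD lines that leave
# files root-owned in an image whose final USER is non-root, the root cause of
# the "permission denied" this PR fixes.
# check_copy_ownership FILE -> 0 if the image stays root or every COPY/ADD has
# --chown; 1 (and the offending lines printed) otherwise. Only USER lines in
# FILE count: a base image that already defaults to non-root (distroless
# ":nonroot" tags) is not resolved, so give such Dockerfiles an explicit USER.
check_copy_ownership() {
    file="$1"
    # The last USER directive determines the runtime user.
    user=$(grep -iE '^[[:space:]]*USER[[:space:]]' "$file" | tail -n 1 | awk '{print $2}')
    case "${user:-root}" in
        root|0|0:0|root:root) return 0 ;;
    esac
    bad=$(grep -nE '^[[:space:]]*(COPY|ADD)[[:space:]]' "$file" | grep -v -- '--chown=' || true)
    if [ -n "$bad" ]; then
        printf 'files copied without --chown while USER=%s:\n%s\n' "$user" "$bad"
        return 1
    fi
    return 0
}

# Constructed "before" Dockerfile (base image and paths are assumptions): files
# land as root:root, then the gateway runs as nonroot and cannot create
# middleware/bundles under /opt/tyk-gateway.
BEFORE_DF=$(mktemp)
cat > "$BEFORE_DF" <<'EOF'
FROM gcr.io/distroless/static-debian12:nonroot
COPY --from=deb /opt/tyk-gateway /opt/tyk-gateway
USER nonroot
ENTRYPOINT ["/opt/tyk-gateway/tyk"]
EOF

# Constructed "after" Dockerfile: the fix plus the reviewer's ARG suggestion.
# The ARGs sit after FROM because an ARG declared before FROM is visible only
# to FROM lines, not to later instructions.
AFTER_DF=$(mktemp)
cat > "$AFTER_DF" <<'EOF'
FROM gcr.io/distroless/static-debian12:nonroot
ARG NONROOT_UID=65532
ARG NONROOT_GID=65532
COPY --chown=${NONROOT_UID}:${NONROOT_GID} --from=deb /opt/tyk-gateway /opt/tyk-gateway
USER nonroot
ENTRYPOINT ["/opt/tyk-gateway/tyk"]
EOF

for f in "$BEFORE_DF" "$AFTER_DF"; do
    check_copy_ownership "$f" && echo "OK:   $f" || echo "FAIL: $f"
done
```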

@github-actions (Contributor) commented:

API Changes

no api changes detected

@probelabs probelabs Bot changed the title fix: set nonroot ownership on application files [TT-16950] fix: set nonroot ownership on application files Apr 15, 2026
@buger buger merged commit e75e88b into release-5.12 Apr 15, 2026
17 of 21 checks passed
@buger buger deleted the hotfix/fix-nonroot-permissions-release-5.12 branch April 15, 2026 10:58