fix: make Docker images backward compatible with runAsUser: 1000 #8103
buger wants to merge 1 commit into release-5.12 from
- Remove --chown=65532:65532 from COPY for non-FIPS builds
- Add chmod -R a+rX so files are world-readable regardless of uid
- FIPS/DHI builds pass NONROOT_CHOWN=true for proper nonroot ownership

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This pull request adjusts the Docker image build process to restore backward compatibility for deployments using
Files Changed Analysis
Architecture & Impact Assessment
graph TD
subgraph Docker Build Process
A[Start Build] --> B{Is it a FIPS build?};
B -- Yes --> C[Set NONROOT_CHOWN=true];
B -- No --> D[Use default NONROOT_CHOWN=false];
C & D --> E[Build Stage 1: Install .deb];
E --> F["Make files world-readable (chmod a+rX)"];
F --> G{NONROOT_CHOWN is true?};
G -- Yes --> H["Change ownership to 65532 (chown)"];
G -- No --> I["Keep default (root) ownership"];
H & I --> J[Build Stage 2: Final Image];
J --> K[COPY files from Stage 1];
end
subgraph Runtime
K --> L[Standard Image: Compatible with runAsUser 1000 & 65532];
K --> M[FIPS Image: Enforces runAsUser 65532];
end
Scope Discovery & Context Expansion
The changes are narrowly focused on the Docker build configuration and the CI workflow that triggers it. The impact, however, is external, affecting users' deployment configurations. This PR addresses a regression where a previous security enhancement (enforcing a non-root user) inadvertently broke compatibility for existing users. By making the user enforcement conditional, it provides a path for both security and backward compatibility. No other parts of the application code are affected.
Metadata
Powered by Visor from Probelabs Last updated: 2026-04-20T16:51:59.715Z | Triggered by: pr_opened | Commit: b696949
✅ Architecture Check Passed
No architecture issues found – changes LGTM.

Performance Issues (1)
✅ Quality Check Passed
No quality issues found – changes LGTM.
Powered by Visor from Probelabs Last updated: 2026-04-20T16:51:26.360Z | Triggered by: pr_opened | Commit: b696949

API Changes
no api changes detected
Summary
- --chown=65532:65532 from non-FIPS Dockerfile builds to restore backward compatibility with helm charts using runAsUser: 1000
- chmod -R a+rX
- NONROOT_CHOWN build arg

Test plan
- runAsUser: 1000 (old helm default)
- runAsUser: 65532

🤖 Generated with Claude Code
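
The permission step named in the commit message (chmod -R a+rX), as an added example that is not part of the PR or the project's build files: it audits a staged file tree for paths that a uid matching neither owner nor group (such as runAsUser: 1000 on root-owned files) could not read, applies the chmod, and shows that the capital X adds execute only to directories and to files that already had an execute bit. The function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the PR. Function names and the sample tree
# are constructed for illustration.

# List paths under $1 that a uid matching neither owner nor group could not
# use: directories missing other r-x, regular files missing other r.
unreadable_paths() {
    find "$1" \( -type d ! -perm -005 \) -o \( -type f ! -perm -004 \)
}

# Apply the permission step from the commit message, then count what is left.
fix_and_count() {
    chmod -R a+rX "$1"
    unreadable_paths "$1" | wc -l | tr -d ' '
}

# Octal mode of a path (GNU stat first, BSD stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Constructed tree standing in for files installed in the first build stage.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/opt/app/templates"
    printf 'key = value\n' > "$root/opt/app/app.conf"
    printf '#!/bin/sh\n' > "$root/opt/app/run"
    printf 'tpl\n' > "$root/opt/app/templates/a.tpl"
    chmod 755 "$root" "$root/opt" "$root/opt/app"
    chmod 600 "$root/opt/app/app.conf"       # owner-only config file
    chmod 700 "$root/opt/app/run"            # owner-only executable
    chmod 700 "$root/opt/app/templates"      # owner-only directory
    chmod 644 "$root/opt/app/templates/a.tpl"
    echo "$root"
}

# Demo: findings before the fix, then the remaining count and resulting modes.
tree=$(make_sample_tree)
unreadable_paths "$tree"
echo "remaining: $(fix_and_count "$tree")"
echo "app.conf=$(mode_of "$tree/opt/app/app.conf") run=$(mode_of "$tree/opt/app/run")"
rm -rf "$tree"
```

On a tree that holds credentials or private keys, a+rX exposes them to every uid in the container, so scope the chmod to the paths the service needs to read.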