feat: change back user group to odoo #397
ivantodorovich
left a comment
Seems good
Pull request overview
This pull request changes the user group configuration for the odoo user from using the root group (GID=0) to using a dedicated odoo group (GID=999). This addresses a security concern identified in a previous AI review. The change also adds explicit group ownership settings for the virtual environment to ensure OpenShift compatibility.
Key changes:
- Changed default GID from 0 (root) to 999 (odoo group)
- Added explicit `groupadd` command to create the odoo group before user creation
- Added `chgrp -R root /odoo/.venv` to ensure virtual environment is accessible in OpenShift environments
Reviewed changes
Copilot reviewed 6 out of 6 changed files in this pull request and generated 12 comments.
| File | Description |
|---|---|
| 19.0/Dockerfile | Updated user/group creation from GID=0 to GID=999 with dedicated odoo group, added chgrp for .venv |
| 18.0/Dockerfile | Updated user/group creation from GID=0 to GID=999 with dedicated odoo group, added chgrp for .venv |
| 17.0/Dockerfile | Updated user/group creation from GID=0 to GID=999 with dedicated odoo group, added chgrp for .venv |
| 16.0/Dockerfile | Updated user/group creation from GID=0 to GID=999 with dedicated odoo group, added chgrp for .venv |
| 15.0/Dockerfile | Updated user/group creation from GID=0 to GID=999 with dedicated odoo group, added chgrp for .venv |
| 14.0/Dockerfile | Updated user/group creation from GID=0 to GID=999 with dedicated odoo group, added chgrp for .venv |
| && python3 -m venv /odoo/.venv --system-site-packages \ | ||
| && /odoo/.venv/bin/pip install -r /odoo/base_requirements.txt \ | ||
| && /odoo/.venv/bin/pip install -r /odoo/extra_requirements.txt" \ | ||
| && chgrp -R root /odoo/.venv \ |
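Review bot: the `chgrp -R root /odoo/.venv` line at the end of this hunk changes only the group owner, and nothing in these lines sets group mode bits, so whether a process running with an arbitrary UID and GID 0 can use the venv depends on whatever modes `python3 -m venv` and `pip install` left behind. If group access is the goal, pair it with an explicit mode, for example `chmod -R g=u /odoo/.venv`, or add a comment stating that group read and execute are relied on. Using the numeric `0` instead of the name `root` would also remove the dependency on the base image's group database.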
Copilot
AI
Jan 8, 2026
The install command on line 10 uses -o odoo to set the owner but doesn't explicitly set the group. After the change from GID=0 to GID=999, these directories will be owned by group odoo (GID 999) instead of root (GID 0). However, line 63 only changes the group of /odoo/.venv to root, leaving other directories (like /var/log/odoo, /odoo/src, /odoo/data, etc.) with group odoo. For OpenShift compatibility where containers run with arbitrary UIDs but GID 0, these directories should also have their group set to root to ensure proper access permissions.
This statement is wrong.
When install command is used without -g, it sets file group to process' current group (see install --help).
In this case build process is run as root with group root.
I've checked the resulting image, and can confirm that file/directory ownerships are correctly set.
Having group `0` as primary group for `odoo` user is not optimal.
It was reported by AI review here:

This change reverts to having container user `odoo` in its own group `odoo`. And it takes care to set file group appropriately for use-case involving Openshift,
Similar mechanism is in place when `DEV_MODE = 1`:
https://www.redhat.com/en/blog/a-guide-to-openshift-and-uids
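One way to repeat the ownership check mentioned in the reply above, as an added example that is not part of this pull request or the project's code: it lists paths that a process with an arbitrary UID and a given GID could not read, traverse or execute. The helper names `audit_group_access` and `make_sample_tree` and the sample tree are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not project code. audit_group_access and make_sample_tree
# are hypothetical helpers; the sample tree is constructed.

# List paths under DIR that a process with an arbitrary UID and group GID
# (0 on OpenShift) could not fully use.
# Usage: audit_group_access DIR [GID]
audit_group_access() {
    audit_dir=$1
    audit_gid=${2:-0}
    # An entry is reported when any of these holds:
    #   - its group is not GID
    #   - group read (040) is missing
    #   - it is a directory without group execute (010), so not traversable
    #   - it is a file the owner can execute (100) but the group cannot
    # Symlinks are skipped: their own mode bits play no part in access checks.
    find "$audit_dir" ! -type l \( \
        ! -group "$audit_gid" \
        -o ! -perm -040 \
        -o \( -type d ! -perm -010 \) \
        -o \( -type f -perm -100 ! -perm -010 \) \
    \) -print
}

# Build a constructed tree standing in for /odoo/.venv and print its path.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/venv/bin" "$root/venv/cache"
    : > "$root/venv/pyvenv.cfg"
    : > "$root/venv/bin/pip"
    : > "$root/venv/cache/data"
    chmod 755 "$root/venv" "$root/venv/bin"
    chmod 644 "$root/venv/pyvenv.cfg"
    chmod 744 "$root/venv/bin/pip"      # group can read but not execute
    chmod 740 "$root/venv/cache"        # group cannot traverse
    chmod 600 "$root/venv/cache/data"   # group cannot read
    printf '%s\n' "$root/venv"
}

# Demo: audit the sample tree against the group it was created with.
tree=$(make_sample_tree)
audit_group_access "$tree" "$(ls -ldn "$tree" | awk '{print $4}')"
rm -rf "${tree%/venv}"
```

Inside a container built from the image, the equivalent call is `audit_group_access /odoo/.venv 0`; empty output means every entry is group-owned by GID 0 and usable by that group.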