Security guidelines would suggest running the containers without root privilege. However, both opea/chatqna-ui and opea/chatqna-conversation-ui require root privilege to run. It brings potential risk to the system when the UI is running as a pod within Kubernetes, such as privilege escalation, container escape, etc.
When running the opea/chatqna-ui image as a non-root user, it fails with the following logs:
failed to load config from /home/user/svelte/vite.config.ts
error when starting preview server:
Error: EACCES: permission denied, open '/home/user/svelte/vite.config.ts.timestamp-1741934587046-d9551c9aabbc1.mjs'
When running the opea/chatqna-conversation-ui image as a non-root user, it fails with the following logs:
/docker-entrypoint.sh: /docker-entrypoint.d/ is not empty, will attempt to perform configuration
/docker-entrypoint.sh: Looking for shell scripts in /docker-entrypoint.d/
/docker-entrypoint.sh: Launching /docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
10-listen-on-ipv6-by-default.sh: info: Getting the checksum of /etc/nginx/conf.d/default.conf
10-listen-on-ipv6-by-default.sh: info: /etc/nginx/conf.d/default.conf differs from the packaged version
/docker-entrypoint.sh: Sourcing /docker-entrypoint.d/15-local-resolvers.envsh
/docker-entrypoint.sh: Launching /docker-entrypoint.d/20-envsubst-on-templates.sh
/docker-entrypoint.sh: Launching /docker-entrypoint.d/30-tune-worker-processes.sh
/docker-entrypoint.sh: Launching /docker-entrypoint.d/env.sh
APP_DATA_PREP_GET_FILE_URL=/v1/dataprep/get
sed: can't create temp file '/usr/share/nginx/html/assets/index-CMyKwVIa.cssXXXXXX': Permission denied
APP_DATA_PREP_SERVICE_URL=/v1/dataprep/ingest
sed: can't create temp file '/usr/share/nginx/html/assets/index-CMyKwVIa.cssXXXXXX': Permission denied
APP_BACKEND_SERVICE_ENDPOINT=/v1/chatqna
sed: can't create temp file '/usr/share/nginx/html/assets/index-CMyKwVIa.cssXXXXXX': Permission denied
APP_DATA_PREP_DELETE_FILE_URL=/v1/dataprep/delete
sed: can't create temp file '/usr/share/nginx/html/assets/index-CMyKwVIa.cssXXXXXX': Permission denied
This is not limited to chatqna-ui only, but is common for most of the Svelte and React UIs in GenAIExamples.
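Both failures in the logs above are write permissions on paths that the image leaves owned by root: the nginx entrypoint rewrites the built assets in place with `sed -i`, which needs to create a temp file in /usr/share/nginx/html/assets, and vite preview writes a bundled copy of vite.config.ts next to it in /home/user/svelte. The following Dockerfile fragment is an added example of how a final image stage can be made non-root friendly; it is not the project's Dockerfile. The base image tag, the `dist/` build output path, the `nginx.conf` file name and the use of uid 101 (the `nginx` user of the official nginx image) are assumptions.

```dockerfile
# Added example, not the project's Dockerfile: a final stage for an
# nginx-served UI such as opea/chatqna-conversation-ui that runs as non-root.
# Base image tag and build output path are assumptions.
FROM nginx:1.27-alpine

# Built UI from the build context and the site config (paths assumed).
COPY dist/ /usr/share/nginx/html/
COPY nginx.conf /etc/nginx/conf.d/default.conf

# The entrypoint's env.sh step runs `sed -i` on the assets, which creates a
# temp file in the assets directory ("can't create temp file ... Permission
# denied" when not root). The other entrypoint scripts may rewrite
# /etc/nginx/conf.d, and nginx itself writes its pid file and cache dirs.
# Hand all of these to the runtime user instead of leaving them root-owned.
RUN chown -R nginx:nginx /usr/share/nginx/html /etc/nginx/conf.d \
        /var/cache/nginx /var/log/nginx \
 && sed -i 's,/var/run/nginx.pid,/tmp/nginx.pid,' /etc/nginx/nginx.conf

# An unprivileged user cannot bind ports below 1024, so the copied
# default.conf must `listen 8080;` (or another port above 1024).
EXPOSE 8080

# Numeric uid so Kubernetes `runAsNonRoot: true` can verify it without
# resolving /etc/passwd inside the image. 101 is the nginx user in the
# official image (assumption about the base image).
USER 101
```

The Svelte/vite image needs the equivalent change: `chown -R` the /home/user/svelte directory to the runtime user before the `USER` instruction, so vite can create the `vite.config.ts.timestamp-*.mjs` file shown in the first error. Once the images set a non-root `USER`, a pod-level `securityContext` with `runAsNonRoot: true` and `allowPrivilegeEscalation: false` can be enforced; with the current images the kubelet refuses to start a container whose image would run as uid 0, which is also the quickest way to confirm which UIs in GenAIExamples are still affected.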