gortium/compose
1
1
Fork 0
Code Issues Pull Requests 18 Actions Packages Projects Releases Wiki Activity

fix: run container as root, patch nginx.conf to disable user directive
Some checks failed
Build Hermes agent / build (pull_request) Has been cancelled
Details
Build ollama (gfx906) / build (pull_request) Has been cancelled
Details

Browse Source
This commit is contained in:
Hermes
2026-05-23 01:21:14 -04:00
parent c85dbaf820
commit 352f9a9e78
1 changed files with 14 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
ai/honcho/Dockerfile
View File

@@ -40,9 +40,21 @@ RUN pnpm --filter @openconcho/web build
# runtime stage — nginx + Honcho FastAPI
FROM python:3.13-slim-bookworm
# Install nginx and create runtime dirs before dropping permissions
RUN apt-get update && apt-get install -y --no-install-recommends nginx && \
rm -rf /var/log/nginx/* && \
rm -rf /var/lib/apt/lists/*
rm -rf /var/lib/apt/lists/* && \
rm -f /etc/nginx/sites-enabled/default
# Patch nginx.conf: comment out "user www-data;" so nginx master stays as root
# (workers inherit root inside a container — fine for single-service isolation)
RUN sed -i 's/^user /# user /' /etc/nginx/nginx.conf
# Pre-create nginx runtime directories with proper ownership
RUN mkdir -p /var/lib/nginx/body /var/lib/nginx/proxy /var/lib/nginx/fastcgi \
/var/lib/nginx/uwsgi /var/lib/nginx/scgi /var/lib/nginx/proxy_temp \
/var/cache/nginx && \
chown -R root:root /var/lib/nginx /var/cache/nginx
# Honcho
COPY --from=honcho-builder /app /app
@@ -56,17 +68,7 @@ COPY --from=openconcho-builder /app/packages/web/dist /usr/share/nginx/html
# nginx config (proxies /v3/, /v2/ to Honcho on localhost:8000)
COPY honcho-nginx.conf /etc/nginx/conf.d/default.conf
RUN rm -f /etc/nginx/sites-enabled/default
RUN groupadd --system app && \
useradd --system --gid app --create-home app && \
chown -R app:app /app /usr/share/nginx/html && \
# nginx runtime dirs need to exist for non-root master? Actually master is root, just ensure /var/lib/nginx exists
mkdir -p /var/lib/nginx/body /var/lib/nginx/proxy /var/lib/nginx/fastcgi /var/lib/nginx/uwsgi /var/lib/nginx/scgi && \
chown -R root:root /var/lib/nginx && \
chmod 755 /var/lib/nginx
EXPOSE 80
# nginx runs as root (needed for port 80 + runtime dirs), Honcho runs as app user
CMD ["sh", "-c", "nginx && exec su -s /bin/sh app -c 'fastapi run --host 127.0.0.1 --port 8000 src/main.py'"]
CMD ["sh", "-c", "nginx -g 'daemon off;' & fastapi run --host 127.0.0.1 --port 8000 src/main.py"]