From e1a3b77d677bb738fb62240fef120d0a995d2ea8 Mon Sep 17 00:00:00 2001
From: "Paul Gauthier (aider)"
Date: Thu, 9 Jan 2025 11:26:06 -0800
Subject: [PATCH] feat: add rootless container support with dedicated appuser
---
 docker/Dockerfile | 51 +++++++++++++++++++++++++++++------------------
 1 file changed, 32 insertions(+), 19 deletions(-)
diff --git a/docker/Dockerfile b/docker/Dockerfile
index 4cf7ceeb1..030f89d59 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -1,23 +1,26 @@
 FROM python:3.10-slim AS base
+# Install system dependencies
 RUN apt-get update && \
     apt-get install --no-install-recommends -y build-essential git libportaudio2 pandoc && \
     rm -rf /var/lib/apt/lists/*
+# Create app user with UID 1000
+RUN useradd -m -u 1000 -s /bin/bash appuser
+
 WORKDIR /app
+# Create virtual environment
 RUN python -m venv /venv
 ENV PATH="/venv/bin:$PATH"
-# https://playwright.dev/python/docs/browsers
-ENV PLAYWRIGHT_BROWSERS_PATH=/pw-browsers
+# Playwright browser settings
+ENV PLAYWRIGHT_BROWSERS_PATH=/home/appuser/pw-browsers
 ENV PLAYWRIGHT_SKIP_BROWSER_GC=1
-# Permission kludges to support `docker run --user xxx`
-RUN chmod a+rwx /venv /venv/bin /venv/include /venv/lib /venv/lib/python3.10/site-packages
-
-RUN mkdir /.aider /.cache /pw-browsers
-RUN chmod a+rwx /.aider /.cache /pw-browsers
+# Create directories with proper permissions
+RUN mkdir -p /home/appuser/.aider /home/appuser/.cache /home/appuser/pw-browsers && \
+    chown -R appuser:appuser /home/appuser /app /venv
 # So git doesn't complain about unusual permissions
 RUN git config --system --add safe.directory /app
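Review bot: `chown -R appuser:appuser /home/appuser /app /venv` hands the whole virtualenv to the runtime user, which is more than rootless operation needs: the directories `python -m venv` has already created (including site-packages) become writable by appuser, so a process running as that user can add modules or `.pth` files that later imports pick up, even though the packages pip installs in the later stages stay root-owned. Only the state directories under /home/appuser and the /app workdir need to belong to appuser; consider `chown -R appuser:appuser /home/appuser /app` and leaving /venv root-owned and world-readable, unless aider writes into the venv at runtime (a self-upgrade path, say), which is not visible in this hunk. Dropping the `docker run --user xxx` kludges also means an arbitrary `--user` no longer gets a writable `.aider`/`.cache`; if that mode is still meant to work it deserves a comment here, otherwise a note in the image docs that the image now expects UID 1000.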
@@ -27,14 +30,19 @@ FROM base AS aider-full
 ENV AIDER_DOCKER_IMAGE=paulgauthier/aider-full
-COPY . /tmp/aider
-RUN /venv/bin/python -m pip install --upgrade --no-cache-dir pip \
-    && /venv/bin/python -m pip install --no-cache-dir /tmp/aider[help,browser,playwright] \
-       --extra-index-url https://download.pytorch.org/whl/cpu \
-    && rm -rf /tmp/aider
+COPY --chown=appuser:appuser . /tmp/aider
+# Install dependencies as root
+RUN /venv/bin/python -m pip install --upgrade --no-cache-dir pip && \
+    /venv/bin/python -m pip install --no-cache-dir /tmp/aider[help,browser,playwright] \
+    --extra-index-url https://download.pytorch.org/whl/cpu && \
+    rm -rf /tmp/aider
+
+# Install playwright browsers
 RUN /venv/bin/python -m playwright install --with-deps chromium
-RUN find /venv/lib/python3.10/site-packages \( -type d -exec chmod a+rwx {} + \) -o \( -type f -exec chmod a+rw {} + \)
+
+# Switch to appuser
+USER appuser
 ENTRYPOINT ["/venv/bin/aider"]
@@ -43,13 +51,18 @@ FROM base AS aider
 ENV AIDER_DOCKER_IMAGE=paulgauthier/aider
-COPY . /tmp/aider
-RUN /venv/bin/python -m pip install --upgrade --no-cache-dir pip \
-    && /venv/bin/python -m pip install --no-cache-dir /tmp/aider[playwright] \
-       --extra-index-url https://download.pytorch.org/whl/cpu \
-    && rm -rf /tmp/aider
+COPY --chown=appuser:appuser . /tmp/aider
+# Install dependencies as root
+RUN /venv/bin/python -m pip install --upgrade --no-cache-dir pip && \
+    /venv/bin/python -m pip install --no-cache-dir /tmp/aider[playwright] \
+    --extra-index-url https://download.pytorch.org/whl/cpu && \
+    rm -rf /tmp/aider
+
+# Install playwright browsers
 RUN /venv/bin/python -m playwright install --with-deps chromium
-RUN find /venv/lib/python3.10/site-packages \( -type d -exec chmod a+rwx {} + \) -o \( -type f -exec chmod a+rw {} + \)
+
+# Switch to appuser
+USER appuser
 ENTRYPOINT ["/venv/bin/aider"]
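Review bot: `COPY --chown=appuser:appuser . /tmp/aider` has no effect on the final image: the copy is consumed by pip running as root and `/tmp/aider` is removed in the same `RUN`, so the `--chown` only contradicts the `# Install dependencies as root` comment that follows it; plain `COPY . /tmp/aider` is sufficient. The same applies to the identical hunk in the `aider` stage below. Separately, `USER appuser` is name-based; runtimes that enforce a non-root policy from image metadata (Kubernetes `runAsNonRoot`, for one) cannot verify a named user and reject the pod, so `USER 1000:1000`, matching the `useradd -u 1000` in the base stage, is the more portable form and HOME is still resolved from /etc/passwd. Note also that `playwright install --with-deps chromium` runs as root before the `USER` switch, so the browser files under /home/appuser/pw-browsers end up root-owned despite the earlier `chown -R`; that is fine for least privilege, but a one-line comment saying it is intentional would save the next reader from "fixing" it.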