59 changes: 40 additions & 19 deletions Dockerfile
@@ -1,57 +1,79 @@
FROM node:18-alpine AS base

# Install dependencies only when needed
FROM base AS deps

RUN apk add --no-cache libc6-compat

WORKDIR /app

COPY package.json yarn.lock ./
# Copy package files
COPY package.json yarn.lock* ./

RUN yarn config set registry 'https://registry.npmmirror.com/'
RUN yarn install
# Configure yarn and install dependencies
RUN yarn config set registry 'https://registry.npmmirror.com/' && \
yarn install --frozen-lockfile

# Rebuild the source code only when needed
FROM base AS builder

RUN apk update && apk add --no-cache git

ENV OPENAI_API_KEY=""
ENV GOOGLE_API_KEY=""
ENV CODE=""

WORKDIR /app

# Copy node_modules from deps stage
COPY --from=deps /app/node_modules ./node_modules
COPY . .

# Set build-time environment variables
ENV NEXT_TELEMETRY_DISABLED 1
ENV NODE_ENV production

# Build the application
RUN yarn build

# Production image, copy all the files and run next
FROM base AS runner
WORKDIR /app

RUN apk add proxychains-ng
# Install proxychains for proxy support
RUN apk add --no-cache proxychains-ng

# Set runtime environment
ENV NODE_ENV production
ENV NEXT_TELEMETRY_DISABLED 1

# Environment variables (will be overridden at runtime)
ENV PROXY_URL=""
ENV OPENAI_API_KEY=""
ENV GOOGLE_API_KEY=""
ENV CODE=""
ENV ENABLE_MCP=""

# Create a non-root user
RUN addgroup --system --gid 1001 nodejs && \
adduser --system --uid 1001 nextjs

# Copy built application
COPY --from=builder /app/public ./public
COPY --from=builder /app/.next/standalone ./
COPY --from=builder /app/.next/static ./.next/static
COPY --from=builder /app/.next/server ./.next/server
COPY --from=builder --chown=nextjs:nodejs /app/.next/standalone ./
COPY --from=builder --chown=nextjs:nodejs /app/.next/static ./.next/static
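Review bot: `COPY package.json yarn.lock* ./` makes the lockfile optional, yet `yarn install --frozen-lockfile` is the only thing tying the install to pinned versions and integrity hashes, and the registry is switched to the third-party mirror `registry.npmmirror.com` just before it; a build without a committed yarn.lock would resolve every dependency fresh from that mirror with nothing to check the tarballs against. Drop the glob (`COPY package.json yarn.lock ./`) so a missing lockfile fails the build instead. Two related points in the builder stage: `COPY . .` pulls the whole build context into the image, so a .dockerignore should exclude .env, .git and node_modules; and `ENV OPENAI_API_KEY=""` / `ENV GOOGLE_API_KEY=""` / `ENV CODE=""` are fine as empty defaults but must never be given real values here, because ENV is baked into the image config and shows up in `docker history` and `docker inspect`.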
Comment on lines 54 to +56
πŸ› οΈ Refactor suggestion

Mixed ownership: /app/public remains root-owned

The .next artifacts are correctly --chowned, but public/ is copied without ownership override. Running as the nextjs user may fail if the app needs to write (e.g. logs, uploads) inside public.

-COPY --from=builder /app/public ./public
+COPY --from=builder --chown=nextjs:nodejs /app/public ./public
🤖 Prompt for AI Agents
In Dockerfile lines 54 to 56, the COPY command for /app/public does not specify
ownership, leaving it root-owned, while the .next artifacts are copied with
--chown=nextjs:nodejs. To fix this, add --chown=nextjs:nodejs to the COPY
command for /app/public to ensure consistent ownership and prevent permission
issues when the app runs as the nextjs user.


RUN mkdir -p /app/app/mcp && chmod 777 /app/app/mcp
# Create and set up MCP directory
RUN mkdir -p /app/app/mcp && \
chmod 777 /app/app/mcp
Comment on lines +59 to +60
⚠️ Potential issue

chmod 777 opens a security hole

World-writable permissions on /app/app/mcp allow any process (including a breakout) full control. Limit access to the application user.

-RUN mkdir -p /app/app/mcp && \
-    chmod 777 /app/app/mcp
+RUN install -d -o nextjs -g nodejs -m 775 /app/app/mcp
🤖 Prompt for AI Agents
In Dockerfile lines 59 to 60, the directory /app/app/mcp is given world-writable
permissions with chmod 777, which is a security risk. Change the permissions to
restrict access only to the application user by setting more restrictive
permissions such as 755 or 700, depending on the needed access, and ensure the
directory ownership is assigned to the application user instead of allowing all
users full control.

COPY --from=builder /app/app/mcp/mcp_config.default.json /app/app/mcp/mcp_config.json

# Switch to non-root user
USER nextjs

EXPOSE 3000

ENV PORT 3000
ENV HOSTNAME "0.0.0.0"

# Start the application
CMD if [ -n "$PROXY_URL" ]; then \
export HOSTNAME="0.0.0.0"; \
protocol=$(echo $PROXY_URL | cut -d: -f1); \
host=$(echo $PROXY_URL | cut -d/ -f3 | cut -d: -f1); \
port=$(echo $PROXY_URL | cut -d: -f3); \
conf=/etc/proxychains.conf; \
conf=/tmp/proxychains.conf; \
echo "strict_chain" > $conf; \
echo "proxy_dns" >> $conf; \
echo "remote_dns_subnet 224" >> $conf; \
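Review bot: the PROXY_URL parsing with `cut` (`protocol=$(echo $PROXY_URL | cut -d: -f1)`, `host=$(echo $PROXY_URL | cut -d/ -f3 | cut -d: -f1)`, `port=$(echo $PROXY_URL | cut -d: -f3)`) only works for the exact shape `scheme://host:port`: a URL without an explicit port leaves `port` empty, a trailing path leaves it as `8080/...`, and embedded credentials (`user:pass@host:port`) put `user` into `host` and `pass@host` into `port`, so the ProxyList entry written later is malformed and proxychains fails at container start rather than at build time. Validate the three values before touching `$conf`, e.g. `case "$port" in ''|*[!0-9]*) echo "bad PROXY_URL: $PROXY_URL" >&2; exit 1;; esac`, and quote `"$PROXY_URL"` in the echos. Two smaller points: `export HOSTNAME="0.0.0.0"` inside the CMD duplicates `ENV HOSTNAME "0.0.0.0"` two lines above it, and `mcp_config.json` is copied without `--chown`, so it stays root-owned inside the directory the `chmod 777` above was meant to make writable; add `--chown=nextjs:nodejs` if the application is expected to rewrite it. Moving the generated config from `/etc/proxychains.conf` to `/tmp/proxychains.conf` is correct, since CMD now runs after `USER nextjs` and that user cannot write `/etc`.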
@@ -61,7 +83,6 @@ CMD if [ -n "$PROXY_URL" ]; then \
echo "localnet ::1/128" >> $conf; \
echo "[ProxyList]" >> $conf; \
echo "$protocol $host $port" >> $conf; \
cat /etc/proxychains.conf; \
proxychains -f $conf node server.js; \
else \
node server.js; \
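Review bot: removing `cat /etc/proxychains.conf` is right (it dumped the proxy configuration into the container logs, and after the move to `/tmp` it would have printed the wrong file anyway), but the file that replaces it is still created by the first `echo "strict_chain" > $conf` under the shell's default umask, so the ProxyList line `echo "$protocol $host $port" >> $conf`, which carries whatever was parsed out of PROXY_URL, ends up readable by every user in the container. Set `umask 077` before the first redirection so `/tmp/proxychains.conf` is private to the nextjs user that runs `proxychains -f $conf node server.js`.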