[PR #5136] [MERGED] fix: support OpenShift arbitrary UID/GID-0 in Docker image #5317

Closed
opened 2026-06-05 15:20:57 -04:00 by yindo · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/Mintplex-Labs/anything-llm/pull/5136
Author: @petre
Created: 3/4/2026
Status: Merged
Merged: 4/28/2026
Merged by: @timothycarambat

Base: masterHead: fix/docker-openshift-arbitrary-uid


📝 Commits (3)

  • 085785d fix: support OpenShift arbitrary UID/GID-0 in Docker image
  • 4ce38c9 Merge branch 'master' into fix/docker-openshift-arbitrary-uid
  • e286585 move to community

📊 Changes

3 files changed (+410 additions, -0 deletions)

View changed files

cloud-deployments/openshift/Dockerfile (+225 -0)
cloud-deployments/openshift/README.md (+146 -0)
cloud-deployments/openshift/docker-entrypoint.sh (+39 -0)

📄 Description

Pull Request Type

  • feat (New feature)
  • 🐛 fix (Bug fix)
  • ♻️ refactor (Code refactoring without changing behavior)
  • 💄 style (UI style changes)
  • 🔨 chore (Build, CI, maintenance)
  • 📝 docs (Documentation updates)

Relevant Issues

Description

The Docker image currently fails to run on OpenShift (and similar platforms that use the restricted SCC) because OpenShift assigns an arbitrary UID at runtime while forcing GID 0 (root group). The existing Dockerfile assumes the container will always run as the anythingllm user with a matching UID/GID, which causes permission errors on startup.

This PR makes the Docker image compatible with OpenShift's security model while preserving full backward compatibility with standard Docker and Docker Compose deployments.

Dockerfile changes:

  • Add anythingllm user to the root group (GID 0) as a supplementary group, so files are accessible via group ownership under OpenShift's arbitrary-UID model
  • Handle the ARG_GID=0 case explicitly to avoid conflicting with the existing root group
  • Set all /app files to anythingllm:0 ownership with group-writable (g+w) permissions
  • Set chmod g=u /etc/passwd so the entrypoint can inject a passwd entry for arbitrary UIDs
  • Create additional directories (/app/.cache, /app/.yarn, /app/server/storage) upfront to avoid runtime permission failures
  • Set ENV HOME=/app so tools like npm/yarn write to a writable location
  • Run a final chown -R + chmod -R g+w after all COPY and yarn install steps to cover node_modules and build artifacts
  • Apply changes to both the amd64 and arm64 build stages

Entrypoint changes (docker-entrypoint.sh):

  • Detect when the running UID has no /etc/passwd entry (OpenShift arbitrary UID scenario) and dynamically inject one, so that tools like npm, Prisma, and git work correctly
  • Export HOME=/app to ensure consistent behavior regardless of passwd state

Compatibility matrix:

Platform How access works
Docker / Docker Compose Via user ownership (UID match) — unchanged behavior
OpenShift (restricted SCC) Via group ownership (GID 0 + g+w)
Generic Kubernetes (with fsGroup) Via user ownership or fsGroup — unchanged behavior

Visuals (if applicable)

N/A — infrastructure-only change, no UI impact.

Additional Information

  • No changes to application code; only docker/Dockerfile and docker/docker-entrypoint.sh are modified.
  • Tested with ARG_UID=1000 / ARG_GID=1000 (default Docker), ARG_GID=0 (explicit root group), and OpenShift-style arbitrary UID with GID 0.

Developer Validations

  • I ran yarn lint from the root of the repo & committed changes
  • Relevant documentation has been updated (if applicable)
  • I have tested my code functionality
  • Docker build succeeds locally

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

## 📋 Pull Request Information **Original PR:** https://github.com/Mintplex-Labs/anything-llm/pull/5136 **Author:** [@petre](https://github.com/petre) **Created:** 3/4/2026 **Status:** ✅ Merged **Merged:** 4/28/2026 **Merged by:** [@timothycarambat](https://github.com/timothycarambat) **Base:** `master` ← **Head:** `fix/docker-openshift-arbitrary-uid` --- ### 📝 Commits (3) - [`085785d`](https://github.com/Mintplex-Labs/anything-llm/commit/085785dba8974453a7503902059fa3b84b2ab267) fix: support OpenShift arbitrary UID/GID-0 in Docker image - [`4ce38c9`](https://github.com/Mintplex-Labs/anything-llm/commit/4ce38c99287eb18d92438c16726de77a9aab6dce) Merge branch 'master' into fix/docker-openshift-arbitrary-uid - [`e286585`](https://github.com/Mintplex-Labs/anything-llm/commit/e286585e9fadf37216016127c6a148b8e77bdb15) move to community ### 📊 Changes **3 files changed** (+410 additions, -0 deletions) <details> <summary>View changed files</summary> ➕ `cloud-deployments/openshift/Dockerfile` (+225 -0) ➕ `cloud-deployments/openshift/README.md` (+146 -0) ➕ `cloud-deployments/openshift/docker-entrypoint.sh` (+39 -0) </details> ### 📄 Description ### Pull Request Type - [ ] ✨ feat (New feature) - [x] 🐛 fix (Bug fix) - [ ] ♻️ refactor (Code refactoring without changing behavior) - [ ] 💄 style (UI style changes) - [ ] 🔨 chore (Build, CI, maintenance) - [ ] 📝 docs (Documentation updates) ### Relevant Issues ### Description The Docker image currently fails to run on OpenShift (and similar platforms that use the restricted SCC) because OpenShift assigns an **arbitrary UID at runtime** while forcing **GID 0** (root group). The existing Dockerfile assumes the container will always run as the `anythingllm` user with a matching UID/GID, which causes permission errors on startup. This PR makes the Docker image compatible with OpenShift's security model while preserving full backward compatibility with standard Docker and Docker Compose deployments. **Dockerfile changes:** - Add `anythingllm` user to the root group (GID 0) as a supplementary group, so files are accessible via group ownership under OpenShift's arbitrary-UID model - Handle the `ARG_GID=0` case explicitly to avoid conflicting with the existing root group - Set all `/app` files to `anythingllm:0` ownership with group-writable (`g+w`) permissions - Set `chmod g=u /etc/passwd` so the entrypoint can inject a passwd entry for arbitrary UIDs - Create additional directories (`/app/.cache`, `/app/.yarn`, `/app/server/storage`) upfront to avoid runtime permission failures - Set `ENV HOME=/app` so tools like npm/yarn write to a writable location - Run a final `chown -R` + `chmod -R g+w` after all `COPY` and `yarn install` steps to cover `node_modules` and build artifacts - Apply changes to both the `amd64` and `arm64` build stages **Entrypoint changes (`docker-entrypoint.sh`):** - Detect when the running UID has no `/etc/passwd` entry (OpenShift arbitrary UID scenario) and dynamically inject one, so that tools like npm, Prisma, and git work correctly - Export `HOME=/app` to ensure consistent behavior regardless of passwd state **Compatibility matrix:** | Platform | How access works | |---|---| | Docker / Docker Compose | Via user ownership (UID match) — unchanged behavior | | OpenShift (restricted SCC) | Via group ownership (GID 0 + `g+w`) | | Generic Kubernetes (with `fsGroup`) | Via user ownership or `fsGroup` — unchanged behavior | ### Visuals (if applicable) N/A — infrastructure-only change, no UI impact. ### Additional Information - No changes to application code; only `docker/Dockerfile` and `docker/docker-entrypoint.sh` are modified. - Tested with `ARG_UID=1000 / ARG_GID=1000` (default Docker), `ARG_GID=0` (explicit root group), and OpenShift-style arbitrary UID with GID 0. ### Developer Validations - [ ] I ran `yarn lint` from the root of the repo & committed changes - [ ] Relevant documentation has been updated (if applicable) - [x] I have tested my code functionality - [x] Docker build succeeds locally --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>
yindo added the pull-request label 2026-06-05 15:20:57 -04:00
yindo closed this issue 2026-06-05 15:20:57 -04:00
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: Mintplex-Labs/anything-llm#5317