Skip to content

fix: Factory reset results in a Backend start-up error: "Permission denied"#1097

Merged
mpawlow merged 3 commits into
mainfrom
mp/fix/GH-915-factory-reset-backend-permission-denied
Mar 14, 2026
Merged

fix: Factory reset results in a Backend start-up error: "Permission denied"#1097
mpawlow merged 3 commits into
mainfrom
mp/fix/GH-915-factory-reset-backend-permission-denied

Conversation

@mpawlow

@mpawlow mpawlow commented Mar 11, 2026

Copy link
Copy Markdown
Collaborator

Issue

Summary

  • Hardened Docker containers to run as non-root users
  • Eliminated per-target RSA key logic and ran backend as host user to fix permission errors
  • Updated the Makefile to pre-create host-owned directories before Docker starts and to fall back to a containerized rm when host-user permissions block deletion during factory reset.

Security: Non-Root User Configuration

  • Created a dedicated openrag group (GID 103000) and user (UID 103000) in Dockerfile.backend to replace the default root runtime user
  • Switched the backend runtime stage to USER openrag before exposing the port and launching the application
  • Used COPY --chown=openrag:openrag to set file ownership at copy time, avoiding a costly chown -R layer

Security: Frontend Container Hardening

  • Switched Dockerfile.frontend to use the Node image's built-in non-root node user before creating the working directory
  • Applied --chown=node:node to all COPY instructions to ensure the node user owns the application files

Security: Langflow Dev Container Hardening

  • Created a dedicated langflow group (GID 103000) and user (UID 103000) in Dockerfile.langflow.dev
  • Consolidated uv installation into the existing apt-get RUN layer to reduce image layers
  • Moved USER langflow and WORKDIR /app to after the user creation step so the working directory is owned by the non-root user

Makefile Refactoring

  • Extracted the RSA key generation and permission-fixing logic into a dedicated ensure-rsa-keys target, eliminating duplication across test-ci and test-ci-local.
  • Added ensure-rsa-keys as a prerequisite to dev-local, dev-local-cpu, dev-local-build-lf, dev-local-build-lf-cpu, test-ci, and test-ci-local so keys are always present before any stack or test run.
  • Exported OPENRAG_UID and OPENRAG_GID (derived from id -u / id -g) so docker-compose can run the backend as the host user, keeping keys/ and config/ ownership consistent.

Docker Compose

  • Added user: "${OPENRAG_UID:-103000}:${OPENRAG_GID:-103000}" to the openrag-backend service so the container process runs as the host user rather than root, preventing "Permission denied" errors on host-mounted files.

Directory Ownership: Pre-create config and keys Before Docker

  • Added ensure-config-dir target that creates the config directory if absent, ensuring it is owned by the host user rather than root (which Docker would otherwise assign).
  • Added directory existence check inside ensure-rsa-keys to create the keys directory if absent for the same reason.
  • Registered ensure-config-dir as a .PHONY target.
  • Added ensure-config-dir as a prerequisite to dev-local, dev-local-cpu, dev-local-build-lf, and dev-local-build-lf-cpu.

Factory Reset: Handle Root-Owned Files via Container Fallback

  • Updated factory-reset to fall back to a Docker Alpine container (rm -rf /data/config) when rm -rf config fails due to permission denied on root-owned files.
  • Updated factory-reset to similarly fall back to a Docker Alpine container for removing root-owned JWT key files (private_key.pem, public_key.pem).

@mpawlow mpawlow self-assigned this Mar 11, 2026
@github-actions github-actions Bot added docker bug 🔴 Something isn't working. and removed bug 🔴 Something isn't working. labels Mar 11, 2026

@lucaseduoli lucaseduoli left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM! Needed for some E2E tests, so let's merge it when possible!

@github-actions github-actions Bot added the lgtm label Mar 13, 2026
@mpawlow mpawlow force-pushed the mp/fix/GH-915-factory-reset-backend-permission-denied branch from cde9cfd to 0a2625c Compare March 13, 2026 20:41
@github-actions github-actions Bot added bug 🔴 Something isn't working. and removed bug 🔴 Something isn't working. labels Mar 13, 2026
@mpawlow mpawlow force-pushed the mp/fix/GH-915-factory-reset-backend-permission-denied branch from f7d0cba to e91b81b Compare March 13, 2026 23:40
@github-actions github-actions Bot added bug 🔴 Something isn't working. and removed bug 🔴 Something isn't working. labels Mar 13, 2026
mpawlow added 3 commits March 13, 2026 17:06
…enied"

Issue

- 915

Summary

- Hardened Docker containers to run as non-root users

Security: Non-Root User Configuration

- Created a dedicated openrag group (GID 103000) and user (UID 103000) in Dockerfile.backend to replace the default root runtime user
- Switched the backend runtime stage to USER openrag before exposing the port and launching the application
- Used COPY --chown=openrag:openrag to set file ownership at copy time, avoiding a costly chown -R layer

Security: Frontend Container Hardening

- Switched Dockerfile.frontend to use the Node image's built-in non-root node user before creating the working directory
- Applied --chown=node:node to all COPY instructions to ensure the node user owns the application files

Security: Langflow Dev Container Hardening

- Created a dedicated langflow group (GID 103000) and user (UID 103000) in Dockerfile.langflow.dev
- Consolidated uv installation into the existing apt-get RUN layer to reduce image layers
- Moved USER langflow and WORKDIR /app to after the user creation step so the working directory is owned by the non-root user
…enied"

Issue

- #915

Summary

- Eliminated per-target RSA key logic and ran backend as host user to fix permission errors

Makefile Refactoring

- Extracted the RSA key generation and permission-fixing logic into a dedicated ensure-rsa-keys target, eliminating duplication across test-ci and test-ci-local.
- Added ensure-rsa-keys as a prerequisite to dev-local, dev-local-cpu, dev-local-build-lf, dev-local-build-lf-cpu, test-ci, and test-ci-local so keys are always present before any stack or test run.
- Exported OPENRAG_UID and OPENRAG_GID (derived from id -u / id -g) so docker-compose can run the backend as the host user, keeping keys/ and config/ ownership consistent.

Docker Compose

- Added user: "${OPENRAG_UID:-103000}:${OPENRAG_GID:-103000}" to the openrag-backend service so the container process runs as the host user rather than root, preventing "Permission denied" errors on host-mounted files.
…enied"

Issue

- #915

Summary:

- Updated the Makefile to pre-create host-owned directories before Docker starts and to fall back to a containerized rm when host-user permissions block deletion during factory reset.

Directory Ownership: Pre-create config and keys Before Docker

- Added ensure-config-dir target that creates the config directory if absent, ensuring it is owned by the host user rather than root (which Docker would otherwise assign).
- Added directory existence check inside ensure-rsa-keys to create the keys directory if absent for the same reason.
- Registered ensure-config-dir as a .PHONY target.
- Added ensure-config-dir as a prerequisite to dev-local, dev-local-cpu, dev-local-build-lf, and dev-local-build-lf-cpu.

Factory Reset: Handle Root-Owned Files via Container Fallback

- Updated factory-reset to fall back to a Docker Alpine container (rm -rf /data/config) when rm -rf config fails due to permission denied on root-owned files.
- Updated factory-reset to similarly fall back to a Docker Alpine container for removing root-owned JWT key files (private_key.pem, public_key.pem).
@mpawlow mpawlow force-pushed the mp/fix/GH-915-factory-reset-backend-permission-denied branch from e91b81b to 7d8460a Compare March 14, 2026 00:07
@github-actions github-actions Bot added bug 🔴 Something isn't working. and removed bug 🔴 Something isn't working. labels Mar 14, 2026
@mpawlow mpawlow merged commit 75525b2 into main Mar 14, 2026
8 checks passed
@github-actions github-actions Bot deleted the mp/fix/GH-915-factory-reset-backend-permission-denied branch March 14, 2026 00:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

bug 🔴 Something isn't working. docker lgtm

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[Bug]: Factory reset results in a Backend start-up error: "Permission denied: 'keys/private_key.pem'" and OpenRAG in a broken state

2 participants