fix: Factory reset results in a Backend start-up error: "Permission denied"#1097
Merged
mpawlow merged 3 commits intoMar 14, 2026
Merged
Conversation
lucaseduoli
approved these changes
Mar 13, 2026
lucaseduoli
left a comment
Collaborator
There was a problem hiding this comment.
LGTM! Needed for some E2E tests, so let's merge it when possible!
cde9cfd to
0a2625c
Compare
f7d0cba to
e91b81b
Compare
…enied" Issue - 915 Summary - Hardened Docker containers to run as non-root users Security: Non-Root User Configuration - Created a dedicated openrag group (GID 103000) and user (UID 103000) in Dockerfile.backend to replace the default root runtime user - Switched the backend runtime stage to USER openrag before exposing the port and launching the application - Used COPY --chown=openrag:openrag to set file ownership at copy time, avoiding a costly chown -R layer Security: Frontend Container Hardening - Switched Dockerfile.frontend to use the Node image's built-in non-root node user before creating the working directory - Applied --chown=node:node to all COPY instructions to ensure the node user owns the application files Security: Langflow Dev Container Hardening - Created a dedicated langflow group (GID 103000) and user (UID 103000) in Dockerfile.langflow.dev - Consolidated uv installation into the existing apt-get RUN layer to reduce image layers - Moved USER langflow and WORKDIR /app to after the user creation step so the working directory is owned by the non-root user
…enied" Issue - #915 Summary - Eliminated per-target RSA key logic and ran backend as host user to fix permission errors Makefile Refactoring - Extracted the RSA key generation and permission-fixing logic into a dedicated ensure-rsa-keys target, eliminating duplication across test-ci and test-ci-local. - Added ensure-rsa-keys as a prerequisite to dev-local, dev-local-cpu, dev-local-build-lf, dev-local-build-lf-cpu, test-ci, and test-ci-local so keys are always present before any stack or test run. - Exported OPENRAG_UID and OPENRAG_GID (derived from id -u / id -g) so docker-compose can run the backend as the host user, keeping keys/ and config/ ownership consistent. Docker Compose - Added user: "${OPENRAG_UID:-103000}:${OPENRAG_GID:-103000}" to the openrag-backend service so the container process runs as the host user rather than root, preventing "Permission denied" errors on host-mounted files.
…enied" Issue - #915 Summary: - Updated the Makefile to pre-create host-owned directories before Docker starts and to fall back to a containerized rm when host-user permissions block deletion during factory reset. Directory Ownership: Pre-create config and keys Before Docker - Added ensure-config-dir target that creates the config directory if absent, ensuring it is owned by the host user rather than root (which Docker would otherwise assign). - Added directory existence check inside ensure-rsa-keys to create the keys directory if absent for the same reason. - Registered ensure-config-dir as a .PHONY target. - Added ensure-config-dir as a prerequisite to dev-local, dev-local-cpu, dev-local-build-lf, and dev-local-build-lf-cpu. Factory Reset: Handle Root-Owned Files via Container Fallback - Updated factory-reset to fall back to a Docker Alpine container (rm -rf /data/config) when rm -rf config fails due to permission denied on root-owned files. - Updated factory-reset to similarly fall back to a Docker Alpine container for removing root-owned JWT key files (private_key.pem, public_key.pem).
e91b81b to
7d8460a
Compare
2 tasks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Issue
Summary
Security: Non-Root User Configuration
Security: Frontend Container Hardening
Security: Langflow Dev Container Hardening
Makefile Refactoring
Docker Compose
Directory Ownership: Pre-create config and keys Before Docker
Factory Reset: Handle Root-Owned Files via Container Fallback