Run containers as non-root with host UID/GID mapping (#3127)

Co-authored-by: Tao Sun <168447269+fengju0213@users.noreply.github.com>

Author: aravindan888

.container/Dockerfile

@@ -1,9 +1,11 @@
 FROM python:3.10-bookworm
 
 RUN pip install uv
+RUN groupadd -r appuser && useradd -r -g appuser appuser
 
 WORKDIR /app/camel
 COPY . .
+RUN chown -R appuser:appuser /app/camel
 
 RUN uv venv .venv --python=3.10 && \
     . .venv/bin/activate && \
@@ -14,4 +16,6 @@ RUN uv venv .venv --python=3.10 && \
 ENV VIRTUAL_ENV=/app/camel/.venv
 ENV PATH="$VIRTUAL_ENV/bin:$PATH"
 
+USER appuser
+
 CMD ["bash"]

.container/docker-compose.yaml

@@ -9,4 +9,7 @@ services:
       - ../:/app/camel
     env_file:
       - .env
+    user: "${UID:-1000}:${GID:-1000}"
     command: ["tail", "-f", "/dev/null"]
+
+

.container/minimal_build/Dockerfile

@@ -1,16 +1,17 @@
 FROM python:3.10-bookworm
 
-# Install uv
 RUN pip install uv
+RUN groupadd -r appuser && useradd -r -g appuser appuser
 
 COPY . /app/camel
-
 WORKDIR /app/camel
+RUN chown -R appuser:appuser /app/camel
 
-# Setup virtual environment and install dependencies
 RUN uv venv .venv --python=3.10 && \
     . .venv/bin/activate && \
     uv pip install -e ".[all, dev, docs]" && \
     pip install pre-commit mypy
 
-CMD ["tail", "-f", "/dev/null"]
+USER appuser
+
+CMD ["tail", "-f", "/dev/null"]

camel/interpreters/docker/Dockerfile

@@ -1,11 +1,8 @@
 # syntax=docker/dockerfile:1
-
 FROM ubuntu:22.04
 
-# Set environment variable to avoid interactive prompts
 ENV DEBIAN_FRONTEND=noninteractive
 
-# Update and install base utilities
 RUN apt-get update && apt-get install -y \
     build-essential \
     software-properties-common \
@@ -20,7 +17,6 @@ RUN apt-get update && apt-get install -y \
     && apt-get clean \
     && apt-get autoremove -y
 
-# Install Python 3.10 and its dependencies
 RUN add-apt-repository ppa:deadsnakes/ppa && \
     apt-get update && \
     apt-get install -y \
@@ -34,32 +30,27 @@ RUN add-apt-repository ppa:deadsnakes/ppa && \
     && apt-get clean \
     && apt-get autoremove -y
 
-# Install R
 RUN apt-get update && \
     apt-get install -y r-base && \
     rm -rf /var/lib/apt/lists/* && \
     apt-get clean && \
     apt-get autoremove -y
 
-# Install NodeJS 22.x
 RUN curl -fsSL https://deb.nodesource.com/setup_22.x | bash - && \
     apt-get install -y nodejs && \
     rm -rf /var/lib/apt/lists/* && \
     apt-get clean && \
     apt-get autoremove -y
 
-# Install Poetry
 RUN curl -fsSL https://install.python-poetry.org | python3.10 - && \
     ln -s ~/.local/bin/poetry /usr/local/bin/poetry
 
-# Upgrade pip and install base Python packages
 RUN python3.10 -m pip install --upgrade pip setuptools wheel
-
-# Install uv using pip instead of the shell script
 RUN pip install uv
 
-# Setup working directory
+RUN groupadd -r devuser && useradd -r -m -g devuser devuser
 WORKDIR /workspace
+RUN chown -R devuser:devuser /workspace
+USER devuser
 
-# Set default shell
 CMD ["/bin/bash"]