Rootless affine container

[dr3st]

Hi all,

first of all, I would like to thank you for this application. I installed it on my server and noticed that the Affine container (and Node application) is running as root:root.

So I tried to reduce permissions and change the user to node:node, which is already defined in the Node images that you use as a base image (FROM node:22-bookworm-slim).

The main issue I ran into was that /app/src/schema.gql is owned by root:root, so the Node application is unable to update the file when running as the node user.

I would like to suggest making the image more secure by altering the Dockerfile as follows:

RUN apt-get update && \
  apt-get install -y --no-install-recommends openssl && \
  rm -rf /var/lib/apt/lists/* && \
  chown node:node /app/src/schema.gql

USER node

The main problem is that existing installations are owned by root:root, and the storage/config is mounted at /root/.affine/..., which would also need to be manually fixed by users.

If you consider this change too "breaking", I would at least suggest fixing the ownership issue so that users can run the container with a non-root user without encountering startup errors. 😄

Here’s an example of what happens when running the container as the node user without fixing the permissions:

node@4c73764ec9ce:/app$ /usr/local/bin/docker-entrypoint.sh node ./dist/main.js
node:internal/fs/promises:633
  return new FileHandle(await PromisePrototypeThen(
                        ^

Error: EACCES: permission denied, open '/app/src/schema.gql'
    at async open (node:internal/fs/promises:633:25)
    at async Object.writeFile (node:internal/fs/promises:1207:14)
    at async FileSystemHelper.writeFile (/app/node_modules/@nestjs/graphql/dist/schema-builder/helpers/file-system.helper.js:11:13)
    at async GraphQLSchemaBuilder.generateSchema (/app/node_modules/@nestjs/graphql/dist/graphql-schema.builder.js:51:13)
    at async GraphQLSchemaBuilder.build (/app/node_modules/@nestjs/graphql/dist/graphql-schema.builder.js:22:20)
    at async GraphQLFactory.generateSchema (/app/node_modules/@nestjs/graphql/dist/graphql.factory.js:31:41)
    at async GraphQLModule.onModuleInit (/app/node_modules/@nestjs/graphql/dist/graphql.module.js:112:27)
    at async callModuleInitHook (/app/node_modules/@nestjs/core/hooks/on-module-init.hook.js:51:9)
    at async NestApplication.callInitHook (/app/node_modules/@nestjs/core/nest-application-context.js:242:13)
    at async NestApplication.init (/app/node_modules/@nestjs/core/nest-application.js:100:9) {
  errno: -13,
  code: 'EACCES',
  syscall: 'open',
  path: '/app/src/schema.gql'
}

Any suggestions here? I’d be happy to open a PR if you think this change would be helpful.

[ton-An]

I would also find this helpful! Just ran into it.