Spaces:
Running
Running
chore: create non-root user and update directory permissions in Dockerfile and start script
Browse files- Dockerfile +6 -3
- start.sh +9 -3
Dockerfile
CHANGED
|
@@ -77,9 +77,12 @@ COPY setup-uptimerobot.sh /app/
|
|
| 77 |
|
| 78 |
RUN chmod +x /app/start.sh /app/setup-uptimerobot.sh
|
| 79 |
|
| 80 |
-
#
|
| 81 |
-
|
| 82 |
-
|
|
|
|
|
|
|
|
|
|
| 83 |
|
| 84 |
EXPOSE 7861
|
| 85 |
|
|
|
|
| 77 |
|
| 78 |
RUN chmod +x /app/start.sh /app/setup-uptimerobot.sh
|
| 79 |
|
| 80 |
+
# Create non-root user for running Paperclip + agent CLIs
|
| 81 |
+
# Claude Code refuses --dangerously-skip-permissions when running as root
|
| 82 |
+
RUN useradd -m -u 1000 -s /bin/bash paperclip && \
|
| 83 |
+
mkdir -p /paperclip /var/lib/postgresql/data && \
|
| 84 |
+
chown -R postgres:postgres /var/lib/postgresql/data && \
|
| 85 |
+
chown -R paperclip:paperclip /paperclip /app
|
| 86 |
|
| 87 |
EXPOSE 7861
|
| 88 |
|
start.sh
CHANGED
|
@@ -277,9 +277,15 @@ cleanup() {
|
|
| 277 |
}
|
| 278 |
trap cleanup SIGTERM SIGINT
|
| 279 |
|
| 280 |
-
# ββ
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| 281 |
echo "Starting Paperclip..."
|
| 282 |
-
NODE_OPTIONS="${_CF_NODE_OPTS}"
|
|
|
|
| 283 |
PAPERCLIP_PID=$!
|
| 284 |
|
| 285 |
# Wait for API ready (max 90s)
|
|
@@ -294,7 +300,7 @@ for i in $(seq 1 45); do
|
|
| 294 |
done
|
| 295 |
|
| 296 |
if [ "$PAPERCLIP_READY" = true ]; then
|
| 297 |
-
BOOTSTRAP_OUTPUT=$(pnpm paperclipai auth bootstrap-ceo 2>&1 || true)
|
| 298 |
INVITE_URL=$(echo "$BOOTSTRAP_OUTPUT" | grep "Invite URL:" 2>/dev/null | sed 's/\x1B\[[0-9;]*[a-zA-Z]//g' | grep -o 'https\?://[^ ]*' | head -1 || true)
|
| 299 |
if [ -n "$INVITE_URL" ]; then
|
| 300 |
echo "$INVITE_URL" > /tmp/invite-url.txt
|
|
|
|
| 277 |
}
|
| 278 |
trap cleanup SIGTERM SIGINT
|
| 279 |
|
| 280 |
+
# ββ Ensure paperclip user owns runtime dirs ββββββββββββββββββββββββββββββββββ
|
| 281 |
+
chown -R paperclip:paperclip /app /paperclip 2>/dev/null || true
|
| 282 |
+
|
| 283 |
+
# ββ Launch Paperclip as non-root ββββββββββββββββββββββββββββββββββββββββββββββ
|
| 284 |
+
# Agent CLIs (claude, gemini, codex) refuse --dangerously-skip-permissions as root.
|
| 285 |
+
# Run Paperclip as 'paperclip' user so all spawned subprocesses are non-root.
|
| 286 |
echo "Starting Paperclip..."
|
| 287 |
+
HOME=/home/paperclip NODE_OPTIONS="${_CF_NODE_OPTS}" runuser -u paperclip -- \
|
| 288 |
+
node --import ./server/node_modules/tsx/dist/loader.mjs server/dist/index.js &
|
| 289 |
PAPERCLIP_PID=$!
|
| 290 |
|
| 291 |
# Wait for API ready (max 90s)
|
|
|
|
| 300 |
done
|
| 301 |
|
| 302 |
if [ "$PAPERCLIP_READY" = true ]; then
|
| 303 |
+
BOOTSTRAP_OUTPUT=$(HOME=/home/paperclip runuser -u paperclip -- pnpm paperclipai auth bootstrap-ceo 2>&1 || true)
|
| 304 |
INVITE_URL=$(echo "$BOOTSTRAP_OUTPUT" | grep "Invite URL:" 2>/dev/null | sed 's/\x1B\[[0-9;]*[a-zA-Z]//g' | grep -o 'https\?://[^ ]*' | head -1 || true)
|
| 305 |
if [ -n "$INVITE_URL" ]; then
|
| 306 |
echo "$INVITE_URL" > /tmp/invite-url.txt
|