From aacfd87b4914814bc891a939084ca540cf2c6e67 Mon Sep 17 00:00:00 2001 From: shwaddell28 Date: Mon, 28 Jul 2025 13:11:55 -0500 Subject: [PATCH 1/6] feat: add non-root user to backend Dockerfile --- backend/Dockerfile | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/backend/Dockerfile b/backend/Dockerfile index 8abb51a69b4..af55b702972 100644 --- a/backend/Dockerfile +++ b/backend/Dockerfile @@ -116,6 +116,16 @@ COPY ./assets /app/assets ENV PYTHONPATH=/app +# Create non-root user for security best practices +RUN groupadd -g 1001 onyx && \ + useradd -u 1001 -g onyx -m -s /bin/bash onyx && \ + chown -R onyx:onyx /app && \ + chmod 775 /var/log && \ + chown onyx:onyx /var/log + +# Switch to non-root user +USER onyx + # Default command which does nothing # This container is used by api server and background which specify their own CMD CMD ["tail", "-f", "/dev/null"] From 7898faf0afc5dd750bb498d03954537e9dfc7ef8 Mon Sep 17 00:00:00 2001 From: shwaddell28 Date: Mon, 28 Jul 2025 14:46:14 -0500 Subject: [PATCH 2/6] feat: add non-root user to model_server Dockerfile --- backend/Dockerfile.model_server | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/backend/Dockerfile.model_server b/backend/Dockerfile.model_server index 0670bae69f8..d4d8c78ad2a 100644 --- a/backend/Dockerfile.model_server +++ b/backend/Dockerfile.model_server @@ -59,4 +59,14 @@ COPY ./model_server /app/model_server ENV PYTHONPATH=/app +# Create non-root user for security best practices +RUN groupadd -g 1001 onyx && \ + useradd -u 1001 -g onyx -m -s /bin/bash onyx && \ + chown -R onyx:onyx /app && \ + chmod 775 /var/log && \ + chown onyx:onyx /var/log + +# Switch to non-root user +USER onyx + CMD ["uvicorn", "model_server.main:app", "--host", "0.0.0.0", "--port", "9000"] From ccddea40b6f2057fefcc56fdd0f34d706ab16336 Mon Sep 17 00:00:00 2001 
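Review bot: `chown -R onyx:onyx /app` in the added RUN makes the application code writable by the same account the service runs as, so a compromised process can rewrite its own code; the move off root is stronger if `/app` stays root-owned and only the directories the service must write to are handed to `onyx`. The same RUN gives `onyx` ownership of all of `/var/log`; a dedicated subdirectory (for example `mkdir -p /var/log/onyx && chown onyx:onyx /var/log/onyx`) would scope that, provided the log paths configured elsewhere can point there, which this hunk does not show. `USER 1001` instead of `USER onyx` would let Kubernetes enforce `runAsNonRoot: true` even without an explicit `runAsUser`, and `-s /usr/sbin/nologin` fits a service account better than `/bin/bash`. The identical block in the backend/Dockerfile.model_server hunk of PATCH 2/6 raises the same points.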
From: shwaddell28 Date: Mon, 28 Jul 2025 15:08:00 -0500 Subject: [PATCH 3/6] feat: update values and templates for celery workers to use non-root user by default --- .../charts/onyx/templates/celery-beat.yaml | 4 +- .../templates/celery-worker-docfetching.yaml | 4 +- .../celery-worker-docprocessing.yaml | 4 +- .../onyx/templates/celery-worker-heavy.yaml | 4 +- .../onyx/templates/celery-worker-light.yaml | 4 +- .../templates/celery-worker-monitoring.yaml | 4 +- .../onyx/templates/celery-worker-primary.yaml | 4 +- .../celery-worker-user-files-indexing.yaml | 4 +- deployment/helm/charts/onyx/values.yaml | 45 +++---------------- 9 files changed, 21 insertions(+), 56 deletions(-) diff --git a/deployment/helm/charts/onyx/templates/celery-beat.yaml b/deployment/helm/charts/onyx/templates/celery-beat.yaml index efe7251988a..e9480229064 100644 --- a/deployment/helm/charts/onyx/templates/celery-beat.yaml +++ b/deployment/helm/charts/onyx/templates/celery-beat.yaml @@ -30,11 +30,11 @@ spec: {{- end }} serviceAccountName: {{ include "onyx-stack.serviceAccountName" . }} securityContext: - {{- toYaml .Values.celery_beat.podSecurityContext | nindent 8 }} + {{- toYaml (default .Values.celery_shared.podSecurityContext .Values.celery_beat.podSecurityContext) | nindent 8 }} containers: - name: celery-beat securityContext: - {{- toYaml .Values.celery_beat.securityContext | nindent 12 }} + {{- toYaml (default .Values.celery_shared.securityContext .Values.celery_beat.securityContext) | nindent 12 }} image: "{{ .Values.celery_shared.image.repository }}:{{ .Values.celery_shared.image.tag | default .Values.global.version }}" imagePullPolicy: {{ .Values.global.pullPolicy }} command: diff --git a/deployment/helm/charts/onyx/templates/celery-worker-docfetching.yaml b/deployment/helm/charts/onyx/templates/celery-worker-docfetching.yaml index 39dd88c7b39..fdd887555c8 100644 --- a/deployment/helm/charts/onyx/templates/celery-worker-docfetching.yaml 
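Review bot: `default .Values.celery_shared.securityContext .Values.celery_beat.securityContext` replaces the shared context wholesale instead of merging it, so a per-worker override that sets only, say, `capabilities` silently drops `runAsUser: 1001` and `privileged: false`. Sprig's `default` also treats an empty map as unset, so a worker cannot opt out with `{}`. Either document this next to the shared block in values.yaml, e.g. `# a per-worker securityContext replaces this block entirely; repeat runAsUser/privileged when overriding`, or combine the two maps with Sprig `merge` so the override only adds to the shared defaults. The same expression appears in the other seven celery-worker template hunks of this patch.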
+++ b/deployment/helm/charts/onyx/templates/celery-worker-docfetching.yaml @@ -32,11 +32,11 @@ spec: {{- end }} serviceAccountName: {{ include "onyx-stack.serviceAccountName" . }} securityContext: - {{- toYaml .Values.celery_worker_docfetching.podSecurityContext | nindent 8 }} + {{- toYaml (default .Values.celery_shared.podSecurityContext .Values.celery_worker_docfetching.podSecurityContext) | nindent 8 }} containers: - name: celery-worker-docfetching securityContext: - {{- toYaml .Values.celery_worker_docfetching.securityContext | nindent 12 }} + {{- toYaml (default .Values.celery_shared.securityContext .Values.celery_worker_docfetching.securityContext) | nindent 12 }} image: "{{ .Values.celery_shared.image.repository }}:{{ .Values.celery_shared.image.tag | default .Values.global.version }}" imagePullPolicy: {{ .Values.global.pullPolicy }} command: diff --git a/deployment/helm/charts/onyx/templates/celery-worker-docprocessing.yaml b/deployment/helm/charts/onyx/templates/celery-worker-docprocessing.yaml index 8ace69777d9..f25016fa53f 100644 --- a/deployment/helm/charts/onyx/templates/celery-worker-docprocessing.yaml +++ b/deployment/helm/charts/onyx/templates/celery-worker-docprocessing.yaml 
@@ -32,11 +32,11 @@ spec: {{- end }} serviceAccountName: {{ include "onyx-stack.serviceAccountName" . }} securityContext: - {{- toYaml .Values.celery_worker_docprocessing.podSecurityContext | nindent 8 }} + {{- toYaml (default .Values.celery_shared.podSecurityContext .Values.celery_worker_docprocessing.podSecurityContext) | nindent 8 }} containers: - name: celery-worker-docprocessing securityContext: - {{- toYaml .Values.celery_worker_docprocessing.securityContext | nindent 12 }} + {{- toYaml (default .Values.celery_shared.securityContext .Values.celery_worker_docprocessing.securityContext) | nindent 12 }} image: "{{ .Values.celery_shared.image.repository }}:{{ .Values.celery_shared.image.tag | default .Values.global.version }}" imagePullPolicy: {{ .Values.global.pullPolicy }} command: diff --git a/deployment/helm/charts/onyx/templates/celery-worker-heavy.yaml b/deployment/helm/charts/onyx/templates/celery-worker-heavy.yaml index d53bc68af3e..8352d1c8cfc 100644 --- a/deployment/helm/charts/onyx/templates/celery-worker-heavy.yaml +++ b/deployment/helm/charts/onyx/templates/celery-worker-heavy.yaml @@ -32,11 +32,11 @@ spec: {{- end }} serviceAccountName: {{ include "onyx-stack.serviceAccountName" . }} securityContext: - {{- toYaml .Values.celery_worker_heavy.podSecurityContext | nindent 8 }} + {{- toYaml (default .Values.celery_shared.podSecurityContext .Values.celery_worker_heavy.podSecurityContext) | nindent 8 }} containers: - name: celery-worker-heavy securityContext: - {{- toYaml .Values.celery_worker_heavy.securityContext | nindent 12 }} + {{- toYaml (default .Values.celery_shared.securityContext .Values.celery_worker_heavy.securityContext) | nindent 12 }} image: "{{ .Values.celery_shared.image.repository }}:{{ .Values.celery_shared.image.tag | default .Values.global.version }}" imagePullPolicy: {{ .Values.global.pullPolicy }} command: 
diff --git a/deployment/helm/charts/onyx/templates/celery-worker-light.yaml b/deployment/helm/charts/onyx/templates/celery-worker-light.yaml index 09b7f26e403..0c0148fe26d 100644 --- a/deployment/helm/charts/onyx/templates/celery-worker-light.yaml +++ b/deployment/helm/charts/onyx/templates/celery-worker-light.yaml @@ -32,11 +32,11 @@ spec: {{- end }} serviceAccountName: {{ include "onyx-stack.serviceAccountName" . }} securityContext: - {{- toYaml .Values.celery_worker_light.podSecurityContext | nindent 8 }} + {{- toYaml (default .Values.celery_shared.podSecurityContext .Values.celery_worker_light.podSecurityContext) | nindent 8 }} containers: - name: celery-worker-light securityContext: - {{- toYaml .Values.celery_worker_light.securityContext | nindent 12 }} + {{- toYaml (default .Values.celery_shared.securityContext .Values.celery_worker_light.securityContext) | nindent 12 }} image: "{{ .Values.celery_shared.image.repository }}:{{ .Values.celery_shared.image.tag | default .Values.global.version }}" imagePullPolicy: {{ .Values.global.pullPolicy }} command: diff --git a/deployment/helm/charts/onyx/templates/celery-worker-monitoring.yaml b/deployment/helm/charts/onyx/templates/celery-worker-monitoring.yaml index 8adc55ca1c9..c3a5f6f314f 100644 --- a/deployment/helm/charts/onyx/templates/celery-worker-monitoring.yaml +++ b/deployment/helm/charts/onyx/templates/celery-worker-monitoring.yaml 
@@ -32,11 +32,11 @@ spec: {{- end }} serviceAccountName: {{ include "onyx-stack.serviceAccountName" . }} securityContext: - {{- toYaml .Values.celery_worker_monitoring.podSecurityContext | nindent 8 }} + {{- toYaml (default .Values.celery_shared.podSecurityContext .Values.celery_worker_monitoring.podSecurityContext) | nindent 8 }} containers: - name: celery-worker-monitoring securityContext: - {{- toYaml .Values.celery_worker_monitoring.securityContext | nindent 12 }} + {{- toYaml (default .Values.celery_shared.securityContext .Values.celery_worker_monitoring.securityContext) | nindent 12 }} image: "{{ .Values.celery_shared.image.repository }}:{{ .Values.celery_shared.image.tag | default .Values.global.version }}" imagePullPolicy: {{ .Values.global.pullPolicy }} command: diff --git a/deployment/helm/charts/onyx/templates/celery-worker-primary.yaml b/deployment/helm/charts/onyx/templates/celery-worker-primary.yaml index c83ab827c8f..f06fbbf26ff 100644 --- a/deployment/helm/charts/onyx/templates/celery-worker-primary.yaml +++ b/deployment/helm/charts/onyx/templates/celery-worker-primary.yaml @@ -32,11 +32,11 @@ spec: {{- end }} serviceAccountName: {{ include "onyx-stack.serviceAccountName" . }} securityContext: - {{- toYaml .Values.celery_worker_primary.podSecurityContext | nindent 8 }} + {{- toYaml (default .Values.celery_shared.podSecurityContext .Values.celery_worker_primary.podSecurityContext) | nindent 8 }} containers: - name: celery-worker-primary securityContext: - {{- toYaml .Values.celery_worker_primary.securityContext | nindent 12 }} + {{- toYaml (default .Values.celery_shared.securityContext .Values.celery_worker_primary.securityContext) | nindent 12 }} image: "{{ .Values.celery_shared.image.repository }}:{{ .Values.celery_shared.image.tag | default .Values.global.version }}" imagePullPolicy: {{ .Values.global.pullPolicy }} command: 
diff --git a/deployment/helm/charts/onyx/templates/celery-worker-user-files-indexing.yaml b/deployment/helm/charts/onyx/templates/celery-worker-user-files-indexing.yaml index 92b0b5ade4c..3b74cff068d 100644 --- a/deployment/helm/charts/onyx/templates/celery-worker-user-files-indexing.yaml +++ b/deployment/helm/charts/onyx/templates/celery-worker-user-files-indexing.yaml @@ -32,11 +32,11 @@ spec: {{- end }} serviceAccountName: {{ include "onyx-stack.serviceAccountName" . }} securityContext: - {{- toYaml .Values.celery_worker_user_files_indexing.podSecurityContext | nindent 8 }} + {{- toYaml (default .Values.celery_shared.podSecurityContext .Values.celery_worker_user_files_indexing.podSecurityContext) | nindent 8 }} containers: - name: celery-worker-user-files-indexing securityContext: - {{- toYaml .Values.celery_worker_user_files_indexing.securityContext | nindent 12 }} + {{- toYaml (default .Values.celery_shared.securityContext .Values.celery_worker_user_files_indexing.securityContext) | nindent 12 }} image: "{{ .Values.celery_shared.image.repository }}:{{ .Values.celery_shared.image.tag | default .Values.global.version }}" imagePullPolicy: {{ .Values.global.pullPolicy }} command: diff --git a/deployment/helm/charts/onyx/values.yaml b/deployment/helm/charts/onyx/values.yaml index 428c902ae93..fbbdc6e9843 100644 --- a/deployment/helm/charts/onyx/values.yaml +++ b/deployment/helm/charts/onyx/values.yaml @@ -318,6 +318,11 @@ celery_shared: periodSeconds: 60 failureThreshold: 5 timeoutSeconds: 3 + podSecurityContext: + {} + securityContext: + privileged: false + runAsUser: 1001 celery_beat: replicaCount: 1 @@ -327,11 +332,6 @@ celery_beat: app: celery-beat deploymentLabels: app: celery-beat - podSecurityContext: - {} - securityContext: - privileged: true - runAsUser: 0 resources: requests: cpu: 1000m 
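Review bot: The new `celery_shared.securityContext` in the values.yaml hunk at `@@ -318,6 +318,11 @@` stops at `privileged: false` and `runAsUser: 1001`; nothing in it blocks privilege escalation inside the container. Adding `runAsNonRoot: true`, `allowPrivilegeEscalation: false` and `capabilities: {drop: [ALL]}` to the block would pin the intent of the change. `podSecurityContext` stays `{}`, so if any worker mounts a persistent volume that the previous root containers wrote to, UID 1001 may be unable to write there; an `fsGroup: 1001` default is worth considering, though whether such volumes exist is not visible in this patch.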
@@ -355,11 +355,6 @@ celery_worker_heavy: app: celery-worker-heavy deploymentLabels: app: celery-worker-heavy - podSecurityContext: - {} - securityContext: - privileged: true - runAsUser: 0 resources: requests: cpu: 1000m @@ -383,11 +378,6 @@ celery_worker_docprocessing: app: celery-worker-docprocessing deploymentLabels: app: celery-worker-docprocessing - podSecurityContext: - {} - securityContext: - privileged: true - runAsUser: 0 resources: requests: cpu: 500m @@ -411,11 +401,6 @@ celery_worker_light: app: celery-worker-light deploymentLabels: app: celery-worker-light - podSecurityContext: - {} - securityContext: - privileged: true - runAsUser: 0 resources: requests: cpu: 1000m @@ -439,11 +424,6 @@ celery_worker_monitoring: app: celery-worker-monitoring deploymentLabels: app: celery-worker-monitoring - podSecurityContext: - {} - securityContext: - privileged: true - runAsUser: 0 resources: requests: cpu: 500m @@ -467,11 +447,6 @@ celery_worker_primary: app: celery-worker-primary deploymentLabels: app: celery-worker-primary - podSecurityContext: - {} - securityContext: - privileged: true - runAsUser: 0 resources: requests: cpu: 1000m @@ -495,11 +470,6 @@ celery_worker_user_files_indexing: app: celery-worker-user-files-indexing deploymentLabels: app: celery-worker-user-files-indexing - podSecurityContext: - {} - securityContext: - privileged: true - runAsUser: 0 resources: requests: cpu: 2000m @@ -546,11 +516,6 @@ celery_worker_docfetching: app: celery-worker-docfetching deploymentLabels: app: celery-worker-docfetching - podSecurityContext: - {} - securityContext: - privileged: true - runAsUser: 0 resources: requests: cpu: 500m From 7aeb77ba0f42301863ee5927158395e8c804d2cf Mon Sep 17 00:00:00 2001 
From: shwaddell28 Date: Mon, 28 Jul 2025 15:15:38 -0500 Subject: [PATCH 4/6] feat: update values and templates for index, inference, and web server to use non-root by default --- .../onyx/templates/indexing-model-deployment.yaml | 4 ++++ .../onyx/templates/inference-model-deployment.yaml | 4 ++++ deployment/helm/charts/onyx/values.yaml | 14 ++++++++++++-- 3 files changed, 20 insertions(+), 2 deletions(-) diff --git a/deployment/helm/charts/onyx/templates/indexing-model-deployment.yaml b/deployment/helm/charts/onyx/templates/indexing-model-deployment.yaml index e1f82a8ea8d..cd5511fd8b2 100644 --- a/deployment/helm/charts/onyx/templates/indexing-model-deployment.yaml +++ b/deployment/helm/charts/onyx/templates/indexing-model-deployment.yaml @@ -24,8 +24,12 @@ spec: {{- toYaml . | nindent 8 }} {{- end }} spec: + securityContext: + {{- toYaml .Values.indexCapability.podSecurityContext | nindent 8 }} containers: - name: {{ .Values.indexCapability.name }} + securityContext: + {{- toYaml .Values.indexCapability.securityContext | nindent 10 }} image: "{{ .Values.indexCapability.image.repository }}:{{ .Values.indexCapability.image.tag | default .Values.global.version }}" imagePullPolicy: {{ .Values.global.pullPolicy }} command: [ "uvicorn", "model_server.main:app", "--host", "0.0.0.0", "--port", "{{ .Values.indexCapability.containerPorts.server }}", "--limit-concurrency", "{{ .Values.indexCapability.limitConcurrency }}" ] diff --git a/deployment/helm/charts/onyx/templates/inference-model-deployment.yaml b/deployment/helm/charts/onyx/templates/inference-model-deployment.yaml index 88c10b5e9f6..2b8f1f2be95 100644 --- a/deployment/helm/charts/onyx/templates/inference-model-deployment.yaml +++ b/deployment/helm/charts/onyx/templates/inference-model-deployment.yaml 
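Review bot: The container-level block here is rendered with `nindent 10`, while the celery templates in PATCH 3/6 use `nindent 12` for the same position. That is correct only if this template's container keys sit two columns shallower; the indentation is not recoverable from this page, so confirm with `helm template` that `privileged` and `runAsUser` land under `securityContext:` rather than beside it. The inference-model-deployment.yaml hunk uses the same `nindent 10`.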
@@ -20,8 +20,12 @@ spec: {{ .key }}: {{ .value }} {{- end }} spec: + securityContext: + {{- toYaml .Values.inferenceCapability.podSecurityContext | nindent 8 }} containers: - name: model-server-inference + securityContext: + {{- toYaml .Values.inferenceCapability.securityContext | nindent 10 }} image: "{{ .Values.inferenceCapability.image.repository }}:{{ .Values.inferenceCapability.image.tag | default .Values.global.version }}" imagePullPolicy: {{ .Values.global.pullPolicy }} command: [ "uvicorn", "model_server.main:app", "--host", "0.0.0.0", "--port", "{{ .Values.inferenceCapability.containerPorts.server }}" ] diff --git a/deployment/helm/charts/onyx/values.yaml b/deployment/helm/charts/onyx/values.yaml index fbbdc6e9843..8261abf8122 100644 --- a/deployment/helm/charts/onyx/values.yaml +++ b/deployment/helm/charts/onyx/values.yaml @@ -89,6 +89,11 @@ inferenceCapability: podLabels: - key: app value: inference-model-server + podSecurityContext: + {} + securityContext: + privileged: false + runAsUser: 1001 resources: requests: cpu: 2000m @@ -118,6 +123,11 @@ indexCapability: # Overrides the image tag whose default is the chart appVersion. tag: "" limitConcurrency: 10 + podSecurityContext: + {} + securityContext: + privileged: false + runAsUser: 1001 resources: requests: cpu: 2000m @@ -173,13 +183,13 @@ webserver: # fsGroup: 2000 securityContext: - {} + privileged: false + runAsUser: 1001 # capabilities: # drop: # - ALL # readOnlyRootFilesystem: true # runAsNonRoot: true - # runAsUser: 1000 containerPorts: server: 3000 From 5701fb60ed6f4c61aee5f9ad12b54bd9202b7a84 Mon Sep 17 00:00:00 2001 From: shwaddell28 Date: Mon, 28 Jul 2025 16:07:03 -0500 Subject: [PATCH 5/6] fix: address comments around cache access and overly permissive settings --- backend/Dockerfile | 2 +- backend/Dockerfile.model_server | 8 ++++++-- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/backend/Dockerfile b/backend/Dockerfile index af55b702972..1533e79b143 100644 
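Review bot: `webserver.securityContext` now forces `runAsUser: 1001`, but no patch in this series touches the web server image, so whether that image's files and writable directories are usable by UID 1001 is an assumption to verify before this becomes the chart default. The commented hardening keys left below it (`capabilities.drop`, `readOnlyRootFilesystem`, `runAsNonRoot`) are still off; `runAsNonRoot: true` could be enabled alongside `runAsUser: 1001` at no cost, here and in the `inferenceCapability` and `indexCapability` hunks. For the two model servers, UID 1001 matches the `onyx` user created in Dockerfile.model_server, so an `image.tag` override to an image built before that change would presumably no longer start cleanly.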
--- a/backend/Dockerfile +++ b/backend/Dockerfile @@ -120,7 +120,7 @@ ENV PYTHONPATH=/app RUN groupadd -g 1001 onyx && \ useradd -u 1001 -g onyx -m -s /bin/bash onyx && \ chown -R onyx:onyx /app && \ - chmod 775 /var/log && \ + chmod 755 /var/log && \ chown onyx:onyx /var/log # Switch to non-root user diff --git a/backend/Dockerfile.model_server b/backend/Dockerfile.model_server index d4d8c78ad2a..e342ff205c7 100644 --- a/backend/Dockerfile.model_server +++ b/backend/Dockerfile.model_server @@ -40,7 +40,10 @@ SentenceTransformer(model_name_or_path='nomic-ai/nomic-embed-text-v1', trust_rem # In case the user has volumes mounted to /root/.cache/huggingface that they've downloaded while # running Onyx, don't overwrite it with the built in cache folder -RUN mv /root/.cache/huggingface /root/.cache/temp_huggingface +# Move cache to location accessible by non-root user +RUN mkdir -p /home/onyx/.cache && \ + mv /root/.cache/huggingface /home/onyx/.cache/huggingface && \ + mv /root/.cache/temp_huggingface /home/onyx/.cache/temp_huggingface WORKDIR /app @@ -63,7 +66,8 @@ ENV PYTHONPATH=/app RUN groupadd -g 1001 onyx && \ useradd -u 1001 -g onyx -m -s /bin/bash onyx && \ chown -R onyx:onyx /app && \ - chmod 775 /var/log && \ + chown -R onyx:onyx /home/onyx/.cache && \ + chmod 755 /var/log && \ chown onyx:onyx /var/log # Switch to non-root user From e1d82cfee101a9b9f743853175916abc46608a7f Mon Sep 17 00:00:00 2001 From: shwaddell28 Date: Mon, 28 Jul 2025 16:13:20 -0500 Subject: [PATCH 6/6] fix: applications require write to create files --- backend/Dockerfile | 2 +- backend/Dockerfile.model_server | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/backend/Dockerfile b/backend/Dockerfile index 1533e79b143..af55b702972 100644 --- a/backend/Dockerfile +++ b/backend/Dockerfile 
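Review bot: In the Dockerfile.model_server hunk at `@@ -40,7 +40,10 @@`, the third command, `mv /root/.cache/temp_huggingface /home/onyx/.cache/temp_huggingface`, moves a directory that the removed line `RUN mv /root/.cache/huggingface /root/.cache/temp_huggingface` used to create; unless something above the hunk still creates it, the build fails here with "No such file or directory". The retained comment says the built-in cache must not sit where users mount their own volume, yet the models now land directly in `/home/onyx/.cache/huggingface`. If the intent is to keep the old scheme under the new home, a single `mv /root/.cache/huggingface /home/onyx/.cache/temp_huggingface` does it. Whichever path is chosen has to match what the model server reads at start-up, which is outside this hunk.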
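Review bot: In the Dockerfile.model_server hunk at `@@ -63,7 +66,8 @@`, `chown -R onyx:onyx /home/onyx/.cache` fixes the cache, but `/home/onyx` itself was created by root in the earlier `mkdir -p /home/onyx/.cache`, and `useradd -m` does not take ownership of a home directory that already exists, so the home directory most likely stays root-owned. Widening the command to `chown -R onyx:onyx /home/onyx` covers it. A recursive chown over the model cache in a separate layer also stores the model files a second time in the image; creating the user before the download step, or chowning in the same RUN as the `mv`, avoids that.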
@@ -120,7 +120,7 @@ ENV PYTHONPATH=/app RUN groupadd -g 1001 onyx && \ useradd -u 1001 -g onyx -m -s /bin/bash onyx && \ chown -R onyx:onyx /app && \ - chmod 755 /var/log && \ + chmod 775 /var/log && \ chown onyx:onyx /var/log # Switch to non-root user diff --git a/backend/Dockerfile.model_server b/backend/Dockerfile.model_server index e342ff205c7..1db82f1a930 100644 --- a/backend/Dockerfile.model_server +++ b/backend/Dockerfile.model_server @@ -67,7 +67,7 @@ RUN groupadd -g 1001 onyx && \ useradd -u 1001 -g onyx -m -s /bin/bash onyx && \ chown -R onyx:onyx /app && \ chown -R onyx:onyx /home/onyx/.cache && \ - chmod 755 /var/log && \ + chmod 775 /var/log && \ chown onyx:onyx /var/log # Switch to non-root user
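Review bot: Going back to `chmod 775 /var/log` does not change what `onyx` can do: the `chown onyx:onyx /var/log` in the same RUN makes `onyx` the owner, and the owner has write permission under 755 as well, so 775 only adds group write. If file creation failed with 755, the cause is more likely elsewhere, for instance files or subdirectories already inside `/var/log` that stay root-owned because the chown is not recursive, or a log path outside `/var/log`. It is worth identifying the failing path and keeping `chmod 755 /var/log`. The Dockerfile.model_server hunk in this patch makes the same change.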