Skip to content

feat: make the studio image rootless #2211

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
wants to merge 4 commits into from
+9 −6
Closed

feat: make the studio image rootless #2211

Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
5391251
make the studio image rootless
InsidersByte Sep 13, 2025
12e00aa
Merge branch 'main' into rootless-studio
InsidersByte Sep 16, 2025
e2bd2d1
Merge branch 'main' into rootless-studio
miklosbarabas Sep 23, 2025
55f3bb6
Merge branch 'main' into rootless-studio
miklosbarabas Sep 24, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
15 changes: 9 additions & 6 deletions studio/Dockerfile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -47,19 +47,22 @@ RUN pnpm run --filter=./connect --filter=./shared --filter=./studio --filter=./c

FROM --platform=${BUILDPLATFORM} node:lts-alpine

Comment on lines 48 to 49
Copy link

@coderabbitai coderabbitai bot Sep 13, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue

Fix platform selection for the final image stage.

Using BUILDPLATFORM for the final stage will produce images for the builder arch in multi-arch builds. Use TARGETPLATFORM or drop the override.

-FROM --platform=${BUILDPLATFORM} node:lts-alpine
+FROM --platform=${TARGETPLATFORM} node:lts-alpine
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
FROM --platform=${BUILDPLATFORM} node:lts-alpine
FROM --platform=${TARGETPLATFORM} node:lts-alpine
🤖 Prompt for AI Agents 
In studio/Dockerfile around lines 48-49, the final image stage uses
--platform=${BUILDPLATFORM}, which forces the builder architecture into the
produced image; change the platform specifier to --platform=${TARGETPLATFORM} or
remove the --platform override entirely so the final image is built for the
intended target platform in multi-arch builds.

RUN apk add --no-cache --upgrade bash

USER node

WORKDIR /app

ENV NODE_ENV=production
ENV NEXT_TELEMETRY_DISABLED=1

# Fetch built artifacts
COPY --from=builder /app/studio/.next/standalone ./
COPY --from=builder /app/studio/public/ ./studio/public
COPY --from=builder /app/studio/.next/static ./studio/.next/static
COPY --from=builder /app/studio/entrypoint.sh .
COPY --from=builder /app/studio/.env.production .
COPY --from=builder --chown=node:node /app/studio/.next/standalone ./
COPY --from=builder --chown=node:node /app/studio/public/ ./studio/public
COPY --from=builder --chown=node:node /app/studio/.next/static ./studio/.next/static
COPY --from=builder --chown=node:node /app/studio/entrypoint.sh .
COPY --from=builder --chown=node:node /app/studio/.env.production .
Comment on lines +60 to +64
Copy link

@coderabbitai coderabbitai bot Sep 13, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Verification agent

🧩 Analysis chain

Ensure .next root (and BUILD_ID) are present and writable for non-root sed operations.

The original failure referenced sed temp files in ./studio/.next/BUILD_IDXXXXXX. You chown static/ but not the file itself if it’s used. Copy it (and ensure parent exists) so entrypoint edits won’t fail.

 COPY --from=builder --chown=node:node /app/studio/.next/standalone ./
 COPY --from=builder --chown=node:node /app/studio/public/ ./studio/public
 COPY --from=builder --chown=node:node /app/studio/.next/static ./studio/.next/static
+COPY --from=builder --chown=node:node /app/studio/.next/BUILD_ID ./studio/.next/BUILD_ID
 COPY --from=builder --chown=node:node /app/studio/entrypoint.sh .
 COPY --from=builder --chown=node:node /app/studio/.env.production .

Quick check:

🏁 Script executed:

#!/bin/bash
# Does entrypoint mutate BUILD_ID or anything under .next?
rg -n 'sed.*\.next/BUILD_ID|\.next/.* -i' studio/entrypoint.sh

Length of output: 0

🏁 Script executed:

#!/bin/bash
set -euo pipefail
echo "PWD: $(pwd)"
echo "---- studio dir listing ----"
ls -la studio || true

echo
echo "---- studio/Dockerfile (first 240 lines) ----"
if [ -f studio/Dockerfile ]; then
  sed -n '1,240p' studio/Dockerfile
else
  echo "NO studio/Dockerfile"
fi

echo
echo "---- studio/entrypoint.sh (first 240 lines) ----"
if [ -f studio/entrypoint.sh ]; then
  sed -n '1,240p' studio/entrypoint.sh
else
  echo "NO studio/entrypoint.sh"
fi

echo
echo "---- Search repo for BUILD_ID references ----"
rg -n --hidden -S 'BUILD_ID|\\.next/BUILD_ID' || true

echo
echo "---- Search repo for sed editing files under .next or using -i ----"
rg -n --hidden -S 'sed.*\\.next|sed\\s+-i' || true

echo
echo "---- Search Dockerfiles for copying .next artifacts ----"
rg -n --hidden -S 'COPY .*\\.next' || true

Length of output: 5091

Copy .next/BUILD_ID into the image and ensure .next is writable

entrypoint.sh runs sed -i across ./studio/.next files; Dockerfile copies .next/static but not .next/BUILD_ID — add BUILD_ID so sed/temp-file creation won't fail at runtime.

 COPY --from=builder --chown=node:node /app/studio/.next/standalone ./
 COPY --from=builder --chown=node:node /app/studio/public/ ./studio/public
 COPY --from=builder --chown=node:node /app/studio/.next/static ./studio/.next/static
+COPY --from=builder --chown=node:node /app/studio/.next/BUILD_ID ./studio/.next/BUILD_ID
 COPY --from=builder --chown=node:node /app/studio/entrypoint.sh .
 COPY --from=builder --chown=node:node /app/studio/.env.production .
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
COPY --from=builder --chown=node:node /app/studio/.next/standalone ./
COPY --from=builder --chown=node:node /app/studio/public/ ./studio/public
COPY --from=builder --chown=node:node /app/studio/.next/static ./studio/.next/static
COPY --from=builder --chown=node:node /app/studio/entrypoint.sh .
COPY --from=builder --chown=node:node /app/studio/.env.production .
COPY --from=builder --chown=node:node /app/studio/.next/standalone ./
COPY --from=builder --chown=node:node /app/studio/public/ ./studio/public
COPY --from=builder --chown=node:node /app/studio/.next/static ./studio/.next/static
COPY --from=builder --chown=node:node /app/studio/.next/BUILD_ID ./studio/.next/BUILD_ID
COPY --from=builder --chown=node:node /app/studio/entrypoint.sh .
COPY --from=builder --chown=node:node /app/studio/.env.production .
🤖 Prompt for AI Agents 
In studio/Dockerfile around lines 60 to 64, the Docker image currently copies
.next/static but omits .next/BUILD_ID and does not ensure the .next tree is
writable, causing sed -i in entrypoint.sh to fail; add a COPY --from=builder
--chown=node:node /app/studio/.next/BUILD_ID ./studio/.next/BUILD_ID (or copy
the entire .next directory) and ensure the directory permissions allow write by
the node user (e.g., run a chmod -R u+w ./studio/.next or set correct ownership)
so sed/temp-file creation succeeds at runtime.


RUN apk add --no-cache --upgrade bash
RUN ["chmod", "+x", "./entrypoint.sh"]
ENTRYPOINT ["./entrypoint.sh"]

Expand Down