diff --git a/Dockerfile.ui b/Dockerfile.ui
index 1b2fad4e8bb1..526561148650 100644
--- a/Dockerfile.ui
+++ b/Dockerfile.ui
@@ -36,7 +36,7 @@ DISABLE_SOURCE_MAPS="${DISABLE_SOURCE_MAPS}" \
 UI_APP_CONFIG="${UI_APP_CONFIG}" \
 SOURCE_MAPS_TOKEN="${SOURCE_MAPS_TOKEN}" yarn run build:cvat-ui
-FROM nginx:1.28.0-alpine3.21-slim
+FROM nginxinc/nginx-unprivileged:1.28.0-alpine3.21-slim
 # Replace default.conf configuration to remove unnecessary rules
 COPY cvat-ui/react_nginx.conf /etc/nginx/conf.d/default.conf
diff --git a/changelog.d/20250821_192420_roman_non_root.md b/changelog.d/20250821_192420_roman_non_root.md
new file mode 100644
index 000000000000..159b152db2ce
--- /dev/null
+++ b/changelog.d/20250821_192420_roman_non_root.md
@@ -0,0 +1,4 @@
+### Changed
+
+- The frontend container no longer runs as root
+ ()
diff --git a/docker-compose.yml b/docker-compose.yml
index 4925f12bedf4..4fe20f687832 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -252,7 +252,7 @@ services:
 - cvat_server
 labels:
 traefik.enable: "true"
- traefik.http.services.cvat-ui.loadbalancer.server.port: "80"
+ traefik.http.services.cvat-ui.loadbalancer.server.port: "8000"
 traefik.http.routers.cvat-ui.rule: Host(`${CVAT_HOST:-localhost}`)
 traefik.http.routers.cvat-ui.entrypoints: web
 networks:
diff --git a/helm-chart/Chart.yaml b/helm-chart/Chart.yaml
index 248d93f9b99e..f1ee0580f71f 100644
--- a/helm-chart/Chart.yaml
+++ b/helm-chart/Chart.yaml
@@ -16,7 +16,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.15.0
+version: 0.15.1
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
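Review bot: The new `FROM nginxinc/nginx-unprivileged:1.28.0-alpine3.21-slim` line pins the runtime image by tag only, and the image now comes from a different Docker Hub namespace than before, so a re-pushed tag would change what ships without any change in this repository; appending a digest, e.g. `FROM nginxinc/nginx-unprivileged:1.28.0-alpine3.21-slim@sha256:<digest-of-the-reviewed-image>` (placeholder), makes the base reproducible. Separately, the `COPY cvat-ui/react_nginx.conf /etc/nginx/conf.d/default.conf` context line overrides the image's default server block, and that file is not part of the visible diff. Since the compose label and the Helm chart in this commit now target port 8000, confirm the config has `listen 8000;`, because a non-root nginx may be unable to bind port 80 depending on the runtime's unprivileged-port settings.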
diff --git a/helm-chart/templates/cvat_frontend/deployment.yml b/helm-chart/templates/cvat_frontend/deployment.yml
index 9cd5f9f5050c..3a3aeff7cd5a 100644
--- a/helm-chart/templates/cvat_frontend/deployment.yml
+++ b/helm-chart/templates/cvat_frontend/deployment.yml
@@ -39,7 +39,7 @@ spec:
 {{- toYaml . | nindent 12 }}
 {{- end }}
 ports:
- - containerPort: 80
+ - containerPort: 8000
 {{- with .Values.cvat.frontend.additionalEnv }}
 env:
 {{- toYaml . | nindent 10 }}
@@ -47,19 +47,21 @@ spec:
 {{- if .Values.cvat.frontend.readinessProbe.enabled }}
 readinessProbe:
 tcpSocket:
- port: 80
+ port: 8000
 {{- toYaml (omit .Values.cvat.frontend.readinessProbe "enabled") | nindent 12 }}
 {{- end }}
 {{- if .Values.cvat.frontend.livenessProbe.enabled }}
 livenessProbe:
 tcpSocket:
- port: 80
+ port: 8000
 {{- toYaml (omit .Values.cvat.frontend.livenessProbe "enabled") | nindent 12 }}
 {{- end }}
 {{- with .Values.cvat.frontend.additionalVolumeMounts }}
 volumeMounts:
 {{- toYaml . | nindent 10 }}
 {{- end }}
+ securityContext:
+ runAsNonRoot: true
 {{- with .Values.cvat.frontend.additionalVolumes }}
 volumes:
 {{- toYaml . | nindent 8 }}
diff --git a/helm-chart/templates/ingress.yaml b/helm-chart/templates/ingress.yaml
index 8eddd964da9e..618e81408486 100644
--- a/helm-chart/templates/ingress.yaml
+++ b/helm-chart/templates/ingress.yaml
@@ -34,7 +34,7 @@ spec:
 service:
 name: {{ $.Release.Name }}-backend-service
 port:
- number: 8080
+ name: http
 {{- end }}
 - path: /
 pathType: Prefix
@@ -42,5 +42,5 @@ spec:
 service:
 name: {{ .Release.Name }}-frontend-service
 port:
- number: 80
+ name: http
 {{- end }}
diff --git a/helm-chart/values.yaml b/helm-chart/values.yaml
index 9ca39aa14bcb..60640183c25d 100644
--- a/helm-chart/values.yaml
+++ b/helm-chart/values.yaml
@@ -211,8 +211,8 @@ cvat:
 service:
 type: ClusterIP
 ports:
- - port: 80
- targetPort: 80
+ - port: 8000
+ targetPort: 8000
 protocol: TCP
 name: http
 opa:
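Review bot: The `securityContext` added in the second deployment.yml hunk sets only `runAsNonRoot: true`, which makes the kubelet reject a root image but leaves privilege escalation, Linux capabilities and the seccomp profile at their defaults. Indentation is lost on this page, so I am assuming this is the container-level context, since it directly follows `volumeMounts`; if that holds, the fields below complete the hardening. None of them should be needed by an nginx listening on 8000. `readOnlyRootFilesystem: true` would be a further step, but it needs writable mounts for whatever paths nginx writes to, so it is left out here. The container spec starts outside the hunk.

```yaml
          securityContext:
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            seccompProfile:
              type: RuntimeDefault
```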
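Review bot: The backend rule in the first ingress.yaml hunk now resolves its Service port through `name: http` instead of `number: 8080`, but this commit only shows a port named `http` on the frontend Service (values.yaml). The backend Service definition is outside the diff, so confirm it also declares a port with `name: http`; otherwise the ingress controller will find no matching port for that backend. The same by-name lookup is used for the frontend in the second hunk, where the name is visibly present.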
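Review bot: The Service `port` in this values.yaml hunk moves from 80 to 8000 together with `targetPort`, although only the container's listening port has to leave the privileged range. Anything outside this chart that addresses the frontend Service on port 80, such as a user-managed Ingress or another in-cluster client, stops matching after the upgrade. Keeping `- port: 80` with `targetPort: 8000` would preserve the external contract, and the chart's own ingress works either way because it now selects the port by `name: http`. If the change is intended, it deserves a line in the changelog entry, which currently mentions only the non-root change.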