diff --git a/Dockerfile.onboard-smoke b/Dockerfile.onboard-smoke
index 2639d834..7b13756b 100644
--- a/Dockerfile.onboard-smoke
+++ b/Dockerfile.onboard-smoke
@@ -2,17 +2,22 @@ FROM ubuntu:24.04
 ARG NODE_MAJOR=20
 ARG PAPERCLIPAI_VERSION=latest
+ARG HOST_UID=10001
 ENV DEBIAN_FRONTEND=noninteractive \
 PAPERCLIP_HOME=/paperclip \
 PAPERCLIP_OPEN_ON_LISTEN=false \
 HOST=0.0.0.0 \
 PORT=3100 \
+ HOME=/home/paperclip \
+ LANG=en_US.UTF-8 \
+ LC_ALL=en_US.UTF-8 \
+ NPM_CONFIG_UPDATE_NOTIFIER=false \
 NODE_MAJOR=${NODE_MAJOR} \
 PAPERCLIPAI_VERSION=${PAPERCLIPAI_VERSION}
 RUN apt-get update \
- && apt-get install -y --no-install-recommends ca-certificates curl gnupg \
+ && apt-get install -y --no-install-recommends ca-certificates curl gnupg locales \
 && mkdir -p /etc/apt/keyrings \
 && curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key \
 | gpg --dearmor -o /etc/apt/keyrings/nodesource.gpg \
@@ -20,10 +25,16 @@ RUN apt-get update \
 > /etc/apt/sources.list.d/nodesource.list \
 && apt-get update \
 && apt-get install -y --no-install-recommends nodejs \
+ && locale-gen en_US.UTF-8 \
+ && groupadd --gid 10001 paperclip \
+ && useradd --create-home --shell /bin/bash --uid "${HOST_UID}" --gid 10001 paperclip \
+ && mkdir -p /paperclip /home/paperclip/workspace \
+ && chown -R paperclip:paperclip /paperclip /home/paperclip \
 && rm -rf /var/lib/apt/lists/*
 VOLUME ["/paperclip"]
-WORKDIR /workspace
+WORKDIR /home/paperclip/workspace
 EXPOSE 3100
+USER paperclip
 CMD ["bash", "-lc", "set -euo pipefail; mkdir -p \"$PAPERCLIP_HOME\"; npx --yes \"paperclipai@${PAPERCLIPAI_VERSION}\" onboard --yes --data-dir \"$PAPERCLIP_HOME\""]
diff --git a/doc/DOCKER.md b/doc/DOCKER.md
index 3fc9e037..623adb9e 100644
--- a/doc/DOCKER.md
+++ b/doc/DOCKER.md
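Review bot: `ARG HOST_UID=10001` is added without a comment, and nothing in this hunk says that the value becomes the runtime account's uid or why it should match the host. I would add above it `# UID of the runtime user; scripts/docker-onboard-smoke.sh passes the caller's id -u so the bind-mounted /paperclip stays writable`. Because the uid is fixed at build time, an image built by one user and reused by another under the same tag will presumably hit permission errors on the data dir, which is worth one more sentence in that comment.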
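Review bot: The `useradd ... --uid "${HOST_UID}"` line can collide with an account that already exists in the base image. Current `ubuntu:24.04` images ship a stock `ubuntu` user at uid 1000 (confirm with `getent passwd 1000` in the base), and the smoke script passes the caller's `id -u`, which is 1000 on most single-user Linux hosts. In that case useradd rejects the duplicate uid and the whole RUN step fails, so the non-root image cannot be built for the most common host. Removing the unused stock account first keeps the non-root setup intact: `&& (userdel --remove ubuntu 2>/dev/null || true) \` ahead of the `groupadd` line. The RUN instruction starts above this hunk.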
@@ -86,9 +86,12 @@ Useful overrides:
 ```sh
 HOST_PORT=3200 PAPERCLIPAI_VERSION=latest ./scripts/docker-onboard-smoke.sh
+PAPERCLIP_DEPLOYMENT_MODE=authenticated PAPERCLIP_DEPLOYMENT_EXPOSURE=private ./scripts/docker-onboard-smoke.sh
 ```
 Notes:
 - Persistent data is mounted at `./data/docker-onboard-smoke` by default.
+- Container runtime user id defaults to your local `id -u` so the mounted data dir stays writable while avoiding root runtime.
+- Smoke script defaults to `authenticated/private` mode so `HOST=0.0.0.0` can be exposed to the host on port 3100.
 - The image definition is in `Dockerfile.onboard-smoke`.
diff --git a/scripts/docker-onboard-smoke.sh b/scripts/docker-onboard-smoke.sh
index afd9d2f5..b64b7123 100755
--- a/scripts/docker-onboard-smoke.sh
+++ b/scripts/docker-onboard-smoke.sh
@@ -6,12 +6,16 @@ IMAGE_NAME="${IMAGE_NAME:-paperclip-onboard-smoke}"
 HOST_PORT="${HOST_PORT:-3100}"
 PAPERCLIPAI_VERSION="${PAPERCLIPAI_VERSION:-latest}"
 DATA_DIR="${DATA_DIR:-$REPO_ROOT/data/docker-onboard-smoke}"
+HOST_UID="${HOST_UID:-$(id -u)}"
+PAPERCLIP_DEPLOYMENT_MODE="${PAPERCLIP_DEPLOYMENT_MODE:-authenticated}"
+PAPERCLIP_DEPLOYMENT_EXPOSURE="${PAPERCLIP_DEPLOYMENT_EXPOSURE:-private}"
 mkdir -p "$DATA_DIR"
 echo "==> Building onboard smoke image"
 docker build \
 --build-arg PAPERCLIPAI_VERSION="$PAPERCLIPAI_VERSION" \
+ --build-arg HOST_UID="$HOST_UID" \
 -f "$REPO_ROOT/Dockerfile.onboard-smoke" \
 -t "$IMAGE_NAME" \
 "$REPO_ROOT"
@@ -19,10 +23,13 @@ docker build \
 echo "==> Running onboard smoke container"
 echo " UI should be reachable at: http://localhost:$HOST_PORT"
 echo " Data dir: $DATA_DIR"
+echo " Deployment: $PAPERCLIP_DEPLOYMENT_MODE/$PAPERCLIP_DEPLOYMENT_EXPOSURE"
 docker run --rm \
 --name "${IMAGE_NAME//[^a-zA-Z0-9_.-]/-}" \
 -p "$HOST_PORT:3100" \
 -e HOST=0.0.0.0 \
 -e PORT=3100 \
+ -e PAPERCLIP_DEPLOYMENT_MODE="$PAPERCLIP_DEPLOYMENT_MODE" \
+ -e PAPERCLIP_DEPLOYMENT_EXPOSURE="$PAPERCLIP_DEPLOYMENT_EXPOSURE" \
 -v "$DATA_DIR:/paperclip" \
 "$IMAGE_NAME"
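Review bot: `HOST_UID="${HOST_UID:-$(id -u)}"` is forwarded to `docker build` without validation, so running the script as root (sudo, some CI runners) passes uid 0, and a non-numeric override reaches `useradd` unchecked. Uid 0 would most likely fail the build with an unrelated-looking useradd error, and if it were ever made to succeed it would undo the non-root runtime this change sets up. A guard right after the assignment makes the contract explicit: `[[ "$HOST_UID" =~ ^[1-9][0-9]*$ ]] || { echo "HOST_UID must be a non-zero numeric uid" >&2; exit 1; }`. This assumes the script runs under bash, which the `${IMAGE_NAME//...}` expansion further down suggests.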
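Review bot: The two new `-e PAPERCLIP_DEPLOYMENT_*` values are passed through as the caller set them, while `-p "$HOST_PORT:3100"` in the same `docker run` still publishes the port on every host interface. The defaults are `authenticated/private`, but an override that relaxes authentication would leave the UI reachable from the local network, not just the machine running the smoke test. Which values the app accepts is not visible in this diff, so that part is an inference. Since the script already prints a `http://localhost:$HOST_PORT` URL, binding the publish to loopback matches the stated intent: `-p "127.0.0.1:$HOST_PORT:3100" \`.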