Skip to content

fix(docker): install uv system-wide so runtime works under non-root #981

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

fix(docker): install uv system-wide so runtime works under non-root #981

wants to merge 1 commit into from

Conversation

clsferguson
Copy link

Install uv to /usr/local/bin in both builder and runtime stages (via UV_INSTALL_DIR=/usr/local/bin, UV_NO_MODIFY_PATH=1) so the final image’s USER app can execute uv without relying on /root/.local/bin. This removes the permission/path mismatch that caused “exec: 'uv': not found” at startup, while preserving BuildKit cache mounts for fast uv build/uv sync. The image still installs the graphiti-core wheel first, sets PATH to include /app/.venv/bin, and runs uv run uvicorn on port 8000 for a clean, reproducible launch in Compose/Portainer.

Summary

Install uv system-wide in both stages and keep a non-root runtime so uv is resolvable at container start, eliminating the /root traversal issue while retaining BuildKit caching and the existing multi-stage layout.

Type of Change

  • Bug fix
  • New feature
  • Performance improvement
  • Documentation/Tests

Objective

Make the runtime image consistent with a non-root user by placing uv in a world-accessible system path, ensuring the final CMD [uv run uvicorn ...] succeeds without altering runtime user or app startup behavior.

Testing

  • Unit tests added/updated
  • Integration tests added/updated
  • All existing tests pass

Manual verification steps:

  1. Build: DOCKER_BUILDKIT=1 docker build -t graphiti:latest .
  2. Validate uv under non-root:
    docker run --rm graphiti:latest sh -lc 'id; command -v uv; uv --version'
  3. Smoke test app:
    docker run --rm -p 8001:8000 graphiti:latest and curl http://localhost:8001/healthcheck
  4. Deploy via Portainer stack and confirm container is running and healthy.

Breaking Changes

  • This PR contains breaking changes

If this is a breaking change, describe:

  • What functionality is affected
  • Migration path for existing users

Checklist

  • Code follows project style guidelines (make lint passes)
  • Self-review completed
  • Documentation updated where necessary (Dockerfile comments/README snippet)
  • No secrets or sensitive information committed

Related Issues

Closes #[issue number]

@clsferguson
fix(docker): install uv system-wide so runtime works under non-root
db1e1b1 
Install uv to /usr/local/bin in both builder and runtime stages (via UV_INSTALL_DIR=/usr/local/bin, UV_NO_MODIFY_PATH=1) so the final image’s USER app can execute `uv` without relying on /root/.local/bin. This removes the permission/path mismatch that caused “exec: 'uv': not found” at startup, while preserving BuildKit cache mounts for fast `uv build`/`uv sync`. The image still installs the graphiti-core wheel first, sets PATH to include /app/.venv/bin, and runs `uv run uvicorn` on port 8000 for a clean, reproducible launch in Compose/Portainer.
@danielchalef
Copy link
Member

danielchalef commented Oct 5, 2025
edited
Loading

All contributors have signed the CLA ✍️ ✅
Posted by the CLA Assistant Lite bot.

@clsferguson
Copy link
Author

I have read the CLA Document and I hereby sign the CLA

danielchalef added a commit that referenced this pull request Oct 5, 2025
@danielchalef
@clsferguson has signed the CLA in #981
6789767
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@clsferguson @danielchalef