Skip to content

Fix Alpine 3.20 user conflict in platform-service Dockerfile#1

Open
railway-app[bot] wants to merge 26 commits into
mainfrom
railway/code-change-98TOah
Open

Fix Alpine 3.20 user conflict in platform-service Dockerfile#1
railway-app[bot] wants to merge 26 commits into
mainfrom
railway/code-change-98TOah

Conversation

@railway-app

@railway-app railway-app Bot commented May 26, 2026

Copy link
Copy Markdown

Problem

Alpine 3.20 ships with a built-in nobody user at UID 65534. The platform-service Dockerfile (introduced in commit 7142bfc) attempts to create a second user also named nobody with UID 1001, causing adduser: user 'nobody' in use and failing every build.

Solution

Replaced both occurrences of nobody in deploy/railway/platform-service.Dockerfile with appuser — the adduser invocation and the USER directive. This avoids the naming collision with Alpine's built-in user while preserving the non-root security hardening at the dedicated UID 1001.

Changes

  • Modified deploy/railway/platform-service.Dockerfile

Generated by Railway

jraya106 and others added 26 commits May 14, 2026 19:53
…im validation, dead-room reconciliation, and full beta reset
…esence, castling fusion

- Fix TS structural errors in App.tsx (orphan </div> from ErrorBoundary/ELO removal)
- Replace PlatformContext createContext<any> with typed PlatformContextShape interface
- Add TLS support to gateway (TLS_CERT_FILE/TLS_KEY_FILE env vars)
- Add disconnect presence on WS close (MarkDisconnected + playerId/playerSecret query params)
- Fix castling to use isAttackedWithFusion instead of isAttacked for fusion-aware checks
- Remove ELO stakes section (hardcoded +16/-16 replaced by proper ELO formula)
- Add resign confirmation (two-click with 3s timeout and red highlight)
- Add draw offer cooldown (15s rate limit on both client and server)
- Add idempotency keys (clientMoveId) to prevent duplicate intent processing
…, queue outbox, security headers, orphaned client removal

CRITICAL:
- HTTP timeouts (ReadHeaderTimeout/ReadTimeout/WriteTimeout/IdleTimeout) on all 4 Go servers
- WebSocket CheckOrigin rejects empty Origin (CORS bypass fixed)
- Hardcoded defaultAllowedOrigins removed from match-service
- Queue TOCTOU race: CreateMatch HTTP call moved outside mutex via goroutine
- USER nobody added to all 5 Dockerfiles (Go + web)
- Security headers in next.config.mjs (CSP, X-Frame-Options, etc.)
- web.Dockerfile CMD uses exec for proper signal handling
- legalMovesWithFusion in applyMove intent validation (castling fusion)
- Rate limiter middleware (IP-based, windowed) applied to all 4 services
- Elo-range matchmaking (max 400 rating diff in findMatchCandidateLocked)
- Orphaned client/ directory removed (duplicate CRA frontend)
- Test ref: collectBroadcasts -> collectAndBroadcast

HIGH:
- In-memory rate limit package (internal/rate_limit) with configurable window/limit
- Default rate limits: 60/min API, 20/10min auth, 10/30s queue
- Elo-range matching for casual and rated queues
- Session token hashing infrastructure (hashSessionToken function)
- Add inBounds checks to fakepiece/clone/teleport/jump card targets (4 crash fixes)
- Deep-copy History and SeenClientMoveIDs in cloneState (2 data race fixes)
- Harden platform-service: status endpoint, account enumeration, sensitive logging, X-Forwarded-For spoofing
- Add history_public.go DTO layer and public API endpoints
- Unify ELO formula across all backends (Postgres, SQLite, in-memory)
- Fix guest-results and account-results tests for new auth-required handler
- Fix lava test (insufficient material draw)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants