fix: run prisma generate as nobody user in non-root container (#20000)

Fixes permission error where prisma generate fails with 'Permission denied'
when trying to write schema.prisma in non-root containers.

The issue was that prisma generate was running as root before switching
to nobody user, causing generated files to be owned by root:root.
Moving prisma generate after USER nobody ensures files are owned by
nobody:nobody and can be written to during runtime.

Fixes #19859
This commit is contained in:
milan-berri 2026-01-30 05:04:59 +02:00 committed by GitHub
parent c9658f877e
commit 8fcdf6105f
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194

@ -170,12 +170,14 @@ RUN sed -i 's/\r$//' docker/entrypoint.sh && \
[ -n "$LITELLM_PROXY_EXTRAS_PATH" ] && chmod -R g+w $LITELLM_PROXY_EXTRAS_PATH || true && \
chmod -R g+rX $PRISMA_PATH && \
chmod -R g+rX /app/.cache && \
mkdir -p /tmp/.npm /nonexistent /.npm && \
prisma generate
mkdir -p /tmp/.npm /nonexistent /.npm
# Switch to non-root user for runtime
USER nobody
# Generate Prisma client as nobody user to ensure correct file ownership
RUN prisma generate
# Prisma runtime knobs for offline containers
ENV PRISMA_SKIP_POSTINSTALL_GENERATE=1 \
PRISMA_HIDE_UPDATE_MESSAGE=1 \
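Review bot: The new `RUN prisma generate` sits above the `ENV PRISMA_SKIP_POSTINSTALL_GENERATE=1 ...` block, so those Prisma variables are not set when the build-time generate runs; if they are meant to cover it, move the ENV block above `USER nobody`. Also, `mkdir -p /tmp/.npm /nonexistent /.npm` still runs in the root step, and this hunk shows no chown or write-granting chmod for those directories, while `$PRISMA_PATH` and `/app/.cache` only receive `g+rX`. Since generate now has to write as nobody, please confirm every path it touches is writable by that user, otherwise the build step hits the same 'Permission denied'. It would also help to document which paths must stay writable at runtime and keep that set as small as possible, because anything the runtime user can write, a compromised process can rewrite too.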