docs: update custom agent images section for entrypoint privilege drop

barckcode · claude · barckcode · commit 8701d62876aa · 2026-03-09T22:10:02.000Z
Remove USER directive instructions — containers always start as root
and the entrypoint handles privilege dropping via gosu. Recommend
gosu agentcrew for user-level tool installs during build.

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/web/src/pages/docs/configuration.astro b/web/src/pages/docs/configuration.astro
@@ -237,45 +237,34 @@ WEBHOOK_MAX_CONCURRENT=20</code></pre>
 
     <pre><code class="language-dockerfile">FROM ghcr.io/helmcode/agent_crew_agent:latest
 
-# Switch to root to install system packages
-USER root
-
-# Install system-level dependencies
-RUN mkdir -p /var/lib/apt/lists/partial \
-    && apt-get update && apt-get install -y --no-install-recommends \
-    your-system-packages-here \
+# Add your custom dependencies here
+# Example: Install Python packages
+RUN pip install pandas numpy
+
+# Example: Install system tools
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    postgresql-client \
+    redis-tools \
     && rm -rf /var/lib/apt/lists/*
 
-# Install user-level tools as agentcrew user (NOT as root)
-# RUN su agentcrew -c "npx playwright install chromium"
-
-# IMPORTANT: Switch back to agentcrew user
-USER agentcrew</code></pre>
+# Example: Install user-level tools (use gosu to run as agentcrew)
+# RUN gosu agentcrew npx playwright install chromium</code></pre>
 
     <h3>Base Dockerfile for OpenCode Agent</h3>
 
     <pre><code class="language-dockerfile">FROM ghcr.io/helmcode/agent_crew_opencode_agent:latest
 
-USER root
-
-# Install system-level dependencies
-RUN mkdir -p /var/lib/apt/lists/partial \
-    && apt-get update && apt-get install -y --no-install-recommends \
-    your-system-packages-here \
-    && rm -rf /var/lib/apt/lists/*
-
-# Install user-level tools as agentcrew user (NOT as root)
-# RUN su agentcrew -c "command-here"
-
-# IMPORTANT: Switch back to agentcrew user
-USER agentcrew</code></pre>
+# Add your custom dependencies here
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    your-tools-here \
+    && rm -rf /var/lib/apt/lists/*</code></pre>
 
     <blockquote>
-      <strong>Important:</strong> Always end your Dockerfile with
-      <code>USER agentcrew</code>. The base image runs as the <code>agentcrew</code>
-      user, and leaving <code>USER root</code> will cause Claude Code to reject the
-      <code>--dangerously-skip-permissions</code> flag. Use <code>USER root</code>
-      only for system package installations, then switch back.
+      <strong>Note:</strong> You do not need to manage <code>USER</code> directives
+      in your Dockerfile. AgentCrew containers always start as root and the
+      entrypoint script automatically drops privileges to match the workspace
+      owner. Use <code>gosu agentcrew</code> when you need to install user-level
+      tools (e.g., browser binaries) during the build.
     </blockquote>
 
     <h3>How to Build and Use</h3>
diff --git a/web/src/pages/es/docs/configuration.astro b/web/src/pages/es/docs/configuration.astro
@@ -237,46 +237,35 @@ WEBHOOK_MAX_CONCURRENT=20</code></pre>
 
     <pre><code class="language-dockerfile">FROM ghcr.io/helmcode/agent_crew_agent:latest
 
-# Switch to root to install system packages
-USER root
-
-# Install system-level dependencies
-RUN mkdir -p /var/lib/apt/lists/partial \
-    && apt-get update && apt-get install -y --no-install-recommends \
-    your-system-packages-here \
+# Add your custom dependencies here
+# Example: Install Python packages
+RUN pip install pandas numpy
+
+# Example: Install system tools
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    postgresql-client \
+    redis-tools \
     && rm -rf /var/lib/apt/lists/*
 
-# Install user-level tools as agentcrew user (NOT as root)
-# RUN su agentcrew -c "npx playwright install chromium"
-
-# IMPORTANT: Switch back to agentcrew user
-USER agentcrew</code></pre>
+# Example: Install user-level tools (use gosu to run as agentcrew)
+# RUN gosu agentcrew npx playwright install chromium</code></pre>
 
     <h3>Dockerfile Base para Agente OpenCode</h3>
 
     <pre><code class="language-dockerfile">FROM ghcr.io/helmcode/agent_crew_opencode_agent:latest
 
-USER root
-
-# Install system-level dependencies
-RUN mkdir -p /var/lib/apt/lists/partial \
-    && apt-get update && apt-get install -y --no-install-recommends \
-    your-system-packages-here \
-    && rm -rf /var/lib/apt/lists/*
-
-# Install user-level tools as agentcrew user (NOT as root)
-# RUN su agentcrew -c "command-here"
-
-# IMPORTANT: Switch back to agentcrew user
-USER agentcrew</code></pre>
+# Add your custom dependencies here
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    your-tools-here \
+    && rm -rf /var/lib/apt/lists/*</code></pre>
 
     <blockquote>
-      <strong>Importante:</strong> Siempre termina tu Dockerfile con
-      <code>USER agentcrew</code>. La imagen base se ejecuta como el usuario
-      <code>agentcrew</code>, y dejar <code>USER root</code> hará que Claude Code
-      rechace el flag <code>--dangerously-skip-permissions</code>. Usa
-      <code>USER root</code> solo para instalaciones de paquetes del sistema,
-      luego cambia de vuelta.
+      <strong>Nota:</strong> No necesitas gestionar directivas <code>USER</code>
+      en tu Dockerfile. Los contenedores de AgentCrew siempre arrancan como root
+      y el script de entrypoint reduce los privilegios automaticamente para
+      coincidir con el propietario del workspace. Usa <code>gosu agentcrew</code>
+      cuando necesites instalar herramientas a nivel de usuario (por ejemplo,
+      binarios de navegador) durante el build.
     </blockquote>
 
     <h3>Cómo Construir y Usar</h3>
