Fix SIGILL crash on CPUs without AVX2 support (#70) (#71)
authorStefan Gasser <redacted>
Fri, 20 Feb 2026 20:52:52 +0000 (21:52 +0100)
committerGitHub <redacted>
Fri, 20 Feb 2026 20:52:52 +0000 (21:52 +0100)
Copy Bun binary from official oven/bun:1-slim image instead of using
the install script. The official images use baseline builds for x64,
which only require SSE4.2 and work on older/low-power CPUs like the
Intel Atom C3558R that lack AVX2 instructions.

Also fixes compatibility with updated presidio-analyzer base image:
- Use USER root for build, then switch to non-root (UID 1001) for runtime
- Fix Presidio config paths (/app/presidio_analyzer/conf/)
- Move PasteGuard to /pasteguard to avoid overwriting Presidio's /app
- Update supervisord to run without root privileges
- Update volume mount paths in docker-compose.yml and docs

docker-compose.yml
docker/Dockerfile
docker/supervisord.conf
docs/configuration/logging.mdx
docs/installation.mdx

index 7462c2b995988e707bb4d7659ca6b768760326f7..f3c4f75df673356b7d648c5f609939d5d8884e26 100644 (file)
@@ -28,8 +28,8 @@ services:
       - path: .env
         required: false
     volumes:
-      - ./config.yaml:/app/config.yaml:ro
-      - ./data:/app/data
+      - ./config.yaml:/pasteguard/config.yaml:ro
+      - ./data:/pasteguard/data
     restart: unless-stopped
 
   # Development: Only Presidio (for local Bun with hot-reload)
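Review bot: The bind mount `./data:/pasteguard/data` hides the image directory that the Dockerfile chowns to 1001, so with the container now running as UID 1001 the host's `./data` must itself be writable by that UID. A `./data` directory created by the earlier root-running container will likely be root-owned, and writes there would then fail after the upgrade. Either document a one-time `chown -R 1001:1001 ./data` on the host in the upgrade notes, or use a named volume, which is initialised from the image directory and inherits its ownership.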
index 16aaa363fa141282ca1ed0e2422a687ca5656e29..31b5b60b005081e47ae888cc2d87e33c8567090a 100644 (file)
@@ -2,7 +2,7 @@
 # Single container with Proxy + PII Detection
 #
 # Build: docker build -f docker/Dockerfile --build-arg LANGUAGES=en -t pasteguard:en .
-# Run:   docker run -p 3000:3000 -v ./config.yaml:/app/config.yaml -v ./data:/app/data pasteguard:en
+# Run:   docker run -p 3000:3000 -v ./config.yaml:/pasteguard/config.yaml -v ./data:/pasteguard/data pasteguard:en
 
 ARG LANGUAGES="en"
 
@@ -42,13 +42,14 @@ COPY tsconfig.json ./
 # =============================================================================
 FROM mcr.microsoft.com/presidio-analyzer:latest
 
+USER root
+
 ARG LANGUAGES
 
 # Install supervisor for process management
 RUN apt-get update && apt-get install -y --no-install-recommends \
     supervisor \
     curl \
-    unzip \
     && apt-get clean \
     && rm -rf /var/lib/apt/lists/*
 
@@ -61,33 +62,39 @@ RUN if echo "${LANGUAGES}" | grep -q "ja"; then \
     fi
 ENV PATH="/root/.cargo/bin:${PATH}"
 
-# Install Bun
-RUN curl -fsSL https://bun.sh/install | bash
-ENV PATH="/root/.bun/bin:${PATH}"
+# Copy Bun binary from official image (uses baseline build for x64 compatibility)
+# The official oven/bun images use baseline builds which only require SSE4.2,
+# supporting older/low-power x86_64 CPUs (e.g., Intel Atom C3558R) that lack AVX2.
+# See: https://github.com/sgasser/pasteguard/issues/70
+COPY --from=bun-builder /usr/local/bin/bun /usr/local/bin/bun
+ENV PATH="/usr/local/bin:${PATH}"
 
 # Copy Presidio configuration
-COPY --from=generator /output/nlp-config.yaml /usr/bin/presidio_analyzer/conf/default.yaml
-COPY --from=generator /output/recognizers-config.yaml /usr/bin/presidio_analyzer/conf/default_recognizers.yaml
-COPY --from=generator /output/analyzer-config.yaml /usr/bin/presidio_analyzer/conf/default_analyzer.yaml
+COPY --from=generator /output/nlp-config.yaml /app/presidio_analyzer/conf/default.yaml
+COPY --from=generator /output/recognizers-config.yaml /app/presidio_analyzer/conf/default_recognizers.yaml
+COPY --from=generator /output/analyzer-config.yaml /app/presidio_analyzer/conf/default_analyzer.yaml
 
 # Install spaCy models
 COPY --from=generator /output/install-models.sh /tmp/
 RUN chmod +x /tmp/install-models.sh && /tmp/install-models.sh && rm /tmp/install-models.sh
 
-# Copy Bun application
-WORKDIR /app
+# Copy Bun application to /pasteguard (separate from Presidio's /app)
+WORKDIR /pasteguard
 COPY --from=bun-builder /app/node_modules ./node_modules
 COPY --from=bun-builder /app/src ./src
 COPY --from=bun-builder /app/package.json ./
 COPY --from=bun-builder /app/tsconfig.json ./
 COPY config.example.yaml ./
 
-# Create data directory
-RUN mkdir -p /app/data
+# Create data directory and set permissions for non-root user
+RUN mkdir -p /pasteguard/data && chown -R 1001:1001 /pasteguard
 
 # Copy supervisor configuration
 COPY docker/supervisord.conf /etc/supervisor/conf.d/pasteguard.conf
 
+# Switch back to non-root user for runtime
+USER 1001
+
 # Environment defaults
 ENV PRESIDIO_URL=http://localhost:5002
 ENV PORT=5002
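Review bot: `chown -R 1001:1001 /pasteguard` gives the runtime user write access to the application source and `node_modules`, not only the data directory, so a compromised proxy process could rewrite the code it runs from; a recursive chown in its own `RUN` also stores the copied tree a second time in a new layer. If only `/pasteguard/data` has to be writable (not verifiable from this hunk), narrow it to `RUN mkdir -p /pasteguard/data && chown 1001:1001 /pasteguard/data` and leave the rest root-owned. Separately, the context line `ENV PATH="/root/.cargo/bin:${PATH}"` now points at a directory under root's home that UID 1001 may not be able to read; worth confirming it is needed at build time only. The stage begins and ends outside this hunk.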
index d3d0f89b19efe41a7f9feea8692c189c5ec1835e..466f73a63dc575b49e36c03be985c8b2c6ae7428 100644 (file)
@@ -1,13 +1,13 @@
 [supervisord]
 nodaemon=true
-user=root
-logfile=/var/log/supervisor/supervisord.log
-pidfile=/var/run/supervisord.pid
+logfile=/dev/stdout
+logfile_maxbytes=0
+pidfile=/tmp/supervisord.pid
 loglevel=info
 
 [program:presidio]
 command=poetry run gunicorn -w %(ENV_WORKERS)s -b 0.0.0.0:%(ENV_PORT)s --timeout 300 --preload "app:create_app()"
-directory=/usr/bin
+directory=/app
 autostart=true
 autorestart=true
 startsecs=10
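Review bot: With `user=root` removed, nothing in the `[supervisord]` section records which user it is expected to run as; the privilege drop now depends entirely on `USER 1001` in the Dockerfile. A short comment above `logfile=` would make that explicit, e.g. `; runs as the image's non-root USER (1001), so the pidfile lives in /tmp` and `; stdout cannot be rotated, hence logfile_maxbytes=0`. Starting the container with a user override would presumably run both programs as root again, so the docs may want a line saying that is unsupported.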
@@ -19,8 +19,8 @@ stderr_logfile_maxbytes=0
 priority=10
 
 [program:pasteguard]
-command=/root/.bun/bin/bun run src/index.ts
-directory=/app
+command=/usr/local/bin/bun run src/index.ts
+directory=/pasteguard
 autostart=%(ENV_START_APP)s
 autorestart=true
 startsecs=5
index c349140c62fa8f0a4276b1574b366f41207ca5f8..b2da33f55f860c67a8d221ca54dee65a88f6576b 100644 (file)
@@ -33,7 +33,7 @@ In Docker, this is persisted via volume:
 
 ```yaml
 volumes:
-  - ./data:/app/data
+  - ./data:/pasteguard/data
 ```
 
 ## Retention
index a7b9eeb81e68d24a49fd7678a0cc7d6462913023..339892efa8c14ca92b96f4a6f965e3afb2d32b68 100644 (file)
@@ -50,8 +50,8 @@ mkdir -p data
 
 # Run with persistence
 docker run -d --name pasteguard --restart unless-stopped -p 3000:3000 \
-  -v ./config.yaml:/app/config.yaml:ro \
-  -v ./data:/app/data \
+  -v ./config.yaml:/pasteguard/config.yaml:ro \
+  -v ./data:/pasteguard/data \
   ghcr.io/sgasser/pasteguard:en
 ```
 