refactor(docker): migrate both images to Alpine

Replace node:20-slim/ubuntu:22.04 with node:20-alpine/alpine:3.21.
Switch package management from apt to apk (--no-cache, no cleanup layer).
Use Alpine addgroup/adduser in claude/Dockerfile. Update proxy to use
squid user (Alpine convention) and /var/cache/squid cache path.
Fix proxy/Dockerfile COPY path now that context is proxy/. Move
webui-entrypoint.sh into claude/ to match its build context. Fix
docker-compose.yml webui context to claude/, update proxy tmpfs path.
docker-claude 2026-04-14 22:40:57 +02:00
parent 782370e014
commit 88805a3c24
9 changed files with 53 additions and 57 deletions

@ -30,9 +30,9 @@ Runs [Claude Code](https://claude.ai/code) inside an isolated Docker environment
└──────────────────────────────────────────────────────────┘
```
- **`claude`** — Claude Code CLI, UID 1000, on `claude-internal` only
- **`webui`** — Claude Code in a browser terminal (ttyd), UID 1000, on `claude-internal` only, port 7681
- **`proxy`** — Squid forward proxy, UID 13, bridges `claude-internal` ↔ internet with egress allowlist
- **`claude`** — Claude Code CLI (`node:20-alpine`), UID 1000, on `claude-internal` only
- **`webui`** — Claude Code in a browser terminal via ttyd (`node:20-alpine`), UID 1000, on `claude-internal` only, port 7681
- **`proxy`** — Squid forward proxy (`alpine:3.21`), bridges `claude-internal` ↔ internet with egress allowlist
- **`claude-internal`** — `internal: true`; no default gateway, containers cannot reach the internet directly
- **`proxy-external`** — Standard bridge; proxy sidecar only
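Review bot: The replacement `proxy` bullet no longer says which user Squid runs as. The old line stated "UID 13" and the new one names only the base image, while the `claude` and `webui` bullets keep "UID 1000". Since this list is the architecture summary, put the account back, for example "Squid forward proxy (`alpine:3.21`), runs as `squid`, bridges ...", so a reader can still see at a glance that all three services are non-root.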
@ -129,7 +129,7 @@ Rebuild after changes:
| Control | claude / webui | proxy |
|---|---|---|
| Non-root user | UID 1000 (`claude`) | UID 13 (`proxy`) |
| Non-root user | UID 1000 (`claude`) | `squid` user |
| `no-new-privileges` | yes | yes |
| All capabilities dropped | yes | yes |
| Direct internet access | no (`internal` network only) | allowlisted only |
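Review bot: In the "Non-root user" row the proxy cell changes from "UID 13 (`proxy`)" to "`squid` user", so the table now gives a numeric UID in one column and a bare account name in the other. The commit message says the cache path and the proxy tmpfs path were changed, and ownership on those paths is expressed in numeric IDs, so the number is the part an auditor needs. Keep the "UID n (`squid`)" form using the value the `alpine:3.21` image actually assigns, or say explicitly that the account is resolved by name and its UID is not pinned.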