Skip to content

docs(self-host): document HOPP_ALTERNATE_PORT and non-root containers#361

Open
mirarifhasan wants to merge 2 commits into
mainfrom
docs/non-root-container-support
Open

docs(self-host): document HOPP_ALTERNATE_PORT and non-root containers#361
mirarifhasan wants to merge 2 commits into
mainfrom
docs/non-root-container-support

Conversation

@mirarifhasan

@mirarifhasan mirarifhasan commented Jul 14, 2026

Copy link
Copy Markdown
Collaborator

Closes BE-786

Documents the non-root / arbitrary-UID container support landed in hoppscotch/hoppscotch#6481 and hoppscotch/selfhost-enterprise#248.

The docs only knew HOPP_AIO_ALTERNATE_PORT, described as an AIO-only way to move the subpath endpoint off port 80. That's now stale twice over: the variable is HOPP_ALTERNATE_PORT and applies to the frontend, backend and admin images as well, and its real purpose is making the images runnable under a non-root UID rather than just dodging a port clash.

What's changed

  • Renamed the variable in the sample .env blocks and the variable lists on both install-and-build pages, and in the self-hosting guide article. The legacy HOPP_AIO_ALTERNATE_PORT still works as an AIO fallback but is no longer advertised.
  • New "Running under a non-root user" section on both install-and-build pages: the docker run --user 1000:0 example, the OpenShift Service/Route note, the per-image reserved-port table, and the writable-root-filesystem + GID 0 requirements.
  • Subpath warnings now point at HOPP_ALTERNATE_PORT and link to the new section.
  • Enterprise only: port 9159 (the local proxy server, started when LOCAL_PROXY_SERVER_ENABLE=true) appears in the reserved-port table for the AIO and backend images, and a warning notes that the official ClickHouse image is not arbitrary-UID safe — an OpenShift deployment needs a managed or external ClickHouse.

Notes to reviewers

  • Reserved ports are documented per image rather than as one flat list, because the images genuinely reserve different sets — the flat list in .env.example tells an admin-image operator to avoid ports it never binds. Values are taken from the RESERVED_PORTS arrays in aio_run.mjs and each package's prod_run.mjs.
  • The ClickHouse audit-log export fix from selfhost-enterprise#248 has no configuration surface, so it isn't documented — it just makes exports work under a non-root UID.
  • The AIO multiport case (a value set there is ignored with a warning) is deliberately left out: nothing breaks, so it didn't earn space in a deploy guide.

The self-host images can now run under a non-root / arbitrary UID
(hoppscotch#6481, selfhost-enterprise#248). Caddy's in-container HTTP port
is configurable via HOPP_ALTERNATE_PORT, which replaces the AIO-only
HOPP_AIO_ALTERNATE_PORT and is honoured by the frontend, backend and admin
images too.

- Rename the variable in the sample .env blocks and variable lists
- Add a "Running under a non-root user" section covering the OpenShift /
  rootless Docker / Podman setup, the per-image reserved ports, the port
  mapping update, and the writable-rootfs + GID 0 requirements
- Enterprise: reserve 9159 (local proxy server) and note that the ClickHouse
  image is not arbitrary-UID safe
Copilot AI review requested due to automatic review settings July 14, 2026 11:40
@mirarifhasan mirarifhasan self-assigned this Jul 14, 2026
@mirarifhasan
mirarifhasan requested a review from liyasthomas July 14, 2026 11:40

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Updates self-hosting documentation to reflect the newer HOPP_ALTERNATE_PORT variable and to document how to run Hoppscotch self-host images under non-root / arbitrary-UID container constraints (rootless Docker/Podman, OpenShift, etc.).

Changes:

  • Replaces references to HOPP_AIO_ALTERNATE_PORT with HOPP_ALTERNATE_PORT and updates subpath warnings accordingly.
  • Adds “Container Runtime Config” guidance in .env examples and introduces “Running under a non-root user” sections (incl. reserved-port tables) on install-and-build pages.
  • Adds an enterprise-only reserved-port note for the local proxy server (9159) and a ClickHouse/OpenShift caution for audit logs.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 5 comments.

File Description
guides/articles/self-host-hoppscotch-on-your-own-servers.mdx Updates the self-hosting guide’s .env example and subpath warning to reference HOPP_ALTERNATE_PORT and link to the new non-root guidance.
documentation/self-host/enterprise-edition/install-and-build.mdx Renames the variable, adds non-root runtime guidance (incl. reserved ports + enterprise-specific notes), and updates subpath warnings.
documentation/self-host/community-edition/install-and-build.mdx Renames the variable, adds non-root runtime guidance (incl. reserved ports), and updates subpath warnings.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread documentation/self-host/community-edition/install-and-build.mdx Outdated
Comment thread documentation/self-host/community-edition/install-and-build.mdx Outdated
Comment thread documentation/self-host/enterprise-edition/install-and-build.mdx Outdated
Comment thread documentation/self-host/enterprise-edition/install-and-build.mdx Outdated
Comment thread guides/articles/self-host-hoppscotch-on-your-own-servers.mdx Outdated
Address AI review feedback: reword the subpath warnings so they explain
that ports below 1024 are privileged and non-root users can't bind them
(a rootless/OpenShift restriction), rather than implying it's host-specific.
Also clarify that images serve on port 80 inside the container to avoid
ambiguity with the host-published port mappings.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants