Auto-create and chown data dirs on first start
Entrypoint runs as root, ensures /data/{db,uploads,logo} and
/webdav-config exist with UID 1000 ownership, then drops privileges
via gosu. Removes the manual sudo chown step from the README and
makes a fresh docker compose up succeed without prep.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
parent
d476784c06
commit
20e61aa61c
|
|
@ -3,7 +3,7 @@ FROM node:20-bookworm-slim
|
||||||
WORKDIR /app
|
WORKDIR /app
|
||||||
|
|
||||||
RUN apt-get update && apt-get install -y --no-install-recommends \
|
RUN apt-get update && apt-get install -y --no-install-recommends \
|
||||||
python3 make g++ \
|
python3 make g++ gosu \
|
||||||
&& rm -rf /var/lib/apt/lists/*
|
&& rm -rf /var/lib/apt/lists/*
|
||||||
|
|
||||||
COPY package.json ./
|
COPY package.json ./
|
||||||
|
|
@ -22,6 +22,10 @@ ENV NODE_ENV=production \
|
||||||
DB_PATH=/data/db/app.db \
|
DB_PATH=/data/db/app.db \
|
||||||
WEBDAV_CONFIG_DIR=/webdav-config
|
WEBDAV_CONFIG_DIR=/webdav-config
|
||||||
|
|
||||||
|
COPY entrypoint.sh /entrypoint.sh
|
||||||
|
RUN chmod +x /entrypoint.sh
|
||||||
|
|
||||||
EXPOSE 3000
|
EXPOSE 3000
|
||||||
|
|
||||||
|
ENTRYPOINT ["/entrypoint.sh"]
|
||||||
CMD ["node", "src/server.js"]
|
CMD ["node", "src/server.js"]
|
||||||
|
|
|
||||||
|
|
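Review bot: `COPY entrypoint.sh /entrypoint.sh` followed by `RUN chmod +x /entrypoint.sh` can be one layer with `COPY --chmod=755 entrypoint.sh /entrypoint.sh` (BuildKit), and it is worth checking that `.dockerignore` does not exclude the script and that it is committed with LF line endings, since a CRLF `#!/bin/sh` line makes the exec-form `ENTRYPOINT ["/entrypoint.sh"]` fail with a misleading "no such file or directory". The exec form itself is the right choice: with `CMD ["node", "src/server.js"]` kept as is, the node command reaches the script as `"$@"`.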
@ -41,11 +41,10 @@ docker compose up -d --build
|
||||||
- `./data/uploads/` → ein Unterordner pro Kunde (Slug)
|
- `./data/uploads/` → ein Unterordner pro Kunde (Slug)
|
||||||
- Named Volume `webdav-config` → dynamisch generierte Apache-Config
|
- Named Volume `webdav-config` → dynamisch generierte Apache-Config
|
||||||
|
|
||||||
Beide Container laufen als UID `1000:1000`. Falls vorhandene Daten root gehören:
|
Beide Container laufen als UID `1000:1000`. Der App-Container startet kurz
|
||||||
|
als root, korrigiert die Eigentümer der `./data/`-Mountpunkte auf `1000:1000`
|
||||||
```bash
|
und droppt dann via `gosu` die Privilegien — fresh deploys laufen also ohne
|
||||||
sudo chown -R 1000:1000 data/
|
manuellen `chown` durch.
|
||||||
```
|
|
||||||
|
|
||||||
## Wie die WebDAV-ACLs funktionieren
|
## Wie die WebDAV-ACLs funktionieren
|
||||||
|
|
||||||
|
|
|
||||||
|
|
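Review bot: the new paragraph should state that the automatic ownership fix depends on the app container starting as root; anyone who re-adds `user: "1000:1000"` in the compose file or runs under rootless Docker/Podman will find that the entrypoint cannot change ownership, and the removed `sudo chown -R 1000:1000 data/` step is needed again. Also, "Beide Container laufen als UID `1000:1000`" is now only true after the privilege drop, so a qualifier such as "laufen letztlich als UID `1000:1000`" would be more exact.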
@ -3,7 +3,8 @@ services:
|
||||||
build: .
|
build: .
|
||||||
container_name: simple-file-upload
|
container_name: simple-file-upload
|
||||||
restart: unless-stopped
|
restart: unless-stopped
|
||||||
user: "1000:1000"
|
# No `user:` here — entrypoint.sh starts as root, chowns the bind mounts
|
||||||
|
# to UID 1000, then drops privileges via gosu before running node.
|
||||||
ports:
|
ports:
|
||||||
- "${APP_PORT:-3500}:3000" # Web (Upload + Admin)
|
- "${APP_PORT:-3500}:3000" # Web (Upload + Admin)
|
||||||
environment:
|
environment:
|
||||||
|
|
|
||||||
|
|
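Review bot: removing `user: "1000:1000"` gives the container full root capabilities for the window before gosu runs; consider pairing the new comment with `cap_drop: [ALL]` and a small `cap_add` list (roughly `CHOWN`, `DAC_OVERRIDE`, `SETUID`, `SETGID`) so the root phase can only do what the entrypoint needs (mkdir, chown, switch UID), plus `security_opt: ["no-new-privileges:true"]`, which does not interfere with gosu because it drops privileges with setuid/setgid syscalls rather than a setuid binary. The comment itself is good; keep it in sync with the entrypoint if the UID ever becomes configurable.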
@ -0,0 +1,11 @@
|
||||||
|
#!/bin/sh
|
||||||
|
set -e
|
||||||
|
|
||||||
|
# Wenn die Bind-Mounts (data/db, data/uploads, data/logo) auf dem Host noch
|
||||||
|
# nicht existieren, legt Docker sie als root an — der App-Prozess (UID 1000)
|
||||||
|
# könnte dann nicht reinschreiben ("readonly database"). Das fangen wir hier ab.
|
||||||
|
mkdir -p /data/db /data/uploads /data/logo /webdav-config
|
||||||
|
chown -R 1000:1000 /data /webdav-config 2>/dev/null || true
|
||||||
|
|
||||||
|
# Privilegien fallen lassen und das eigentliche Kommando als UID 1000 ausführen.
|
||||||
|
exec gosu 1000:1000 "$@"
|
||||||
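Review bot: `chown -R 1000:1000 /data /webdav-config 2>/dev/null || true` hides exactly the failure this commit is meant to fix: if the chown cannot be applied (rootless Docker, a read-only or user-mapped mount, a missing CAP_CHOWN), the script continues and node later fails with the same "readonly database" error, now with nothing in the logs to explain it. Either let `set -e` do its job by dropping `2>/dev/null || true`, or at least print a warning to stderr when the chown fails. Two smaller points: `-R` walks the whole upload tree on every start, which gets slow for a large `data/uploads` and silently rewrites ownership of anything a user placed there on purpose; limiting the recursion to the top-level directories, or running it only when `stat -c %u /data/db` is not already 1000, keeps the fix cheap. And `gosu 1000:1000` hardcodes the UID the README documents; if it becomes configurable (PUID/PGID style), the chown and the gosu line must use the same variable.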