fix: prepare runs volume before dropping privileges

2026-05-17 05:11:20 +02:00
parent f3c9331718
commit c2d572e6f5
2 changed files with 19 additions and 1 deletions
--- a/5
+++ b/5
@@ -2,6 +2,8 @@ FROM node:22-alpine
 WORKDIR /app
 RUN apk add --no-cache su-exec
 # Copy package files first for better layer caching
 COPY package*.json ./
 RUN npm ci --omit=dev
@@ -9,6 +11,7 @@ RUN npm ci --omit=dev
 # Copy source
 COPY . .
 RUN mkdir -p /app/runs /app/runs/memory /app/runs/memory/cold && chown -R node:node /app
 RUN chmod +x /app/docker-entrypoint.sh
 # Default port (override with -e PORT=xxxx)
 EXPOSE 3117
@@ -20,5 +23,5 @@ ENV PORT=3117 \
 HEALTHCHECK --interval=60s --timeout=10s --start-period=45s --retries=3 \
  CMD node -e "fetch('http://127.0.0.1:'+(process.env.PORT||3117)+'/api/health').then(r=>{if(![200,503].includes(r.status))process.exit(1);return r.json()}).then(j=>{if(['error'].includes(j.status))process.exit(1)}).catch(()=>process.exit(1))"
-USER node
+ENTRYPOINT ["/app/docker-entrypoint.sh"]
 CMD ["node", "server.mjs"]
--- a/docker-entrypoint.sh
+++ b/docker-entrypoint.sh
@@ -0,0 +1,15 @@
 #!/bin/sh
 set -eu
 mkdir -p /app/runs/memory/cold
 if chown -R node:node /app/runs 2>/dev/null; then
  exec su-exec node "$@"
 fi
 if su-exec node sh -c 'test -w /app/runs && test -w /app/runs/memory'; then
  exec su-exec node "$@"
 fi
 echo "[entrypoint] WARNING: /app/runs is not writable by user node; starting as root for this bind mount." >&2
 exec "$@"