fix(docker): resolve /app/data permission denied on volume mounts

Docker named volumes and host bind-mounts may be owned by root, causing "open data/model_pricing.sha256: permission denied" when the container runs as the non-root sub2api user. Add an entrypoint script that fixes /app/data ownership before dropping to sub2api via su-exec. Replace USER directive with the entrypoint approach across all three Dockerfiles and update both GoReleaser configs to include the script in Docker build contexts.
2026-04-02 22:42:14 +08:00 · 2026-03-16 19:52:14 +08:00
parent 594a0ade38
commit aa5846b282
6 changed files with 53 additions and 10 deletions
--- a/deploy/Dockerfile
+++ b/deploy/Dockerfile
@@ -82,6 +82,7 @@ RUN apk add --no-cache \
    ca-certificates \
    tzdata \
    curl \
+    su-exec \
    && rm -rf /var/cache/apk/*

 # Create non-root user
@@ -97,8 +98,9 @@ COPY --from=backend-builder /app/sub2api /app/sub2api
 # Create data directory
 RUN mkdir -p /app/data && chown -R sub2api:sub2api /app

-# Switch to non-root user
-USER sub2api
+# Copy entrypoint script (fixes volume permissions then drops to sub2api)
+COPY deploy/docker-entrypoint.sh /app/docker-entrypoint.sh
+RUN chmod +x /app/docker-entrypoint.sh

 # Expose port (can be overridden by SERVER_PORT env var)
 EXPOSE 8080
@@ -107,5 +109,6 @@ EXPOSE 8080
 HEALTHCHECK --interval=30s --timeout=10s --start-period=10s --retries=3 \
    CMD wget -q -T 5 -O /dev/null http://localhost:${SERVER_PORT:-8080}/health || exit 1

-# Run the application
-ENTRYPOINT ["/app/sub2api"]
+# Run the application (entrypoint fixes /app/data ownership then execs as sub2api)
+ENTRYPOINT ["/app/docker-entrypoint.sh"]
+CMD ["/app/sub2api"]
--- a/deploy/docker-entrypoint.sh
+++ b/deploy/docker-entrypoint.sh
@@ -0,0 +1,22 @@
+#!/bin/sh
+set -e
+
+# Fix data directory permissions when running as root.
+# Docker named volumes / host bind-mounts may be owned by root,
+# preventing the non-root sub2api user from writing files.
+if [ "$(id -u)" = "0" ]; then
+    mkdir -p /app/data
+    chown -R sub2api:sub2api /app/data
+    # Re-invoke this script as sub2api so the flag-detection below
+    # also runs under the correct user.
+    exec su-exec sub2api "$0" "$@"
+fi
+
+# Compatibility: if the first arg looks like a flag (e.g. --help),
+# prepend the default binary so it behaves the same as the old
+# ENTRYPOINT ["/app/sub2api"] style.
+if [ "${1#-}" != "$1" ]; then
+    set -- /app/sub2api "$@"
+fi
+
+exec "$@"