fix(docker): resolve /app/data permission denied on volume mounts

Docker named volumes and host bind-mounts may be owned by root, causing "open data/model_pricing.sha256: permission denied" when the container runs as the non-root sub2api user. Add an entrypoint script that fixes /app/data ownership before dropping to sub2api via su-exec. Replace USER directive with the entrypoint approach across all three Dockerfiles and update both GoReleaser configs to include the script in Docker build contexts.
2026-04-12 10:54:45 +08:00 · 2026-03-16 19:52:14 +08:00
parent 594a0ade38
commit aa5846b282
6 changed files with 53 additions and 10 deletions
--- a/deploy/docker-entrypoint.sh
+++ b/deploy/docker-entrypoint.sh
@@ -0,0 +1,22 @@
+#!/bin/sh
+set -e
+
+# Fix data directory permissions when running as root.
+# Docker named volumes / host bind-mounts may be owned by root,
+# preventing the non-root sub2api user from writing files.
+if [ "$(id -u)" = "0" ]; then
+    mkdir -p /app/data
+    chown -R sub2api:sub2api /app/data
+    # Re-invoke this script as sub2api so the flag-detection below
+    # also runs under the correct user.
+    exec su-exec sub2api "$0" "$@"
+fi
+
+# Compatibility: if the first arg looks like a flag (e.g. --help),
+# prepend the default binary so it behaves the same as the old
+# ENTRYPOINT ["/app/sub2api"] style.
+if [ "${1#-}" != "$1" ]; then
+    set -- /app/sub2api "$@"
+fi
+
+exec "$@"