fix: add docker-entrypoint.sh to image and set as ENTRYPOINT

claude · claude · commit 5749ed280d07 · 2026-03-10T14:26:28.000Z
The entrypoint script was in the repo but not copied into the Docker image, causing "executable file not found" on container start. Now the Dockerfile installs su-exec, copies the entrypoint, and uses it to fix bind-mount permissions as root before dropping to the chronicle user. Removes compose user: directive since the entrypoint handles it. https://claude.ai/code/session_0153nX7vQSjEFPpZTgZdDmu5
diff --git a/Dockerfile b/Dockerfile
@@ -42,8 +42,9 @@ RUN CGO_ENABLED=0 GOOS=linux go build -o /chronicle ./cmd/server
 # --- Stage 3: Runtime ---
 FROM alpine:3.20
 
-# Install CA certificates for HTTPS calls (if needed) and timezone data.
-RUN apk add --no-cache ca-certificates tzdata
+# Install CA certificates for HTTPS calls, timezone data, and su-exec for
+# dropping privileges in the entrypoint.
+RUN apk add --no-cache ca-certificates tzdata su-exec
 
 # Create non-root user for runtime security.
 RUN adduser -D -H -s /sbin/nologin chronicle
@@ -64,8 +65,10 @@ RUN mkdir -p /app/data/media && chown -R chronicle:chronicle /app/data
 
 WORKDIR /app
 
-# Run as the unprivileged chronicle user.
-USER chronicle
+# Copy entrypoint script that fixes bind-mount permissions, then drops to
+# the unprivileged chronicle user via su-exec.
+COPY docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh
+RUN chmod +x /usr/local/bin/docker-entrypoint.sh
 
 # The Go binary serves HTTP directly on this port.
 EXPOSE 8080
@@ -74,5 +77,7 @@ EXPOSE 8080
 HEALTHCHECK --interval=30s --timeout=5s --start-period=10s --retries=3 \
     CMD wget -qO- http://localhost:8080/healthz || exit 1
 
-# Run the Chronicle server.
+# Container starts as root; the entrypoint fixes permissions then exec's
+# the server as the chronicle user.
+ENTRYPOINT ["docker-entrypoint.sh"]
 CMD ["chronicle"]
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -20,9 +20,6 @@ services:
       context: .
       dockerfile: Dockerfile
     container_name: chronicle
-    # Match the host directory owner for bind-mount permissions.
-    # Set PUID/PGID as environment variables (default: 1000).
-    user: "${PUID:-1000}:${PGID:-1000}"
     ports:
       - "8080:8080"
     restart: unless-stopped
