Fix media directory permission denied on bind mounts

claude · claude · commit e89d26008e78 · 2026-03-10T02:40:56.000Z
The container runs as the non-root "chronicle" user, but when /app/data is a bind mount the host directory ownership (root:root) takes precedence over the Dockerfile's chown. Add a docker-entrypoint.sh that runs as root to fix ownership of /app/data, then drops to the chronicle user via su-exec before starting the server. https://claude.ai/code/session_0153nX7vQSjEFPpZTgZdDmu5
diff --git a/Dockerfile b/Dockerfile
@@ -42,8 +42,9 @@ RUN CGO_ENABLED=0 GOOS=linux go build -o /chronicle ./cmd/server
 # --- Stage 3: Runtime ---
 FROM alpine:3.20
 
-# Install CA certificates for HTTPS calls (if needed) and timezone data.
-RUN apk add --no-cache ca-certificates tzdata
+# Install CA certificates for HTTPS calls (if needed), timezone data, and
+# su-exec for dropping privileges in the entrypoint.
+RUN apk add --no-cache ca-certificates tzdata su-exec
 
 # Create non-root user for runtime security.
 RUN adduser -D -H -s /sbin/nologin chronicle
@@ -62,10 +63,16 @@ COPY --from=builder /src/db/migrations /app/db/migrations
 # Mount a volume at /app/data to persist media across container rebuilds.
 RUN mkdir -p /app/data/media && chown -R chronicle:chronicle /app/data
 
+# Copy entrypoint script that fixes bind-mount permissions before dropping to
+# the non-root chronicle user.
+COPY docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh
+RUN chmod +x /usr/local/bin/docker-entrypoint.sh
+
 WORKDIR /app
 
-# Run as non-root user.
-USER chronicle
+# Container starts as root so the entrypoint can fix bind-mount ownership,
+# then drops to the chronicle user via su-exec.
+ENTRYPOINT ["docker-entrypoint.sh"]
 
 # The Go binary serves HTTP directly on this port.
 EXPOSE 8080
diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh
@@ -0,0 +1,15 @@
+#!/bin/sh
+# docker-entrypoint.sh -- fix bind-mount permissions, then drop to non-root.
+#
+# When /app/data is a bind mount, the host directory's ownership may not match
+# the container's "chronicle" user. This script runs as root to ensure the data
+# directory is writable, then exec's the server as the unprivileged user.
+
+set -e
+
+# Ensure the media subdirectory exists and is owned by chronicle.
+mkdir -p /app/data/media
+chown -R chronicle:chronicle /app/data
+
+# Drop privileges and exec the main process.
+exec su-exec chronicle "$@"
