Patrick/medassist-ng
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(docker): enhance entrypoint script with gosu for privilege handling and improve healthcheck command

Browse Source
This commit is contained in:
Daniel Volz
2025-12-27 12:48:19 +01:00
parent bedf90d316
commit f7bad32d68
3 changed files with 38 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files
backend/Dockerfile
+4 -1
View File
@@ -36,7 +36,10 @@ FROM node:22-slim AS runner
WORKDIR /app
# node:22-slim already has user 'node' with UID 1000 - we'll use that
# Install gosu for reliable privilege dropping
RUN apt-get update && apt-get install -y --no-install-recommends gosu \
&& rm -rf /var/lib/apt/lists/* \
&& gosu nobody true
# Copy built application
COPY --from=builder /app/node_modules ./node_modules
backend/docker-entrypoint.sh
+32 -1
View File
@@ -5,9 +5,40 @@ set -e
PUID=${PUID:-1000}
PGID=${PGID:-1000}
echo "[entrypoint] Starting with PUID=$PUID, PGID=$PGID"
# Ensure data directory exists and has correct ownership
mkdir -p /app/data
echo "[entrypoint] Created /app/data"
chown -R "$PUID:$PGID" /app/data
echo "[entrypoint] Set ownership of /app/data to $PUID:$PGID"
# Check if we can write to data directory
if touch /app/data/.write-test 2>/dev/null; then
rm -f /app/data/.write-test
echo "[entrypoint] Write test passed"
else
echo "[entrypoint] ERROR: Cannot write to /app/data"
ls -la /app/
exit 1
fi
# Execute the main command as the specified user
exec runuser -u "#$PUID" -- "$@"
# Try different methods for dropping privileges
if command -v gosu >/dev/null 2>&1; then
echo "[entrypoint] Using gosu"
exec gosu "$PUID:$PGID" "$@"
elif command -v su-exec >/dev/null 2>&1; then
echo "[entrypoint] Using su-exec"
exec su-exec "$PUID:$PGID" "$@"
else
echo "[entrypoint] Using su"
# Create a temporary user with the specified UID if it doesn't exist
if ! id -u "$PUID" >/dev/null 2>&1; then
echo "[entrypoint] UID $PUID doesn't exist, running as node user"
exec su -s /bin/sh node -c "exec $*"
else
exec su -s /bin/sh "#$PUID" -c "exec $*"
fi
fi
docker-compose.yml
+2 -2
View File
@@ -20,13 +20,13 @@ services:
# Security options
security_opt:
- no-new-privileges:true
read_only: true
# Note: read_only removed - entrypoint needs to fix permissions at startup
tmpfs:
- /tmp:noexec,nosuid,size=64m
cap_drop:
- ALL
healthcheck:
test: ["CMD", "/nodejs/bin/node", "-e", "fetch('http://localhost:3000/health').then(r => process.exit(r.ok ? 0 : 1)).catch(() => process.exit(1))"]
test: ["CMD", "node", "-e", "fetch('http://localhost:3000/health').then(r => process.exit(r.ok ? 0 : 1)).catch(() => process.exit(1))"]
interval: 30s
timeout: 10s
retries: 3