From f7bad32d686dce5eb13c1baaaa58535c67f912f0 Mon Sep 17 00:00:00 2001
From: Daniel Volz
Date: Sat, 27 Dec 2025 12:48:19 +0100
Subject: [PATCH] feat(docker): enhance entrypoint script with gosu for privilege handling and improve healthcheck command
---
backend/Dockerfile | 5 ++++-
backend/docker-entrypoint.sh | 33 ++++++++++++++++++++++++++++++++-
docker-compose.yml | 4 ++--
3 files changed, 38 insertions(+), 4 deletions(-)
diff --git a/backend/Dockerfile b/backend/Dockerfile
index 6539b9a..6546273 100644
--- a/backend/Dockerfile
+++ b/backend/Dockerfile
@@ -36,7 +36,10 @@ FROM node:22-slim AS runner
 WORKDIR /app
-# node:22-slim already has user 'node' with UID 1000 - we'll use that
+# Install gosu for reliable privilege dropping
+RUN apt-get update && apt-get install -y --no-install-recommends gosu \
+ && rm -rf /var/lib/apt/lists/* \
+ && gosu nobody true
 # Copy built application
 COPY --from=builder /app/node_modules ./node_modules
diff --git a/backend/docker-entrypoint.sh b/backend/docker-entrypoint.sh
index fb08577..b6c1b9f 100644
--- a/backend/docker-entrypoint.sh
+++ b/backend/docker-entrypoint.sh
@@ -5,9 +5,40 @@ set -e
 PUID=${PUID:-1000}
 PGID=${PGID:-1000}
+echo "[entrypoint] Starting with PUID=$PUID, PGID=$PGID"
+
 # Ensure data directory exists and has correct ownership
 mkdir -p /app/data
+echo "[entrypoint] Created /app/data"
+
 chown -R "$PUID:$PGID" /app/data
+echo "[entrypoint] Set ownership of /app/data to $PUID:$PGID"
+
+# Check if we can write to data directory
+if touch /app/data/.write-test 2>/dev/null; then
+ rm -f /app/data/.write-test
+ echo "[entrypoint] Write test passed"
+else
+ echo "[entrypoint] ERROR: Cannot write to /app/data"
+ ls -la /app/
+ exit 1
+fi
 # Execute the main command as the specified user
-exec runuser -u "#$PUID" -- "$@"
+# Try different methods for dropping privileges
+if command -v gosu >/dev/null 2>&1; then
+ echo "[entrypoint] Using gosu"
+ exec gosu "$PUID:$PGID" "$@"
+elif command -v su-exec >/dev/null 2>&1; then
+ echo "[entrypoint] Using su-exec"
+ exec su-exec "$PUID:$PGID" "$@"
+else
+ echo "[entrypoint] Using su"
+ # Create a temporary user with the specified UID if it doesn't exist
+ if ! id -u "$PUID" >/dev/null 2>&1; then
+ echo "[entrypoint] UID $PUID doesn't exist, running as node user"
+ exec su -s /bin/sh node -c "exec $*"
+ else
+ exec su -s /bin/sh "#$PUID" -c "exec $*"
+ fi
+fi
diff --git a/docker-compose.yml b/docker-compose.yml
index 3602f43..061bea2 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -20,13 +20,13 @@ services:
 # Security options
 security_opt:
 - no-new-privileges:true
- read_only: true
+ # Note: read_only removed - entrypoint needs to fix permissions at startup
 tmpfs:
 - /tmp:noexec,nosuid,size=64m
 cap_drop:
 - ALL
 healthcheck:
- test: ["CMD", "/nodejs/bin/node", "-e", "fetch('http://localhost:3000/health').then(r => process.exit(r.ok ? 0 : 1)).catch(() => process.exit(1))"]
+ test: ["CMD", "node", "-e", "fetch('http://localhost:3000/health').then(r => process.exit(r.ok ? 0 : 1)).catch(() => process.exit(1))"]
 interval: 30s
 timeout: 10s
 retries: 3
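Review bot: The `su` fallback at the end of the hunk re-parses the command line: `-c "exec $*"` joins all arguments into one string that /bin/sh splits and evaluates again, so an argument containing spaces, quotes or `$` is mangled, and any argument that is not fully trusted becomes a shell injection executed as the target user. Pass the words through as positional parameters instead, `exec su -s /bin/sh -c 'exec "$@"' node -- sh "$@"` (and likewise for the `"#$PUID"` branch), which I believe util-linux su forwards to the shell as `$0 $1 …`; since the Dockerfile in this same commit installs gosu, these branches are also unreachable in this image and could simply be dropped. The write test above runs before privileges are dropped, so it only shows that the entrypoint's own user (root, judging by the `chown`) can write /app/data, not that `$PUID` can; either run the `touch` through the same gosu path or say so in the comment, e.g. `# Sanity check: runs as root, only proves the mount is writable`. The `id -u` branch also silently runs the service as `node` right after /app/data was chowned to `$PUID:$PGID`, which may leave the service unable to write its own data directory whenever PUID is not 1000.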
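Review bot: Removing `read_only: true` probably does not address the startup failure the new comment describes, because the `cap_drop: - ALL` kept a few lines below still strips CAP_CHOWN, CAP_SETUID and CAP_SETGID from the container's root process, and as far as I can tell both `chown -R` and `exec gosu` in the new entrypoint need those capabilities and will fail with "Operation not permitted". Volumes and bind mounts stay writable under `read_only: true`, so if /app/data is a mounted volume (not visible in this hunk) that hardening can be restored rather than dropped. The narrowest change is `cap_add: [CHOWN, SETUID, SETGID]` next to the existing `cap_drop`, keeping `no-new-privileges` and `read_only: true`; better still, set `user: "${PUID:-1000}:${PGID:-1000}"` and fix the volume's ownership outside the container so the entrypoint never needs to run as root at all.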