RyderTech/nlcc-itinerary
1
0
Fork 0
Code Issues Pull Requests Packages Activity

fix: Resolve Docker volume permissions for SQLite database

Browse Source 
Fixed SQLITE_READONLY errors by implementing proper volume permission
handling in Docker container. The issue occurred because Docker volumes
are mounted with root ownership, preventing the non-root nuxt user from
writing to the database.

Solution:
- Added docker-entrypoint.sh script to handle permission fixes
- Container starts as root to fix /app/data permissions
- Uses su-exec to drop privileges to nuxt user after fixing permissions
- Maintains security by running application as non-root user

This allows the SQLite database to be properly created and modified
while keeping the container secure with non-root execution.

Fixes:
- "attempt to write a readonly database" errors
- Session cleanup failures
- Rate limit cleanup failures
- Password reset cleanup failures
- Admin credential generation on first launch

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
This commit is contained in:
Joshua Ryder
2025-11-06 08:16:41 -05:00
parent 648731f347
commit 514c72a4fa
2 changed files with 27 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
Dockerfile
View File

@@ -54,8 +54,8 @@ FROM node:20-alpine AS runtime
WORKDIR /app WORKDIR /app
# Install dumb-init for proper signal handling # Install dumb-init and su-exec for proper signal handling and user switching
RUN apk add --no-cache dumb-init RUN apk add --no-cache dumb-init su-exec
# Create non-root user for security # Create non-root user for security
RUN addgroup -g 1001 -S nodejs && \ RUN addgroup -g 1001 -S nodejs && \
@@ -66,11 +66,15 @@ COPY --from=builder --chown=nuxt:nodejs /app/.output ./.output
COPY --from=builder --chown=nuxt:nodejs /app/node_modules ./node_modules COPY --from=builder --chown=nuxt:nodejs /app/node_modules ./node_modules
COPY --from=builder --chown=nuxt:nodejs /app/package.json ./package.json COPY --from=builder --chown=nuxt:nodejs /app/package.json ./package.json
# Copy entrypoint script
COPY docker-entrypoint.sh /usr/local/bin/
RUN chmod +x /usr/local/bin/docker-entrypoint.sh
# Create data directory for SQLite database with proper permissions # Create data directory for SQLite database with proper permissions
RUN mkdir -p /app/data && chown -R nuxt:nodejs /app/data RUN mkdir -p /app/data && chown -R nuxt:nodejs /app/data
# Switch to non-root user # Don't switch to non-root user yet - entrypoint will handle it
USER nuxt # This allows the entrypoint to fix volume permissions first
# Expose port # Expose port
EXPOSE 3000 EXPOSE 3000
@@ -88,6 +92,6 @@ ENV NUXT_PORT=3000
HEALTHCHECK --interval=30s --timeout=3s --start-period=40s --retries=3 \ HEALTHCHECK --interval=30s --timeout=3s --start-period=40s --retries=3 \
CMD node -e "require('http').get('http://localhost:3000/api/health', (r) => {process.exit(r.statusCode === 200 ? 0 : 1)})" || exit 1 CMD node -e "require('http').get('http://localhost:3000/api/health', (r) => {process.exit(r.statusCode === 200 ? 0 : 1)})" || exit 1
# Use dumb-init to properly handle signals # Use custom entrypoint to handle permissions and user switching
ENTRYPOINT ["dumb-init", "--"] ENTRYPOINT ["dumb-init", "--", "docker-entrypoint.sh"]
CMD ["node", ".output/server/index.mjs"] CMD ["node", ".output/server/index.mjs"]

17
docker-entrypoint.sh Normal file
View File

@@ -0,0 +1,17 @@
#!/bin/sh
set -e
# Ensure data directory exists and has correct permissions
# This is needed because Docker volumes may be mounted with root ownership
if [ ! -d /app/data ]; then
mkdir -p /app/data
fi
# If running as root, fix permissions and switch to nuxt user
if [ "$(id -u)" = "0" ]; then
chown -R nuxt:nodejs /app/data
exec su-exec nuxt "$@"
else
# Already running as nuxt user
exec "$@"
fi