From a4ee9c867c99c7d59d01ca4497c527fb46dbc389 Mon Sep 17 00:00:00 2001 From: chrislu Date: Fri, 7 Nov 2025 23:13:49 -0800 Subject: [PATCH] docker: fix /data ownership and permission --- docker/Dockerfile.go_build | 6 ++---- docker/Dockerfile.local | 6 ++---- docker/Dockerfile.rocksdb_large | 6 ++---- docker/Dockerfile.rocksdb_large_local | 6 ++---- docker/entrypoint.sh | 12 ++++++++++++ 5 files changed, 20 insertions(+), 16 deletions(-) diff --git a/docker/Dockerfile.go_build b/docker/Dockerfile.go_build index a803eb925..681c76cb5 100644 --- a/docker/Dockerfile.go_build +++ b/docker/Dockerfile.go_build @@ -17,7 +17,7 @@ COPY --from=builder /go/src/github.com/seaweedfs/seaweedfs/docker/filer.toml /et COPY --from=builder /go/src/github.com/seaweedfs/seaweedfs/docker/entrypoint.sh /entrypoint.sh # Install dependencies and create non-root user -RUN apk add --no-cache fuse && \ +RUN apk add --no-cache fuse su-exec && \ addgroup -g 1000 seaweed && \ adduser -D -u 1000 -G seaweed seaweed @@ -47,7 +47,5 @@ RUN mkdir -p /data/filerldb2 && \ VOLUME /data WORKDIR /data -# Switch to non-root user -USER seaweed - +# Entrypoint will handle permission fixes and user switching ENTRYPOINT ["/entrypoint.sh"] diff --git a/docker/Dockerfile.local b/docker/Dockerfile.local index a77db0645..062db4d84 100644 --- a/docker/Dockerfile.local +++ b/docker/Dockerfile.local @@ -8,7 +8,7 @@ COPY ./filer.toml /etc/seaweedfs/filer.toml COPY ./entrypoint.sh /entrypoint.sh # Install dependencies and create non-root user -RUN apk add --no-cache fuse curl && \ +RUN apk add --no-cache fuse curl su-exec && \ addgroup -g 1000 seaweed && \ adduser -D -u 1000 -G seaweed seaweed @@ -38,7 +38,5 @@ RUN mkdir -p /data/filerldb2 && \ VOLUME /data WORKDIR /data -# Switch to non-root user -USER seaweed - +# Entrypoint will handle permission fixes and user switching ENTRYPOINT ["/entrypoint.sh"] diff --git a/docker/Dockerfile.rocksdb_large b/docker/Dockerfile.rocksdb_large index 32b5db6b4..1a86b3368 100644 
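Review bot: With `USER seaweed` removed in the second hunk of docker/Dockerfile.go_build, the image's default user becomes root, and the privilege drop depends entirely on /entrypoint.sh being the process that starts. Anything that bypasses it, such as `docker exec` or an overridden `--entrypoint`, now runs as root where it previously ran as seaweed. The replacement comment should state this, e.g. `# No USER directive: the container starts as root so entrypoint.sh can chown /data, then re-executes itself as seaweed via su-exec`. The same applies to the matching hunks in Dockerfile.local, Dockerfile.rocksdb_large and Dockerfile.rocksdb_large_local.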
--- a/docker/Dockerfile.rocksdb_large +++ b/docker/Dockerfile.rocksdb_large @@ -34,7 +34,7 @@ COPY --from=builder /go/src/github.com/seaweedfs/seaweedfs/docker/filer_rocksdb. COPY --from=builder /go/src/github.com/seaweedfs/seaweedfs/docker/entrypoint.sh /entrypoint.sh # Install dependencies and create non-root user -RUN apk add --no-cache fuse snappy gflags && \ +RUN apk add --no-cache fuse snappy gflags su-exec && \ addgroup -g 1000 seaweed && \ adduser -D -u 1000 -G seaweed seaweed @@ -65,7 +65,5 @@ VOLUME /data WORKDIR /data -# Switch to non-root user -USER seaweed - +# Entrypoint will handle permission fixes and user switching ENTRYPOINT ["/entrypoint.sh"] diff --git a/docker/Dockerfile.rocksdb_large_local b/docker/Dockerfile.rocksdb_large_local index b68946383..482cfe18e 100644 --- a/docker/Dockerfile.rocksdb_large_local +++ b/docker/Dockerfile.rocksdb_large_local @@ -17,7 +17,7 @@ COPY --from=builder /go/src/github.com/seaweedfs/seaweedfs/docker/filer_rocksdb. COPY --from=builder /go/src/github.com/seaweedfs/seaweedfs/docker/entrypoint.sh /entrypoint.sh # Install dependencies and create non-root user -RUN apk add --no-cache fuse snappy gflags tmux && \ +RUN apk add --no-cache fuse snappy gflags tmux su-exec && \ addgroup -g 1000 seaweed && \ adduser -D -u 1000 -G seaweed seaweed @@ -48,7 +48,5 @@ VOLUME /data WORKDIR /data -# Switch to non-root user -USER seaweed - +# Entrypoint will handle permission fixes and user switching ENTRYPOINT ["/entrypoint.sh"] diff --git a/docker/entrypoint.sh b/docker/entrypoint.sh index 80a7fe586..712230fd4 100755 --- a/docker/entrypoint.sh +++ b/docker/entrypoint.sh 
@@ -1,5 +1,17 @@ #!/bin/sh +# Fix permissions for mounted volumes +# If /data is mounted from host, it might have different ownership +# Fix this by ensuring seaweed user owns the directory +if [ "$(id -u)" = "0" ]; then + # Running as root, fix permissions and switch to seaweed user + echo "Fixing /data ownership for seaweed user (uid=$(id -u seaweed), gid=$(id -g seaweed))" + chown -R seaweed:seaweed /data 2>/dev/null || true + # Use su-exec to drop privileges and run as seaweed user + export SEAWEED_USER=1 + exec su-exec seaweed "$0" "$@" +fi + isArgPassed() { arg="$1" argWithEqualSign="$1="
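Review bot: The added `chown -R seaweed:seaweed /data 2>/dev/null || true` runs as root on every container start, over a tree the image does not control, and hides every failure. Without `-h`, chown may act on the target of a symlink found under /data rather than on the link itself (worth confirming for the BusyBox build in this image), so ownership of a file outside /data could be handed to seaweed. When the chown fails, for instance on a read-only or root-squashed mount, the script continues silently and the later permission error has no visible cause. I would pass `-h`, skip the walk when /data already has the right owner, and print a warning on failure, as below; the top-level owner check is a trade-off that misses mismatched files deeper in the tree. `SEAWEED_USER` is exported but not read anywhere in this hunk, and the rest of entrypoint.sh lies outside it.

```shell
if [ "$(id -u)" = "0" ]; then
  # Skip the recursive walk when the mount point already belongs to seaweed
  if [ "$(stat -c %u /data)" != "$(id -u seaweed)" ]; then
    echo "Fixing /data ownership for seaweed user (uid=$(id -u seaweed), gid=$(id -g seaweed))"
    # -h: change a symlink itself, never the file it points to
    chown -Rh seaweed:seaweed /data ||
      echo "warning: could not change ownership of /data; continuing" >&2
  fi
  # … unchanged: export SEAWEED_USER and exec su-exec seaweed "$0" "$@" …
```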