docker: fix /data ownership and permission

4 weeks ago · a4ee9c867c
5 changed files with 20 additions and 16 deletions
--- a/docker/Dockerfile.go_build
+++ b/docker/Dockerfile.go_build
@ -17,7 +17,7 @@ COPY --from=builder /go/src/github.com/seaweedfs/seaweedfs/docker/filer.toml /et
 COPY --from=builder /go/src/github.com/seaweedfs/seaweedfs/docker/entrypoint.sh /entrypoint.sh

 # Install dependencies and create non-root user
-RUN apk add --no-cache fuse && \
+RUN apk add --no-cache fuse su-exec && \
    addgroup -g 1000 seaweed && \
    adduser -D -u 1000 -G seaweed seaweed

@ -47,7 +47,5 @@ RUN mkdir -p /data/filerldb2 && \
 VOLUME /data
 WORKDIR /data

-# Switch to non-root user
-USER seaweed
-
+# Entrypoint will handle permission fixes and user switching
 ENTRYPOINT ["/entrypoint.sh"]
--- a/docker/Dockerfile.local
+++ b/docker/Dockerfile.local
@ -8,7 +8,7 @@ COPY ./filer.toml /etc/seaweedfs/filer.toml
 COPY ./entrypoint.sh /entrypoint.sh

 # Install dependencies and create non-root user
-RUN apk add --no-cache fuse curl && \
+RUN apk add --no-cache fuse curl su-exec && \
    addgroup -g 1000 seaweed && \
    adduser -D -u 1000 -G seaweed seaweed

@ -38,7 +38,5 @@ RUN mkdir -p /data/filerldb2 && \
 VOLUME /data
 WORKDIR /data

-# Switch to non-root user
-USER seaweed
-
+# Entrypoint will handle permission fixes and user switching
 ENTRYPOINT ["/entrypoint.sh"]
--- a/docker/Dockerfile.rocksdb_large
+++ b/docker/Dockerfile.rocksdb_large
@ -34,7 +34,7 @@ COPY --from=builder /go/src/github.com/seaweedfs/seaweedfs/docker/filer_rocksdb.
 COPY --from=builder /go/src/github.com/seaweedfs/seaweedfs/docker/entrypoint.sh /entrypoint.sh

 # Install dependencies and create non-root user
-RUN apk add --no-cache fuse snappy gflags && \
+RUN apk add --no-cache fuse snappy gflags su-exec && \
    addgroup -g 1000 seaweed && \
    adduser -D -u 1000 -G seaweed seaweed

@ -65,7 +65,5 @@ VOLUME /data

 WORKDIR /data

-# Switch to non-root user
-USER seaweed
-
+# Entrypoint will handle permission fixes and user switching
 ENTRYPOINT ["/entrypoint.sh"]
--- a/docker/Dockerfile.rocksdb_large_local
+++ b/docker/Dockerfile.rocksdb_large_local
@ -17,7 +17,7 @@ COPY --from=builder /go/src/github.com/seaweedfs/seaweedfs/docker/filer_rocksdb.
 COPY --from=builder /go/src/github.com/seaweedfs/seaweedfs/docker/entrypoint.sh /entrypoint.sh

 # Install dependencies and create non-root user
-RUN apk add --no-cache fuse snappy gflags tmux && \
+RUN apk add --no-cache fuse snappy gflags tmux su-exec && \
    addgroup -g 1000 seaweed && \
    adduser -D -u 1000 -G seaweed seaweed

@ -48,7 +48,5 @@ VOLUME /data

 WORKDIR /data

-# Switch to non-root user
-USER seaweed
-
+# Entrypoint will handle permission fixes and user switching
 ENTRYPOINT ["/entrypoint.sh"]
--- a/docker/entrypoint.sh
+++ b/docker/entrypoint.sh
@ -1,5 +1,17 @@
 #!/bin/sh

+# Fix permissions for mounted volumes
+# If /data is mounted from host, it might have different ownership
+# Fix this by ensuring seaweed user owns the directory
+if [ "$(id -u)" = "0" ]; then
+  # Running as root, fix permissions and switch to seaweed user
+  echo "Fixing /data ownership for seaweed user (uid=$(id -u seaweed), gid=$(id -g seaweed))"
+  chown -R seaweed:seaweed /data 2>/dev/null || true
+  # Use su-exec to drop privileges and run as seaweed user
+  export SEAWEED_USER=1
+  exec su-exec seaweed "$0" "$@"
+fi
+
 isArgPassed() {
  arg="$1"
  argWithEqualSign="$1="