From 29e69335050204144d3d7e8b41121967b3ad02a8 Mon Sep 17 00:00:00 2001 From: Josh Wright Date: Sun, 19 Apr 2026 10:21:37 -0400 Subject: [PATCH] Fix EACCES on bind-mounted /app/data Bind mounts override the image's chown, so the container's nextjs user (uid 1001) couldn't write to /app/data when it was mounted from a host dir owned by someone else. Start as root, fix ownership in an entrypoint, then drop to nextjs via su-exec. Co-Authored-By: Claude Opus 4.7 --- Dockerfile | 10 ++++++++-- docker-entrypoint.sh | 10 ++++++++++ 2 files changed, 18 insertions(+), 2 deletions(-) create mode 100755 docker-entrypoint.sh diff --git a/Dockerfile b/Dockerfile index 47be24b..8069a37 100644 --- a/Dockerfile +++ b/Dockerfile @@ -24,7 +24,8 @@ ENV NEXT_TELEMETRY_DISABLED=1 ENV PORT=3000 ENV HOSTNAME=0.0.0.0 -RUN addgroup --system --gid 1001 nodejs \ +RUN apk add --no-cache su-exec \ + && addgroup --system --gid 1001 nodejs \ && adduser --system --uid 1001 nextjs COPY --from=builder /app/public ./public @@ -33,7 +34,12 @@ COPY --from=builder --chown=nextjs:nodejs /app/.next/static ./.next/static RUN mkdir -p /app/data && chown nextjs:nodejs /app/data -USER nextjs +COPY docker-entrypoint.sh /usr/local/bin/ +RUN chmod +x /usr/local/bin/docker-entrypoint.sh + +# Stay as root so the entrypoint can fix bind-mount ownership, then drop +# privileges via su-exec before launching the server. EXPOSE 3000 VOLUME ["/app/data"] +ENTRYPOINT ["docker-entrypoint.sh"] CMD ["node", "server.js"] diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh new file mode 100755 index 0000000..8d1428b --- /dev/null +++ b/docker-entrypoint.sh @@ -0,0 +1,10 @@ +#!/bin/sh +set -e + +# /app/data is usually a bind mount from the host, so whatever permissions the +# image set during build don't survive. Fix ownership on boot, then drop root. +if [ -d /app/data ]; then + chown -R nextjs:nodejs /app/data 2>/dev/null || true +fi + +exec su-exec nextjs:nodejs "$@"