fix(nodered): entrypoint runs as root to fix stale /data state, drops to node-red via su-exec
Previous deploy left /data/settings.js as a DIRECTORY (Docker auto-mkdir from a failed bind mount earlier). cp from non-root user then failed with 'Permission denied' writing inside it.

Entrypoint now:
- Detects + rm -rf the stale directory
- Seeds /data/settings.js from /usr/src/bf-settings.js
- Chowns /data to node-red
- exec su-exec node-red:node-red to drop privileges before npm start
parent
7baa1a07f9
commit
f087fdc056
2 changed files with 26 additions and 9 deletions
|
|
@ -23,7 +23,10 @@ RUN cd /usr/src/betterframe-nodes && \
|
||||||
npm install --omit=dev && \
|
npm install --omit=dev && \
|
||||||
chown -R node-red:root /usr/src/betterframe-nodes /usr/src/bf-settings.js
|
chown -R node-red:root /usr/src/betterframe-nodes /usr/src/bf-settings.js
|
||||||
|
|
||||||
USER node-red
|
# Run entrypoint as root so it can fix stale /data state (e.g. /data/settings.js
|
||||||
|
# left as a directory by a previous broken bind mount). Entrypoint drops to
|
||||||
|
# node-red via su-exec before launching the actual server.
|
||||||
|
USER root
|
||||||
|
|
||||||
ENTRYPOINT ["/usr/local/bin/bf-nodered-entrypoint"]
|
ENTRYPOINT ["/usr/local/bin/bf-nodered-entrypoint"]
|
||||||
CMD []
|
CMD []
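Review bot: With `USER root` as the image default, any start that bypasses the entrypoint (an overridden `--entrypoint`, or a `docker exec` session) now runs as root, and the privilege drop depends entirely on `su-exec` being present in the base image, which this hunk does not establish. A build-time check such as `RUN command -v su-exec >/dev/null` ahead of `USER root` would turn a missing binary into a build failure instead of a container that dies at start. The comment above `USER root` could also state that the container is not expected to be started with a non-root `--user`, since the entrypoint's cleanup and the `su-exec` call presumably need root to succeed.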
|
||||||
|
|
|
||||||
|
|
@ -1,16 +1,30 @@
|
||||||
#!/usr/bin/env sh
|
#!/usr/bin/env sh
|
||||||
# Seed /data/settings.js with our BF defaults on first boot.
|
# Seed /data/settings.js on first boot. The /data named volume overlays
|
||||||
# /data is volume-mounted, so the COPY in the Dockerfile gets hidden
|
# anything we COPY into /data during image build, so the file has to be
|
||||||
# unless we plant a copy after the mount comes up.
|
# planted after the volume mounts.
|
||||||
|
#
|
||||||
|
# Runs as root, fixes /data ownership + any stale directories left by
|
||||||
|
# previous bind-mount attempts, then drops to the node-red user.
|
||||||
set -eu
|
set -eu
|
||||||
|
|
||||||
DATA=/data
|
DATA=/data
|
||||||
TPL=/usr/src/bf-settings.js
|
TPL=/usr/src/bf-settings.js
|
||||||
|
TARGET="$DATA/settings.js"
|
||||||
|
|
||||||
if [ ! -f "$DATA/settings.js" ]; then
|
# Clear stale path if a previous broken bind-mount left a directory where
|
||||||
echo "[bf-nodered] seeding $DATA/settings.js from $TPL"
|
# we expect a file.
|
||||||
cp "$TPL" "$DATA/settings.js"
|
if [ -d "$TARGET" ]; then
|
||||||
|
echo "[bf-nodered] $TARGET is a directory (stale bind mount?). Removing."
|
||||||
|
rm -rf "$TARGET"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Exec the upstream nodered entrypoint args verbatim.
|
if [ ! -f "$TARGET" ]; then
|
||||||
exec npm start --cache /data/.npm -- --userDir /data "$@"
|
echo "[bf-nodered] seeding $TARGET from $TPL"
|
||||||
|
cp "$TPL" "$TARGET"
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Ensure the volume + seeded file are owned by node-red.
|
||||||
|
chown -R node-red:root "$DATA" 2>/dev/null || true
|
||||||
|
|
||||||
|
# Drop to the node-red user before launching. The base image ships su-exec.
|
||||||
|
exec su-exec node-red:node-red npm start --cache /data/.npm -- --userDir /data "$@"
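Review bot: The `chown -R node-red:root "$DATA" 2>/dev/null || true` line runs as root over a tree that the node-red user can write, and it hides every failure. Depending on the `chown` implementation in the base image, a symlink placed under /data may be dereferenced, so ownership of a file outside the volume could change on the next start; `chown -Rh node-red:root "$DATA"` keeps the change on the link itself. Dropping `2>/dev/null` and replacing `|| true` with a warning on stderr would make a read-only or root-squashed volume visible in the logs before Node-RED fails to write. Separately, a directory auto-created by Docker is empty, so `rmdir "$TARGET"` in place of `rm -rf "$TARGET"` would clear the stale path without deleting anything a user may have put there.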
|
||||||
|
|
|
||||||