From ba002ea9e6d2394b68b501c2011a4afd7470655d Mon Sep 17 00:00:00 2001 From: DavidHerran Date: Mon, 4 May 2026 18:17:39 -0500 Subject: [PATCH] fix: auto-chown mounted volumes + metadataBase warning MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit THREE FIXES IN ONE SHOT. 1. UPLOAD EACCES (the crashing one) The /app/public/branding upload was failing with EACCES because the folder on the host was created by `debian` (uid 1000) but the container runs as nextjs (uid 1001). Docker bind mounts preserve host ownership, so the container couldn't write into branding/. Fix: introduce a docker-entrypoint.sh that runs the container briefly as root, chowns every public/* mount to uid 1001, runs Prisma migrate deploy, then drops to nextjs via `su-exec`. From now on every deploy self-heals permissions across all asset folders (branding, footage, applications, cases, news, parts, operations-inbox) — even if a future volume gets added with the wrong owner. Dockerfile changes: - Adds `su-exec` package (lightweight gosu equivalent for Alpine) - Removes the static USER directive (entrypoint manages user transitions) - Replaces CMD with an ENTRYPOINT pointing at the new script 2. metadataBase WARNING Server logs were emitting: ⚠ metadataBase property in metadata export is not set ... using "http://localhost:3000" That's the layout's generateMetadata not declaring metadataBase, so Next.js couldn't resolve relative OG/Twitter image URLs to absolute ones. Reading NEXT_PUBLIC_APP_URL (already set in docker-compose env) and feeding it as `metadataBase: new URL(...)` silences the warning and produces correct absolute URLs in social previews. 3. PERMISSIONS DOCS The entrypoint chown is idempotent and silent on non-existent folders, so future volumes added to docker-compose just work. No more "did you sudo chown the new folder" gotchas. DEPLOY (David) cd /opt/flux-srl # one-time fix for the existing branding folder so the next deploy # doesn't have to chown 65MB of data — but the entrypoint now handles # this automatically anyway: sudo chown -R 1001:1001 /opt/flux-srl/public/branding git pull docker compose up -d --build app --- Dockerfile | 18 ++++++++++-------- scripts/docker-entrypoint.sh | 35 +++++++++++++++++++++++++++++++++++ src/app/[locale]/layout.tsx | 6 ++++++ 3 files changed, 51 insertions(+), 8 deletions(-) create mode 100644 scripts/docker-entrypoint.sh diff --git a/Dockerfile b/Dockerfile index 34c42f1..c8a9199 100644 --- a/Dockerfile +++ b/Dockerfile @@ -56,9 +56,10 @@ ENV NODE_ENV=production ENV NEXT_TELEMETRY_DISABLED=1 # vips runtime — required for sharp at runtime, not just build -RUN apk add --no-cache vips +# su-exec — drops privileges from root to nextjs in the entrypoint +RUN apk add --no-cache vips su-exec -# Security: run as non-root user +# Security: run as non-root user (entrypoint chowns volumes as root, then drops) RUN addgroup --system --gid 1001 nodejs RUN adduser --system --uid 1001 nextjs @@ -82,14 +83,15 @@ COPY --from=builder /app/node_modules/.prisma ./node_modules/.prisma # i18n message files (required by next-intl at runtime) COPY --from=builder /app/messages ./messages -USER nextjs - EXPOSE 3000 ENV PORT=3000 ENV HOSTNAME="0.0.0.0" -# Run pending migrations on startup, then boot the Next.js server. -# `migrate deploy` is idempotent — it skips already-applied migrations. -# If the DB is unreachable the container exits and docker-compose retries. -CMD ["sh", "-c", "node ./node_modules/prisma/build/index.js migrate deploy && node server.js"] +# Entrypoint runs briefly as root to chown mounted volumes (fixes EACCES +# on uploads when the host folder owner != container user), runs Prisma +# migrations, then drops to the nextjs user via su-exec. +COPY scripts/docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh +RUN chmod +x /usr/local/bin/docker-entrypoint.sh + +ENTRYPOINT ["/usr/local/bin/docker-entrypoint.sh"] diff --git a/scripts/docker-entrypoint.sh b/scripts/docker-entrypoint.sh new file mode 100644 index 0000000..0a70d15 --- /dev/null +++ b/scripts/docker-entrypoint.sh @@ -0,0 +1,35 @@ +#!/bin/sh +# ───────────────────────────────────────────────────────────────────────────── +# FLUX container entrypoint. +# +# Runs as root briefly so we can: +# 1. Make sure all mounted upload dirs are writable by uid 1001 (nextjs). +# The host folders may have been mkdir'd by another user (debian) and +# docker-compose mounts preserve those permissions, which would lock +# the container out. This single chown fixes it on every start. +# 2. Apply pending Prisma migrations idempotently. +# 3. Hand off to the Next.js server, dropping privileges to nextjs. +# ───────────────────────────────────────────────────────────────────────────── + +set -e + +# Fix ownership on every mounted public/* folder so the container can write. +# Skips silently if a folder doesn't exist or chown isn't permitted. +for dir in \ + /app/public/branding \ + /app/public/footage \ + /app/public/applications \ + /app/public/cases \ + /app/public/news \ + /app/public/parts \ + /app/public/operations-inbox; do + if [ -d "$dir" ]; then + chown -R 1001:1001 "$dir" 2>/dev/null || true + fi +done + +# Run pending migrations (idempotent). +su-exec nextjs node ./node_modules/prisma/build/index.js migrate deploy + +# Boot the Next.js server as the unprivileged user. +exec su-exec nextjs node server.js diff --git a/src/app/[locale]/layout.tsx b/src/app/[locale]/layout.tsx index 207508e..da5b362 100644 --- a/src/app/[locale]/layout.tsx +++ b/src/app/[locale]/layout.tsx @@ -20,9 +20,15 @@ const inter = Inter({ subsets: ["latin"] }); // Dynamic metadata pulls favicon, logos, OG image and theme color from the // SiteSetting CMS. Falls back to defaults when the table is empty. +// +// metadataBase is required so Next.js can resolve relative OG/Twitter image +// URLs to absolute ones — otherwise it warns and falls back to localhost:3000. +const APP_BASE_URL = (process.env.NEXT_PUBLIC_APP_URL || "https://rf-flux.com").replace(/\/$/, ""); + export async function generateMetadata(): Promise { const branding = await getBranding(); return { + metadataBase: new URL(APP_BASE_URL), title: "FLUX | Energy, Directed.", description: "Advanced Radio Frequency Solutions by Patrizio Grando.", icons: {