From c302b1d71999371bd8f0b48bdcdbb9aeec39a2f3 Mon Sep 17 00:00:00 2001
From: Kyle Isom
Date: Thu, 11 Jun 2026 11:14:46 -0700
Subject: [PATCH] docker: drop VOLUME/USER/pre-created dir for rootless podman

The images created /srv/metacrypt and chowned it to a non-root user with VOLUME + USER, which fails to unpack under rootless podman (mkdir /srv/metacrypt: operation not permitted). MCP bind-mounts /srv/metacrypt and runs --user 0:0, so none of that is needed.

Co-Authored-By: Claude Opus 4.8
---
 Dockerfile.api | 18 +++++------------
 Dockerfile.web | 18 ++++++------------
 2 files changed, 11 insertions(+), 25 deletions(-)

diff --git a/Dockerfile.api b/Dockerfile.api
index a136ad2..efc078c 100644
--- a/Dockerfile.api
+++ b/Dockerfile.api
@@ -12,25 +12,17 @@ RUN CGO_ENABLED=0 go build -trimpath -ldflags="-s -w -X main.version=${VERSION}"
 FROM alpine:3.21
-RUN apk add --no-cache ca-certificates tzdata \
- && addgroup -S metacrypt \
- && adduser -S -G metacrypt -h /srv/metacrypt -s /sbin/nologin metacrypt \
- && mkdir -p /srv/metacrypt && chown metacrypt:metacrypt /srv/metacrypt
+RUN apk add --no-cache ca-certificates tzdata
 COPY --from=builder /metacrypt /usr/local/bin/metacrypt
-# /srv/metacrypt is the single volume mount point.
-# It must contain:
- metacrypt.toml — configuration file
- certs/ — TLS certificate and key
- metacrypt.db — created automatically on first run
-VOLUME /srv/metacrypt
-WORKDIR /srv/metacrypt
+# /srv/metacrypt (config, certs/, metacrypt.db) is bind-mounted at runtime by
+# MCP. No VOLUME / pre-created dir / USER — the agent supplies --user 0:0, so
+# the image unpacks and runs cleanly under rootless podman.
+WORKDIR /
 EXPOSE 8443
 EXPOSE 9443
-USER metacrypt
-
 ENTRYPOINT ["metacrypt"]
 CMD ["server", "--config", "/srv/metacrypt/metacrypt.toml"]
diff --git a/Dockerfile.web b/Dockerfile.web
index 89a9619..e4dde1d 100644
--- a/Dockerfile.web
+++ b/Dockerfile.web
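Review bot: Removing `USER metacrypt` makes the image run as root by default for any runtime that does not pass `--user` (plain `docker run`, rootful podman, an orchestrator without a runAsUser setting), while the unpack failure quoted in the commit message (mkdir /srv/metacrypt: operation not permitted) looks like it stems from the chown'd directory layer rather than from the USER instruction itself. The new comment records the reliance on `--user 0:0` but nothing in the image enforces it, so the non-root default is lost everywhere outside MCP. A non-root default that MCP's `--user 0:0` still overrides can be kept without creating or chowning any directory in the image: `RUN apk add --no-cache ca-certificates tzdata && adduser -S -H -s /sbin/nologin metacrypt` plus `USER metacrypt` before ENTRYPOINT; outside MCP the bind-mounted /srv/metacrypt must then be readable by that user. The Dockerfile.web hunk makes the same change and carries the same trade-off.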
@@ -12,23 +12,17 @@ RUN CGO_ENABLED=0 go build -trimpath -ldflags="-s -w -X main.version=${VERSION}"
 FROM alpine:3.21
-RUN apk add --no-cache ca-certificates tzdata \
- && addgroup -S metacrypt \
- && adduser -S -G metacrypt -h /srv/metacrypt -s /sbin/nologin metacrypt \
- && mkdir -p /srv/metacrypt && chown metacrypt:metacrypt /srv/metacrypt
+RUN apk add --no-cache ca-certificates tzdata
 COPY --from=builder /metacrypt-web /usr/local/bin/metacrypt-web
-# /srv/metacrypt is the single volume mount point.
-# It must contain:
- metacrypt.toml — configuration file
- certs/ — TLS certificate and key
-VOLUME /srv/metacrypt
-WORKDIR /srv/metacrypt
+# /srv/metacrypt is bind-mounted at runtime by MCP (config + certs/). The
+# image deliberately does NOT declare a VOLUME or pre-create/chown the
+# directory, and does NOT set USER (the agent supplies --user 0:0), so it
+# unpacks and runs cleanly under rootless podman.
+WORKDIR /
 EXPOSE 8080
-USER metacrypt
-
 ENTRYPOINT ["metacrypt-web"]
 CMD ["--config", "/srv/metacrypt/metacrypt.toml"]