c302b1d719
The images created /srv/metacrypt and chowned it to a non-root user with VOLUME + USER, which fails to unpack under rootless podman (mkdir /srv/metacrypt: operation not permitted). MCP bind-mounts /srv/metacrypt and runs --user 0:0, so none of that is needed. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
29 lines
769 B
Docker
29 lines
769 B
Docker
FROM golang:1.25-alpine AS builder
|
|
|
|
RUN apk add --no-cache git
|
|
WORKDIR /build
|
|
COPY go.mod go.sum ./
|
|
RUN go mod download
|
|
|
|
COPY . .
|
|
|
|
ARG VERSION=dev
|
|
RUN CGO_ENABLED=0 go build -trimpath -ldflags="-s -w -X main.version=${VERSION}" -o /metacrypt-web ./cmd/metacrypt-web
|
|
|
|
FROM alpine:3.21
|
|
|
|
RUN apk add --no-cache ca-certificates tzdata
|
|
|
|
COPY --from=builder /metacrypt-web /usr/local/bin/metacrypt-web
|
|
|
|
# /srv/metacrypt is bind-mounted at runtime by MCP (config + certs/). The
|
|
# image deliberately does NOT declare a VOLUME or pre-create/chown the
|
|
# directory, and does NOT set USER (the agent supplies --user 0:0), so it
|
|
# unpacks and runs cleanly under rootless podman.
|
|
WORKDIR /
|
|
|
|
EXPOSE 8080
|
|
|
|
ENTRYPOINT ["metacrypt-web"]
|
|
CMD ["--config", "/srv/metacrypt/metacrypt.toml"]
|