Make persistent storage work smoothly for podman/docker.

Author: danielballan

Containerfile

@@ -81,14 +81,16 @@ RUN set -ex && \
 
 FROM docker.io/python:${PYTHON_VERSION}-slim AS app_runtime
 ARG PYTHON_VERSION=3.12
+ARG APP_UID=999
 
 # Add the application virtualenv to search path.
 ENV PATH=/app/bin:$PATH
 
-# Don't run your app as root.
+# We will run the app as a user 'app' with a stable uid that is
+# configurable via an ARG.
 RUN set -ex && \
-groupadd -r app && \
-useradd -r -d /app -g app -N app
+    groupadd -r -g ${APP_UID} app && \
+    useradd -r -d /app -g app -u ${APP_UID} -N app
 
 # See <https://hynek.me/articles/docker-signals/>.
 STOPSIGNAL SIGINT
@@ -100,7 +102,7 @@ apt-get update -qy && \
 apt-get install -qyy \
     -o APT::Install-Recommends=false \
     -o APT::Install-Suggests=false \
-    curl && \
+    curl gosu && \
 apt-get clean && \
 rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
 
@@ -129,4 +131,13 @@ python -Ic 'import tiled'
 
 EXPOSE 8000
 
+# Following the example of PG, Redis, and other services that write to a
+# storage volume, run the entrypoint as root. As root, ensure that the
+# /storage volume is writable by the app user. Then use gosu to switch to
+# the app user.
+USER root
+COPY docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh
+RUN chmod +x /usr/local/bin/docker-entrypoint.sh
+ENTRYPOINT ["docker-entrypoint.sh"]
+
 CMD ["tiled", "serve", "config", "--host", "0.0.0.0", "--port", "8000", "--scalable"]

docker-entrypoint.sh

@@ -0,0 +1,10 @@
+#!/bin/bash
+# docker-entrypoint.sh
+set -e
+
+# If storage dir exists but isn't owned by app, fix it
+if [ "$(stat -c %u /storage)" != "$(id -u app)" ]; then
+    chown -R app:app /storage
+fi
+
+exec gosu app "$@"