fix(satellite): resolve Docker volume permission issues preventing credential persistence

Lasim · Lasim · commit 6aa532f24650 · 2025-12-14T17:04:51.000+01:00
The satellite container failed to save credentials to persistent storage due to
Docker volume permission mismatch. Volumes default to root:root ownership, but
the container runs as non-root user (deploystack, uid=1001) for security.
diff --git a/services/satellite/Dockerfile b/services/satellite/Dockerfile
@@ -5,10 +5,11 @@ FROM node:24-bookworm-slim
 # Create deploystack user with home directory
 RUN useradd -m -d /opt/deploystack -s /bin/bash deploystack
 
-# Install only essential runtime dependencies
+# Install essential runtime dependencies including gosu for privilege dropping
 RUN apt-get update && \
     apt-get install -y --no-install-recommends \
     ca-certificates \
+    gosu \
     && rm -rf /var/lib/apt/lists/*
 
 # Create mcp-cache base directory with proper ownership
@@ -32,6 +33,10 @@ RUN npm install --omit=dev --no-package-lock
 # Copy pre-built files
 COPY services/satellite/dist ./dist
 
+# Copy entrypoint script
+COPY services/satellite/scripts/docker-entrypoint.sh /usr/local/bin/
+RUN chmod +x /usr/local/bin/docker-entrypoint.sh
+
 # Create a default .env file with development defaults
 # NODE_ENV=development ensures no nsjail isolation is used
 RUN echo "NODE_ENV=development" > .env && \
@@ -40,7 +45,6 @@ RUN echo "NODE_ENV=development" > .env && \
 
 EXPOSE 3001
 
-# Run as deploystack user
-USER deploystack
-
+# Use entrypoint script that fixes permissions and drops privileges
+ENTRYPOINT ["/usr/local/bin/docker-entrypoint.sh"]
 CMD ["node", "--env-file=.env", "dist/index.js"]
diff --git a/services/satellite/scripts/docker-entrypoint.sh b/services/satellite/scripts/docker-entrypoint.sh
@@ -0,0 +1,26 @@
+#!/bin/bash
+set -e
+
+# If running as root, fix permissions before dropping privileges
+if [ "$(id -u)" = "0" ]; then
+  # Fix persistent_data directory permissions for Docker volume
+  if [ -d "/app/persistent_data" ]; then
+    echo "Fixing persistent_data directory permissions for deploystack user..."
+    chown -R deploystack:deploystack /app/persistent_data
+    chmod 755 /app/persistent_data
+    echo "✓ Persistent data permissions fixed"
+  fi
+
+  # Ensure all /app files are owned by deploystack user
+  # This fixes any files that were created as root during build
+  echo "Ensuring /app files are owned by deploystack user..."
+  chown -R deploystack:deploystack /app
+  echo "✓ App files permissions fixed"
+
+  # Drop privileges to deploystack user and execute command
+  echo "Starting satellite as deploystack user..."
+  exec gosu deploystack "$@"
+else
+  # Already running as non-root user, just execute
+  exec "$@"
+fi
