fix(docker): volume permissions and su-exec drop to marchat

Cod-e-Codes · Cod-e-Codes · commit 9fc161e4dcdf · 2026-03-30T19:52:29.000-04:00
Keep docker-compose.yml to port/DB only; document MARCHAT_ADMIN_KEY and MARCHAT_USERS via .env in README.

chore: v0.10.0-beta.2
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -6,9 +6,9 @@ on:
   workflow_dispatch:
     inputs:
       version:
-        description: 'Version to build (e.g., v0.10.0-beta.1)'
+        description: 'Version to build (e.g., v0.10.0-beta.2)'
         required: true
-        default: 'v0.10.0-beta.1'
+        default: 'v0.10.0-beta.2'
 
 permissions:
   contents: read
diff --git a/Dockerfile b/Dockerfile
@@ -29,29 +29,20 @@ RUN apk update && apk upgrade --no-cache
 ARG USER_ID=1000
 ARG GROUP_ID=1000
 
-# Install necessary packages for user management
-RUN apk add --no-cache shadow
+# shadow: marchat user; su-exec: drop root after fixing volume permissions in entrypoint
+RUN apk add --no-cache shadow su-exec
 
 # Create marchat user with specified UID/GID
 RUN groupadd -g ${GROUP_ID} marchat && \
     useradd -u ${USER_ID} -g marchat -s /bin/sh -m marchat
 
-# Create config directory with proper ownership
-RUN mkdir -p /marchat/config && \
-    chown -R marchat:marchat /marchat
-
-# Switch to marchat user
-USER marchat
 WORKDIR /marchat
 
 # Copy the binary from builder stage (server only; release zips ship a separate client binary).
 COPY --from=builder /marchat/marchat-server .
-
-# Diagnostics: override the entrypoint to run `-doctor` or `-doctor-json` for an env/config summary without starting the HTTP server.
-
-# Copy entrypoint script
-COPY --chown=marchat:marchat entrypoint.sh /marchat/entrypoint.sh
-RUN chmod +x /marchat/entrypoint.sh
+COPY entrypoint.sh /marchat/entrypoint.sh
+RUN chmod +x /marchat/entrypoint.sh && \
+    chown marchat:marchat /marchat/marchat-server /marchat/entrypoint.sh
 
 # Expose port 8080
 EXPOSE 8080
diff --git a/README.md b/README.md
@@ -7,13 +7,20 @@
 [![Go Version](https://img.shields.io/github/go-mod/go-version/Cod-e-Codes/marchat?logo=go)](https://go.dev/dl/)
 [![GitHub all releases](https://img.shields.io/github/downloads/Cod-e-Codes/marchat/total?logo=github)](https://github.com/Cod-e-Codes/marchat/releases)
 [![Docker Pulls](https://img.shields.io/docker/pulls/codecodesxyz/marchat?logo=docker)](https://hub.docker.com/r/codecodesxyz/marchat)
-[![Version](https://img.shields.io/badge/version-v0.10.0--beta.1-blue)](https://github.com/Cod-e-Codes/marchat/releases/tag/v0.10.0-beta.1)
+[![Version](https://img.shields.io/badge/version-v0.10.0--beta.2-blue)](https://github.com/Cod-e-Codes/marchat/releases/tag/v0.10.0-beta.2)
 
 A lightweight terminal chat with real-time messaging over WebSockets, optional E2E encryption, and a flexible plugin ecosystem. Built for developers who prefer the command line.
 
 ## Latest Updates
 
-### v0.10.0-beta.1 (Current)
+### v0.10.0-beta.2 (Current)
+- **CLI diagnostics**: `marchat-client` and `marchat-server` support `-doctor` and `-doctor-json` for environment, paths, and config health
+- **Build**: `build-release.ps1` sets `CGO_ENABLED=0` for consistent cross-compilation
+- **Dependencies**: `modernc.org/sqlite` 1.47.0 → 1.48.0 (via Dependabot)
+- **Docs**: Updated LOC and test coverage figures; streamlined beta.1 feature list in README
+- **Docker**: image entrypoint fixes `/data` volume permissions and drops to non-root via `su-exec`; Unix line endings on `entrypoint.sh` for reliable Windows-built images
+
+### v0.10.0-beta.1
 - **Message Management**: Edit, delete, pin, search messages by ID
 - **Reactions**: React to messages with emoji aliases (`:react 42 +1`, `heart`, `fire`, `party`, etc.)
 - **Direct Messages**: Private DM conversations between users
@@ -27,6 +34,7 @@ A lightweight terminal chat with real-time messaging over WebSockets, optional E
 - **Plugins**: Full plugin system wiring (message forwarding, user list updates, command responses, init handshake, store UI, license enforcement)
 
 ### Recent Releases
+- **v0.10.0-beta.2**: Doctor CLI, build-release cross-compile fix, sqlite bump, doc metrics refresh, Docker image entrypoint/volume permission fixes
 - **v0.9.0-beta.6**: Rebuilt with Go 1.25.8 to address CVE-2026-25679, CVE-2026-27142, CVE-2026-27139
 - **v0.9.0-beta.5**: Automated release workflow, PBKDF2 keystore key derivation, JWT secret auto-generation, race condition fixes, Docker optimizations
 - **v0.9.0-beta.4**: Fixed admin metrics, restored plugin commands in encrypted sessions, dependency updates
@@ -129,27 +137,44 @@ Key tables for message tracking and moderation:
 **Binary Installation:**
 ```bash
 # Linux (amd64)
-wget https://github.com/Cod-e-Codes/marchat/releases/download/v0.10.0-beta.1/marchat-v0.10.0-beta.1-linux-amd64.zip
-unzip marchat-v0.10.0-beta.1-linux-amd64.zip && chmod +x marchat-*
+wget https://github.com/Cod-e-Codes/marchat/releases/download/v0.10.0-beta.2/marchat-v0.10.0-beta.2-linux-amd64.zip
+unzip marchat-v0.10.0-beta.2-linux-amd64.zip && chmod +x marchat-*
 
 # macOS (amd64)
-wget https://github.com/Cod-e-Codes/marchat/releases/download/v0.10.0-beta.1/marchat-v0.10.0-beta.1-darwin-amd64.zip
-unzip marchat-v0.10.0-beta.1-darwin-amd64.zip && chmod +x marchat-*
+wget https://github.com/Cod-e-Codes/marchat/releases/download/v0.10.0-beta.2/marchat-v0.10.0-beta.2-darwin-amd64.zip
+unzip marchat-v0.10.0-beta.2-darwin-amd64.zip && chmod +x marchat-*
 
 # Windows - PowerShell
 iwr -useb https://raw.githubusercontent.com/Cod-e-Codes/marchat/main/install.ps1 | iex
 ```
 
 **Docker:**
 ```bash
-docker pull codecodesxyz/marchat:v0.10.0-beta.1
+docker pull codecodesxyz/marchat:v0.10.0-beta.2
 docker run -d -p 8080:8080 \
   -e MARCHAT_ADMIN_KEY=$(openssl rand -hex 32) \
   -e MARCHAT_USERS=admin1,admin2 \
-  codecodesxyz/marchat:v0.10.0-beta.1
+  codecodesxyz/marchat:v0.10.0-beta.2
 ```
 
 **Docker Compose (local development):**
+
+The sample `docker-compose.yml` only sets port and database path. You must still provide **`MARCHAT_ADMIN_KEY`** and **`MARCHAT_USERS`** (see [Essential Environment Variables](#essential-environment-variables)). Typical approach: add the two lines below under `server.environment` and keep values in a gitignored `.env` file next to the compose file (Compose substitutes `${VAR}` from that `.env` automatically):
+
+```yaml
+      - MARCHAT_ADMIN_KEY=${MARCHAT_ADMIN_KEY}
+      - MARCHAT_USERS=${MARCHAT_USERS}
+```
+
+Example `.env` (generate a strong key for anything reachable from a network):
+
+```bash
+MARCHAT_ADMIN_KEY=your-secret-here
+MARCHAT_USERS=admin1,admin2
+```
+
+Then:
+
 ```bash
 docker compose up -d
 ```
diff --git a/SECURITY.md b/SECURITY.md
@@ -2,7 +2,7 @@
 
 ## Supported Versions
 
-`marchat` is currently at **v0.10.0-beta.1**.  
+`marchat` is currently at **v0.10.0-beta.2**.  
 All security updates and fixes are applied to the `main` branch.
 
 | Version            | Supported |
diff --git a/build-release.ps1 b/build-release.ps1
@@ -1,9 +1,9 @@
-# Build script for marchat v0.10.0-beta.1
+# Build script for marchat v0.10.0-beta.2
 # This script builds all platform targets and creates release zips
 
 $ErrorActionPreference = "Stop"
 
-$VERSION = "v0.10.0-beta.1"
+$VERSION = "v0.10.0-beta.2"
 $BUILD_DIR = "build"
 $RELEASE_DIR = "release"
 
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -1,13 +1,13 @@
-services:
-  server:
-    build: .
-    ports:
-      - "8080:8080"
-    environment:
-      - MARCHAT_PORT=8080
-      - MARCHAT_DB_PATH=/data/marchat.db
-    volumes:
-      - marchat-data:/data
-
-volumes:
-  marchat-data:
+services:
+  server:
+    build: .
+    ports:
+      - "8080:8080"
+    environment:
+      - MARCHAT_PORT=8080
+      - MARCHAT_DB_PATH=/data/marchat.db
+    volumes:
+      - marchat-data:/data
+
+volumes:
+  marchat-data:
diff --git a/entrypoint.sh b/entrypoint.sh
@@ -1,25 +1,19 @@
 #!/bin/sh
 set -e
 
-# Ensure base server directory exists
-mkdir -p /marchat/server
+# When running as root (default), fix ownership of app dirs and common volume
+# mount points so the marchat user can write SQLite and config, then drop privileges.
+if [ "$(id -u)" = 0 ]; then
+	mkdir -p /marchat/server /marchat/server/config /marchat/server/db \
+		/marchat/server/data /marchat/server/plugins /data
+	chown -R marchat:marchat /marchat /data 2>/dev/null || true
+	exec su-exec marchat "$0" "$@"
+fi
 
-# Ensure config directory exists inside server directory
+mkdir -p /marchat/server
 mkdir -p /marchat/server/config
-
-# Ensure db directory exists inside server directory
 mkdir -p /marchat/server/db
-
-# Ensure data directory exists inside server directory
 mkdir -p /marchat/server/data
-
-# Ensure plugins directory exists inside server directory
 mkdir -p /marchat/server/plugins
 
-# Fix ownership if we have write access
-if [ -w "/marchat/server" ]; then
-    chown -R marchat:marchat /marchat/server 2>/dev/null || true
-fi
-
-# Execute the main application
 exec ./marchat-server "$@"
diff --git a/install.ps1 b/install.ps1
@@ -4,7 +4,7 @@
 # Supports Windows, Linux, macOS, and Android (via PowerShell Core)
 
 param(
-    [string]$Version = "v0.10.0-beta.1"
+    [string]$Version = "v0.10.0-beta.2"
 )
 
 $ErrorActionPreference = "Stop"
diff --git a/install.sh b/install.sh
@@ -5,7 +5,7 @@
 
 set -e  # Exit on any error
 
-VERSION="v0.10.0-beta.1"
+VERSION="v0.10.0-beta.2"
 
 # Detect OS and architecture
 OS=$(uname | tr '[:upper:]' '[:lower:]')

Original file line number	Diff line number	Diff line change
`@@ -4,7 +4,7 @@`
`4`	`4`	`# Supports Windows, Linux, macOS, and Android (via PowerShell Core)`
`5`	`5`
`6`	`6`	`param(`
`7`		`- [string]$Version = "v0.10.0-beta.1"`
	`7`	`+ [string]$Version = "v0.10.0-beta.2"`
`8`	`8`	`)`
`9`	`9`
`10`	`10`	`$ErrorActionPreference = "Stop"`