Soft-fail chown during container init #36

Open
pacso wants to merge 1 commit into Forceu:master from pacso:soft-fail-chown

pacso commented May 10, 2026

Summary

The supervisor's setPermissions() calls ChownFolderRecursive on /app and /config and log.Fatals on any error. On filesystems where root cannot chown arbitrary files — notably NFS exports with root_squash (common on K8s home labs and NAS-backed clusters) — this prevents the container from starting, even though /config is typically already writable.

This change logs a warning and continues. The chown is a best-effort permission tighten-up; nginx/php-fpm only need write access inside /config/data, which is satisfied by the volume's existing mode regardless of ownership.

Test plan

  • Verified container starts on NFS-backed PVC (Synology export with root_squash) — supervisor logs the chown warning, then proceeds through SSL key generation, nginx/php-fpm/redis/wsserver startup
  • Verified the web UI is reachable and PHP can read/write /config/data (SQLite DB created)
  • Behaviour on local FS unchanged — chown still succeeds, no warning logged

Happy to narrow the soft-fail to errors.Is(err, syscall.EPERM) if you'd prefer to keep log.Fatal for genuine permission errors (e.g. read-only mount), or move it behind an env var. Let me know.

setPermissions calls ChownFolderRecursive on /app and /config and
log.Fatal's on any error. On filesystems where root cannot chown
arbitrary files (notably NFS exports with root_squash, common on
Kubernetes-backed home labs and NAS-backed clusters), this prevents
the supervisor from starting even though /config is typically already
writable to the application.

Log a warning and continue instead. The chown is a best-effort
permissions tighten-up; nginx/php-fpm only need to be able to write
inside /config/data, which is satisfied by the volume's existing
mode regardless of ownership.
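
The narrower variant offered in the description (tolerate only `syscall.EPERM`, keep failing on anything else) could look like the sketch below. It is an added example, not code from this PR or the project: `ChownTreeSoft` and `chownFunc` are hypothetical names, and the walk stands in for the project's `ChownFolderRecursive`, whose implementation is not shown on this page.

```go
package main

import (
	"errors"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"syscall"
)

// chownFunc matches os.Lchown so a stub can stand in for it in tests.
type chownFunc func(path string, uid, gid int) error

// ChownTreeSoft is a hypothetical stand-in for ChownFolderRecursive.
// It tolerates EPERM (the error the PR proposes to soft-fail on) and
// counts the skipped entries; any other error, such as EROFS from a
// read-only mount, is returned so the caller can still abort.
func ChownTreeSoft(root string, uid, gid int, chown chownFunc) (skipped int, err error) {
	err = filepath.WalkDir(root, func(path string, d fs.DirEntry, walkErr error) error {
		if walkErr != nil {
			return walkErr // unreadable directory: not a chown problem, do not mask it
		}
		if cerr := chown(path, uid, gid); cerr != nil {
			if errors.Is(cerr, syscall.EPERM) {
				skipped++ // ownership unchanged; caller decides whether to warn
				return nil
			}
			return fmt.Errorf("chown %s: %w", path, cerr)
		}
		return nil
	})
	return skipped, err
}

func main() {
	dir, _ := os.MkdirTemp("", "chown-demo") // constructed sample tree
	defer os.RemoveAll(dir)
	os.WriteFile(filepath.Join(dir, "a.db"), nil, 0o600)
	skipped, err := ChownTreeSoft(dir, os.Getuid(), os.Getgid(), os.Lchown)
	fmt.Printf("skipped=%d err=%v\n", skipped, err)
}
```

A caller would log one warning when `skipped > 0` and keep `log.Fatal` for a non-nil error, so a read-only or otherwise broken mount still stops startup.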