Commit c790e6a
committed
fix(docker): run as root so Railway-mounted volumes are writable
Railway (and other managed PaaS platforms) mount fresh volumes as
root-owned at runtime, shadowing the image-baked /data directory we
chowned to `app:app` at build time. Result: EACCES on first write to
/data/memory or /data/sessions.
Drop the non-root user. For a single-tenant personal bot on a sandboxed
PaaS, the hardening is marginal compared to the volume-permission
friction it creates. The alternative — root entrypoint + su-exec drop —
adds dependencies and complexity without meaningful security benefit
in this deployment model.1 parent 810f0ec commit c790e6a
2 files changed
Lines changed: 2 additions & 6 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
25 | 25 | | |
26 | 26 | | |
27 | 27 | | |
28 | | - | |
29 | | - | |
30 | | - | |
31 | | - | |
32 | | - | |
| 28 | + | |
33 | 29 | | |
34 | 30 | | |
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
309 | 309 | | |
310 | 310 | | |
311 | 311 | | |
312 | | - | |
| 312 | + | |
313 | 313 | | |
314 | 314 | | |
315 | 315 | | |
| |||
0 commit comments