Discord report: container refused to start after pulling latest.
Logs showed `mkdir: cannot create directory '/app/Staging':
Permission denied`. `set -e` in entrypoint.sh then aborted the script
and the container restart-looped.
Root cause traced to commit 70e1750 (2026-05-08, image-bloat fix):
the Dockerfile chown was changed from `chown -R /app` to a scoped
chown on specific subdirs to avoid a redundant layer that was
duplicating the entire /app tree. Side effects:
1. `/app` itself went from soulsync:soulsync (via the recursive walk)
to root:root (Docker WORKDIR default — never re-chowned).
2. `/app/Staging` was the only runtime mount-point dir NOT pre-baked
into the image — every other bind-mountable dir (config, logs,
downloads, Transfer, MusicVideos, scripts) was in the Dockerfile's
`mkdir -p` + `chown` list. Staging was left to the entrypoint.
On rootless Docker / Podman where in-container "root" maps to a host
UID, the entrypoint mkdir on `/app/Staging` could fail with EACCES
depending on the bind-mount path's host ownership.
Fix has three parts:
1. **Dockerfile** — added `/app/Staging` to the runtime mkdir +
scoped chown list. Closes the asymmetry with the other bind-
mountable dirs. Image now ships with the directory pre-baked
owned soulsync:soulsync so the entrypoint mkdir is a guaranteed
no-op even when bind-mount perms are weird.
2. **entrypoint.sh mkdir + chown** — both now have `|| true` so any
future bind-mount permission quirk surfaces as a log line, not
a `set -e` crash + restart loop. Previously only the chown had
the `|| true` suffix; mkdir was bare.
3. **entrypoint.sh writability audit** — new loop at the end of
the setup phase runs `gosu soulsync test -w "$dir"` against
every bind-mountable dir. When a dir isn't writable by the
soulsync user, logs a loud warning with the exact host-side
`chown` command needed to fix it. Catches the underlying bind-
mount perm issue that the restart-loop fix would otherwise mask
(container starts but auto-import / downloads write into
unwritable dirs and fail silently). This is the diagnostic that
would have surfaced the root cause without needing the user to
share a container-restart screenshot.
Zero behavior change for users whose containers were already
starting fine. Defensive against the rootless/podman config that
broke after the image-bloat refactor.
Verified shell syntax with `bash -n entrypoint.sh`. Full pytest
2693 passed (no Python touched).
103 lines
3.8 KiB
Docker
103 lines
3.8 KiB
Docker
# SoulSync WebUI Dockerfile
|
|
# Multi-architecture support for AMD64 and ARM64
|
|
|
|
# Stage 1: Builder — install Python dependencies with compilation tools
|
|
FROM python:3.11-slim AS builder
|
|
|
|
RUN apt-get update && apt-get install -y --no-install-recommends \
|
|
gcc \
|
|
libc6-dev \
|
|
libffi-dev \
|
|
libssl-dev \
|
|
&& rm -rf /var/lib/apt/lists/*
|
|
|
|
# Create virtualenv and install dependencies
|
|
RUN python -m venv /opt/venv
|
|
ENV PATH="/opt/venv/bin:$PATH"
|
|
|
|
COPY requirements.txt .
|
|
RUN pip install --no-cache-dir --upgrade pip && \
|
|
pip install --no-cache-dir -r requirements.txt
|
|
|
|
# Stage 2: Runtime — only runtime dependencies, no build tools
|
|
FROM python:3.11-slim
|
|
|
|
# Build-time commit SHA for update detection
|
|
ARG COMMIT_SHA=""
|
|
ENV SOULSYNC_COMMIT_SHA=${COMMIT_SHA}
|
|
|
|
# Copy pre-built virtualenv from builder
|
|
COPY --from=builder /opt/venv /opt/venv
|
|
ENV VIRTUAL_ENV=/opt/venv
|
|
ENV PATH="/opt/venv/bin:$PATH"
|
|
|
|
# Set working directory
|
|
WORKDIR /app
|
|
|
|
# Install runtime-only system dependencies (no gcc/build tools)
|
|
RUN apt-get update && apt-get install -y --no-install-recommends \
|
|
curl \
|
|
gosu \
|
|
ffmpeg \
|
|
libchromaprint-tools \
|
|
&& rm -rf /var/lib/apt/lists/*
|
|
|
|
# Create non-root user for security
|
|
RUN useradd --create-home --shell /bin/bash --uid 1000 soulsync
|
|
|
|
# Copy application code with ownership baked in.
|
|
# Using `COPY --chown` instead of `COPY` + `chown -R /app` avoids an
|
|
# extra image layer that duplicates the entire /app tree just to flip
|
|
# ownership bits — Docker layers are immutable, so chown -R rewrites
|
|
# every file into a new layer. On a clean repo that's small; if any
|
|
# bulky workspace file slips in (e.g. auto-downloaded ffmpeg binaries
|
|
# in tools/), it gets counted twice in the image. Cin caught this on
|
|
# 2026-05-08 — see the .dockerignore comment for the same incident.
|
|
COPY --chown=soulsync:soulsync . .
|
|
|
|
# Create runtime mount-point directories the app expects to exist.
|
|
# NOTE: /app/data is for database FILES, /app/database is the Python package
|
|
# NOTE: /app/Staging is required even though most users bind-mount it —
|
|
# the entrypoint mkdir runs early and is gated by `set -e`, so a missing
|
|
# pre-baked directory would crash the container into a restart loop on
|
|
# rootless Docker/Podman where in-container "root" can't write to /app.
|
|
# Pre-baking the dir here makes the entrypoint mkdir a guaranteed no-op.
|
|
RUN mkdir -p /app/config /app/data /app/logs /app/downloads /app/Transfer /app/Staging /app/MusicVideos /app/scripts && \
|
|
chown soulsync:soulsync /app/config /app/data /app/logs /app/downloads /app/Transfer /app/Staging /app/MusicVideos /app/scripts
|
|
|
|
# Create defaults directory and copy template files
|
|
# These will be used by entrypoint.sh to initialize empty volumes
|
|
RUN mkdir -p /defaults && \
|
|
cp /app/config/config.example.json /defaults/config.json && \
|
|
cp /app/config/settings.py /defaults/settings.py && \
|
|
chmod 644 /defaults/config.json /defaults/settings.py
|
|
|
|
# Create volume mount points
|
|
# NOTE: Changed /app/database to /app/data to avoid overwriting Python package
|
|
VOLUME ["/app/config", "/app/data", "/app/logs", "/app/downloads", "/app/Transfer", "/app/MusicVideos", "/app/scripts"]
|
|
|
|
# Copy and set up entrypoint script
|
|
COPY entrypoint.sh /entrypoint.sh
|
|
RUN chmod +x /entrypoint.sh
|
|
|
|
# Note: Don't switch to soulsync user yet - entrypoint needs root to change UIDs
|
|
# The entrypoint script will switch to soulsync after setting up permissions
|
|
|
|
# Expose port
|
|
EXPOSE 8008
|
|
|
|
# Health check
|
|
HEALTHCHECK --interval=30s --timeout=10s --start-period=60s --retries=3 \
|
|
CMD curl -f http://localhost:8008/ || exit 1
|
|
|
|
# Set environment variables
|
|
ENV PYTHONPATH=/app
|
|
ENV PYTHONUNBUFFERED=1
|
|
ENV DATABASE_PATH=/app/data/music_library.db
|
|
ENV PUID=1000
|
|
ENV PGID=1000
|
|
ENV UMASK=022
|
|
|
|
# Set entrypoint and default command
|
|
ENTRYPOINT ["/entrypoint.sh"]
|
|
CMD ["gunicorn", "-c", "gunicorn.conf.py", "wsgi:application"]
|