From 7a229396e756c1fc44e2f13c5c15aaca6a90a376 Mon Sep 17 00:00:00 2001 From: Mikel Larreategi Date: Thu, 19 Mar 2026 11:26:03 +0100 Subject: [PATCH 1/5] feat: only do a full chown of the /data directory if requested or if the /data directory is not owned by plone --- skeleton/docker-entrypoint.sh | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/skeleton/docker-entrypoint.sh b/skeleton/docker-entrypoint.sh index 96bf50b..6b6537c 100755 --- a/skeleton/docker-entrypoint.sh +++ b/skeleton/docker-entrypoint.sh @@ -16,10 +16,14 @@ USER="$(id -u)" # Create directories to be used by Plone mkdir -p /data/filestorage /data/blobstorage /data/cache /data/log $CLIENT_HOME if [ "$USER" = '0' ]; then - find /data -not -user plone -exec chown plone:plone {} \+ + # Check ownership, OR check if we are explicitly forcing a fix + if [ "$(stat -c '%U' /data)" != "plone" ] || [ "$FORCE_CHOWN" = "1" ]; then + echo "Fixing permissions on /data..." + find /data -not -user plone -exec chown plone:plone {} \+ + else + echo "Skipping deep permission check. (Pass FORCE_CHOWN=1 to force it)" + fi sudo="gosu plone" -else - sudo="" fi # MAIN ENV Vars From a5190cbae09ce087e1e55e34206f98d6c11f1223 Mon Sep 17 00:00:00 2001 From: Mikel Larreategi Date: Thu, 19 Mar 2026 11:30:38 +0100 Subject: [PATCH 2/5] fix --- skeleton/docker-entrypoint.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/skeleton/docker-entrypoint.sh b/skeleton/docker-entrypoint.sh index 6b6537c..4a48ab5 100755 --- a/skeleton/docker-entrypoint.sh +++ b/skeleton/docker-entrypoint.sh @@ -24,6 +24,8 @@ if [ "$USER" = '0' ]; then echo "Skipping deep permission check. (Pass FORCE_CHOWN=1 to force it)" fi sudo="gosu plone" +else + sudo="" fi # MAIN ENV Vars From f5bdf86d32959ce5e3345f6c01ab0de12d125419 Mon Sep 17 00:00:00 2001 From: Mikel Larreategi Date: Thu, 19 Mar 2026 12:59:09 +0100 Subject: [PATCH 3/5] remove echo --- skeleton/docker-entrypoint.sh | 3 --- 1 file changed, 3 deletions(-) 
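Review bot: The new gate in PATCH 1/5 inspects only the owner of `/data` itself, so a volume whose top directory already belongs to plone but holds root-owned content below it (for example files copied or restored as root) is no longer repaired. Plone then hits permission errors after `gosu plone`, and once PATCH 3/5 drops the "Skipping…" message nothing in the log explains why. A cheap middle ground is to test the directory and its immediate children, e.g. `if [ -n "$(find /data -maxdepth 1 -not -user plone -print -quit)" ] || [ "$FORCE_CHOWN" = "1" ]; then`; `-maxdepth` and `-quit` are find extensions, so confirm the base image's find supports them. `FORCE_CHOWN` also deserves a one-line comment here and a mention in the image documentation, since it becomes the only way to trigger the deep fix on such volumes.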
diff --git a/skeleton/docker-entrypoint.sh b/skeleton/docker-entrypoint.sh index 4a48ab5..717e05c 100755 --- a/skeleton/docker-entrypoint.sh +++ b/skeleton/docker-entrypoint.sh @@ -18,10 +18,7 @@ mkdir -p /data/filestorage /data/blobstorage /data/cache /data/log $CLIENT_HOME if [ "$USER" = '0' ]; then # Check ownership, OR check if we are explicitly forcing a fix if [ "$(stat -c '%U' /data)" != "plone" ] || [ "$FORCE_CHOWN" = "1" ]; then - echo "Fixing permissions on /data..." find /data -not -user plone -exec chown plone:plone {} \+ - else - echo "Skipping deep permission check. (Pass FORCE_CHOWN=1 to force it)" fi sudo="gosu plone" else From e8e032eafb5785b0b35cef9ab699ee92b0a5f338 Mon Sep 17 00:00:00 2001 From: Mikel Larreategi Date: Thu, 7 May 2026 22:18:01 +0200 Subject: [PATCH 4/5] output a message when the docker image is running the find&chown --- skeleton/docker-entrypoint.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/skeleton/docker-entrypoint.sh b/skeleton/docker-entrypoint.sh index 717e05c..927ca87 100755 --- a/skeleton/docker-entrypoint.sh +++ b/skeleton/docker-entrypoint.sh @@ -18,6 +18,7 @@ mkdir -p /data/filestorage /data/blobstorage /data/cache /data/log $CLIENT_HOME if [ "$USER" = '0' ]; then # Check ownership, OR check if we are explicitly forcing a fix if [ "$(stat -c '%U' /data)" != "plone" ] || [ "$FORCE_CHOWN" = "1" ]; then + echo "Running chown to fix ownership of the data directory" find /data -not -user plone -exec chown plone:plone {} \+ fi sudo="gosu plone" From 825dbde2a338b0c78b419968c8c1ddbfc2868c8d Mon Sep 17 00:00:00 2001 From: Mikel Larreategi Date: Thu, 7 May 2026 22:18:08 +0200 Subject: [PATCH 5/5] add tests --- test/config.sh | 1 + .../plone-basics-chown/expected-std-out.txt | 5 ++++ test/tests/plone-basics-chown/run.sh | 29 +++++++++++++++++++ 3 files changed, 35 insertions(+) create mode 100644 test/tests/plone-basics-chown/expected-std-out.txt create mode 100755 test/tests/plone-basics-chown/run.sh 
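Review bot: The `find /data -not -user plone -exec chown plone:plone {} \+` line that the new message in PATCH 4/5 announces runs as root and calls `chown` without `-h`, so for a symlink in the volume that is not owned by plone the ownership change lands on the link's target, which may lie outside `/data`. The contents of `/data` usually come from a mounted volume the image does not control, so `find /data -not -user plone -exec chown -h plone:plone {} \+` keeps the change confined to entries under `/data`. Separately, the added `echo` writes to stdout, where it mixes into the output of whatever command the container was asked to run; a diagnostic would normally go to stderr, although the expected-std-out test in PATCH 5/5 currently relies on stdout. The enclosing `if [ "$USER" = '0' ]` block closes outside this hunk.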
diff --git a/test/config.sh b/test/config.sh index 5f21f3c..c2365ee 100644 --- a/test/config.sh +++ b/test/config.sh @@ -16,6 +16,7 @@ plone-listenport plone-zeoclient plone-relstorage plone-shared-blob-dir +plone-basics-chown ' imageTests+=( diff --git a/test/tests/plone-basics-chown/expected-std-out.txt b/test/tests/plone-basics-chown/expected-std-out.txt new file mode 100644 index 0000000..32b6091 --- /dev/null +++ b/test/tests/plone-basics-chown/expected-std-out.txt @@ -0,0 +1,5 @@ +--- Case 1: Automatic fix --- +Running chown to fix ownership of the data directory +--- Case 2: Forced fix --- +Running chown to fix ownership of the data directory +--- Case 3: No fix --- diff --git a/test/tests/plone-basics-chown/run.sh b/test/tests/plone-basics-chown/run.sh new file mode 100755 index 0000000..4f6c0f3 --- /dev/null +++ b/test/tests/plone-basics-chown/run.sh 
@@ -0,0 +1,29 @@
+#!/bin/bash
+set -eo pipefail
+
+image="$1"
+
+# Case 1: /data owned by root. Should fix it automatically.
+echo "--- Case 1: Automatic fix ---"
+cname1="plone-chown-auto-$RANDOM"
+docker run --name "$cname1" -v /data busybox sh -c "chown root:root /data && touch /data/auto"
+docker run --rm --volumes-from "$cname1" "$image" true
+docker run --rm --volumes-from "$cname1" busybox stat -c "%u:%g" /data/auto | grep -q "500:500"
+docker rm -v "$cname1" > /dev/null
+
+# Case 2: /data owned by plone, but FORCE_CHOWN=1. Should fix it manually.
+echo "--- Case 2: Forced fix ---"
+cname2="plone-chown-force-$RANDOM"
+docker run --name "$cname2" -v /data busybox sh -c "chown 500:500 /data && touch /data/forced && chown root:root /data/forced"
+docker run --rm --volumes-from "$cname2" -e FORCE_CHOWN="1" "$image" true
+docker run --rm --volumes-from "$cname2" busybox stat -c "%u:%g" /data/forced | grep -q "500:500"
+docker rm -v "$cname2" > /dev/null
+
+# Case 3: /data owned by plone, no FORCE_CHOWN. Should NOT fix (no message).
+echo "--- Case 3: No fix ---"
+cname3="plone-chown-none-$RANDOM"
+docker run --name "$cname3" -v /data busybox sh -c "chown 500:500 /data && touch /data/no-fix && chown root:root /data/no-fix"
+docker run --rm --volumes-from "$cname3" "$image" true
+# Should still be root:root (0:0)
+docker run --rm --volumes-from "$cname3" busybox stat -c "%u:%g" /data/no-fix | grep -q "0:0"
+docker rm -v "$cname3" > /dev/null
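Review bot: Under `set -eo pipefail` any failing `docker run` or `grep -q` aborts the script before the matching `docker rm -v`, leaving the named container and its anonymous `/data` volume behind on the test host. Registering cleanup up front avoids that, e.g. `trap 'docker rm -vf "$cname1" "$cname2" "$cname3" >/dev/null 2>&1 || true' EXIT` right after `image="$1"`. The ownership assertions are also unanchored substring matches: `grep -q "0:0"` would accept `100:0`, so `grep -qx '0:0'` and `grep -qx '500:500'` pin the exact uid:gid. The literal `500:500` presumably mirrors the plone uid/gid in the image; a comment saying so would help whoever changes that uid later.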