bug(infra/minio): create-buckets bootstrap.sh bind-mount fails on DooD runner (Is a directory) #506

Closed
opened 2026-05-11 15:31:42 +02:00 by marcel · 0 comments
Owner

Summary

docker-compose.prod.yml's create-buckets service mounts ./infra/minio/bootstrap.sh:/bootstrap.sh:ro. Under Docker-out-of-Docker (the production Gitea Actions runner is DooD), the host Docker daemon resolves the relative path against the host filesystem — not the runner container's /workspace/.... The path doesn't exist on the host, so Docker auto-creates an empty directory at the mount target, and the entrypoint /bin/sh /bootstrap.sh fails with /bootstrap.sh: Is a directory.

Reproduction

$ docker compose -f docker-compose.prod.yml -p test-idem --env-file .env.test run --rm create-buckets
 Container test-idem-minio-1 Running
 Container test-idem-minio-1 Healthy
 Container test-idem-create-buckets-run-... Creating
 Container test-idem-create-buckets-run-... Created
/bootstrap.sh: /bootstrap.sh: Is a directory
exitcode '126': failure

Reproduces on the self-hosted Gitea Actions runner. Works locally on a developer machine because the runner CWD equals the host filesystem path.

Impact

  • Compose Bucket Idempotency CI job — failing on every PR since #499 landed.
  • Actual staging + production deploys — nightly.yml and release.yml will hit the same error when the create-buckets service starts. The current production rollout is blocked.

Fix

Bake bootstrap.sh into a tiny derived image. No runtime path resolution required, works in DooD / regular Docker / any environment.

# infra/minio/Dockerfile
FROM minio/mc:RELEASE.2025-08-13T08-35-41Z
COPY bootstrap.sh /bootstrap.sh
RUN chmod +x /bootstrap.sh
ENTRYPOINT ["/bin/sh", "/bootstrap.sh"]

Update docker-compose.prod.yml:

create-buckets:
  build:
    context: ./infra/minio
  # remove: volumes: - ./infra/minio/bootstrap.sh:/bootstrap.sh:ro
  # remove: entrypoint: ["/bin/sh", "/bootstrap.sh"]

The image pin (RELEASE.2025-08-13T08-35-41Z) moves into the Dockerfile FROM line so Renovate-style upgrades still touch one canonical place.

Why the CI test didn't catch this earlier (or rather: caught it but was attributed to a CI bug)

The Compose Bucket Idempotency job IS the regression test — it has been red since merge. The failure was assumed to be a runner-specific quirk; it is actually a real production-deploy blocker.

Discovered

While running nightly.yml to deploy staging for the first time after #499 / #497.
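
A CI lint for the failure mode described in this issue, as an added example that is not part of the original issue or the project's code: it lists short-syntax volume entries whose source is a relative path (./ or ../), the kind of mount that breaks when the Docker daemon sees a different filesystem than the compose client. The function names and the sample compose content are constructed for illustration.

```shell
#!/bin/sh
# Added example: lint a compose file for relative bind-mount sources.

# Prints "service<TAB>source<TAB>target" for every short-syntax list entry whose
# source starts with ./ or ../ ; returns 1 if any were found, 0 otherwise.
relative_bind_mounts() {
  awk -v sq="'" '
    { line = $0; gsub("[\"" sq "]", "", line) }        # drop YAML quotes
    line ~ /^[ \t]*#/ { next }                         # skip comment lines
    line ~ /^  [A-Za-z0-9_.-]+:[ \t]*$/ {              # 2-space indent: service name
      svc = line; gsub(/[ \t:]/, "", svc); next
    }
    line ~ /^[ \t]*-[ \t]*\.\.?\// {                   # list item "- ./x" or "- ../x"
      sub(/^[ \t]*-[ \t]*/, "", line); sub(/[ \t]+$/, "", line)
      if (split(line, part, ":") >= 2) {               # source:target[:mode]
        printf "%s\t%s\t%s\n", svc, part[1], part[2]; found = 1
      }
    }
    END { exit (found ? 1 : 0) }
  ' "$1"
}

# Constructed sample that mirrors the mount described in the issue.
sample_compose() {
  cat <<'EOF'
services:
  minio:
    image: minio/minio
    volumes:
      - minio-data:/data
  create-buckets:
    image: minio/mc
    volumes:
      - ./infra/minio/bootstrap.sh:/bootstrap.sh:ro
volumes:
  minio-data:
EOF
}

# Lint the file given as $1, or the constructed sample when no argument is passed.
tmp=$(mktemp); sample_compose > "$tmp"
relative_bind_mounts "${1:-$tmp}" || echo "relative bind mounts found" >&2
rm -f "$tmp"
```

Named volumes (minio-data:/data) and build contexts are not reported, because neither is a bind mount that the daemon resolves at container start.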


Reference: marcel/familienarchiv#506