marcel/familienarchiv
1
0
Fork 0
Code Issues 118 Pull Requests 2 Actions 4 Packages Projects Releases Wiki Activity

fix(minio): bake bootstrap.sh into image instead of bind-mounting (#506) #507

Merged
marcel merged 1 commits from fix/issue-506-bootstrap-bind-mount-dood into main 2026-05-11 15:56:06 +02:00
Conversation 0 Commits 1 Files Changed 2 +22 -4
marcel commented 2026-05-11 15:33:21 +02:00
Owner
Copy Link

Summary

Closes #506.

Under Docker-out-of-Docker (the production Gitea Actions runner), the host daemon resolves the relative bind-mount path ./infra/minio/bootstrap.sh:/bootstrap.sh:ro against the host filesystem — not the runner container's /workspace/.... The script isn't there, so Docker creates an empty directory at /bootstrap.sh and the entrypoint fails with /bootstrap.sh: Is a directory.

This blocks the Compose Bucket Idempotency CI job (red on every PR since #499) and, more importantly, the actual staging / production deploys (they hit the same error when the create-buckets service starts).

Fix

Bake the script into a tiny derived image (infra/minio/Dockerfile). No runtime path resolution. Works in DooD, regular Docker, and CI.

docker-compose.prod.yml:

  • create-buckets.imagecreate-buckets.build.context: ./infra/minio
  • Drop the volumes: bind-mount and the explicit entrypoint: (the Dockerfile sets it)
  • Pin (RELEASE.2025-08-13T08-35-41Z) moves into the Dockerfile FROM line

Verified locally

  • docker compose -f docker-compose.prod.yml ... config --quiet parses
  • docker compose ... build create-buckets builds the image
  • docker run --rm --entrypoint /bin/sh <img> -c 'ls -l /bootstrap.sh && head -3 /bootstrap.sh' shows the script as a +x file with the right content

Test plan after merge

  • CI Compose Bucket Idempotency job goes green
  • Re-trigger nightly.yml for staging — create-buckets runs cleanly
  • mc admin user info myminio archiv-app on the running staging stack shows the bucket-scoped policy bound

🤖 Generated with Claude Code

## Summary Closes #506. Under Docker-out-of-Docker (the production Gitea Actions runner), the host daemon resolves the relative bind-mount path `./infra/minio/bootstrap.sh:/bootstrap.sh:ro` against the host filesystem — not the runner container's `/workspace/...`. The script isn't there, so Docker creates an empty directory at `/bootstrap.sh` and the entrypoint fails with `/bootstrap.sh: Is a directory`. This blocks the Compose Bucket Idempotency CI job (red on every PR since #499) and, more importantly, **the actual staging / production deploys** (they hit the same error when the `create-buckets` service starts). ## Fix Bake the script into a tiny derived image (`infra/minio/Dockerfile`). No runtime path resolution. Works in DooD, regular Docker, and CI. `docker-compose.prod.yml`: - `create-buckets.image` → `create-buckets.build.context: ./infra/minio` - Drop the `volumes:` bind-mount and the explicit `entrypoint:` (the Dockerfile sets it) - Pin (`RELEASE.2025-08-13T08-35-41Z`) moves into the Dockerfile FROM line ## Verified locally - [x] `docker compose -f docker-compose.prod.yml ... config --quiet` parses - [x] `docker compose ... build create-buckets` builds the image - [x] `docker run --rm --entrypoint /bin/sh <img> -c 'ls -l /bootstrap.sh && head -3 /bootstrap.sh'` shows the script as a `+x` file with the right content ## Test plan after merge - [ ] CI `Compose Bucket Idempotency` job goes green - [ ] Re-trigger `nightly.yml` for staging — `create-buckets` runs cleanly - [ ] `mc admin user info myminio archiv-app` on the running staging stack shows the bucket-scoped policy bound 🤖 Generated with [Claude Code](https://claude.com/claude-code)
marcel added 1 commit 2026-05-11 15:33:21 +02:00
fix(minio): bake bootstrap.sh into image instead of bind-mounting
Some checks failed
CI / Unit & Component Tests (push) Has been cancelled
Details
CI / OCR Service Tests (push) Has been cancelled
Details
CI / Backend Unit Tests (push) Has been cancelled
Details
CI / fail2ban Regex (push) Has been cancelled
Details
CI / Compose Bucket Idempotency (push) Has been cancelled
Details
CI / Unit & Component Tests (pull_request) Failing after 2m50s
Details
CI / OCR Service Tests (pull_request) Successful in 17s
Details
CI / Backend Unit Tests (pull_request) Successful in 4m9s
Details
CI / fail2ban Regex (pull_request) Failing after 12s
Details
CI / Compose Bucket Idempotency (pull_request) Successful in 57s
Details
f8f0951bd5 
Closes #506.

Under Docker-out-of-Docker (the production Gitea Actions runner), the
host daemon resolves the relative bind-mount path against the host
filesystem — not the runner container's /workspace. The script is not
there, so Docker creates an empty directory at /bootstrap.sh and the
entrypoint fails with `/bootstrap.sh: Is a directory`.

Bake the script into a tiny derived image (infra/minio/Dockerfile) so
there is no runtime path resolution. Works in DooD, regular Docker,
and CI.

Unblocks the staging / production deploy pipelines from #497 / #499
and turns the Compose Bucket Idempotency CI job green.

Verified locally:
- `docker compose ... config --quiet` parses
- `docker compose ... build create-buckets` builds the image
- bootstrap.sh exists as a +x file at /bootstrap.sh inside the image

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
marcel merged commit f8f0951bd5 into main 2026-05-11 15:56:06 +02:00
marcel deleted branch fix/issue-506-bootstrap-bind-mount-dood 2026-05-11 15:56:06 +02:00
Sign in to join this conversation.
Reviewers
No Reviewers
Labels
Clear labels
P0-critical
Blocks a core user journey, causes data loss, or is a security/accessibility barrier. Work on this before P1+.
 P1-high
Significant friction on a main user journey; workaround exists but is non-obvious. Next up after P0.
 P2-medium
Noticeable improvement; doesn't block anything; schedule opportunistically.
 P3-later
Cosmetic or parking-lot work; fine to stay open indefinitely.
 audit
Read-only audit / assessment work; produces a report rather than changing code
 bug
Something isn't working
 cleanup
Removal of dead code, vague comments, naming violations, and scratch artifacts
 collaboration
We want to extend the family archive to have more collaboration tools
 conversation
descoped
We will do that later
 devops
documentation
README, ARCHITECTURE, GLOSSARY, CONTRIBUTING, per-domain docs
 epic
Marker for epic-level issues that group multiple child issues
 feature
file-upload
legibility
Codebase Legibility Refactor — preparing the codebase for human evaluation and bus-factor reduction
 notification
person
phase-1: security
Security hygiene — must be done first
 phase-2: container-images
Production-ready multi-stage Docker images
 phase-3: prod-compose
Production compose overlay + Caddy reverse proxy
 phase-4: spring-prod-profile
Spring Boot production configuration profile
 phase-5: backups
Database and object storage backup strategy
 phase-6: deployment-docs
.env.example, DEPLOYMENT.md, runbook
 phase-7: monitoring
Prometheus, Loki, Grafana, Alertmanager
 refactor
Code restructuring without behaviour change
 security
test
ui
UI/UX and accessibility issues
 user
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
Jens marcel
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: marcel/familienarchiv#507
Delete Branch "fix/issue-506-bootstrap-bind-mount-dood"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?