#!/bin/bash set -e # This entrypoint handles volume permissions for the LDR container. # Docker volumes are created with root ownership, but we need them # accessible to the ldruser (UID 1000) that runs the application. echo "Setting up /data directory permissions..." # Create required subdirectories under /data if they don't exist mkdir -p /data/logs mkdir -p /data/cache mkdir -p /data/cache/rag_indices mkdir -p /data/research_outputs mkdir -p /data/encrypted_databases # Set permissions to 700 (owner-only access for security) chmod 700 /data/logs chmod 700 /data/cache chmod 700 /data/cache/rag_indices chmod 700 /data/research_outputs chmod 700 /data/encrypted_databases # Fix ownership of /data and all subdirectories # This is safe because we're still root at this point (before USER directive takes effect) chown -R ldruser:ldruser /data # Create matplotlib cache directory for ldruser echo "Setting up matplotlib cache directory..." mkdir -p /home/ldruser/.config/matplotlib chown -R ldruser:ldruser /home/ldruser/.config chmod -R 700 /home/ldruser/.config echo "Starting LDR application as ldruser..." # Switch to ldruser and execute the command. # setpriv needs CAP_SETUID and CAP_SETGID to call setuid()/setgid() syscalls. # These are granted via cap_add in docker-compose.yml, but in restricted # environments (e.g. Proxmox LXC) the outer container may block them. if ! setpriv --reuid=ldruser --regid=ldruser --init-groups -- true 2>/dev/null; then echo "" echo "ERROR: Failed to switch to non-root user 'ldruser'." echo "" echo " setpriv requires CAP_SETUID and CAP_SETGID Linux capabilities." echo " This typically happens in LXC containers (e.g. Proxmox) that" echo " restrict these capabilities." echo "" echo " To fix, ensure your LXC container allows SETUID/SETGID:" echo " - Proxmox: check 'Features' -> 'Nesting' is enabled" echo " - Or add to LXC config: lxc.cap.keep = setuid setgid" echo "" echo " See: https://github.com/LearningCircuit/local-deep-research/issues" echo "" exit 1 fi export HOME=/home/ldruser exec setpriv --reuid=ldruser --regid=ldruser --init-groups -- "$@"