geckon01/local-deep-research
1
0
Fork 0
mirror of https://github.com/LearningCircuit/local-deep-research.git synced 2026-06-15 19:46:56 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
b1cbc6fbe085d56effd5dbf499cf8071759d60f6
local-deep-research/scripts/ldr_entrypoint.sh
LearningCircuit 09f306f0c1 fix: set HOME=/home/ldruser in entrypoint before dropping to non-root (#2520) 
setpriv changes UID/GID but does not update HOME. Without this,
HOME stays as /root/ and platformdirs resolves data paths to
/root/.local/share/local-deep-research/ which ldruser cannot write to.

This causes PermissionError on startup when LDR_DATA_DIR is not
explicitly set (e.g. in the docker-multiarch-test workflow).

The Dockerfile already uses this pattern during build (line 246)
but the entrypoint was missing it.
2026-03-02 19:48:02 +01:00

58 lines
2.1 KiB
Bash
Executable File
Raw Blame History

#!/bin/bash
set -e
# This entrypoint handles volume permissions for the LDR container.
# Docker volumes are created with root ownership, but we need them
# accessible to the ldruser (UID 1000) that runs the application.
echo "Setting up /data directory permissions..."
# Create required subdirectories under /data if they don't exist
mkdir -p /data/logs
mkdir -p /data/cache
mkdir -p /data/cache/rag_indices
mkdir -p /data/research_outputs
mkdir -p /data/encrypted_databases
# Set permissions to 700 (owner-only access for security)
chmod 700 /data/logs
chmod 700 /data/cache
chmod 700 /data/cache/rag_indices
chmod 700 /data/research_outputs
chmod 700 /data/encrypted_databases
# Fix ownership of /data and all subdirectories
# This is safe because we're still root at this point (before USER directive takes effect)
chown -R ldruser:ldruser /data
# Create matplotlib cache directory for ldruser
echo "Setting up matplotlib cache directory..."
mkdir -p /home/ldruser/.config/matplotlib
chown -R ldruser:ldruser /home/ldruser/.config
chmod -R 700 /home/ldruser/.config
echo "Starting LDR application as ldruser..."
# Switch to ldruser and execute the command.
# setpriv needs CAP_SETUID and CAP_SETGID to call setuid()/setgid() syscalls.
# These are granted via cap_add in docker-compose.yml, but in restricted
# environments (e.g. Proxmox LXC) the outer container may block them.
if ! setpriv --reuid=ldruser --regid=ldruser --init-groups -- true 2>/dev/null; then
echo ""
echo "ERROR: Failed to switch to non-root user 'ldruser'."
echo ""
echo " setpriv requires CAP_SETUID and CAP_SETGID Linux capabilities."
echo " This typically happens in LXC containers (e.g. Proxmox) that"
echo " restrict these capabilities."
echo ""
echo " To fix, ensure your LXC container allows SETUID/SETGID:"
echo " - Proxmox: check 'Features' -> 'Nesting' is enabled"
echo " - Or add to LXC config: lxc.cap.keep = setuid setgid"
echo ""
echo " See: https://github.com/LearningCircuit/local-deep-research/issues"
echo ""
exit 1
fi
export HOME=/home/ldruser
exec setpriv --reuid=ldruser --regid=ldruser --init-groups -- "$@"
Reference in New Issue View Git Blame Copy Permalink