aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorGravatar Carey Metcalfe <carey@cmetcalfe.ca> 2025-08-08 07:36:57 -0400
committerGravatar GitHub <noreply@github.com> 2025-08-08 13:36:57 +0200
commitbb659ee27ab2fd4c90c801151603defc4da7211a (patch)
tree64e874993182955ecdd0fc22deb9e7388e7bde3a
parent084f9549804b98a266a8438614064f873fd07b07 (diff)
Optimize how much data needs to be `chown`/`chmod`ed on container startup (#7793)
* Optimize how much data needs to be `chown`/`chmod`ed on container startup This works around an issue where `chmod`/`chown` operations inside a container can be extremely slow when using the `overlay2` storage driver, resulting in 10min+ container startup times. It modifies the owner of the webapp when building the container so that only the `data` and `extensions` directories (which are commonly mapped as volumes into the container) have to be modified by the `access-permissions.sh` script at container startup. When not running via docker the behaviour of the `access-permissions.sh` script is unchanged. * Take DATA_PATH environment variable into account when fixing permissions * Revert change to using bash for arrays (the alpine image doesn't include `bash`) * A few more improvements * Slightly tweak reapply permissions variable - lowercase to indicate it's not an env variable - use 0/1 to address potentially-irrational paranoia about unset variables * Remove conditional logic to skip reapplying permissions Also documents why in a comment so it's not missed in the future. --------- Co-authored-by: Alexandre Alapetite <alexandre@alapetite.fr>
Diffstat
-rw-r--r--Docker/Dockerfile2
-rw-r--r--Docker/Dockerfile-Alpine2
-rw-r--r--Docker/Dockerfile-Newest2
-rw-r--r--Docker/Dockerfile-Oldest2
-rwxr-xr-xDocker/entrypoint.sh6
-rwxr-xr-xcli/access-permissions.sh20
6 files changed, 23 insertions, 11 deletions
diff --git a/Docker/Dockerfile b/Docker/Dockerfile
index ab7bcacb9..9dc24fe60 100644
--- a/Docker/Dockerfile
+++ b/Docker/Dockerfile
@@ -16,7 +16,7 @@ RUN apt-get update && \
RUN mkdir -p /var/www/FreshRSS/ /run/apache2/
WORKDIR /var/www/FreshRSS
-COPY . /var/www/FreshRSS
+COPY --chown=root:www-data . /var/www/FreshRSS
COPY ./Docker/*.Apache.conf /etc/apache2/sites-available/
ARG FRESHRSS_VERSION
diff --git a/Docker/Dockerfile-Alpine b/Docker/Dockerfile-Alpine
index 74729f53a..26cccd6c9 100644
--- a/Docker/Dockerfile-Alpine
+++ b/Docker/Dockerfile-Alpine
@@ -13,7 +13,7 @@ RUN apk add --no-cache \
RUN mkdir -p /var/www/FreshRSS /run/apache2/
WORKDIR /var/www/FreshRSS
-COPY . /var/www/FreshRSS
+COPY --chown=root:www-data . /var/www/FreshRSS
COPY ./Docker/*.Apache.conf /etc/apache2/conf.d/
ARG FRESHRSS_VERSION
diff --git a/Docker/Dockerfile-Newest b/Docker/Dockerfile-Newest
index 96b9660db..470e66733 100644
--- a/Docker/Dockerfile-Newest
+++ b/Docker/Dockerfile-Newest
@@ -14,7 +14,7 @@ RUN echo 'http://dl-cdn.alpinelinux.org/alpine/edge/testing' >> /etc/apk/reposit
RUN mkdir -p /var/www/FreshRSS /run/apache2/
WORKDIR /var/www/FreshRSS
-COPY . /var/www/FreshRSS
+COPY --chown=root:www-data . /var/www/FreshRSS
COPY ./Docker/*.Apache.conf /etc/apache2/conf.d/
ARG FRESHRSS_VERSION
diff --git a/Docker/Dockerfile-Oldest b/Docker/Dockerfile-Oldest
index 38fbadede..e31c75f20 100644
--- a/Docker/Dockerfile-Oldest
+++ b/Docker/Dockerfile-Oldest
@@ -13,7 +13,7 @@ RUN apk add --no-cache \
RUN mkdir -p /var/www/FreshRSS /run/apache2/
WORKDIR /var/www/FreshRSS
-COPY . /var/www/FreshRSS
+COPY --chown=root:www-data . /var/www/FreshRSS
COPY ./Docker/*.Apache.conf /etc/apache2/conf.d/
ARG FRESHRSS_VERSION
diff --git a/Docker/entrypoint.sh b/Docker/entrypoint.sh
index 47a132d53..88e00bbce 100755
--- a/Docker/entrypoint.sh
+++ b/Docker/entrypoint.sh
@@ -45,7 +45,7 @@ if [ -n "$CRON_MIN" ]; then
-r "s#^[^ ]+ #$CRON_MIN #" | crontab -
fi
-./cli/access-permissions.sh
+./cli/access-permissions.sh --only-userdirs
php -f ./cli/prepare.php >/dev/null
@@ -82,6 +82,8 @@ if [ -n "$FRESHRSS_USER" ]; then
fi
fi
-./cli/access-permissions.sh
+# Fix permissions of data added by prepare.php as well as a potential
+# installation/user setup
+./cli/access-permissions.sh --only-userdirs
exec "$@"
diff --git a/cli/access-permissions.sh b/cli/access-permissions.sh
index 6a6038ef4..1286d34aa 100755
--- a/cli/access-permissions.sh
+++ b/cli/access-permissions.sh
@@ -11,12 +11,22 @@ if [ "$(id -u)" -ne 0 ]; then
exit 3
fi
+# Always fix permissions on the data and extensions directories
+# If specified, only fix the data and extensions directories
+data_path="${DATA_PATH:-./data}"
+if [ "${1:-}" = "--only-userdirs" ]; then
+ to_update="./extensions"
+else
+ to_update="."
+fi
+
+mkdir -p "${data_path}/users/_/"
+
# Based on group access
-chown -R :www-data .
+chown -R :www-data "$data_path" "$to_update"
# Read files, and directory traversal
-chmod -R g+rX .
+chmod -R g+rX "$data_path" "$to_update"
-# Write access
-mkdir -p ./data/users/_/
-chmod -R g+w ./data/
+# Write access to data
+chmod -R g+w "$data_path"
generated by cgit v1.2.3 (git 2.39.1) at 2026-02-10 14:09:26 +0000