Changes before error encountered

Agent-Logs-Url: https://github.com/nextcloud/all-in-one/sessions/6f198732-63c3-41b7-8b2e-1b5fa565ee21 Co-authored-by: szaimen <42591237+szaimen@users.noreply.github.com>
2026-05-28 06:20:14 +00:00 · 2026-04-27 02:12:13 +00:00
parent 5cbdb00ff4
commit 312acddf27
3 changed files with 33 additions and 30 deletions
--- a/Containers/windmill/Dockerfile
+++ b/Containers/windmill/Dockerfile
@@ -32,28 +32,33 @@ RUN set -ex; \
        netcat-openbsd; \
    rm -rf /var/lib/apt/lists/*; \
    \
-    # Create the postgres system user and group (without a fixed GID to avoid conflicts)
-    groupadd -r postgres || true; \
-    useradd -r -g postgres --home-dir=/var/lib/postgresql --shell=/bin/bash postgres || true; \
+    # Create a single non-root windmill user (uid=10001) that owns both PostgreSQL
+    # and Windmill processes — no root or privilege-switching needed at runtime
+    groupadd -r windmill --gid=10001; \
+    useradd -r -g windmill --uid=10001 --home-dir=/var/lib/windmill --shell=/sbin/nologin windmill; \
    \
-    # Create required directories
+    # Create required directories and give windmill user full ownership
    mkdir -p \
        /var/lib/postgresql/data \
        /var/run/postgresql \
        /var/log/supervisord \
        /var/run/supervisord \
-        /tmp/windmill/cache; \
-    chown -R postgres:postgres /var/lib/postgresql /var/run/postgresql; \
-    chmod 775 /var/run/postgresql; \
-    chmod 777 \
+        /tmp/windmill/cache \
+        /var/lib/windmill; \
+    chown -R windmill:windmill \
+        /var/lib/postgresql \
+        /var/run/postgresql \
        /var/log/supervisord \
        /var/run/supervisord \
-        /tmp/windmill/cache; \
+        /tmp/windmill/cache \
+        /var/lib/windmill; \
+    chmod 750 /var/run/postgresql; \
+    chmod 750 /var/log/supervisord /var/run/supervisord; \
    \
-    # Create a symlink so 'postgres' and other pg tools are on PATH
+    # Create symlinks so postgres tools are on PATH
    ln -sf /usr/lib/postgresql/17/bin/postgres /usr/local/bin/postgres; \
-    ln -sf /usr/lib/postgresql/17/bin/initdb /usr/local/bin/initdb; \
-    ln -sf /usr/lib/postgresql/17/bin/pg_ctl /usr/local/bin/pg_ctl
+    ln -sf /usr/lib/postgresql/17/bin/initdb   /usr/local/bin/initdb; \
+    ln -sf /usr/lib/postgresql/17/bin/pg_ctl   /usr/local/bin/pg_ctl

 COPY --chmod=775 start.sh /start.sh
 COPY --chmod=775 healthcheck.sh /healthcheck.sh
@@ -62,6 +67,8 @@ COPY --chmod=664 supervisord.conf /supervisord.conf

 VOLUME ["/var/lib/postgresql/data", "/tmp/windmill/cache"]

+USER 10001
+
 EXPOSE 8000

 ENTRYPOINT ["/start.sh"]
--- a/Containers/windmill/start.sh
+++ b/Containers/windmill/start.sh
@@ -10,21 +10,18 @@ fi
 export TZ="${TZ:-Etc/UTC}"
 PGDATA="/var/lib/postgresql/data"

-# Fix runtime directory permissions (tmpfs mounts start owned by root)
-chown postgres:postgres /var/run/postgresql
-chmod 775 /var/run/postgresql
-
-# Initialize PostgreSQL data directory on first run
+# Initialize PostgreSQL data directory on first run.
+# No su/chown needed — we already own PGDATA (uid=10001 owns the volume).
 if [ -z "$(ls -A "$PGDATA" 2>/dev/null)" ]; then
    echo "Initializing PostgreSQL database for Windmill..."

-    # Ensure the data directory is owned by postgres before initdb
-    chown postgres:postgres "$PGDATA"
+    initdb -D "$PGDATA" \
+        --username=windmill \
+        --auth-local=trust \
+        --auth-host=trust \
+        --no-instructions

-    # Run initdb as the postgres user
-    su postgres -s /bin/bash -c "initdb -D '$PGDATA' --username=postgres --auth-local=trust --auth-host=trust --no-instructions"
-
-    # Allow connections from localhost without a password
+    # Allow local connections without a password; listen only on localhost
    cat > "$PGDATA/pg_hba.conf" << 'EOF'
 # TYPE  DATABASE        USER            ADDRESS                 METHOD
 local   all             all                                     trust
@@ -32,16 +29,16 @@ host    all             all             127.0.0.1/32            trust
 host    all             all             ::1/128                 trust
 EOF

-    # Only listen on localhost; the database is not exposed externally
    cat >> "$PGDATA/postgresql.conf" << 'EOF'
 listen_addresses = 'localhost'
 EOF

-    # Start PostgreSQL temporarily to create the windmill database and user
-    su postgres -s /bin/bash -c "pg_ctl -D '$PGDATA' start -w -o '-k /var/run/postgresql'"
-    su postgres -s /bin/bash -c "psql -h /var/run/postgresql -c \"CREATE USER windmill;\""
-    su postgres -s /bin/bash -c "psql -h /var/run/postgresql -c \"CREATE DATABASE windmill OWNER windmill;\""
-    su postgres -s /bin/bash -c "pg_ctl -D '$PGDATA' stop"
+    # Start PostgreSQL temporarily to create the windmill database, then stop it.
+    # supervisord will restart it properly afterward.
+    pg_ctl -D "$PGDATA" start -w -o "-k /var/run/postgresql"
+    psql -h /var/run/postgresql -U windmill postgres \
+        -c "CREATE DATABASE windmill OWNER windmill;"
+    pg_ctl -D "$PGDATA" stop -w

    echo "PostgreSQL initialization complete."
 fi
--- a/Containers/windmill/supervisord.conf
+++ b/Containers/windmill/supervisord.conf
@@ -8,7 +8,6 @@ logfile_backups=10
 loglevel=error

 [program:postgresql]
-user=postgres
 command=postgres -D /var/lib/postgresql/data -k /var/run/postgresql
 stdout_logfile=/dev/stdout
 stdout_logfile_maxbytes=0