Fix permission errors on the /tmp volume (#4457)

marcoacierno · web-flow · commit 9a8117ffa8ca · 2025-08-02T22:31:41.000+01:00
diff --git a/backend/Dockerfile b/backend/Dockerfile
@@ -80,10 +80,8 @@ COPY --chown=app:app --from=js-stage ${FUNCTION_DIR}/dist/_astro ${FUNCTION_DIR}
 COPY --chown=app:app --from=build-stage ${FUNCTION_DIR}/.venv ${FUNCTION_DIR}/.venv
 
 COPY --chown=app:app . ${FUNCTION_DIR}
-
-USER app
+COPY ./entrypoint.sh /entrypoint.sh
 
 RUN mkdir -p assets && .venv/bin/python manage.py collectstatic --noinput
 
-ENTRYPOINT ["/home/app/.venv/bin/gunicorn"]
-CMD [ "pycon.wsgi" ]
+ENTRYPOINT ["/entrypoint.sh"]
diff --git a/backend/entrypoint.sh b/backend/entrypoint.sh
@@ -0,0 +1,6 @@
+#!/bin/sh
+set -e
+
+chown -R app:app /tmp
+
+exec su -p app -c "exec $*"
diff --git a/infrastructure/applications/pycon_backend/web_task.tf b/infrastructure/applications/pycon_backend/web_task.tf
@@ -7,12 +7,9 @@ resource "aws_ecs_task_definition" "web" {
       image             = "${data.aws_ecr_repository.be_repo.repository_url}@${data.aws_ecr_image.be_arm_image.image_digest}"
       memoryReservation = local.is_prod ? 400 : 10
       essential         = true
-      entrypoint = [
-        "/home/app/.venv/bin/gunicorn",
-      ]
 
       command = [
-        "-w", "5", "-b", "0.0.0.0:8000", "pycon.wsgi"
+        "/home/app/.venv/bin/gunicorn", "-w", "5", "-b", "0.0.0.0:8000", "pycon.wsgi"
       ]
 
       dockerLabels = {
diff --git a/infrastructure/applications/pycon_backend/worker.tf b/infrastructure/applications/pycon_backend/worker.tf
@@ -218,12 +218,9 @@ resource "aws_ecs_task_definition" "worker" {
       image             = "${data.aws_ecr_repository.be_repo.repository_url}@${data.aws_ecr_image.be_arm_image.image_digest}"
       memoryReservation = local.is_prod ? 200 : 10
       essential         = true
-      entrypoint = [
-        "/home/app/.venv/bin/celery",
-      ]
 
       command = [
-        "-A", "pycon", "worker", "-l", "info", "-E"
+        "/home/app/.venv/bin/celery", "-A", "pycon", "worker", "-l", "info", "-E"
       ]
 
       environment = local.env_vars
@@ -262,12 +259,9 @@ resource "aws_ecs_task_definition" "worker" {
       image             = "${data.aws_ecr_repository.be_repo.repository_url}@${data.aws_ecr_image.be_arm_image.image_digest}"
       memoryReservation = local.is_prod ? 200 : 10
       essential         = false
-      entrypoint = [
-        "/home/app/.venv/bin/python",
-      ]
 
       command = [
-        "manage.py", "migrate"
+        "/home/app/.venv/bin/python", "manage.py", "migrate"
       ]
 
       environment = local.env_vars
@@ -316,12 +310,9 @@ resource "aws_ecs_task_definition" "beat" {
       image             = "${data.aws_ecr_repository.be_repo.repository_url}@${data.aws_ecr_image.be_arm_image.image_digest}"
       memoryReservation = local.is_prod ? 200 : 10
       essential         = true
-      entrypoint = [
-        "/home/app/.venv/bin/celery",
-      ]
 
       command = [
-        "-A", "pycon", "beat", "-l", "info"
+        "/home/app/.venv/bin/celery", "-A", "pycon", "beat", "-l", "info"
       ]
 
       environment = local.env_vars
diff --git a/infrastructure/applications/pycon_backend/worker_heavy_processing.tf b/infrastructure/applications/pycon_backend/worker_heavy_processing.tf
@@ -22,12 +22,9 @@ resource "aws_ecs_task_definition" "heavy_processing_worker" {
       image             = "${data.aws_ecr_repository.be_repo.repository_url}@${data.aws_ecr_image.be_arm_image.image_digest}"
       memoryReservation = 16384
       essential         = true
-      entrypoint = [
-        "/home/app/.venv/bin/celery",
-      ]
 
       command = [
-        "-A", "pycon", "worker", "-l", "info", "-Q", "heavy_processing", "--hostname", "heavyprocessing@%h", "-E"
+        "/home/app/.venv/bin/celery", "-A", "pycon", "worker", "-l", "info", "-Q", "heavy_processing", "--hostname", "heavyprocessing@%h", "-E"
       ]
 
       environment = local.env_vars
