From 9f7a9e25b459955d14284293e48860d6080560e6 Mon Sep 17 00:00:00 2001
From: Markus Kahl
Date: Thu, 20 Feb 2025 10:16:47 +0000
Subject: [PATCH] fix tmp folder permissions on helm
this is mostly relevant when using the helm chart where the default is a read-only file system and mounted tmp volumes
---
 docker/prod/Dockerfile | 9 +++++++++
 docker/prod/entrypoint-slim.sh | 4 ++++
 docker/prod/fix-tmp-permissions | 10 ++++++++++
 3 files changed, 23 insertions(+)
 create mode 100755 docker/prod/fix-tmp-permissions
diff --git a/docker/prod/Dockerfile b/docker/prod/Dockerfile
index a49f47967f59..3f8b4cf8a607 100755
--- a/docker/prod/Dockerfile
+++ b/docker/prod/Dockerfile
@@ -75,6 +75,15 @@ RUN cp Gemfile.lock.bak Gemfile.lock && rm Gemfile.lock.bak && \
 # -------------------------------------
 FROM base AS slim
+# install sudo so we can run the following single command as root on start-up
+# (see entrypoint-slim.sh)
+RUN apt-get update -qq && \
+ apt-get install -yq --no-install-recommends sudo && \
+ apt-get clean && \
+ rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* && \
+ truncate -s 0 /var/log/*log
+RUN echo "$APP_USER ALL=(ALL) NOPASSWD:$APP_PATH/docker/prod/fix-tmp-permissions" > /etc/sudoers
+
 USER $APP_USER
 EXPOSE 8080
 CMD ["./docker/prod/web"]
diff --git a/docker/prod/entrypoint-slim.sh b/docker/prod/entrypoint-slim.sh
index 96a4cee71736..91c286346ad7 100755
--- a/docker/prod/entrypoint-slim.sh
+++ b/docker/prod/entrypoint-slim.sh
@@ -8,4 +8,8 @@ if [ "$USE_JEMALLOC" = "true" ]; then
 export LD_PRELOAD=libjemalloc.so.2
 fi
+# make sure tmp folders have the correct owners and permissions
+# so that Ruby can create temporary files
+sudo docker/prod/fix-tmp-permissions
+
 exec "$@"
diff --git a/docker/prod/fix-tmp-permissions b/docker/prod/fix-tmp-permissions
new file mode 100755
index 000000000000..8f4eccf75255
--- /dev/null
+++ b/docker/prod/fix-tmp-permissions
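Review bot: The NOPASSWD rule written by `RUN echo "$APP_USER ALL=(ALL) NOPASSWD:$APP_PATH/docker/prod/fix-tmp-permissions" > /etc/sudoers` makes the privilege boundary of $APP_USER depend on that script and its parent directories not being writable by $APP_USER, and nothing in this hunk establishes that; if the application tree is copied with $APP_USER ownership (outside the hunk), a compromised app process could edit the script and run it as root. Pin it before the sudoers rule with `RUN chown root:root $APP_PATH/docker/prod/fix-tmp-permissions && chmod 0755 $APP_PATH/docker/prod/fix-tmp-permissions` or an equivalent COPY --chown. The redirect also replaces the distribution sudoers file wholesale, dropping its `Defaults` lines such as `secure_path`; writing the rule to a 0440 drop-in under /etc/sudoers.d and validating it with `visudo -cf` keeps those defaults and fails the build on a syntax error. Whether APP_USER and APP_PATH are ARG or ENV is not visible here; the expansion happens at build time either way, so the line itself works in both cases.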
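Review bot: `sudo docker/prod/fix-tmp-permissions` names the command by a relative path while the sudoers rule in the Dockerfile hunk allows only the absolute `$APP_PATH/docker/prod/fix-tmp-permissions`; sudo compares the resolved path, so this works only when the container's working directory is $APP_PATH, and from any other cwd sudo refuses and the script falls through to `exec "$@"` with the tmp permissions unfixed unless the file header (outside the hunk) enables `-e`. Use the absolute path and fail explicitly: `sudo "$APP_PATH/docker/prod/fix-tmp-permissions" || { printf 'fix-tmp-permissions failed\n' >&2; exit 1; }`, which presumes APP_PATH is exported as ENV — if it is only a build ARG, hard-code the same path the sudoers rule uses.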
@@ -0,0 +1,10 @@
+#!/bin/bash -e
+# needs to be executed as root
+
+APP_TMP_DIR=/app/tmp
+TMP_DIR=/tmp
+
+chmod 775 $APP_TMP_DIR
+chown app:app $APP_TMP_DIR
+
+chmod 1777 $TMP_DIR
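Review bot: `chown app:app $APP_TMP_DIR` and both `chmod` calls run as root and dereference symbolic links, so if the parent of /app/tmp is writable by the unprivileged app user and the path is replaced by a link between two starts, the privileged ownership change lands on whatever the link points at; the script should refuse to act on anything that is not a real directory. The hard-coded `app:app` also diverges from the `$APP_USER` the Dockerfile hunk uses for the sudoers rule, so if APP_USER is not `app` (its value is outside this patch) the owner is silently wrong. Moving the option from `#!/bin/bash -e` into `set -euo pipefail` keeps it when the file is run as `bash fix-tmp-permissions`, and quoting the expansions costs nothing. The modes themselves are unchanged below.
```shell
#!/bin/bash
set -euo pipefail
# needs to be executed as root

APP_TMP_DIR=/app/tmp
TMP_DIR=/tmp

# refuse symlinks: chown/chmod follow them, so a link planted in a
# writable parent would redirect the privileged change to another path
for dir in "$APP_TMP_DIR" "$TMP_DIR"; do
  if [[ -L "$dir" || ! -d "$dir" ]]; then
    printf 'fix-tmp-permissions: %s is not a directory\n' "$dir" >&2
    exit 1
  fi
done

chmod 775 "$APP_TMP_DIR"
chown app:app "$APP_TMP_DIR"

chmod 1777 "$TMP_DIR"
```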