fix(deployment): change application mount to read-write, remove storage/var volume overlays

Docker named volumes cannot create mount points inside read-only directories. Previous configuration attempted to mount storage and var-data volumes at subdirectories inside a read-only base mount (/var/www/html:ro), causing deployment failures. Changes: - php service: Changed /var/www/html mount from :ro to :rw, removed storage volume - queue-worker service: Changed mount to :rw, removed storage and var-data volumes - scheduler service: Changed mount to :rw, removed storage and var-data volumes Security maintained through: - Container runs as non-root user (appuser via gosu) - Security hardening (no-new-privileges, dropped capabilities) - Rsync deployment from trusted source This is the eighth cumulative fix for production deployment pipeline.
2025-11-04 16:43:46 +01:00
parent 0c0c3ba845
commit 41882dafe6
1 changed files with 6 additions and 16 deletions
--- a/docker-compose.production.yml
+++ b/docker-compose.production.yml
@@ -146,10 +146,8 @@ services:

    # Production volumes
    volumes:
-      # Mount application code from rsync deployment (read-only)
-      - /home/deploy/michaelschiemer/current:/var/www/html:ro
-      # Mount storage directory as writable volume (overlays the read-only code mount)
-      - storage:/var/www/html/storage:rw
+      # Mount application code from rsync deployment (read-write for storage/var directories)
+      - /home/deploy/michaelschiemer/current:/var/www/html:rw

  # Database service removed - using external PostgreSQL Stack (deployment/stacks/postgresql/)
  # Connection via app-internal network using docker-compose.postgres-override.yml
@@ -244,12 +242,8 @@ services:

    # Production volumes
    volumes:
-      # Mount application code from rsync deployment (read-only)
-      - /home/deploy/michaelschiemer/current:/var/www/html:ro
-      # Mount storage directory as writable volume (overlays the read-only code mount)
-      - storage:/var/www/html/storage:rw
-      # Mount var directory as writable volume for cache and logs (overlays read-only code mount)
-      - var-data:/var/www/html/var:rw
+      # Mount application code from rsync deployment (read-write for storage/var directories)
+      - /home/deploy/michaelschiemer/current:/var/www/html:rw

    environment:
      - APP_ENV=production
@@ -317,12 +311,8 @@ services:

    # Production volumes
    volumes:
-      # Mount application code from rsync deployment (read-only)
-      - /home/deploy/michaelschiemer/current:/var/www/html:ro
-      # Mount storage directory as writable volume (overlays the read-only code mount)
-      - storage:/var/www/html/storage:rw
-      # Mount var directory as writable volume for cache and logs (overlays read-only code mount)
-      - var-data:/var/www/html/var:rw
+      # Mount application code from rsync deployment (read-write for storage/var directories)
+      - /home/deploy/michaelschiemer/current:/var/www/html:rw

    environment:
      - TZ=Europe/Berlin