From 41882dafe62c5a89fa94f457b2cc01ed2a57570c Mon Sep 17 00:00:00 2001
From: Michael Schiemer
Date: Tue, 4 Nov 2025 16:43:46 +0100
Subject: [PATCH] fix(deployment): change application mount to read-write, remove storage/var volume overlays
Docker named volumes cannot create mount points inside read-only directories. Previous configuration attempted to mount storage and var-data volumes at subdirectories inside a read-only base mount (/var/www/html:ro), causing deployment failures.
Changes:
- php service: Changed /var/www/html mount from :ro to :rw, removed storage volume
- queue-worker service: Changed mount to :rw, removed storage and var-data volumes
- scheduler service: Changed mount to :rw, removed storage and var-data volumes
Security maintained through:
- Container runs as non-root user (appuser via gosu)
- Security hardening (no-new-privileges, dropped capabilities)
- Rsync deployment from trusted source
This is the eighth cumulative fix for production deployment pipeline.
---
 docker-compose.production.yml | 22 ++++++----------------
 1 file changed, 6 insertions(+), 16 deletions(-)
diff --git a/docker-compose.production.yml b/docker-compose.production.yml
index db2b0182..0218ee29 100644
--- a/docker-compose.production.yml
+++ b/docker-compose.production.yml
@@ -146,10 +146,8 @@ services:
 # Production volumes
 volumes:
- # Mount application code from rsync deployment (read-only)
- - /home/deploy/michaelschiemer/current:/var/www/html:ro
- # Mount storage directory as writable volume (overlays the read-only code mount)
- - storage:/var/www/html/storage:rw
+ # Mount application code from rsync deployment (read-write for storage/var directories)
+ - /home/deploy/michaelschiemer/current:/var/www/html:rw
 # Database service removed - using external PostgreSQL Stack (deployment/stacks/postgresql/)
 # Connection via app-internal network using docker-compose.postgres-override.yml
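Review bot: The php service's whole code tree at `/var/www/html` is now writable by the application user, so any file-write primitive in the web-facing PHP process (an upload handler, a path-traversal bug, a config or template written with attacker-controlled input) becomes persistent code execution on the host path `/home/deploy/michaelschiemer/current`, which survives container restarts and, because the same path is bind-mounted into queue-worker and scheduler, is executed by those services as well. None of the mitigations listed in the commit message (non-root user, no-new-privileges, dropped capabilities, trusted rsync source) constrains writes made by the already-running application. Before accepting that surface, check whether the original failure was only a missing mount point: as far as I know Docker can mount a volume over a subdirectory of a read-only bind mount when that subdirectory already exists in the source, so creating `storage/` (and `var/`) in the rsync target during deploy should let `- /home/deploy/michaelschiemer/current:/var/www/html:ro` stay alongside `- storage:/var/www/html/storage:rw` — worth verifying on the deploy host. If the writable mount is kept, the new comment should state the trade-off, e.g. `# Entire code tree is writable by appuser (needed for storage/); a file-write bug here is persistent RCE — prefer :ro plus nested volumes once the mount points exist in the rsync target`. The php service definition starts above the hunk.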
@@ -244,12 +242,8 @@ services:
 # Production volumes
 volumes:
- # Mount application code from rsync deployment (read-only)
- - /home/deploy/michaelschiemer/current:/var/www/html:ro
- # Mount storage directory as writable volume (overlays the read-only code mount)
- - storage:/var/www/html/storage:rw
- # Mount var directory as writable volume for cache and logs (overlays read-only code mount)
- - var-data:/var/www/html/var:rw
+ # Mount application code from rsync deployment (read-write for storage/var directories)
+ - /home/deploy/michaelschiemer/current:/var/www/html:rw
 environment:
 - APP_ENV=production
@@ -317,12 +311,8 @@ services:
 # Production volumes
 volumes:
- # Mount application code from rsync deployment (read-only)
- - /home/deploy/michaelschiemer/current:/var/www/html:ro
- # Mount storage directory as writable volume (overlays the read-only code mount)
- - storage:/var/www/html/storage:rw
- # Mount var directory as writable volume for cache and logs (overlays read-only code mount)
- - var-data:/var/www/html/var:rw
+ # Mount application code from rsync deployment (read-write for storage/var directories)
+ - /home/deploy/michaelschiemer/current:/var/www/html:rw
 environment:
 - TZ=Europe/Berlin
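Review bot: The queue-worker's cache and logs now land directly in the deploy directory `/home/deploy/michaelschiemer/current`, the same host path the php and scheduler containers write to, because the `var-data` and `storage` named volumes were dropped; the three services therefore share one log/cache tree with no per-service isolation, and their runtime state lives inside the rsync target. If the deploy step syncs into `current` with `--delete` or swaps the directory per release (the name suggests a release layout, but the rsync invocation is not visible here), queued job files, cache and logs are overwritten or discarded on every deployment, and a compiled cache left by the previous release could be picked up by the new code. Keeping runtime state on a host path outside the release directory, e.g. `- /home/deploy/michaelschiemer/shared/var:/var/www/html/var:rw`, would restore the separation the old named volumes provided without depending on a read-only parent mount. The queue-worker service definition continues above and below the hunk.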
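Review bot: The new comment `# Mount application code from rsync deployment (read-write for storage/var directories)` on the scheduler service understates what the line does: the `:rw` flag makes the entire application tree writable, not only `storage/` and `var/`, and no remaining mount limits writes to those paths. A maintainer revisiting the hardening later will assume the narrower scope, so the comment should read `# Mount application code from rsync deployment; the whole tree is writable so the app can use storage/ and var/ (no separate volumes)`. The identical mount line is now repeated verbatim for php, queue-worker and scheduler; an `x-app-volumes: &app-volumes` extension field with `volumes: *app-volumes` on each service would keep the three in sync, provided the project's compose tooling handles YAML anchors. The scheduler service definition starts before the hunk.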