From 7246e8944855337c56a66b6a5e206fcb78c4e00b Mon Sep 17 00:00:00 2001
From: Michael Schiemer
Date: Tue, 4 Nov 2025 21:29:32 +0100
Subject: [PATCH] fix(deployment): add CHOWN and DAC_OVERRIDE capabilities to Redis for AOF persistence

The Redis container was failing with 'Permission denied' when trying to create the appendonlydir for AOF (Append-Only File) persistence.

The error occurred because:
1. Redis runs as root to read Docker Secrets from /run/secrets/redis_password
2. The /data volume is owned by UID 999 (default redis user)
3. cap_drop: ALL removed the CHOWN capability needed to create subdirectories
4. AOF persistence requires creating appendonlydir in /data with proper ownership

Solution:
- Added CHOWN capability: Allows Redis to create directories with correct ownership
- Added DAC_OVERRIDE capability: Allows writing to volume owned by different user
- Maintains all other security restrictions (no-new-privileges, minimal capabilities)

This fixes the continuous restart loop that persisted through commits:
- 5f7ebd9: Fixed healthcheck variable syntax
- 700fe81: Fixed entrypoint script variables
- bfe6a96: Changed healthcheck to read secret directly

The real issue was not the healthcheck but the permission error that prevented Redis from starting in the first place.

Refs: Redis container logs showed: 'Can't open or create append-only dir appendonlydir: Permission denied'
---
 docker-compose.production.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/docker-compose.production.yml b/docker-compose.production.yml
index fb51c04b..edafb717 100644
--- a/docker-compose.production.yml
+++ b/docker-compose.production.yml
@@ -169,6 +169,9 @@ services: # Redis will run as root, but this is acceptable for this use case cap_drop: - ALL + cap_add: + - CHOWN # Required for creating appendonlydir with correct permissions + - DAC_OVERRIDE # Required for writing to /data volume owned by redis user # Use entrypoint script to inject password from Docker Secret into environment # This makes password available to both Redis startup AND health check
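Review bot: Granting DAC_OVERRIDE to a process that runs as root (as the context comment "Redis will run as root" confirms) lets it bypass discretionary permission checks on every file the container can reach, which largely reverses what `cap_drop: - ALL` was meant to achieve for filesystem access; the added `cap_add:` lines solve the symptom (writing into /data owned by UID 999) rather than the mismatch that causes it. Two narrower options that avoid DAC_OVERRIDE entirely: run the service as the UID that owns /data (`user: "999:999"`) and make the secret readable to that UID via the long-form service `secrets:` syntax (`uid`, `gid`, `mode`), or keep root only for startup, have the entrypoint fix ownership of /data with CHOWN alone, and then drop to the redis user before exec'ing redis-server, so no runtime capability beyond CHOWN is needed. If DAC_OVERRIDE is kept, the comment `# Redis will run as root, but this is acceptable for this use case` should be updated to state that root now also retains DAC_OVERRIDE, and the commit message line "minimal capabilities" should reflect that.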