fix: resolve volume permission error for non-root container user

Entrypoint now runs as root, chowns the data directory to appuser,
then drops privileges via gosu before starting Gunicorn. This prevents
sqlite3.OperationalError on mounted volumes owned by root.

Dockerfile

@@ -4,8 +4,8 @@ FROM python:3.9-slim
 # Set the working directory
 WORKDIR /app
 
-# Install system dependencies (including gettext for envsubst)
+# Install system dependencies (including gettext for envsubst and gosu for privilege dropping)
-RUN apt-get update && apt-get install -y gettext && rm -rf /var/lib/apt/lists/*
+RUN apt-get update && apt-get install -y gettext gosu && rm -rf /var/lib/apt/lists/*
 
 # Install Python dependencies
 COPY requirements.txt .
@@ -30,7 +30,7 @@ ARG UID=1000
 ARG GID=1000
 RUN groupadd -g ${GID} appuser && useradd -u ${UID} -g ${GID} -s /bin/sh -M appuser
 RUN chown -R appuser:appuser /app /entrypoint.sh
-USER appuser
+# Entrypoint runs as root, fixes volume permissions, then drops to appuser via gosu
 
 # Use the entrypoint script as the container's command
 CMD ["/entrypoint.sh"]

entrypoint.sh

@@ -1,7 +1,12 @@
 #!/bin/sh
+# Fix ownership of the data directory so appuser can write the database.
+# This runs as root (no USER directive in Dockerfile) and is safe because
+# we immediately drop privileges via gosu before starting the app.
+DATA_DIR=$(dirname "${DATABASE_PATH:-/data/guestbook.db}")
+chown -R appuser:appuser "$DATA_DIR"
+
 # Process index.html.template to create index.html
-# Adjust the path if your template is located somewhere else
 envsubst < /app/templates/index.html.template > /app/templates/index.html
 
-# Start Gunicorn; using an environment variable for workers (default is 3)
+# Drop to appuser and start Gunicorn
-exec gunicorn --bind 0.0.0.0:8000 app:app --workers ${GUNICORN_WORKERS:-3}
+exec gosu appuser gunicorn --bind 0.0.0.0:8000 app:app --workers ${GUNICORN_WORKERS:-3}