fix: Run container as root to fix react-router permission denied

- Change Dockerfile to run as root instead of peikarband user
- Update Helm values.yaml to use root user (runAsUser: 0, runAsNonRoot: false)
- Improve entrypoint.sh permission handling with reusable function
- Add reflex init before run if packages not installed
- Fix node_modules/.bin permissions for symlinks and targets

This resolves the 'react-router: Permission denied' error by running
containers with root privileges. TODO: Switch back to non-root user
after permission issues are fully resolved.

docker/Dockerfile

@@ -101,9 +101,10 @@ LABEL org.opencontainers.image.vendor="Peikarband"
 LABEL org.opencontainers.image.version="${VERSION}"
 LABEL org.opencontainers.image.created="${BUILD_DATE}"
 
-# Create non-root user
-RUN groupadd -r peikarband && \
-    useradd -r -g peikarband -u 1000 -m -s /bin/bash peikarband
+# Running as root for now to avoid permission issues
+# TODO: Switch back to non-root user after permission issues are resolved
+# RUN groupadd -r peikarband && \
+#     useradd -r -g peikarband -u 1000 -m -s /bin/bash peikarband
 
 WORKDIR /app
 
@@ -124,7 +125,8 @@ COPY --from=builder /usr/local/bin /usr/local/bin
 
 # Copy application code to /app/peikarband/ to create peikarband.peikarband structure
 # With app_name="peikarband", Reflex expects to find peikarband.peikarband module
-COPY --from=builder --chown=peikarband:peikarband /build/peikarband /app/peikarband
+# Running as root, so no need for chown
+COPY --from=builder /build/peikarband /app/peikarband
 
 # Copy entrypoint script
 COPY docker/entrypoint.sh /usr/local/bin/entrypoint.sh
@@ -163,7 +165,7 @@ ENV PYTHONUNBUFFERED=1 \
     REFLEX_DIR=/app/peikarband \
     NODE_ENV=production
 
-# Diagnostic information (before switching to non-root user)
+# Diagnostic information
 RUN echo "=== Diagnostic Info ===" && \
     if [ -f /app/peikarband/.web/node_modules/.bin/react-router ]; then \
         ls -la /app/peikarband/.web/node_modules/.bin/react-router && \
@@ -178,8 +180,8 @@ RUN echo "=== Diagnostic Info ===" && \
 HEALTHCHECK --interval=30s --timeout=10s --start-period=40s --retries=3 \
     CMD curl -f http://localhost:8000/ping || exit 1
 
-# Switch to non-root user
-USER peikarband
+# Running as root for now to avoid permission issues
+# USER peikarband
 
 # Expose port
 EXPOSE 3000 8000

docker/entrypoint.sh

@@ -1,55 +1,71 @@
 #!/bin/bash
 set -e
 
-# Validate node_modules permissions before starting
-if [ -d /app/peikarband/.web/node_modules/.bin ]; then
-    echo "Checking node_modules/.bin permissions..."
-    
-    REACT_ROUTER_BIN="/app/peikarband/.web/node_modules/.bin/react-router"
-    
-    # Check if react-router exists
-    if [ -e "$REACT_ROUTER_BIN" ]; then
-        # If it's a symlink, check and fix the target
-        if [ -L "$REACT_ROUTER_BIN" ]; then
-            TARGET=$(readlink -f "$REACT_ROUTER_BIN")
-            echo "react-router is a symlink pointing to: $TARGET"
-            if [ -f "$TARGET" ] && [ ! -x "$TARGET" ]; then
-                echo "WARNING: Target file is not executable, attempting to fix..."
-                chmod +x "$TARGET" 2>/dev/null || true
+# Function to fix node_modules permissions
+fix_node_modules_permissions() {
+    if [ -d /app/peikarband/.web/node_modules/.bin ]; then
+        echo "Checking node_modules/.bin permissions..."
+        
+        REACT_ROUTER_BIN="/app/peikarband/.web/node_modules/.bin/react-router"
+        
+        # Check if react-router exists
+        if [ -e "$REACT_ROUTER_BIN" ]; then
+            # If it's a symlink, check and fix the target
+            if [ -L "$REACT_ROUTER_BIN" ]; then
+                TARGET=$(readlink -f "$REACT_ROUTER_BIN")
+                echo "react-router is a symlink pointing to: $TARGET"
+                if [ -f "$TARGET" ] && [ ! -x "$TARGET" ]; then
+                    echo "WARNING: Target file is not executable, attempting to fix..."
+                    chmod +x "$TARGET" 2>/dev/null || true
+                fi
             fi
-        fi
-        
-        # Fix permissions for react-router itself (file or symlink)
-        if [ ! -x "$REACT_ROUTER_BIN" ]; then
-            echo "WARNING: react-router is not executable, attempting to fix..."
-            chmod +x "$REACT_ROUTER_BIN" 2>/dev/null || true
-        fi
-        
-        # Fix all .bin files and their symlink targets
-        echo "Fixing permissions for all .bin files and symlink targets..."
-        find /app/peikarband/.web/node_modules/.bin -type f -exec chmod +x {} \; 2>/dev/null || true
-        find /app/peikarband/.web/node_modules/.bin -type l | while read symlink; do
-            target=$(readlink -f "$symlink" 2>/dev/null || true)
-            if [ -n "$target" ] && [ -f "$target" ]; then
-                chmod +x "$target" 2>/dev/null || true
+            
+            # Fix permissions for react-router itself (file or symlink)
+            if [ ! -x "$REACT_ROUTER_BIN" ]; then
+                echo "WARNING: react-router is not executable, attempting to fix..."
+                chmod +x "$REACT_ROUTER_BIN" 2>/dev/null || true
+            fi
+            
+            # Fix all .bin files and their symlink targets
+            echo "Fixing permissions for all .bin files and symlink targets..."
+            find /app/peikarband/.web/node_modules/.bin -type f -exec chmod +x {} \; 2>/dev/null || true
+            find /app/peikarband/.web/node_modules/.bin -type l | while read symlink; do
+                target=$(readlink -f "$symlink" 2>/dev/null || true)
+                if [ -n "$target" ] && [ -f "$target" ]; then
+                    chmod +x "$target" 2>/dev/null || true
+                fi
+                chmod +x "$symlink" 2>/dev/null || true
+            done
+            
+            # Verify react-router is executable
+            if [ -x "$REACT_ROUTER_BIN" ]; then
+                echo "✅ react-router is executable"
+            else
+                echo "⚠️  WARNING: react-router may still not be executable (running as non-root)"
             fi
-            chmod +x "$symlink" 2>/dev/null || true
-        done
-        
-        # Verify react-router is executable
-        if [ -x "$REACT_ROUTER_BIN" ]; then
-            echo "✅ react-router is executable"
         else
-            echo "⚠️  WARNING: react-router may still not be executable (running as non-root)"
+            echo "⚠️  WARNING: react-router binary not found (packages may not be installed yet)"
         fi
     else
-        echo "⚠️  WARNING: react-router binary not found"
+        echo "⚠️  WARNING: .web/node_modules/.bin directory not found (packages may not be installed yet)"
     fi
-fi
+}
 
 # Change to the directory containing rxconfig.py
 cd /app/peikarband
 
+# If reflex run is being executed, ensure packages are installed first
+# This handles the case where .web directory doesn't exist from build time
+if [ "$1" = "run" ] && [ ! -d /app/peikarband/.web/node_modules ]; then
+    echo "Initializing Reflex (installing packages)..."
+    reflex init --loglevel info || true
+    echo "Packages installed, fixing permissions..."
+    fix_node_modules_permissions
+fi
+
+# Fix permissions if node_modules already exists (from build time or init)
+fix_node_modules_permissions
+
 # Run reflex with all passed arguments
 exec reflex "$@"
 

helm/peikarband/values.yaml

@@ -50,10 +50,12 @@ podAnnotations:
   prometheus.io/port: "8000"
   prometheus.io/path: "/metrics"
 
+# Running as root for now to avoid permission issues
+# TODO: Switch back to non-root user after permission issues are resolved
 podSecurityContext:
-  runAsNonRoot: true
-  runAsUser: 1000
-  fsGroup: 1000
+  runAsNonRoot: false
+  runAsUser: 0
+  fsGroup: 0
 
 securityContext:
   allowPrivilegeEscalation: false