From e13c8b1bd5822ab9ebd7b7f2230e6b3863fa38c5 Mon Sep 17 00:00:00 2001
From: Lyn Nagara
Date: Tue, 19 May 2026 12:46:23 -0700
Subject: [PATCH] dev: Fix cache directory permissions for nonroot user
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The distroless runtime image runs as `nonroot`, but `/tmp/synapse-cache` doesn't exist in the image — so when devservices mounts a named volume there, Docker creates the mountpoint as root and the locator's filesystem backup store fails to write. Pre-create the directory in the builder stage and COPY it into the runtime image with `--chown=nonroot:nonroot`, so named volumes inherit nonroot ownership. Since the path is now baked into the image, make `base_dir` optional in the locator config (defaulting to `/tmp/synapse-cache`) and drop the explicit setting from the devservices YAMLs.
---
 Dockerfile | 3 ++-
 devservices/ingest-router.yaml | 1 -
 devservices/proxy.yaml | 1 -
 locator/src/config.rs | 5 +++++
 4 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index dedb422..1ed8387 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -18,7 +18,7 @@ COPY shared ./shared
 RUN cargo build --release
-RUN mkdir /stage && cp --parents /usr/lib/$(gcc -print-multiarch)/libzstd.so.1 /stage
+RUN mkdir /stage /synapse-cache && cp --parents /usr/lib/$(gcc -print-multiarch)/libzstd.so.1 /stage
 # Runtime stage
 FROM gcr.io/distroless/cc-debian13:nonroot
@@ -26,6 +26,7 @@ WORKDIR /app
 COPY --from=builder /app/target/release/synapse synapse
 COPY --from=builder /stage/ /
+COPY --from=builder --chown=nonroot:nonroot /synapse-cache /tmp/synapse-cache
 ENTRYPOINT ["/app/synapse"]
 CMD []
diff --git a/devservices/ingest-router.yaml b/devservices/ingest-router.yaml
index 7d2650e..f9b495b 100644
--- a/devservices/ingest-router.yaml
+++ b/devservices/ingest-router.yaml
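Review bot: The added `COPY --from=builder --chown=nonroot:nonroot /synapse-cache /tmp/synapse-cache` line in the second Dockerfile hunk has no comment saying why an empty directory is copied, and its effect is narrower than it looks. Docker seeds a named volume from the image's mountpoint only when the volume is new and empty, so a volume that was already created as root before this change, or a bind mount, keeps its old owner and the write failure persists until the volume is recreated. I would put a comment above the line such as `# Pre-create the cache dir as nonroot; a new, empty named volume mounted here inherits this ownership (recreate older volumes)`. The directory's mode is left to the builder's umask at `mkdir /stage /synapse-cache` in the first hunk; if the backup file is meant to be private to the service, pin it with `--chmod=0700` on the same COPY and confirm the resulting mode on the built image.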
@@ -12,7 +12,6 @@ ingest_router:
 url: http://host.docker.internal:8000
 backup_route_store:
 type: filesystem
- base_dir: /tmp/synapse-cache
 filename: backup.bin
 compression: zstd1
 localities:
diff --git a/devservices/proxy.yaml b/devservices/proxy.yaml
index dcf1c4c..77a9c2f 100644
--- a/devservices/proxy.yaml
+++ b/devservices/proxy.yaml
@@ -11,7 +11,6 @@ proxy:
 url: http://host.docker.internal:8000
 backup_route_store:
 type: filesystem
- base_dir: /tmp/synapse-cache
 filename: backup.bin
 compression: zstd1
 localities:
diff --git a/locator/src/config.rs b/locator/src/config.rs
index ffcf311..845338c 100644
--- a/locator/src/config.rs
+++ b/locator/src/config.rs
@@ -12,11 +12,16 @@ pub enum Compression {
 Zstd3,
 }
+fn default_base_dir() -> String {
+ "/tmp/synapse-cache".into()
+}
+
 #[derive(Clone, Deserialize, Debug, PartialEq)]
 #[serde(rename_all = "snake_case")]
 #[serde(tag = "type")]
 pub enum BackupRouteStoreType {
 Filesystem {
+ #[serde(default = "default_base_dir")]
 base_dir: String,
 filename: String,
 compression: Compression,
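Review bot: `default_base_dir()` in the `locator/src/config.rs` hunk applies to every locator config, not only the devservices ones, so a deployment that omits `base_dir` now writes `backup.bin` under `/tmp/synapse-cache` where it previously failed at config parse. Outside the image built by this Dockerfile, `/tmp` is normally world-writable, and a fixed directory name there can be pre-created by another local account; if the store also reads the backup back (not visible in this hunk), that file becomes input the service trusts. The literal is now duplicated between the Dockerfile and this function and has to be kept in sync by hand. I would document that on the function, for example `/// Matches the directory the Dockerfile pre-creates with nonroot ownership; set base_dir explicitly when running outside that image.`, and add a deserialization test for the omitted-field case. `BackupRouteStoreType` continues past the end of the hunk.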