From 2a856fdc435f93a626c6819d6c5834260833a2de Mon Sep 17 00:00:00 2001 From: Loris Moulin Date: Mon, 30 Jun 2025 23:30:12 +0200 Subject: [PATCH 1/3] added entrypoint as root to update dirs perms --- Dockerfile | 32 +++++++++++++++++++++++++++----- scripts/docker_entrypoint.sh | 11 +++++++++++ 2 files changed, 38 insertions(+), 5 deletions(-) create mode 100644 scripts/docker_entrypoint.sh diff --git a/Dockerfile b/Dockerfile index 447ed98b5e..06b7075b2a 100644 --- a/Dockerfile +++ b/Dockerfile @@ -48,6 +48,10 @@ FROM ${BASE_IMAGE} AS subtensor # ---- security hardening: create least-privilege user ---- RUN addgroup --system --gid 10001 subtensor && \ adduser --system --uid 10001 --gid 10001 --home /home/subtensor --disabled-password subtensor + +# Install gosu for privilege dropping +RUN apt-get update && apt-get install -y gosu && \ + rm -rf /var/lib/apt/lists/* # Writable data directory to be used as --base-path RUN mkdir -p /data && chown -R subtensor:subtensor /data @@ -61,10 +65,17 @@ COPY --chown=subtensor:subtensor --from=prod_builder /build/chainspecs/*.json ./ COPY --from=prod_builder /build/target/production/node-subtensor /usr/local/bin/ RUN chown subtensor:subtensor /usr/local/bin/node-subtensor +# Copy and prepare entrypoint +COPY ./scripts/docker_entrypoint.sh /entrypoint.sh +RUN chmod +x /entrypoint.sh + EXPOSE 30333 9933 9944 -USER subtensor -ENTRYPOINT ["node-subtensor"] -CMD ["--base-path","/data"] + +# Run entrypoint as root to handle permissions, then drop to subtensor user +# in the script +USER root +ENTRYPOINT ["/entrypoint.sh"] +CMD ["--base-path", "/data"] ############################################################################### # ---------- 4. Local build stage -------------------------------------------- 
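Review bot: The new `RUN apt-get update && apt-get install -y gosu` in the subtensor stage installs an unpinned package with recommends enabled (hadolint DL3008/DL3015); the same line is repeated in the subtensor-local stage hunk. I would write it as `RUN apt-get update && apt-get install -y --no-install-recommends gosu=<pinned-version> && rm -rf /var/lib/apt/lists/*` so the image is reproducible and carries nothing beyond gosu itself. Switching the final stage to `USER root` also changes the image's contract: it now starts as uid 0 and only the script drops privileges, so admission checks that require a non-root image user (Kubernetes `runAsNonRoot`) will reject it unless the deployment overrides the user, which presumably stops the script's chown and gosu steps from working; that trade-off deserves a comment next to `USER root`, e.g. `# NOTE: image starts as root only so the entrypoint can fix volume ownership; it execs node-subtensor as uid 10001 via gosu`. Minor: `COPY ./scripts/docker_entrypoint.sh /entrypoint.sh` followed by `RUN chmod +x /entrypoint.sh` can be a single `COPY --chmod=0755 ./scripts/docker_entrypoint.sh /entrypoint.sh` layer. The rest of the subtensor stage lies outside these hunks.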
@@ -84,6 +95,10 @@ FROM ${BASE_IMAGE} AS subtensor-local RUN addgroup --system --gid 10001 subtensor && \ adduser --system --uid 10001 --gid 10001 --home /home/subtensor --disabled-password subtensor +# Install gosu for privilege dropping +RUN apt-get update && apt-get install -y gosu && \ + rm -rf /var/lib/apt/lists/* + RUN mkdir -p /data && chown -R subtensor:subtensor /data WORKDIR /home/subtensor @@ -93,11 +108,18 @@ COPY --chown=subtensor:subtensor --from=local_builder /build/chainspecs/*.json . COPY --from=local_builder /build/target/release/node-subtensor /usr/local/bin/ RUN chown subtensor:subtensor /usr/local/bin/node-subtensor +# Copy and prepare entrypoint +COPY ./scripts/docker_entrypoint.sh /entrypoint.sh +RUN chmod +x /entrypoint.sh + # Generate a local chainspec for convenience (run as root before user switch) RUN node-subtensor build-spec --disable-default-bootnode --raw --chain local > /localnet.json \ && chown subtensor:subtensor /localnet.json EXPOSE 30333 9933 9944 -USER subtensor -ENTRYPOINT ["node-subtensor"] + +# Run entrypoint as root to handle permissions, then drop to subtensor user +# in the script +USER root +ENTRYPOINT ["/entrypoint.sh"] CMD ["--base-path","/data","--chain","/localnet.json"] diff --git a/scripts/docker_entrypoint.sh b/scripts/docker_entrypoint.sh new file mode 100644 index 0000000000..89b639ed4f --- /dev/null +++ b/scripts/docker_entrypoint.sh @@ -0,0 +1,11 @@ +#!/bin/sh +set -e + +chown -R subtensor:subtensor /data + +if [ -d "/tmp/blockchain" ]; then + chown -R subtensor:subtensor /tmp/blockchain +fi + +# Execute node-subtensor with any arguments passed to the script as subtensor user +exec gosu subtensor node-subtensor "$@" \ No newline at end of file From 77f9f9fbae2f10e7f000483ff75ea08602d20acb Mon Sep 17 00:00:00 2001 
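Review bot: The new scripts/docker_entrypoint.sh runs `chown -R subtensor:subtensor /data` and `gosu` unconditionally, so when the container is started with a non-root user override (`docker run --user`, Kubernetes `runAsUser`) the chown presumably fails on anything not already owned by uid 10001 and `set -e` aborts before node-subtensor starts. A guard at the top, `if [ "$(id -u)" -ne 0 ]; then exec node-subtensor "$@"; fi`, keeps the image usable in both modes and is the natural place to document why root is needed at all. `/tmp/blockchain` is hard-coded with nothing saying who creates it or why it needs re-owning; a one-line comment such as `# /tmp/blockchain: TODO document which component creates this directory` would help the next reader. The file also lacks a trailing newline.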
From: Loris Moulin Date: Mon, 30 Jun 2025 23:48:41 +0200 Subject: [PATCH 2/3] handle both types of args --foo=bar and --foo=bar for overrided base-path/chain-spec --- scripts/docker_entrypoint.sh | 50 +++++++++++++++++++++++++++++++++--- 1 file changed, 47 insertions(+), 3 deletions(-) diff --git a/scripts/docker_entrypoint.sh b/scripts/docker_entrypoint.sh index 89b639ed4f..9465e6bef2 100644 --- a/scripts/docker_entrypoint.sh +++ b/scripts/docker_entrypoint.sh 
@@ -1,11 +1,55 @@ #!/bin/sh set -e -chown -R subtensor:subtensor /data +# Store original arguments to pass to the final exec call +original_args="$@" +base_path='' +chain_spec='' + +# Parse arguments to find the real --base-path and --chain, handles both +# --key value and --key=value formats. +while [ $# -gt 0 ]; do + case "$1" in + --base-path) + # Check if the next argument exists and is not another option + if [ -n "$2" ] && ! expr "$2" : '--' > /dev/null; then + base_path="$2" + shift + fi + ;; + --base-path=*) + base_path="${1#*=}" + ;; + --chain) + # Check if the next argument exists and is not another option + if [ -n "$2" ] && ! expr "$2" : '--' > /dev/null; then + chain_spec="$2" + shift + fi + ;; + --chain=*) + chain_spec="${1#*=}" + ;; + esac + shift +done + +echo "Entrypoint: ensuring permissions for base path: ${base_path}" +mkdir -p "$base_path" +chown -R subtensor:subtensor "$base_path" + +# Check if a chain spec was provided and if it's an existing file +if [ -n "$chain_spec" ] && [ -f "$chain_spec" ]; then + echo "Entrypoint: ensuring permissions for chain spec: ${chain_spec}" + chown subtensor:subtensor "$chain_spec" +fi + +# Also check for the hardcoded /tmp/blockchain directory if [ -d "/tmp/blockchain" ]; then chown -R subtensor:subtensor /tmp/blockchain fi -# Execute node-subtensor with any arguments passed to the script as subtensor user -exec gosu subtensor node-subtensor "$@" \ No newline at end of file +# Execute node-subtensor with the original, unmodified arguments +echo "executing: gosu subtensor node-subtensor $original_args" +exec gosu subtensor node-subtensor $original_args \ No newline at end of file From 892044609644dd2d6027fdabe02682d288de664c Mon Sep 17 00:00:00 2001 From: Loris Moulin Date: Mon, 30 Jun 2025 23:50:48 +0200 Subject: [PATCH 3/3] fix the default as /data for base path --- scripts/docker_entrypoint.sh | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) 
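Review bot: `original_args="$@"` on the new side collapses the argument vector into one string and `exec gosu subtensor node-subtensor $original_args` re-splits it on whitespace, so any argument containing a space (a node name, a path with spaces) is broken apart and glob characters in arguments are expanded; the `shift` loop is the only reason the copy exists. Parsing with a `for arg in "$@"` loop and a `prev` variable leaves the positional parameters untouched so the final exec can pass `"$@"` verbatim, as sketched below (the display `echo` can print `"$*"` instead). Separately, `mkdir -p` and `chown -R` run as root on whatever `--base-path` the caller supplies, so a stray `--base-path /` or a path on a shared bind mount re-owns far more than the node's data; rejecting `/` and relative paths before the chown is cheap insurance. The same loop change carries over to the follow-up patch in this series that defaults `base_path` to `/data`.
```shell
base_path=''
chain_spec=''
prev=''

# Inspect every argument without shifting, so "$@" survives intact for the
# final exec; a value after --base-path/--chain is taken only when it is
# non-empty and does not itself look like an option.
for arg in "$@"; do
    case "$prev" in
        --base-path) case "$arg" in ''|--*) ;; *) base_path="$arg" ;; esac ;;
        --chain)     case "$arg" in ''|--*) ;; *) chain_spec="$arg" ;; esac ;;
    esac
    case "$arg" in
        --base-path=*) base_path="${arg#*=}" ;;
        --chain=*)     chain_spec="${arg#*=}" ;;
    esac
    prev="$arg"
done

# … unchanged: mkdir/chown of base path, chain spec and /tmp/blockchain …

echo "executing: gosu subtensor node-subtensor $*"
exec gosu subtensor node-subtensor "$@"
```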
diff --git a/scripts/docker_entrypoint.sh b/scripts/docker_entrypoint.sh index 9465e6bef2..e5a5e15289 100644 --- a/scripts/docker_entrypoint.sh +++ b/scripts/docker_entrypoint.sh @@ -4,7 +4,8 @@ set -e # Store original arguments to pass to the final exec call original_args="$@" -base_path='' +# Set default values +base_path='/data' chain_spec='' # Parse arguments to find the real --base-path and --chain, handles both @@ -35,13 +36,13 @@ while [ $# -gt 0 ]; do shift done -echo "Entrypoint: ensuring permissions for base path: ${base_path}" +echo "entrypoint: ensuring permissions for base path: ${base_path}" mkdir -p "$base_path" chown -R subtensor:subtensor "$base_path" # Check if a chain spec was provided and if it's an existing file if [ -n "$chain_spec" ] && [ -f "$chain_spec" ]; then - echo "Entrypoint: ensuring permissions for chain spec: ${chain_spec}" + echo "entrypoint: ensuring permissions for chain spec: ${chain_spec}" chown subtensor:subtensor "$chain_spec" fi