* feat(docker): default CMD to `mini -dir=/data` for service-container use
GitHub Actions service containers cannot pass arguments to the image
entrypoint, so `chrislusf/seaweedfs` is currently unusable as a service
because it requires a `weed` subcommand. Set a sensible default CMD so
the image starts a complete single-process cluster (master, volume,
filer, S3 on :8333, admin UI) out of the box, while still being
overridable by passing any other subcommand at `docker run` /
compose time.
Also add a `mini` case to entrypoint.sh so its logs go to stderr,
matching the existing master/volume/server cases.
Closes#9247
* fix(docker): make `isArgPassed` match `--flag` as well as `-flag`
The Go fla9 library accepts both `-flag` and `--flag` syntax, but
`isArgPassed` only matched the single-dash form. That meant a user
passing `--dir=/foo` to `weed mini` (or `--max=5` to `volume`,
`--volume.max=5` to `server`) would not suppress the entrypoint's
default, and the duplicate flag was silently appended to the command
line — relying on last-wins parsing for correctness. Match double-dash
explicitly so the override is detected for every case in the file.
build(docker): apply full apk upgrade in final image to pick up security patches
Trivy flagged CVE-2026-28390 (libcrypto3/libssl3) on the published image
because the final stage only upgraded zlib. Broaden to `apk upgrade
--no-cache` so all Alpine security fixes land at build time.
Alpine's busybox wget does not support --ca-cert, --certificate, and
--private-key options required for HTTPS healthchecks with client
certificate authentication.
Adding curl to Docker images enables proper HTTPS healthchecks.
Fixes#7707
