diff --git a/Dockerfile b/Dockerfile
index c29abe5..3110e4b 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -23,10 +23,9 @@ ENV NEXT_TELEMETRY_DISABLED 1
 RUN npm run build
 
 # Production image, copy all the files and run next
-FROM base AS runner
 # Install OpenSSL (required for Prisma) and Prisma CLI globally directly as root
-# We install prisma@5.22.0 to match project dependencies
-RUN apk add --no-cache openssl && \
+# Install su-exec for user switching
+RUN apk add --no-cache openssl su-exec && \
     npm install -g prisma@5.22.0
 
 WORKDIR /app
@@ -50,7 +49,8 @@ COPY --from=builder --chown=nextjs:nodejs /app/docker-entrypoint.sh ./
 # Set permissions
 RUN chmod +x ./docker-entrypoint.sh
 
-USER nextjs
+# Do not switch to user nextjs here, we let entrypoint handle it
+# USER nextjs
 
 EXPOSE 3000
 
diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh
index db07efa..4b94d32 100644
--- a/docker-entrypoint.sh
+++ b/docker-entrypoint.sh
@@ -1,11 +1,28 @@
 #!/bin/sh
-# Dừng script nếu có lỗi
 set -e
 
-# Chạy migration database (tạo bảng nếu chưa có)
-echo "Running database migrations..."
-prisma migrate deploy
+# Fix permissions for the database directory
+# This script runs as root, so we can change ownership of the mounted volume
+echo "Fixing permissions for /app/db..."
+mkdir -p /app/db
+chown -R nextjs:nodejs /app/db
+if [ -f "/app/db/prod.db" ]; then
+    chown nextjs:nodejs /app/db/prod.db
+fi
+if [ -f "/app/db/prod.db-journal" ]; then
+    chown nextjs:nodejs /app/db/prod.db-journal
+fi
+if [ -f "/app/db/prod.db-shm" ]; then
+    chown nextjs:nodejs /app/db/prod.db-shm
+fi
+if [ -f "/app/db/prod.db-wal" ]; then
+    chown nextjs:nodejs /app/db/prod.db-wal
+fi
+
+# Switch to nextjs user to run migration and app
+echo "Running database migrations..."
+su-exec nextjs prisma migrate deploy
 
-# Chạy ứng dụng Next.js
 echo "Starting Next.js application..."
-exec node server.js
+# exec replaces the shell process, su-exec switches user
+exec su-exec nextjs node server.js