diff --git a/simplerisk-minimal/common/entrypoint.sh b/simplerisk-minimal/common/entrypoint.sh
index 80e3bbe..5db23d6 100644
--- a/simplerisk-minimal/common/entrypoint.sh
+++ b/simplerisk-minimal/common/entrypoint.sh
@@ -91,16 +91,16 @@ set_csrf_secret(){
 set_cron(){
 	# If SIMPLERISK_CRON_SETUP was passed and it is set to disabled
 	if [[ -n "${SIMPLERISK_CRON_SETUP:-}" && "${SIMPLERISK_CRON_SETUP:-}" = disabled* ]]; then
-		print_log "SimpleRisk cron setup is disabled."
+		print_log "cron_setup" "SimpleRisk cron setup is disabled."
 	else
-		print_log "SimpleRisk cron setup is enabled."
+		print_log "cron_setup" "SimpleRisk cron setup is enabled."
 
 		CRON_PATH='/tmp/backup-cron'
 
 		# Create the cron file
-		exec_cmd "echo '* * * * * /usr/local/bin/php -f /var/www/simplerisk/cron/cron.php > /dev/null 2>&1' >> $CRON_PATH"
-		exec_cmd "chmod 0644 $CRON_PATH"
-		exec_cmd "crontab $CRON_PATH"
+		exec_cmd "echo '* * * * * /usr/local/bin/php -f /var/www/simplerisk/cron/cron.php > /dev/null 2>&1' >> $CRON_PATH" "Failed to write cron file. Exiting."
+		exec_cmd "chmod 0644 $CRON_PATH" "Failed to chmod cron file. Exiting."
+		exec_cmd_nobail "crontab $CRON_PATH" || print_log "cron_setup:warn" "crontab installation failed — cron may not run. Set SIMPLERISK_CRON_SETUP=disabled if cron is managed externally."
 	fi
 }
 
@@ -113,6 +113,7 @@ apply_mail_setting(){
 	      -p"$SIMPLERISK_DB_PASSWORD" \
 	      -h "$SIMPLERISK_DB_HOSTNAME" \
 	      -P "$SIMPLERISK_DB_PORT" \
+	      --ssl-mode=REQUIRED \
 	      "$SIMPLERISK_DB_DATABASE" \
 	      -e "UPDATE settings SET value='${escaped}' WHERE name='${db_key}';" \
 	    || print_log "mail_settings:warn" "Failed to update ${db_key}"
diff --git a/simplerisk-minimal/common/etc/supervisor/supervisord.conf b/simplerisk-minimal/common/etc/supervisor/supervisord.conf
index 17377f5..06ebfb4 100644
--- a/simplerisk-minimal/common/etc/supervisor/supervisord.conf
+++ b/simplerisk-minimal/common/etc/supervisor/supervisord.conf
@@ -3,12 +3,11 @@ file=/tmp/supervisor.sock                   ; (the path to the socket file)
 chmod=0700
 
 [supervisord]
-childlogdir=/var/log/supervisor
-logfile=/var/log/supervisor/supervisord.log ; (main log file;default $CWD/supervisord.log)
-logfile_maxbytes=50MB                       ; (max main logfile bytes b4 rotation;default 50MB)
-logfile_backups=10                          ; (num of main logfile rotation backups;default 10)
+childlogdir=/tmp
+logfile=/dev/stdout                         ; (log to stdout for container-native logging)
+logfile_maxbytes=0                          ; (disable rotation — stdout is not seekable)
 loglevel=info                               ; (log level;default info; others: debug,warn,trace)
-pidfile=/var/run/supervisor/supervisord.pid ; (supervisord pidfile;default supervisord.pid)
+pidfile=/tmp/supervisord.pid                ; (use /tmp — always writable in containers)
 nodaemon=true                               ; (start in foreground if true;default false)
 minfds=1024                                 ; (min. avail startup file descriptors;default 1024)
 minprocs=200                                ; (min. avail process descriptors;default 200)
@@ -22,11 +21,17 @@ serverurl=unix:///tmp/supervisor.sock ; use a unix:// URL  for a unix socket
 [program:apache2]
 command=/usr/sbin/apache2ctl -D FOREGROUND
 stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
 stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
 autorestart=true
 
 [program:rsyslog]
 command=/usr/sbin/rsyslogd -n
+stdout_logfile=/dev/stdout
+stdout_logfile_maxbytes=0
+stderr_logfile=/dev/stderr
+stderr_logfile_maxbytes=0
 autorestart=true
 priority=10