From 58ac6edd7dc3df89809671f7cb58e0a64e8d0f7a Mon Sep 17 00:00:00 2001
From: Oskar Kapala
Date: Wed, 3 Jun 2026 18:20:54 +0200
Subject: [PATCH] fix(stability-agent): run as uid 1000 with docker group access
stability-agent had no USER instruction and no user: in compose, running as root and writing root-owned files to /opt/homelab bind-mount.
- Dockerfile: add useradd -m -u 1000 homelab + USER homelab
- docker-compose.yml: add user: "1000:1000" and group_add: ["999"] (GID 999 = docker group on VPS) to retain docker.sock:ro access
Co-Authored-By: Claude Sonnet 4.6
---
 services/stability-agent/Dockerfile | 4 +++-
 services/stability-agent/docker-compose.yml | 3 +++
 2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/services/stability-agent/Dockerfile b/services/stability-agent/Dockerfile
index 403964d..9bc2859 100644
--- a/services/stability-agent/Dockerfile
+++ b/services/stability-agent/Dockerfile
@@ -5,6 +5,8 @@ WORKDIR /app
 # No extra dependencies needed beyond standard library for the current script
 # But we might need them if we decide to use libraries later.
+RUN useradd -m -u 1000 homelab
+
 COPY src/stability_agent.py .
 COPY healthcheck.sh .
 RUN chmod +x healthcheck.sh
@@ -12,5 +14,5 @@ RUN chmod +x healthcheck.sh
 # Create the expected directories
 RUN mkdir -p /opt/homelab/state /opt/homelab/events
-# Run the agent
+USER homelab
 CMD ["python", "stability_agent.py"]
diff --git a/services/stability-agent/docker-compose.yml b/services/stability-agent/docker-compose.yml
index 4a09e98..086307c 100644
--- a/services/stability-agent/docker-compose.yml
+++ b/services/stability-agent/docker-compose.yml
@@ -2,6 +2,9 @@ services:
 stability-agent:
 build: .
 container_name: stability-agent
+ user: "1000:1000"
+ group_add:
+ - "999"
 restart: unless-stopped
 volumes:
 - /opt/homelab:/opt/homelab
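Review bot: `RUN useradd -m -u 1000 homelab` pins the uid but leaves the gid to useradd's default, while the compose change in the same commit hard-codes `user: "1000:1000"`; if the base image (outside this hunk) already owns gid 1000, useradd picks a different group and the two values drift apart without any build error. Create the pair explicitly, `RUN groupadd -g 1000 homelab && useradd -m -u 1000 -g homelab homelab`, so the numeric ids the compose file relies on are guaranteed. The new instruction also sits directly under the comment about dependencies, which now reads as if it described the user creation; a comment such as `# unprivileged runtime user; uid/gid must match user: in docker-compose.yml` would separate the two and document the coupling. The FROM line and the start of the file are outside the hunk.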
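Review bot: `USER homelab` is switched to only after `RUN mkdir -p /opt/homelab/state /opt/homelab/events` has created those directories as root, so in the image itself they stay root-owned and the agent can write to them only when the compose bind mount happens to cover them. Hand them to the runtime user in the same layer, `RUN mkdir -p /opt/homelab/state /opt/homelab/events && chown -R homelab:homelab /opt/homelab`, so the image also behaves when run without the bind mount and its ownership matches what the commit intends on the host. The removed `# Run the agent` comment is worth keeping above `CMD`, since `USER` now separates the directory setup from the command it applies to.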
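Review bot: `group_add: - "999"` hard-codes the host's docker group gid, which the description itself says is specific to one VPS; on any other host the number maps to a different or nonexistent group and the agent loses socket access with no error at compose time. Read it from the environment with the current value as the documented default, `group_add: ["${DOCKER_GID:-999}"]`, and note the coupling next to `user:` with `# uid/gid must match useradd in Dockerfile; DOCKER_GID = host docker group gid`. It is also worth stating in a comment that the `:ro` on the socket mount the description mentions restricts only the filesystem node, not the Docker API, so membership in the docker group still gives the agent daemon-level control of the host; this change fixes file ownership on the bind mount rather than reducing the agent's privilege. The volumes list continues past the end of the hunk.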