fix(control-plane): run executor as uid 1000 with docker group access

Executor was the only control-plane container running as root (uid=0), writing root-owned files to /opt/homelab via bind-mount and triggering false sudo on every deploy. - Dockerfile: add USER homelab after useradd (useradd already present) - docker-compose.yml: add user: "1000:1000" and group_add: ["999"] (GID 999 = docker group on VPS) so executor retains docker.sock access Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-03 18:19:58 +02:00 · 2026-06-03 18:19:58 +02:00 · 7f17b65278
parent e6a2443412
commit 7f17b65278
2 changed files with 4 additions and 0 deletions
--- a/services/control-plane/Dockerfile
+++ b/services/control-plane/Dockerfile
@ -20,4 +20,5 @@ ENV RUNTIME_PATH=/opt/homelab
 ENV PYTHONUNBUFFERED=1

 # Default command (will be overridden in docker-compose)
+USER homelab
 CMD ["python", "src/operator_ui.py"]
--- a/services/control-plane/docker-compose.yml
+++ b/services/control-plane/docker-compose.yml
@ -56,6 +56,9 @@ services:
  executor:
    build: .
    container_name: control-plane-executor
+    user: "1000:1000"
+    group_add:
+      - "999"
    command: python src/executor.py
    volumes:
      - /opt/homelab:/opt/homelab