oskar/homelab-codex-ws
1
0
Fork 0
Code Issues Pull requests Actions Packages Projects Releases Wiki Activity

fix(control-plane): run executor as uid 1000 with docker group access

Browse source 
Executor was the only control-plane container running as root (uid=0),
writing root-owned files to /opt/homelab via bind-mount and triggering
false sudo on every deploy.

- Dockerfile: add USER homelab after useradd (useradd already present)
- docker-compose.yml: add user: "1000:1000" and group_add: ["999"]
  (GID 999 = docker group on VPS) so executor retains docker.sock access

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Oskar Kapala 2026-06-03 18:19:58 +02:00
parent e6a2443412
commit 7f17b65278
2 changed files with 4 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
services/control-plane/Dockerfile
View file

@ -20,4 +20,5 @@ ENV RUNTIME_PATH=/opt/homelab
ENV PYTHONUNBUFFERED=1 ENV PYTHONUNBUFFERED=1
# Default command (will be overridden in docker-compose) # Default command (will be overridden in docker-compose)
USER homelab
CMD ["python", "src/operator_ui.py"] CMD ["python", "src/operator_ui.py"]

3
services/control-plane/docker-compose.yml
View file

@ -56,6 +56,9 @@ services:
executor: executor:
build: . build: .
container_name: control-plane-executor container_name: control-plane-executor
user: "1000:1000"
group_add:
- "999"
command: python src/executor.py command: python src/executor.py
volumes: volumes:
- /opt/homelab:/opt/homelab - /opt/homelab:/opt/homelab