homelab-codex-ws/services/control-plane/docker-compose.yml
Oskar Kapala 7f17b65278 fix(control-plane): run executor as uid 1000 with docker group access
Executor was the only control-plane container running as root (uid=0),
writing root-owned files to /opt/homelab via bind-mount and triggering
false sudo on every deploy.

- Dockerfile: add USER homelab after useradd (useradd already present)
- docker-compose.yml: add user: "1000:1000" and group_add: ["999"]
  (GID 999 = docker group on VPS) so executor retains docker.sock access

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-03 18:19:58 +02:00


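# Control-plane stack: four services built from the same image (build: .).
# Every service runs as uid/gid 1000 and shares the /opt/homelab bind mount,
# so files written there are owned by uid 1000 on the host.
services:
  operator-ui:
    build: .
    container_name: control-plane-ui
    user: "1000:1000"
    command: python src/operator_ui.py
    ports:
      # No host IP is given, so Docker publishes 18180 on every host interface.
      # NOTE(review): if the UI is only reached through a local reverse proxy
      # or tunnel, bind it explicitly ("127.0.0.1:18180:8080"). Whether the UI
      # authenticates requests is not visible from this file; confirm.
      - "18180:8080"
    volumes:
      - /opt/homelab:/opt/homelab
    restart: unless-stopped
    healthcheck:
      # Fetches the UI root over loopback inside the container.
      test: ["CMD", "python", "-c", "import urllib.request; urllib.request.urlopen('http://127.0.0.1:8080/', timeout=3).read()"]
      interval: 30s
      timeout: 10s
      retries: 3

  observer:
    build: .
    container_name: control-plane-observer
    user: "1000:1000"
    command: python /repo/scripts/observer/observer.py
    volumes:
      - /opt/homelab:/opt/homelab
      # Repository checkout is read-only for this service.
      - ../..:/repo:ro
    restart: unless-stopped
    environment:
      - REPO_ROOT=/repo
      - RUNTIME_PATH=/opt/homelab
    healthcheck:
      # `test -f` only proves the heartbeat file exists. The file lives on the
      # host bind mount and survives restarts, so a hung or restarted process
      # can still report healthy. NOTE(review): compare the file's mtime with
      # the check interval unless the service removes the file on startup.
      test: ["CMD", "test", "-f", "/opt/homelab/state/observer.heartbeat"]
      interval: 30s
      timeout: 5s
      retries: 3
      start_period: 5s

  supervisor:
    build: .
    container_name: control-plane-supervisor
    user: "1000:1000"
    command: python src/supervisor.py
    volumes:
      - /opt/homelab:/opt/homelab
      # Repository checkout is read-only for this service.
      - ../..:/repo:ro
    restart: unless-stopped
    environment:
      - REPO_ROOT=/repo
      - RUNTIME_PATH=/opt/homelab
    healthcheck:
      # Existence check only; a stale heartbeat file also passes (see observer).
      test: ["CMD", "test", "-f", "/opt/homelab/state/supervisor.heartbeat"]
      interval: 60s
      timeout: 5s
      retries: 3
      start_period: 10s

  executor:
    build: .
    container_name: control-plane-executor
    # uid 1000 keeps files on the /opt/homelab bind mount from becoming
    # root-owned. It is not a privilege boundary: the Docker socket mounted
    # below lets any process in this container start containers with arbitrary
    # host mounts, which is equivalent to root on the host.
    user: "1000:1000"
    group_add:
      # Supplementary GID that owns /var/run/docker.sock on the host. It is
      # host-specific; on a host where the docker group has another GID the
      # executor loses socket access, or joins whatever group does own that
      # GID. Override with DOCKER_GID (getent group docker | cut -d: -f3);
      # the default keeps the previous hard-coded value.
      - "${DOCKER_GID:-999}"
    command: python src/executor.py
    volumes:
      - /opt/homelab:/opt/homelab
      # Mounted read-write here, unlike observer and supervisor.
      # NOTE(review): confirm the executor needs to write to the checkout;
      # otherwise add :ro so a compromised executor cannot alter the code
      # the other services run.
      - ../..:/repo
      # Full Docker API access. NOTE(review): if the executor needs only a
      # few API calls, a filtering socket proxy would narrow what a
      # compromise of this container can reach.
      - /var/run/docker.sock:/var/run/docker.sock
    restart: unless-stopped
    environment:
      - REPO_ROOT=/repo
      - RUNTIME_PATH=/opt/homelab
    healthcheck:
      # Existence check only; a stale heartbeat file also passes (see observer).
      test: ["CMD", "test", "-f", "/opt/homelab/state/executor.heartbeat"]
      interval: 30s
      timeout: 5s
      retries: 3
      start_period: 5s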