Fix Docker data directory permissions#1910
Conversation
|
@snvtac is attempting to deploy a commit to the motia Team on Vercel. A member of the Team first needs to authorize it. |
License agreement recorded@snvtac, your agreement has been recorded and you have been added to contributors.md. All future PRs from your account will pass this check automatically. |
📝 WalkthroughWalkthroughThe Docker image now pre-creates writable data directories for the non-root runtime. The generated Docker Compose template mounts a named ChangesWritable Docker data path
Estimated code review effort🎯 2 (Simple) | ⏱️ ~10 minutes Suggested reviewers
Poem
🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
1330221 to
55f4176
Compare
There was a problem hiding this comment.
Actionable comments posted: 1
🧹 Nitpick comments (1)
engine/tests/project_init_e2e.rs (1)
25-35: 🎯 Functional Correctness | 🔵 Trivial | ⚡ Quick winAlso lock the Dockerfile
9464removal in these e2e checks.This helper covers the new compose-volume contract, but the PR also changes the generated Dockerfile to drop
9464. Neither e2e path asserts that, so the stale expose can come back without failing these tests.Suggested shape
fn assert_compose_mounts_engine_data_volume(project: &Path) { let compose = std::fs::read_to_string(project.join("docker-compose.yml")).unwrap(); assert!( compose.contains("- iii_data:/app/data"), "docker-compose.yml should mount writable engine data, got:\n{compose}" ); assert!( compose.contains("volumes:\n iii_data:"), "docker-compose.yml should declare the iii_data named volume, got:\n{compose}" ); } + +fn assert_dockerfile_drops_9464(project: &Path) { + let dockerfile = std::fs::read_to_string(project.join("Dockerfile")).unwrap(); + assert!( + !dockerfile.contains("9464"), + "Dockerfile should not expose 9464, got:\n{dockerfile}" + ); +}assert_compose_mounts_engine_data_volume(dir.path()); + assert_dockerfile_drops_9464(dir.path());🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@engine/tests/project_init_e2e.rs` around lines 25 - 35, The e2e coverage in assert_compose_mounts_engine_data_volume only checks the compose volume contract and does not guard the generated Dockerfile change. Update the project init e2e assertions to also verify the Dockerfile no longer exposes 9464, using the existing project initialization test helpers and the generated Dockerfile content so the stale port cannot regress unnoticed.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@engine/Dockerfile`:
- Line 1: The BusyBox base image used in the data-dirs stage is still referenced
by a mutable tag, so update the FROM instruction in the data-dirs stage to use
an immutable sha256 digest instead of busybox:1.36.1. Keep the stage name and
overall Dockerfile structure the same, and replace the tag with the pinned
digest so builds remain reproducible.
---
Nitpick comments:
In `@engine/tests/project_init_e2e.rs`:
- Around line 25-35: The e2e coverage in
assert_compose_mounts_engine_data_volume only checks the compose volume contract
and does not guard the generated Dockerfile change. Update the project init e2e
assertions to also verify the Dockerfile no longer exposes 9464, using the
existing project initialization test helpers and the generated Dockerfile
content so the stale port cannot regress unnoticed.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository UI
Review profile: CHILL
Plan: Pro
Run ID: accbbc30-3216-4b02-a196-ac997b894b57
📒 Files selected for processing (4)
engine/Dockerfileengine/tests/fixtures/templates/docker/Dockerfileengine/tests/fixtures/templates/docker/docker-compose.ymlengine/tests/project_init_e2e.rs
| @@ -1,12 +1,18 @@ | |||
| FROM busybox:1.36.1 AS data-dirs | |||
There was a problem hiding this comment.
🔒 Security & Privacy | 🟡 Minor
Pin the new BusyBox stage to an immutable digest.
The busybox:1.36.1 tag is mutable; pin the reference to a sha256 digest to ensure build reproducibility and prevent supply-chain risks where the image content changes without a code change.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@engine/Dockerfile` at line 1, The BusyBox base image used in the data-dirs
stage is still referenced by a mutable tag, so update the FROM instruction in
the data-dirs stage to use an immutable sha256 digest instead of busybox:1.36.1.
Keep the stage name and overall Dockerfile structure the same, and replace the
tag with the pinned digest so builds remain reproducible.
What
/app/dataand/dataas UID/GID 65532 in the published distroless engine image.iii_dataat/app/data.9464exposure from the engine image and generated Docker fixture.Why
Fixes #1883. On Linux,
iii project init --docker && docker compose upcan crash-loop because the configuration worker defaults to./data/configurationunder/app, while the image runs as non-root UID 65532 and has no writable data directory.Notes
I license my contributions to this repository under Apache 2.0, and I have all necessary rights over the code I am contributing.
The live generated template is fetched from
iii-hq/templates; companion template PR: Fix Docker template data volume templates#31Validation run:
rustfmt --check engine/tests/project_init_e2e.rs, YAML parse for the compose fixture, semantic check foriii_data:/app/data, and diff whitespace check.Full
cargo test/ Docker smoke were not run here: full Git clone repeatedly stalled in this environment, and Docker CLI is unavailable.