fix(setup): auto-recover from stale docker group mid-session
- container: install Docker via setup/install-docker.sh when missing, distinguish socket EACCES from daemon-down so we bail fast instead of polling 60s, and re-exec the step under `sg docker` when usermod hasn't reached the current shell. - auto: after the container step, re-exec the whole driver under `sg docker` (with a NANOCLAW_REEXEC_SG guard) so onecli/service/verify also get docker-group access without a re-login. Surface the new docker_group_not_active error from the container step. - service: when the systemd user manager has a stale group list, auto- apply \`sudo setfacl -m u:\$USER:rw /var/run/docker.sock\` so the service can start without waiting for the next login. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
exe.dev user
@@ -2,7 +2,7 @@
|
||||
* Step: container — Build container image and verify with test run.
|
||||
* Replaces 03-setup-container.sh
|
||||
*/
|
||||
import { execSync } from 'child_process';
|
||||
import { execSync, spawnSync } from 'child_process';
|
||||
import path from 'path';
|
||||
import { setTimeout as sleep } from 'timers/promises';
|
||||
|
||||
@@ -10,20 +10,28 @@ import { log } from '../src/log.js';
|
||||
import { commandExists, getPlatform } from './platform.js';
|
||||
import { emitStatus } from './status.js';
|
||||
|
||||
type DockerStatus = 'ok' | 'no-permission' | 'no-daemon' | 'other';
|
||||
|
||||
function dockerStatus(): DockerStatus {
|
||||
const res = spawnSync('docker', ['info'], { encoding: 'utf-8' });
|
||||
if (res.status === 0) return 'ok';
|
||||
const err = `${res.stderr ?? ''}\n${res.stdout ?? ''}`;
|
||||
if (/permission denied/i.test(err)) return 'no-permission';
|
||||
if (/cannot connect|is the docker daemon running|no such file/i.test(err)) return 'no-daemon';
|
||||
return 'other';
|
||||
}
|
||||
|
||||
function dockerRunning(): boolean {
|
||||
try {
|
||||
execSync('docker info', { stdio: 'ignore' });
|
||||
return true;
|
||||
} catch {
|
||||
return false;
|
||||
}
|
||||
return dockerStatus() === 'ok';
|
||||
}
|
||||
|
||||
/**
|
||||
* Try to start Docker if it's installed but idle. Poll for up to 60s.
|
||||
* Returns true once `docker info` succeeds, false if we gave up.
|
||||
* Try to start Docker if it's installed but idle. Poll up to 60s for the
|
||||
* daemon to come up — but bail immediately if the socket is reachable and
|
||||
* only blocked by a group-permission error, since that won't resolve by
|
||||
* waiting (the caller handles the sg re-exec for that case).
|
||||
*/
|
||||
async function tryStartDocker(): Promise<boolean> {
|
||||
async function tryStartDocker(): Promise<DockerStatus> {
|
||||
const platform = getPlatform();
|
||||
log.info('Docker not running — attempting to start', { platform });
|
||||
|
||||
@@ -34,22 +42,27 @@ async function tryStartDocker(): Promise<boolean> {
|
||||
// Inherit stdio so sudo can prompt for a password if needed.
|
||||
execSync('sudo systemctl start docker', { stdio: 'inherit' });
|
||||
} else {
|
||||
return false;
|
||||
return 'other';
|
||||
}
|
||||
} catch (err) {
|
||||
log.warn('Start command failed', { err });
|
||||
return false;
|
||||
return 'other';
|
||||
}
|
||||
|
||||
for (let i = 0; i < 30; i++) {
|
||||
await sleep(2000);
|
||||
if (dockerRunning()) {
|
||||
const s = dockerStatus();
|
||||
if (s === 'ok') {
|
||||
log.info('Docker is up');
|
||||
return true;
|
||||
return 'ok';
|
||||
}
|
||||
if (s === 'no-permission') {
|
||||
log.info('Docker daemon is up but socket is not accessible (group membership)');
|
||||
return 'no-permission';
|
||||
}
|
||||
}
|
||||
log.warn('Docker did not become ready within 60s');
|
||||
return false;
|
||||
return 'no-daemon';
|
||||
}
|
||||
|
||||
function parseArgs(args: string[]): { runtime: string } {
|
||||
@@ -84,6 +97,15 @@ export async function run(args: string[]): Promise<void> {
|
||||
process.exit(4);
|
||||
}
|
||||
|
||||
if (!commandExists('docker')) {
|
||||
log.info('Docker not found — running setup/install-docker.sh');
|
||||
try {
|
||||
execSync('bash setup/install-docker.sh', { cwd: projectRoot, stdio: 'inherit' });
|
||||
} catch (err) {
|
||||
log.warn('install-docker.sh failed', { err });
|
||||
}
|
||||
}
|
||||
|
||||
if (!commandExists('docker')) {
|
||||
emitStatus('SETUP_CONTAINER', {
|
||||
RUNTIME: runtime,
|
||||
@@ -97,16 +119,37 @@ export async function run(args: string[]): Promise<void> {
|
||||
process.exit(2);
|
||||
}
|
||||
|
||||
if (!dockerRunning()) {
|
||||
const started = await tryStartDocker();
|
||||
if (!started) {
|
||||
{
|
||||
let status = dockerStatus();
|
||||
if (status !== 'ok') {
|
||||
status = await tryStartDocker();
|
||||
}
|
||||
|
||||
// Socket is unreachable due to group perms — current shell's supplementary
|
||||
// groups are fixed at login, so `usermod -aG docker` (via install-docker.sh
|
||||
// or a prior install) doesn't affect us until next login. Re-exec this
|
||||
// step under `sg docker` so the child picks up docker as its primary
|
||||
// group and can talk to /var/run/docker.sock without a logout.
|
||||
if (status === 'no-permission' && getPlatform() === 'linux' && commandExists('sg')) {
|
||||
log.info('Re-executing container step under `sg docker`');
|
||||
const res = spawnSync(
|
||||
'sg',
|
||||
['docker', '-c', 'pnpm exec tsx setup/index.ts --step container'],
|
||||
{ cwd: projectRoot, stdio: 'inherit' },
|
||||
);
|
||||
process.exit(res.status ?? 1);
|
||||
}
|
||||
|
||||
if (status !== 'ok') {
|
||||
const error =
|
||||
status === 'no-permission' ? 'docker_group_not_active' : 'runtime_not_available';
|
||||
emitStatus('SETUP_CONTAINER', {
|
||||
RUNTIME: runtime,
|
||||
IMAGE: image,
|
||||
BUILD_OK: false,
|
||||
TEST_OK: false,
|
||||
STATUS: 'failed',
|
||||
ERROR: 'runtime_not_available',
|
||||
ERROR: error,
|
||||
LOG: 'logs/setup.log',
|
||||
});
|
||||
process.exit(2);
|
||||
|
||||
Reference in New Issue
Block a user