fix(setup): auto-recover from stale docker group mid-session
- container: install Docker via setup/install-docker.sh when missing, distinguish socket EACCES from daemon-down so we bail fast instead of polling 60s, and re-exec the step under `sg docker` when usermod hasn't reached the current shell. - auto: after the container step, re-exec the whole driver under `sg docker` (with a NANOCLAW_REEXEC_SG guard) so onecli/service/verify also get docker-group access without a re-login. Surface the new docker_group_not_active error from the container step. - service: when the systemd user manager has a stale group list, auto-apply `sudo setfacl -m u:$USER:rw /var/run/docker.sock` so the service can start without waiting for the next login. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@@ -11,6 +11,7 @@ import path from 'path';
|
||||
|
||||
import { log } from '../src/log.js';
|
||||
import {
|
||||
commandExists,
|
||||
getPlatform,
|
||||
getNodePath,
|
||||
getServiceManager,
|
||||
@@ -255,12 +256,34 @@ WantedBy=${runningAsRoot ? 'multi-user.target' : 'default.target'}`;
|
||||
fs.writeFileSync(unitPath, unit);
|
||||
log.info('Wrote systemd unit', { unitPath });
|
||||
|
||||
// Detect stale docker group before starting (user systemd only)
|
||||
const dockerGroupStale = !runningAsRoot && checkDockerGroupStale();
|
||||
// Detect stale docker group before starting (user systemd only). The user
|
||||
// systemd manager is a long-running process whose group list is frozen at
|
||||
// login, so `usermod -aG docker` mid-session doesn't reach it. Rather than
|
||||
// require the user to log out + back in, punch a POSIX ACL onto the socket
|
||||
// that grants the current user rw directly. This is temporary — the socket
|
||||
// is recreated by dockerd on restart (and by then the user has relogged, so
|
||||
// normal group perms apply again).
|
||||
let dockerGroupStale = !runningAsRoot && checkDockerGroupStale();
|
||||
if (dockerGroupStale) {
|
||||
log.warn(
|
||||
'Docker group not active in systemd session — user was likely added to docker group mid-session',
|
||||
);
|
||||
if (commandExists('setfacl')) {
|
||||
const user = execSync('whoami', { encoding: 'utf-8' }).trim();
|
||||
try {
|
||||
execSync(`sudo setfacl -m u:${user}:rw /var/run/docker.sock`, {
|
||||
stdio: 'inherit',
|
||||
});
|
||||
log.info(
|
||||
'Applied temporary ACL to /var/run/docker.sock (resets on docker restart or reboot)',
|
||||
);
|
||||
dockerGroupStale = false;
|
||||
} catch (err) {
|
||||
log.warn('Failed to apply setfacl workaround', { err });
|
||||
}
|
||||
} else {
|
||||
log.warn('setfacl not installed — cannot apply automatic workaround');
|
||||
}
|
||||
}
|
||||
|
||||
// Kill orphaned nanoclaw processes to avoid channel connection conflicts
|
||||
|
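Review bot: The `execSync(`sudo setfacl -m u:${user}:rw /var/run/docker.sock`, …)` call in the new block builds a shell command line from the output of `whoami`, even though the username only needs to reach setfacl as a single argument; this is the one place the step interpolates a runtime string into a command, and the shell round-trip buys nothing. Prefer the argv form, `execFileSync('sudo', ['setfacl', '-m', `u:${user}:rw`, '/var/run/docker.sock'], { stdio: 'inherit' })`, which hands the name to setfacl without shell parsing (assuming `execFileSync` is, or can be, imported next to `execSync`; the import block is outside this hunk). The success path then sets `dockerGroupStale = false` on setfacl's exit status alone; a cheap confirmation that the ACL actually grants this user access would be `fs.accessSync('/var/run/docker.sock', fs.constants.R_OK | fs.constants.W_OK)` inside the same try, so a setfacl that succeeds against a path that is not the daemon's socket (a rootless or custom DOCKER_HOST setup, presumably) is not reported as resolved. The enclosing function starts before this hunk.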
||||