fix(docker): register safe.directory for all repos on bind-mount restart#1307
…art (coleam00#1279)

On macOS bind mounts (VirtioFS), host UIDs do not map to the container appuser (1001). Git 2.35.2+ rejects operations with "dubious ownership". The Dockerfile RUN-layer gitconfig is not inherited by bind mounts on restart, and worktree paths are unknown at build time.

Add a find loop in docker-entrypoint.sh that dynamically registers every .git directory under /.archon as a safe directory after the chown block. This is idempotent and handles worktrees at any depth.
📝 Walkthrough

At container startup,

Changes
Sequence Diagram(s)

```mermaid
sequenceDiagram
    participant Entrypoint as docker-entrypoint.sh
    participant Shell as /bin/sh
    participant Git as git
    participant Credential as GH_TOKEN helper
    participant Bun as Bun (setup-auth/start)
    Entrypoint->>Shell: on container start
    Shell->>Shell: chown -Rh appuser /.archon
    Shell->>Git: find /.archon -name ".git" -> for each
    Shell->>Git: git config --global --add safe.directory "<parent-dir>" (via gosu appuser or current user)
    Shell->>Credential: configure GH_TOKEN credential helper
    Shell->>Bun: run setup-auth
    Shell->>Bun: run start
```
Estimated code review effort: 🎯 2 (Simple) | ⏱️ ~10 minutes
🚥 Pre-merge checks: ✅ Passed checks (5 passed)
Warning: Review ran into problems. 🔥 Problems: Timed out fetching pipeline failures after 30000ms.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@docker-entrypoint.sh`:
- Around line 29-31: The current find invocation that registers Git worktrees
(the loop using find /.archon -name ".git" and the while reading into git_dir)
still descends into .git directories causing startup to scan object databases;
update the find command used before the while loop to include -prune -print so
it prints the .git paths without descending into them (keep the surrounding loop
and the $RUNNER git config --global --add safe.directory "$(dirname "$git_dir")"
logic intact), ensuring the repo/worktree dirname is registered but Git
internals under .git are not scanned.
Hi @kagura-agent — thanks for opening this PR. This repository uses a PR template at

Could you fill those out (even briefly)? The template helps reviewers understand scope, risk, and rollback — it speeds up review significantly. If a section genuinely doesn't apply, just write "N/A" in it rather than leaving it blank.

Thanks @Wirasm — filled out all the template sections. Let me know if anything needs more detail!
Review Summary

Verdict: ready-to-merge

Clean, well-scoped fix for CVE-2022-24765 "dubious ownership" errors on macOS Docker Desktop bind mounts. The diff is 11 lines in one file, the implementation is correct, and your PR template is thorough — problem statement, root cause analysis, UX journey, validation evidence, and rollback plan are all there. Great work.

Blocking issues: (none)

Suggested fixes: (none)

Minor / nice-to-have

Compliments

Reviewed via maintainer-review-pr workflow (Pi/Minimax). Aspects run: code-review, comment-quality.
Summary
- `find` loop in `docker-entrypoint.sh` that dynamically discovers `.git` directories under `/.archon` and registers them as `safe.directory` on each container start

Problem
On macOS with Docker Desktop (VirtioFS), bind-mount deployments break after every container restart. All git operations inside the container fail with:
This blocks every Archon workflow that touches a project.
Root Cause
Git 2.35.2+ (CVE-2022-24765) rejects repos where the directory owner differs from the running user. On macOS bind mounts, host UIDs (e.g. 501) do not map to the container's `appuser` (1001). The Dockerfile `RUN git config --global --add safe.directory ...` registers fixed paths at build time, but:

- `/home/appuser/.gitconfig` is not inherited from the image layer on restart

Fix

Add a `find` loop in `docker-entrypoint.sh` that dynamically discovers every `.git` directory under `/.archon` and registers its parent as a `safe.directory` on each container start. This runs after the `chown` block, is idempotent, and handles:

- `/.archon/workspaces/owner/repo/source/`
- `--user` flag or Kubernetes)

UX Journey
Before
After
Architecture Diagram
Before
After
Connection inventory:
Label Snapshot

- risk: low
- size: S
- config
- config:docker-entrypoint

Change Metadata

- bug
- config
- docker-entrypoint.sh)

Linked Issue
Validation Evidence (required)
- `find ... -name ".git"` correctly discovers nested worktrees
- `safe.directory` entries are harmless per git docs
- `find | while read`)

Security Impact (required)

- No
- No
- No
- No — only reads `.git` directory names under the existing `/.archon` mount, then writes to git global config

Compatibility / Migration

- Yes — additive only, no behavior change for non-bind-mount deployments
- No
- No

Human Verification (required)

- `.git` dirs found (loop is a no-op), deeply nested worktrees, non-root container user

Side Effects / Blast Radius (required)

- `safe.directory` entries are additive and idempotent; duplicate entries are harmless per git documentation
- `find` fails (e.g. `/.archon` doesn't exist), `2>/dev/null` suppresses errors and the loop simply doesn't execute

Rollback Plan (required)
Risks and Mitigations
| Risk | Mitigation |
| --- | --- |
| `find` scanning a very large `/.archon` tree could slow container startup | `find` uses `-prune` on `.git` matches, preventing descent into git internals; typical repos have < 10 `.git` dirs |
| `git config --global` as root could write to wrong user's gitconfig | `$RUNNER` variable (set to `gosu appuser` when running as root) ensures config is written to the correct user's gitconfig |

Closes #1279
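The entrypoint loop described in the Fix section, written with the `-prune -print` form CodeRabbit's inline comment asks for, as an added example that is not the project's own docker-entrypoint.sh. The mount root and the runner prefix (`gosu appuser` in the PR) are function parameters here instead of the hard-coded `/.archon` and `$RUNNER`, and the demo invocation is constructed.

```shell
#!/bin/sh
# Added example, not the project's docker-entrypoint.sh. Mount root and runner
# prefix are parameters (assumption) so the logic can run outside the container.

# Print the parent directory of every ".git" entry under $1, one per line.
# -prune stops find descending into a matched .git, so objects/ and refs/ are
# never walked; -print is needed because a pruned match is not printed by the
# default action. A ".git" file (linked worktree) also matches and is listed.
safe_dir_candidates() {
    find "$1" -name ".git" -prune -print 2>/dev/null | while IFS= read -r git_dir; do
        dirname "$git_dir"
    done
}

# Register each candidate as safe.directory in the global gitconfig of the user
# that will actually run git. $2 is an optional command prefix such as
# "gosu appuser": when the entrypoint runs as root, the entry then lands in
# appuser's ~/.gitconfig, not root's. Re-running only appends duplicate
# entries, which git tolerates, so the loop is safe on every restart.
register_safe_dirs() {
    root="$1"
    runner="$2"
    safe_dir_candidates "$root" | while IFS= read -r repo; do
        # shellcheck disable=SC2086  # runner is deliberately word-split
        $runner git config --global --add safe.directory "$repo"
    done
}

# Constructed stand-alone usage: in the entrypoint this would run right after
# the chown block with /.archon as the root and $RUNNER as the prefix.
if [ "${1:-}" = "--demo" ]; then
    register_safe_dirs "${2:-/.archon}" "${3:-}"
fi
```

Run `sh example.sh --demo /.archon "gosu appuser"` as root to mirror the entrypoint, or omit the prefix when already running as the target user.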