disinto-admin/disinto
1
0
Fork 0
Code Issues 4 Pull requests 1 Projects Releases Packages Wiki Activity Actions

bug: agents Dockerfile build fails — SOPS checksum download unreachable #120

New issue
Closed
opened 2026-04-01 17:37:28 +00:00 by dev-bot · 0 comments
dev-bot commented 2026-04-01 17:37:28 +00:00
Collaborator
Copy link

Problem

docker compose build --no-cache agents fails at the SOPS installation step with exit code 6. The curl download silently fails — the file is never created.

Root cause

Docker build runs inside an LXD container. The build containers don't inherit security_opt: apparmor=unconfined from the compose service definition. Curl fails with:

getaddrinfo() thread failed to start
Could not resolve host: github.com

DNS resolves fine but glibc's getaddrinfo() can't spawn threads due to AppArmor/seccomp restrictions in the nested Docker build environment (Docker-in-LXD).

The same issue affects any curl/wget call during docker build — not just SOPS.

Fix

Download SOPS (and tea CLI) on the host before building, then COPY the binaries into the image. This avoids network calls during docker build entirely.

Add a pre-build step to bin/disinto (or a build script) that downloads the binaries:

# Pre-build: download binaries to docker/agents/bin/
mkdir -p docker/agents/bin
curl -sL https://github.com/getsops/sops/releases/download/v3.9.4/sops-v3.9.4.linux.amd64 -o docker/agents/bin/sops
echo "5488e32bc471de7982ad895dd054bbab3ab91c417a118426134551e9626e4e85  docker/agents/bin/sops" | sha256sum -c -
chmod +x docker/agents/bin/sops

curl -sL https://dl.gitea.com/tea/0.9.2/tea-0.9.2-linux-amd64 -o docker/agents/bin/tea
echo "be10cdf9a619e3c0f121df874960ed19b53e62d1c7036cf60313a28b5227d54d  docker/agents/bin/tea" | sha256sum -c -
chmod +x docker/agents/bin/tea

Update docker/agents/Dockerfile:

# Replace curl downloads with COPY
COPY bin/sops /usr/local/bin/sops
COPY bin/tea /usr/local/bin/tea

Add docker/agents/bin/ to .gitignore (binaries, not tracked).

Affected files

  • docker/agents/Dockerfile (remove curl downloads, add COPY)
  • bin/disinto (add pre-build download step before docker compose build)
  • .gitignore (add docker/agents/bin/)

Acceptance criteria

  • docker compose build --no-cache agents succeeds inside LXD
  • SOPS and tea binaries are present and functional in the image
  • Checksums verified on the host before COPY
  • No network calls during docker build
  • CI green
## Problem `docker compose build --no-cache agents` fails at the SOPS installation step with exit code 6. The `curl` download silently fails — the file is never created. ## Root cause Docker build runs inside an LXD container. The build containers don't inherit `security_opt: apparmor=unconfined` from the compose service definition. Curl fails with: ``` getaddrinfo() thread failed to start Could not resolve host: github.com ``` DNS resolves fine but glibc's `getaddrinfo()` can't spawn threads due to AppArmor/seccomp restrictions in the nested Docker build environment (Docker-in-LXD). The same issue affects any `curl`/`wget` call during `docker build` — not just SOPS. ## Fix Download SOPS (and tea CLI) on the **host** before building, then COPY the binaries into the image. This avoids network calls during docker build entirely. Add a pre-build step to `bin/disinto` (or a build script) that downloads the binaries: ```bash # Pre-build: download binaries to docker/agents/bin/ mkdir -p docker/agents/bin curl -sL https://github.com/getsops/sops/releases/download/v3.9.4/sops-v3.9.4.linux.amd64 -o docker/agents/bin/sops echo "5488e32bc471de7982ad895dd054bbab3ab91c417a118426134551e9626e4e85 docker/agents/bin/sops" | sha256sum -c - chmod +x docker/agents/bin/sops curl -sL https://dl.gitea.com/tea/0.9.2/tea-0.9.2-linux-amd64 -o docker/agents/bin/tea echo "be10cdf9a619e3c0f121df874960ed19b53e62d1c7036cf60313a28b5227d54d docker/agents/bin/tea" | sha256sum -c - chmod +x docker/agents/bin/tea ``` Update `docker/agents/Dockerfile`: ```dockerfile # Replace curl downloads with COPY COPY bin/sops /usr/local/bin/sops COPY bin/tea /usr/local/bin/tea ``` Add `docker/agents/bin/` to `.gitignore` (binaries, not tracked). ## Affected files - `docker/agents/Dockerfile` (remove curl downloads, add COPY) - `bin/disinto` (add pre-build download step before `docker compose build`) - `.gitignore` (add `docker/agents/bin/`) ## Acceptance criteria - [ ] `docker compose build --no-cache agents` succeeds inside LXD - [ ] SOPS and tea binaries are present and functional in the image - [ ] Checksums verified on the host before COPY - [ ] No network calls during docker build - [ ] CI green
disinto-admin added the
backlog
 label 2026-04-01 18:01:11 +00:00
dev-qwen self-assigned this 2026-04-01 18:12:09 +00:00
dev-qwen added
in-progress
 and removed
backlog
 labels 2026-04-01 18:12:10 +00:00
dev-qwen removed their assignment 2026-04-01 18:34:58 +00:00
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
main
fix/issue-369
fix/issue-234
fix/issue-194
pr-137
pr-134
pr-133
pr-126
fix/issue-14
fix/issue-21
chore/gardener-20260327-0004
fix/issue-1
v0.1.0
Labels
Clear labels   
action

   
backlog

   
blocked

   
bug-report

   
in-progress

   
prediction/actioned

   
prediction/dismissed

   
prediction/unreviewed

   
priority

   
tech-debt

   
underspecified

   
vision
No labels
action
backlog
blocked
bug-report
in-progress
prediction/actioned
prediction/dismissed
prediction/unreviewed
priority
tech-debt
underspecified
vision
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: disinto-admin/disinto#120
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?