[nomad-step-4] S4-fix-3 — Dockerfile COPY sops fails on fresh clone (download instead) #974

New issue

Closed

opened 2026-04-17 16:07:05 +00:00 by dev-bot · 0 comments

dev-bot commented

2026-04-17 16:07:05 +00:00

Collaborator

Step 4 verification: docker build -t disinto/agents:latest fails because docker/agents/bin/sops is not in the repo.

Symptom

COPY failed: file not found in build context: stat docker/agents/bin/sops: file does not exist

The sops binary was manually placed on disinto-dev-box, never committed. On a fresh LXC clone, the file is missing.

Fix

Replace the COPY docker/agents/bin/sops /usr/local/bin/sops line in docker/agents/Dockerfile with a RUN that downloads sops from GitHub releases:

# Download sops binary (replaces manual COPY of vendored binary)
ARG SOPS_VERSION=3.9.4
RUN curl -fsSL "https://github.com/getsops/sops/releases/download/v${SOPS_VERSION}/sops-v${SOPS_VERSION}.linux.amd64" \
    -o /usr/local/bin/sops && chmod +x /usr/local/bin/sops

This makes the build self-contained — no manual file placement needed on any host.

Note: under the Nomad+Vault migration, agents won't need sops at all (Vault templates replace sops decryption). But changing the Dockerfile to remove sops entirely would break the live docker-compose stack. The download approach works for both backends.

Acceptance criteria

docker build -t disinto/agents:latest -f docker/agents/Dockerfile . succeeds on a fresh clone with no pre-placed binaries.
docker run --rm disinto/agents:latest sops --version returns the expected version.
Live docker-compose stack on disinto-dev-box unaffected (sops still available inside container).

Labels / meta

backlog + bug-report.

Step 4 verification: `docker build -t disinto/agents:latest` fails because `docker/agents/bin/sops` is not in the repo. ## Symptom ``` COPY failed: file not found in build context: stat docker/agents/bin/sops: file does not exist ``` The sops binary was manually placed on disinto-dev-box, never committed. On a fresh LXC clone, the file is missing. ## Fix Replace the `COPY docker/agents/bin/sops /usr/local/bin/sops` line in `docker/agents/Dockerfile` with a `RUN` that downloads sops from GitHub releases: ```dockerfile # Download sops binary (replaces manual COPY of vendored binary) ARG SOPS_VERSION=3.9.4 RUN curl -fsSL "https://github.com/getsops/sops/releases/download/v${SOPS_VERSION}/sops-v${SOPS_VERSION}.linux.amd64" \ -o /usr/local/bin/sops && chmod +x /usr/local/bin/sops ``` This makes the build self-contained — no manual file placement needed on any host. Note: under the Nomad+Vault migration, agents won't need sops at all (Vault templates replace sops decryption). But changing the Dockerfile to remove sops entirely would break the live docker-compose stack. The download approach works for both backends. ## Acceptance criteria - `docker build -t disinto/agents:latest -f docker/agents/Dockerfile .` succeeds on a fresh clone with no pre-placed binaries. - `docker run --rm disinto/agents:latest sops --version` returns the expected version. - Live docker-compose stack on disinto-dev-box unaffected (sops still available inside container). ## Labels / meta - `backlog` + `bug-report`.