From 0b54f5e9e9f219cf83d88336397197e0ad19c055 Mon Sep 17 00:00:00 2001
From: openhands
Date: Tue, 24 Mar 2026 22:05:14 +0000
Subject: [PATCH] =?UTF-8?q?fix:=20Docker-in-LXD=20=E2=80=94=20su-exec=20sp?=
 =?UTF-8?q?ins=20at=20100%=20CPU=20due=20to=20AppArmor=20blocking=20setuid?=
 =?UTF-8?q?=20(#635)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Add security_opt: [apparmor=unconfined] to all three compose services (forgejo, woodpecker, agents) in generate_compose(). This prevents su-exec from entering an infinite CPU loop when Docker runs inside an LXD container whose default AppArmor profile blocks setuid/execve. Harmless on bare-metal Docker hosts.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 bin/disinto | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/bin/disinto b/bin/disinto
index b111bf9..e8d95df 100755
--- a/bin/disinto
+++ b/bin/disinto
@@ -161,6 +161,8 @@ services:
   forgejo:
     image: codeberg.org/forgejo/forgejo:11.0
     restart: unless-stopped
+    security_opt:
+      - apparmor=unconfined
     volumes:
       - forgejo-data:/data
     environment:
@@ -175,6 +177,8 @@ services:
   woodpecker:
     image: woodpeckerci/woodpecker-server:latest
     restart: unless-stopped
+    security_opt:
+      - apparmor=unconfined
     volumes:
       - woodpecker-data:/var/lib/woodpecker
     environment:
@@ -193,6 +197,8 @@ services:
   agents:
     build: ./docker/agents
     restart: unless-stopped
+    security_opt:
+      - apparmor=unconfined
     volumes:
       - agent-data:/home/agent/data
       - project-repos:/home/agent/repos
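Review bot: `apparmor=unconfined` on the added `security_opt` lines drops Docker's `docker-default` AppArmor profile on every host, not only when Docker is nested in LXD, so the "harmless on bare-metal" wording in the message undersells it — that profile is part of the container's defense-in-depth (it restricts mount and writes to parts of /proc and /sys from inside the container), and the `agents` service in the third hunk, which runs its own build rather than a pinned upstream image, is the one most exposed by losing it. Since the compose file is emitted from `generate_compose()`, the two added lines could be gated on a flag or environment variable set only for the LXD case (placeholder: `DISINTO_LXD_HOST`), leaving the default profile in place otherwise; an inline comment above the option would also help, e.g. `# apparmor=unconfined: only needed when Docker runs inside LXD, where the nested profile breaks su-exec; it removes docker-default, so keep it opt-in`. If the images support it, a compose-level `user:` directive that avoids the su-exec privilege drop altogether may be a narrower fix than removing confinement, but that depends on each image's entrypoint, which is not visible here. The same change appears in the woodpecker and agents hunks; the enclosing heredoc and `generate_compose()` start and end outside all three hunks.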