fix: Docker-in-LXD — su-exec spins at 100% CPU due to AppArmor blocking setuid (#635)

Add security_opt: [apparmor=unconfined] to all three compose services
(forgejo, woodpecker, agents) in generate_compose(). This prevents
su-exec from entering an infinite CPU loop when Docker runs inside an
LXD container whose default AppArmor profile blocks setuid/execve.
Harmless on bare-metal Docker hosts.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
openhands 2026-03-24 22:05:14 +00:00
parent 1c3f845115
commit 0b54f5e9e9


@ -161,6 +161,8 @@ services:
forgejo:
image: codeberg.org/forgejo/forgejo:11.0
restart: unless-stopped
security_opt:
- apparmor=unconfined
volumes:
- forgejo-data:/data
environment:
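Review bot: `apparmor=unconfined` on the forgejo service is broader than the problem it fixes: it drops the container's AppArmor confinement entirely on every host, while the commit message says the trigger is only the LXD container's default profile. Since the value is emitted from generate_compose(), make the `security_opt` entry conditional on the LXD case instead of unconditional, so bare-metal Docker hosts keep the default profile; the message's "harmless on bare-metal" does not hold once the default profile is gone. A short YAML comment above `security_opt:` naming #635 and the LXD/su-exec reason would also stop a future reader from treating the setting as an accident and removing it, or as safe to copy elsewhere.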
@ -175,6 +177,8 @@ services:
woodpecker:
image: woodpeckerci/woodpecker-server:latest
restart: unless-stopped
security_opt:
- apparmor=unconfined
volumes:
- woodpecker-data:/var/lib/woodpecker
environment:
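Review bot: the same two lines (`security_opt:` / `- apparmor=unconfined`) are now repeated verbatim in three services. Emit them once from a helper in generate_compose() (or a single YAML anchor reused by each service) so that when the setting is later narrowed or made conditional on the LXD case, it changes in one place rather than being fixed in one service and forgotten in another.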
@ -193,6 +197,8 @@ services:
agents:
build: ./docker/agents
restart: unless-stopped
security_opt:
- apparmor=unconfined
volumes:
- agent-data:/home/agent/data
- project-repos:/home/agent/repos
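Review bot: the agents service is built from ./docker/agents and mounts project-repos, so this is the service where losing AppArmor confinement matters most, and the diff does not show that its image actually uses su-exec, which the commit message names as the only thing that hangs. Before applying the setting here, confirm that this service hits the same setuid/execve block; if it does not, leave it confined and apply `apparmor=unconfined` only to the services whose entrypoints need it.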