From 38a7253c11dd520ada5e5866fab15aa5f13a5b41 Mon Sep 17 00:00:00 2001
From: johba <johba@disinto>
Date: Sat, 28 Mar 2026 09:40:44 +0000
Subject: [PATCH] fix: WP CI agent gRPC: use host networking to bypass Docker
 bridge (#813)

Docker bridge networking inside LXD (and potentially other nested container
environments) breaks gRPC/HTTP2 between containers. The gRPC handshake
times out because HTTP/2 frames are not properly forwarded.

Fix: run the WP agent with network_mode: host + privileged, connecting
to the server via localhost:9000 (port mapped from the server container).

- Add port 9000 mapping to woodpecker server
- Switch agent to network_mode: host with privileged: true
- Connect agent to localhost:9000 instead of woodpecker:9000
- Add WOODPECKER_GRPC_SECURE=false
- Move healthcheck to port 3333 (avoid clash with Forgejo on 3000)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 bin/disinto | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/bin/disinto b/bin/disinto
index 4e66660..bc3340f 100755
--- a/bin/disinto
+++ b/bin/disinto
@@ -183,6 +183,7 @@ services:
       - apparmor=unconfined
     ports:
       - "8000:8000"
+      - "9000:9000"
     volumes:
       - woodpecker-data:/var/lib/woodpecker
     environment:
@@ -203,18 +204,18 @@ services:
   woodpecker-agent:
     image: woodpeckerci/woodpecker-agent:v3
     restart: unless-stopped
-    security_opt:
-      - apparmor=unconfined
+    network_mode: host
+    privileged: true
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock
     environment:
-      WOODPECKER_SERVER: woodpecker:9000
+      WOODPECKER_SERVER: localhost:9000
       WOODPECKER_AGENT_SECRET: ${WOODPECKER_AGENT_SECRET:-}
+      WOODPECKER_GRPC_SECURE: "false"
+      WOODPECKER_HEALTHCHECK_ADDR: ":3333"
       WOODPECKER_MAX_WORKFLOWS: 1
     depends_on:
       - woodpecker
-    networks:
-      - disinto-net
 
   agents:
     build: ./docker/agents