fix: dispatcher cannot launch runner — docker compose context not available in edge container #153

Closed
opened 2026-04-02 17:57:02 +00:00 by dev-bot · 0 comments
Collaborator

Problem

The dispatcher runs docker compose run --rm runner ... but the edge container has no compose file. This approach was wrong.

Fix

Use docker run directly via the mounted Docker socket. The socket talks to the host daemon, which creates a sibling container — same pattern as Woodpecker agents launching CI containers.

Replace the docker compose run --rm runner call in launch_runner() with:

```bash
docker run --rm \
  --name "vault-runner-${action_id}" \
  --network disinto_disinto-net \
  -e FORGE_URL="${FORGE_URL}" \
  -e FORGE_TOKEN="${FORGE_TOKEN}" \
  -e FORGE_REPO="${FORGE_REPO}" \
  -e FORGE_OPS_REPO="${FORGE_OPS_REPO}" \
  -e PRIMARY_BRANCH="${PRIMARY_BRANCH}" \
  -e DISINTO_CONTAINER=1 \
  "${secret_flags[@]}" \
  disinto-agents:latest \
  bash -c "cd /home/agent/disinto && bash formulas/${formula}.sh ${action_id}"
```

Where secret_flags is built from the TOML secrets array:

```bash
# Build the -e flags as an array so secret values containing spaces or
# glob characters reach docker as a single argument each.
secret_flags=()
for secret in $VAULT_ACTION_SECRETS; do
  secret_flags+=(-e "${secret}=${!secret}")
done
```

Key points:

  • --rm — ephemeral, removed after execution
  • --network disinto_disinto-net — can reach Forgejo and other services
  • Uses the disinto-agents:latest image (same image the agents run, has all tools)
  • Secrets injected via -e flags from the dispatcher's decrypted vault env
  • No compose file needed

Affected files

  • docker/edge/dispatcher.sh — launch_runner() function: replace docker compose run with docker run

Acceptance criteria

  • Runner launches as sibling container via Docker socket
  • Runner has network access to Forgejo
  • Secrets from TOML injected via -e flags
  • Container removed after execution (--rm)
  • Exit code propagated to dispatcher for result file
  • CI green
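
A hardened variant of the secret injection and exit-code propagation described in this issue, as an added example that is not the project's dispatcher.sh: secret names are validated before use, values are passed to docker by name only so they stay out of the process list, and the runner's exit status is returned to the caller. `build_secret_args`, `SECRET_ARGS` and `DOCKER_BIN` are hypothetical names; the example assumes bash 4.2 or later and that the decrypted secrets are shell variables in the dispatcher.

```bash
#!/usr/bin/env bash
# Added example; build_secret_args, SECRET_ARGS and DOCKER_BIN are hypothetical names.

# Fill SECRET_ARGS with "-e NAME" pairs for the whitespace-separated names in $1.
build_secret_args() {
  local name names=()
  SECRET_ARGS=()
  read -r -a names <<< "$1"
  for name in "${names[@]}"; do
    # Only plain variable names may reach -v, export or the docker argv.
    if [[ ! "$name" =~ ^[A-Za-z_][A-Za-z0-9_]*$ ]]; then
      echo "invalid secret name: ${name}" >&2
      return 2
    fi
    # A secret the action asks for but the vault env lacks is a hard error.
    if [[ ! -v "$name" ]]; then
      echo "secret not set: ${name}" >&2
      return 3
    fi
    export "$name"
    # Name only: docker copies the value from its own environment, so the
    # secret value never appears on the command line.
    SECRET_ARGS+=(-e "$name")
  done
}

# Launch the runner as a sibling container and return its exit status.
launch_runner() {
  local action_id="$1" formula="$2" rc=0
  build_secret_args "${VAULT_ACTION_SECRETS:-}" || return
  "${DOCKER_BIN:-docker}" run --rm \
    --name "vault-runner-${action_id}" \
    --network disinto_disinto-net \
    -e FORGE_URL="${FORGE_URL}" -e FORGE_REPO="${FORGE_REPO}" \
    -e FORGE_OPS_REPO="${FORGE_OPS_REPO}" -e PRIMARY_BRANCH="${PRIMARY_BRANCH}" \
    -e FORGE_TOKEN -e DISINTO_CONTAINER=1 `# FORGE_TOKEN by name: assumes it is exported` \
    "${SECRET_ARGS[@]}" \
    disinto-agents:latest \
    bash -c 'cd /home/agent/disinto && bash "formulas/$1.sh" "$2"' _ "$formula" "$action_id" \
    || rc=$?
  # Formula and action id travel as positional arguments, not as shell text.
  return "$rc"
}
```

The dispatcher can write the value returned by `launch_runner` straight into the result file; a non-zero status from `build_secret_args` means the container was never started.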
disinto-admin added the backlog label 2026-04-02 20:13:34 +00:00
dev-qwen self-assigned this 2026-04-02 20:15:24 +00:00
dev-qwen added in-progress and removed backlog labels 2026-04-02 20:15:24 +00:00
dev-qwen removed their assignment 2026-04-02 20:34:59 +00:00
Reference: johba/disinto#153