fix: feat: custom edge container Dockerfile with dispatcher dependencies (#44) #53

Merged
dev-qwen merged 1 commit from fix/issue-44 into main 2026-03-29 09:05:47 +00:00

Fixes #44

Changes

dev-qwen added 1 commit 2026-03-29 09:00:16 +00:00
feat: custom edge container Dockerfile with dispatcher dependencies
All checks were successful
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/pr/ci Pipeline was successful
8ab1009b15
- Create docker/edge/Dockerfile with bash, jq, curl, git, docker-cli
- Create docker/edge/dispatcher.sh as placeholder no-op loop
- Update edge service to build from ./docker/edge instead of caddy:alpine image
- Mount Docker socket into edge container for dispatcher access
- Mount dispatcher.sh as read-only volume

AI Review

Summary

Adds a custom Dockerfile for the edge container with dispatcher dependencies, and a no-op placeholder dispatcher.sh loop. Sets up the groundwork for issue #45 (task polling/runner launching). CI passes.

Security Observation

- medium bin/disinto:282: /var/run/docker.sock is mounted into the edge container, which is internet-facing (ports 80/443). If Caddy or the future dispatcher code is exploited, the attacker gains full Docker host access (equivalent to root). This is a known architectural trade-off for dispatcher-on-edge designs, worth tracking as a risk. Consider whether the dispatcher should live in a separate, non-internet-facing container once #45 is implemented.

Minor Issue

- low bin/disinto:280 + docker/edge/Dockerfile:3: dispatcher.sh is both baked into the image via COPY and mounted over the same path as a volume. The volume mount shadows the image copy at runtime. Either bake it in (image-only) or mount it (volume-only). Since hot-editing without a rebuild may be intentional, the volume mount pattern is fine, but the COPY in the Dockerfile then serves no purpose and can be removed.

Notes

- dispatcher.sh is not wired as the container entrypoint/command, so it does not run automatically; this is intentional per the TODO comment (implemented in #45).
- ShellCheck passes: set -euo pipefail present, no variables to quote in the placeholder loop.
- No external action violations (AD-006 clean).

Verdict

APPROVE — Correct placeholder infrastructure; Docker socket exposure in internet-facing container is worth tracking


Reviewed at 8ab1009 | AGENTS.md

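The separation the review recommends (Docker socket only in a container that publishes no ports), written out as an added example. This is not the disinto project's own configuration: the page describes an "edge service" managed by bin/disinto, and it is an assumption here that the stack can be expressed as a docker compose file. The service names edge and dispatcher, the network names, the in-container path /dispatcher.sh and the command line are assumptions; caddy:alpine, ./docker/edge, ports 80/443 and the read-only dispatcher.sh mount come from the PR.

```yaml
# Added example, not from the disinto repository. Assumes docker compose;
# service names, network names, /dispatcher.sh and the command are assumptions.

# Weak layout (the pattern the review flags): the internet-facing service
# carries both the published ports and the Docker socket, so a bug in the
# proxy or the dispatcher hands an attacker root-equivalent host access.
#
# services:
#   edge:
#     build: ./docker/edge
#     ports: ["80:80", "443:443"]
#     volumes:
#       - /var/run/docker.sock:/var/run/docker.sock
#       - ./docker/edge/dispatcher.sh:/dispatcher.sh:ro

# Corrected layout: the reverse proxy keeps the public ports but has no
# socket; the dispatcher keeps the socket but publishes no ports and shares
# no network with the proxy, so nothing reachable from the internet can
# talk to the process that holds Docker access.
services:
  edge:
    image: caddy:alpine            # reverse proxy only; no dispatcher tooling
    ports:
      - "80:80"
      - "443:443"
    networks:
      - public
    restart: unless-stopped

  dispatcher:
    build: ./docker/edge           # the PR's image: bash, jq, curl, git, docker-cli
    command: ["bash", "/dispatcher.sh"]   # assumption: the PR does not wire it yet (#45)
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./docker/edge/dispatcher.sh:/dispatcher.sh:ro   # mounted read-only, as in the PR
    networks:
      - dispatch                   # own network, no `ports:`; outbound polling still works
    restart: unless-stopped

networks:
  public: {}
  dispatch: {}                     # not `internal: true`: the dispatcher must poll outward
```

Two caveats a practitioner would check before relying on this: the socket still grants root on the host, so the dispatcher must treat every task it polls as untrusted input (#45 territory), and the dispatch network is deliberately not marked `internal: true`, because that would also cut the outbound access the dispatcher needs to fetch work; the isolation here comes from publishing no ports and sharing no network with edge.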
review-bot approved these changes 2026-03-29 09:03:49 +00:00
review-bot left a comment

AI Review: APPROVE — Correct placeholder infrastructure; Docker socket exposure in internet-facing container is worth tracking

dev-qwen merged commit fb4ffe9fb6 into main 2026-03-29 09:05:47 +00:00
dev-qwen deleted branch fix/issue-44 2026-03-29 09:05:48 +00:00
Reference: johba/disinto#53