akanealw/Charon
1
0
Fork 0
Code Issues Pull Requests Actions 5 Packages Projects Releases Wiki Activity

fix: resolve Docker socket permissions and notification page routing

Browse Source 
- Add runtime Docker socket permission detection in entrypoint
  - Detects socket GID and logs helpful deployment guidance
  - Provides three resolution options (root user, group-add, or chmod)
  - Non-intrusive: logs only, doesn't modify permissions

- Fix notification page routing mismatch
  - Move notifications route from /notifications to /settings/notifications
  - Add notifications tab to Settings page with Bell icon
  - Align navigation structure with route definitions

- Enhance Docker API error handling
  - Return 503 (not 500) when Docker daemon unavailable
  - Add DockerUnavailableError type for clear error distinction
  - Implement SSRF hardening (reject arbitrary host values)

- Improve security and testability
  - Move ProxyHost routes to protected auth group
  - Refactor Docker handler tests to use mocks
  - Simplify useDocker hook query enablement logic

Docker socket fix addresses deployment-level permission issue without
code changes. The 503 error correctly signals service unavailability
due to configuration, not application bugs.

Closes #XX (if applicable)
This commit is contained in:
GitHub Actions
2025-12-22 21:58:20 +00:00
parent ffa74d0968
commit baf822e084
14 changed files with 938 additions and 153 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
.docker/docker-entrypoint.sh
View File

@@ -30,6 +30,27 @@ mkdir -p /app/data/caddy 2>/dev/null || true
mkdir -p /app/data/crowdsec 2>/dev/null || true
mkdir -p /app/data/geoip 2>/dev/null || true
# ============================================================================
# Docker Socket Permission Handling
# ============================================================================
# The Docker integration feature requires access to the Docker socket.
# When running as non-root user (charon), we need to ensure the user is in
# the same group as the mounted socket for permission access.
if [ -S "/var/run/docker.sock" ]; then
DOCKER_SOCK_GID=$(stat -c '%g' /var/run/docker.sock 2>/dev/null || echo "")
if [ -n "$DOCKER_SOCK_GID" ] && [ "$DOCKER_SOCK_GID" != "0" ]; then
# Check if a group with this GID exists
if ! getent group "$DOCKER_SOCK_GID" >/dev/null 2>&1; then
echo "Docker socket detected (gid=$DOCKER_SOCK_GID). Note: Container integration requires socket access."
echo " To enable Docker container discovery:"
echo " 1. Run container with --user root:root, OR"
echo " 2. Add host docker group: docker run --group-add $DOCKER_SOCK_GID ..., OR"
echo " 3. Change socket permissions: chmod 666 /var/run/docker.sock (not recommended)"
fi
fi
fi
# ============================================================================
# CrowdSec Initialization
# ============================================================================