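--- a/scripts/install.sh
+++ b/scripts/install.sh
@@ -2193,6 +2193,39 @@ run_onboard() {
 # instructions to relogin/newgrp — Linux only loads group membership at
 # login, so the rest of this script (onboard, etc.) would fail otherwise.
 # Skipped on macOS (Docker Desktop) and inside WSL (host-managed Docker).
+report_unexpected_docker_access() {
+# If Docker is reachable, installation can continue. Still surface the
+# unusual QA/security posture where a non-root user outside the docker group
+# can control the daemon, because that makes "non-docker user denied" checks
+# non-reproducible on this host.
+if [ "$(id -u 2>/dev/null || printf 1)" -eq 0 ]; then
+return 0
+fi
+
+local current_user
+current_user="$(id -un 2>/dev/null || printf unknown)"
+
+if id -nG "$current_user" 2>/dev/null | tr ' ' '\n' | grep -qx docker; then
+return 0
+fi
+if id -nG 2>/dev/null | tr ' ' '\n' | grep -qx docker; then
+return 0
+fi
+
+info "Docker is reachable even though user '$current_user' is not in the docker group."
+info "This host grants Docker daemon access through another path, so a negative test that expects 'docker info' to fail for non-docker users will not reproduce here."
+if [ -n "${DOCKER_HOST:-}" ]; then
+info "DOCKER_HOST is set to: $DOCKER_HOST"
+else
+info "DOCKER_HOST is not set; check for a docker wrapper, socket ACLs, sudo/policy rules, or host-specific daemon access configuration."
+fi
+local socket_state
+socket_state="$(stat -Lc '%a %U %G %n' /var/run/docker.sock 2>/dev/null || true)"
+if [ -n "$socket_state" ]; then
+info "Docker socket: $socket_state"
+fi
+}
+
 ensure_docker() {
 case "$(uname -s)" in
 Darwin | MINGW* | MSYS*) return 0 ;;
@@ -2202,6 +2235,7 @@ ensure_docker() {
 fi
 # Fast path: docker info works → already set up (root, or already-active group).
 if docker info >/dev/null 2>&1; then
+report_unexpected_docker_access
 return 0
 fi
 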
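Review bot: In `report_unexpected_docker_access`, the socket diagnostic always stats `/var/run/docker.sock`, even in the branch that has just printed a non-empty `DOCKER_HOST`, so when the client is pointed at another Unix socket (rootless Docker is the common case) the reported mode and owner describe a socket that is not the one granting access. Derive the path first, e.g. `case "${DOCKER_HOST:-}" in unix://*) socket_path="${DOCKER_HOST#unix://}" ;; *) socket_path=/var/run/docker.sock ;; esac`, and stat `"$socket_path"`. The fallback hint could also name rootless mode and a non-default `docker context`, since both let `docker info` succeed without docker-group membership and without `DOCKER_HOST`. Because daemon access is root-equivalent, it may be worth flagging a socket whose group is not `docker` or whose mode grants access to others explicitly, rather than leaving the raw `stat` line for the reader to interpret.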
38 changes: 38 additions & 0 deletions test/install-preflight.test.ts
Expand Up @@ -3090,6 +3090,7 @@ describe("installer Docker bootstrap (sourced)", () => {
function runEnsureDockerWithStubs({
dockerScript,
idScript,
statScript,
systemctlScript = `#!/usr/bin/env bash
if [ "\${1:-}" = "is-active" ]; then exit 0; fi
if [ "\${1:-}" = "enable" ]; then exit 0; fi
Expand All @@ -3104,6 +3105,7 @@ exec "$@"
}: {
dockerScript: string;
idScript: string;
statScript?: string;
systemctlScript?: string;
sudoScript?: string;
}) {
Expand All @@ -3116,6 +3118,7 @@ exec "$@"

writeExecutable(path.join(fakeBin, "docker"), dockerScript);
writeExecutable(path.join(fakeBin, "id"), idScript);
if (statScript) writeExecutable(path.join(fakeBin, "stat"), statScript);
writeExecutable(path.join(fakeBin, "sudo"), sudoScript);
writeExecutable(path.join(fakeBin, "systemctl"), systemctlScript);
writeExecutable(
Expand Down Expand Up @@ -3163,6 +3166,41 @@ ensure_docker
};
}

it("reports when Docker is reachable for a non-docker-group Linux user", () => {
const { result, sudoLog } = runEnsureDockerWithStubs({
dockerScript: `#!/usr/bin/env bash
if [ "\${1:-}" = "info" ]; then exit 0; fi
exit 0
`,
idScript: `#!/usr/bin/env bash
case "$*" in
"-u") printf '1000\\n' ;;
"-un") printf 'alice\\n' ;;
"-nG alice") printf 'alice sudo\\n' ;;
"-nG") printf 'alice sudo\\n' ;;
*) printf 'unexpected id %s\\n' "$*" >&2; exit 99 ;;
esac
`,
statScript: `#!/usr/bin/env bash
if [ "\${1:-}" = "-Lc" ]; then
printf '660 root docker /var/run/docker.sock\\n'
exit 0
fi
exit 99
`,
});

const output = `${result.stdout}${result.stderr}`;
expect(result.status, output).toBe(0);
expect(output).toMatch(
/Docker is reachable even though user 'alice' is not in the docker group/,
);
expect(output).toMatch(/DOCKER_HOST/);
expect(output).toMatch(/660 root docker \/var\/run\/docker\.sock/);
expect(output).not.toMatch(/newgrp docker/);
expect(sudoLog).not.toMatch(/usermod/);
});
Comment on lines +3169 to +3202

Contributor

⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

Test size guardrail is now blocking CI.

This file now exceeds its legacy size budget (4432 > 4396), and CI is failing. Please move this new Docker diagnostics test (and any closely related helper logic) into a dedicated test file to get back under the enforced limit.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@test/install-preflight.test.ts` around lines 3169 - 3200, The test file
exceeds the size budget because you added a new Docker diagnostics test; extract
the "reports when Docker is reachable for a non-docker-group Linux user" test
and any closely related helpers into a new test file (e.g., create a new spec
file) to reduce test/install-preflight.test.ts back under the limit. Move the
test block and the supporting stub utilities used here (references: the it(...)
test title, runEnsureDockerWithStubs, dockerScript/idScript/statScript literals,
and assertions that reference sudoLog and result) into the new file, update
imports/exports so runEnsureDockerWithStubs is imported from the shared helper
module (or split helper into a shared helpers file if needed), and ensure test
suite setup/teardown and any path-relative requires are adjusted so the moved
test runs unchanged.

Source: Pipeline failures


it("prompts for newgrp when persisted docker membership is not active", () => {
const { result, sudoLog } = runEnsureDockerWithStubs({
dockerScript: `#!/usr/bin/env bash
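Review bot: The assertion `expect(output).toMatch(/DOCKER_HOST/)` in the new test passes for both the "is set to" and the "is not set" message, so it does not pin which branch ran, and the outcome may depend on whether the runner's own `DOCKER_HOST` reaches the sourced script (the environment handling in `runEnsureDockerWithStubs` is outside this hunk). Tighten it to `expect(output).toMatch(/DOCKER_HOST is not set/)` with the variable explicitly cleared, and add a sibling case with it set. The silent paths are also uncovered: a case where the `id` stub prints `0` for `-u`, and one where `-nG` includes `docker`, should assert that the "Docker is reachable even though" line is absent, so a regression that starts flagging ordinary docker-group users is caught.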