Add docker

Author: joecorall

Dockerfile

@@ -83,6 +83,14 @@ ARG \
   BIND9_VERSION=1:9.20.23-1~deb13u1 \
   # renovate: datasource=repology depName=debian_13/bubblewrap
   BW_VERSION=0.11.0-2+deb13u1 \
+  # renovate: datasource=deb depName=docker-ce
+  DOCKER_CE_VERSION=5:29.5.3-1~debian.13~trixie \
+  # renovate: datasource=deb depName=containerd.io
+  CONTAINERD_IO_VERSION=2.2.4-1~debian.13~trixie \
+  # renovate: datasource=deb depName=docker-buildx-plugin
+  DOCKER_BUILDX_PLUGIN_VERSION=0.34.1-1~debian.13~trixie \
+  # renovate: datasource=deb depName=docker-compose-plugin
+  DOCKER_COMPOSE_PLUGIN_VERSION=5.1.4-1~debian.13~trixie \
   # renovate: datasource=repology depName=debian_13/fzf
   FZF_VERSION=0.60.3-1+b2 \
   # renovate: datasource=repology depName=debian_13/gh
@@ -140,6 +148,17 @@ SHELL ["/bin/bash", "-o", "pipefail", "-ex", "-c"]
 RUN --mount=type=cache,id=apt-cache-${TARGETARCH},sharing=locked,target=/var/cache/apt \
   BC_VERSION_HACK="${BC_VERSION}$([ "${TARGETARCH}" = "arm64" ] && echo "+b1" || echo "")" && \
   rm -f /etc/apt/apt.conf.d/docker-clean && \
+  install -m 0755 -d /etc/apt/keyrings && \
+  wget -q -O /etc/apt/keyrings/docker.asc https://download.docker.com/linux/debian/gpg && \
+  chmod a+r /etc/apt/keyrings/docker.asc && \
+  printf '%s\n' \
+    'Types: deb' \
+    'URIs: https://download.docker.com/linux/debian' \
+    'Suites: trixie' \
+    'Components: stable' \
+    "Architectures: $(dpkg --print-architecture)" \
+    'Signed-By: /etc/apt/keyrings/docker.asc' \
+    > /etc/apt/sources.list.d/docker.sources && \
   wget -q -O - https://apt.releases.hashicorp.com/gpg | gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg && \
   echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com trixie main" | tee /etc/apt/sources.list.d/hashicorp.list && \
   apt-get update && \
@@ -149,6 +168,11 @@ RUN --mount=type=cache,id=apt-cache-${TARGETARCH},sharing=locked,target=/var/cac
     bind9-dnsutils="${BIND9_VERSION}" \
     bubblewrap="${BW_VERSION}" \
     composer="${COMPOSER_VERSION}" \
+    containerd.io="${CONTAINERD_IO_VERSION}" \
+    docker-buildx-plugin="${DOCKER_BUILDX_PLUGIN_VERSION}" \
+    docker-ce="${DOCKER_CE_VERSION}" \
+    docker-ce-cli="${DOCKER_CE_VERSION}" \
+    docker-compose-plugin="${DOCKER_COMPOSE_PLUGIN_VERSION}" \
     fzf="${FZF_VERSION}" \
     gh="${GH_VERSION}" \
     git="${GIT_VERSION}" \
@@ -180,6 +204,12 @@ RUN --mount=type=cache,id=apt-cache-${TARGETARCH},sharing=locked,target=/var/cac
     unzip="${UNZIP_VERSION}" \
     vim="${VIM_VERSION}" \
     terraform="${TERRAFORM_VERSION}" && \
+  apt-mark hold \
+    containerd.io \
+    docker-buildx-plugin \
+    docker-ce \
+    docker-ce-cli \
+    docker-compose-plugin && \
   rm -rf /var/lib/apt/lists/*
 
 COPY download.sh /usr/local/bin
@@ -209,10 +239,19 @@ COPY --from=go-tools-builder /root/go/bin/buf /usr/local/bin/
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 
 COPY --chown=node init-firewall.sh /usr/local/bin/
-RUN chmod +x /usr/local/bin/init-firewall.sh && \
-  echo "node ALL=(root) NOPASSWD: /usr/local/bin/init-firewall.sh" > /etc/sudoers.d/node-firewall && \
+COPY --chown=node fix-docker-socket.sh /usr/local/bin/
+RUN chmod +x /usr/local/bin/init-firewall.sh /usr/local/bin/fix-docker-socket.sh && \
+  printf '%s\n' \
+    'node ALL=(root) NOPASSWD: /usr/local/bin/init-firewall.sh' \
+    'node ALL=(root) NOPASSWD: /usr/local/bin/fix-docker-socket.sh' \
+    > /etc/sudoers.d/node-firewall && \
   chmod 0440 /etc/sudoers.d/node-firewall
 
+# Add node to the docker group (the docker-ce postinst created it).
+# usermod/gpasswd aren't installed, so edit /etc/group directly:
+# add a comma separator only if the member list is non-empty, then append node.
+RUN sed -i -E '/^docker:/{ /:$/! s/$/,/; s/$/node/ }' /etc/group
+
 USER node
 
 ENV \

docker-entrypoint.sh

@@ -11,15 +11,32 @@ if [ "${SKIP_EGRESS_FIREWALL:-false}" != "true" ]; then
         )
 fi
 
+# If a Docker socket is mounted in, make node a member of the group that owns
+# it. The socket is read-only so we cannot chmod it; the sudo'd helper only
+# edits /etc/group (the one bit that needs root) and prints the group name.
+# We must NOT run the workload itself through sudo: env_reset would clobber
+# HOME, CODEX_HOME, PATH, etc. and the command would run with root's HOME.
+docker_grp=""
+if [ -S /var/run/docker.sock ]; then
+  docker_grp="$(sudo /usr/local/bin/fix-docker-socket.sh || true)"
+fi
+
 # sometimes i forget where i started after all the firewall rule stdout
 ls -la
 
 if [ -d "$HOME/.local/bin" ]; then
   export PATH="$HOME/.local/bin:$PATH"
 fi
 
+# Build the command we actually want to run.
 if [ "$#" -eq 0 ]; then
-  exec /bin/bash -l
+  set -- /bin/bash -l
+fi
+
+if [ -n "$docker_grp" ]; then
+  # Re-exec with the socket's group added. Unlike sudo, sg preserves the
+  # environment and needs no password now that node is a member of the group.
+  exec sg "$docker_grp" -c "exec $(printf '%q ' "$@")"
 else
   exec "$@"
 fi

fix-docker-socket.sh

@@ -0,0 +1,36 @@
+#!/usr/bin/env bash
+#
+# Ensure the node user is a member of the group that owns the Docker socket,
+# and print that group's name on stdout.
+#
+# Why this shape:
+#   * The socket is usually bind-mounted read-only, so we CANNOT chgrp/chmod
+#     it from inside the container.
+#   * A running process's supplementary groups are fixed at exec time, so the
+#     caller must re-exec (via sg) to pick up the membership we add here.
+#
+# This script does the ONLY part that needs root: editing /etc/group. It does
+# NOT exec the workload, so we never drag the command through sudo's
+# env_reset (which would clobber HOME, CODEX_HOME, PATH, etc.). Keep it side
+# effect free on stdout apart from the final group name.
+set -euo pipefail
+
+SOCK=/var/run/docker.sock
+
+[ -S "$SOCK" ] || exit 0
+
+gid="$(stat -c %g "$SOCK")"
+
+# Find the group name for that GID, creating one if the GID is unknown.
+grp="$(getent group "$gid" | cut -d: -f1 || true)"
+if [ -z "$grp" ]; then
+  grp=hostdocker
+  echo "${grp}:x:${gid}:" >> /etc/group
+fi
+
+# Add node to that group if it isn't already a member.
+if ! id -nG node | tr ' ' '\n' | grep -qx "$grp"; then
+  sed -i -E "/^${grp}:/ { /:\$/! s/\$/,/; s/\$/node/ }" /etc/group
+fi
+
+printf '%s\n' "$grp"

renovate.json5

@@ -3,6 +3,17 @@
   extends: [
     'github>libops/renovate-config:default.json5',
   ],
+  customManagers: [
+    {
+      customType: 'regex',
+      managerFilePatterns: ['/^Dockerfile$/'],
+      matchStrings: [
+        '#\\s*renovate:\\s*datasource=deb\\s+depName=(?<depName>[^\\s]+)[^\\n]*\\n\\s+[A-Z0-9_]+_VERSION=(?<currentValue>[^\\s\\\\]+)',
+      ],
+      datasourceTemplate: 'deb',
+      registryUrlTemplate: 'https://download.docker.com/linux/debian?suite=trixie&components=stable&binaryArch=amd64',
+    },
+  ],
   packageRules: [
     {
       matchDatasources: ['golang-version'],