fix(api): mount host docker data for skiller

Author: skulidropek

docker-compose.api.yml

@@ -35,7 +35,7 @@ services:
       - 1.1.1.1
     volumes:
       - docker_git_projects:${DOCKER_GIT_PROJECTS_ROOT:-/home/dev/.docker-git}
-      - docker_git_docker_data:/var/lib/docker
+      - /var/lib/docker:/var/lib/docker
       - /var/run/docker.sock:/var/run/docker.sock
     privileged: ${DOCKER_GIT_CONTROLLER_PRIVILEGED:-false}
     cgroup: host

docker-compose.yml

@@ -35,7 +35,7 @@ services:
       - 1.1.1.1
     volumes:
       - docker_git_projects:${DOCKER_GIT_PROJECTS_ROOT:-/home/dev/.docker-git}
-      - docker_git_docker_data:/var/lib/docker
+      - /var/lib/docker:/var/lib/docker
       - /var/run/docker.sock:/var/run/docker.sock
     privileged: ${DOCKER_GIT_CONTROLLER_PRIVILEGED:-false}
     cgroup: host

packages/api/README.md

@@ -12,14 +12,16 @@ This is now the intended controller plane:
 ## Runtime contract: host-Docker-backed
 
 `docker-git` is host-Docker-backed by default. The primary controller
-container created from this package binds the host socket
-(`/var/run/docker.sock:/var/run/docker.sock`, see `docker-compose.yml`) and
-uses it to spawn per-project containers. `DOCKER_GIT_DOCKER_RUNTIME=isolated`
-is an opt-in fallback for environments that explicitly require an embedded
-controller daemon. In isolated mode, start the controller through the host CLI
-or include `docker-compose.isolated.yml`; that overlay removes the host socket
-bind and defaults project containers to the embedded daemon endpoint
-`tcp://host.docker.internal:2375`.
+container created from this package binds the host socket and Docker data root
+(`/var/run/docker.sock:/var/run/docker.sock` and
+`/var/lib/docker:/var/lib/docker`, see `docker-compose.yml`) and uses them to
+spawn per-project containers and access the Docker volume paths reported by
+`docker inspect`. `DOCKER_GIT_DOCKER_RUNTIME=isolated` is an opt-in fallback for
+environments that explicitly require an embedded controller daemon. In isolated
+mode, start the controller through the host CLI or include
+`docker-compose.isolated.yml`; that overlay removes the host socket bind, keeps
+Docker data inside the controller volume, and defaults project containers to the
+embedded daemon endpoint `tcp://host.docker.internal:2375`.
 
 Security note: binding `/var/run/docker.sock` gives the controller container
 root-equivalent control over the host Docker daemon, including the ability to

packages/app/tests/docker-git/controller-resource-limits.test.ts

@@ -18,6 +18,8 @@ import {
 
 const composeFiles: ReadonlyArray<string> = ["docker-compose.yml", "docker-compose.api.yml"]
 const isolatedComposeFiles: ReadonlyArray<string> = ["docker-compose.isolated.yml", "docker-compose.api.isolated.yml"]
+const hostDockerDataBind = "/var/lib/docker:/var/lib/docker"
+const isolatedDockerDataVolume = "docker_git_docker_data:/var/lib/docker"
 
 const readComposeFile = (relativePath: string): Effect.Effect<string> =>
   Effect.gen(function*(_) {
@@ -50,6 +52,13 @@ describe("controller compose resource limits", () => {
           const contents = yield* _(readComposeFile(composeFile))
           expect(contents).toMatch(/pids_limit: \$\{DOCKER_GIT_CONTROLLER_PIDS:-\d+\}/u)
         }))
+
+      it.effect("binds host Docker data root for host runtime volume path access", () =>
+        Effect.gen(function*(_) {
+          const contents = yield* _(readComposeFile(composeFile))
+          expect(contents).toContain(`- ${hostDockerDataBind}`)
+          expect(contents).not.toContain(`- ${isolatedDockerDataVolume}`)
+        }))
     })
   }
 
@@ -75,6 +84,13 @@ describe("controller compose resource limits", () => {
           const contents = yield* _(readComposeFile(composeFile))
           expect(contents).toContain("privileged: ${DOCKER_GIT_CONTROLLER_PRIVILEGED:-true}")
         }))
+
+      it.effect("keeps Docker data inside the embedded controller daemon volume", () =>
+        Effect.gen(function*(_) {
+          const contents = yield* _(readComposeFile(composeFile))
+          expect(contents).toContain(`- ${isolatedDockerDataVolume}`)
+          expect(contents).not.toContain(`- ${hostDockerDataBind}`)
+        }))
     })
   }
 })