fix(server): align CPU image port + /data ownership with CUDA image (v0.5.1) #31
Merged
Two latent bugs in the v0.5.0 CPU image surfaced during post-release
smoke testing of dvcdsys/code-index:v0.5.0 on macOS arm64:
1) Port mismatch — image baked ENV CIX_PORT=8001 (Python parallel-PoC
carry-over) but docker-compose.yml mapped 21847:21847. A fresh
`docker compose up -d` from the published files left the host port
pointing at a non-listening container port; `curl` saw connection
reset. The Python backend was archived 2026-04, so the rationale
for 8001 is dead. CUDA image already uses 21847; CPU now matches.
2) /data ownership — distroless USER nonroot:nonroot (uid 65532) but
the Dockerfile declared `VOLUME ["/data"]` without pre-creating the
directory with nonroot ownership. A fresh Docker named volume
inherited root ownership from the daemon and the runtime user got
`mkdir /data/sqlite: permission denied` on first boot. CUDA image
pre-creates /data via COPY --chown=1001:1001; CPU now does the
same with --chown=65532:65532.
Changes:
- server/Dockerfile: ENV CIX_PORT=21847, EXPOSE 21847; mkdir /out/data
in builder stage; COPY --chown=65532:65532 /out/data /data before
VOLUME declaration.
- server/internal/config/config.go: getenvInt default 8001 → 21847.
Doc comment rewritten — "Python parallel rollout" rationale is dead.
- server/internal/config/config_test.go: TestLoadDefaults expects 21847.
- server/README.md: stale "phase 1 / Python parallel" preamble replaced;
port table cell updated; quick-start docker run example uses 21847
and shows the now-required bootstrap admin envs.
- docker-compose.yml + docker-compose.cuda.yml: explicit
CIX_PORT=${CIX_PORT:-21847} as defense in depth against future
Dockerfile regressions or third-party forks.
- docker-compose.yml: bind-mount uid comment updated 1001 → 65532
(the CPU image's nonroot uid; CUDA's 1001 only applies to the
CUDA compose file).
Local verification:
- `make` build green; full Go test suite green (one fixture updated).
- `docker buildx build` of the patched CPU Dockerfile produces an arm64
image. `docker run` with a NAMED VOLUME (no --user override) and the
DEFAULT port (no CIX_PORT env) now boots cleanly:
/health → 200
/api/v1/auth/bootstrap-status → 200
/dashboard/ → 200
/api/v1/admin/users → 200 (admin session)
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Summary
Two latent bugs in the v0.5.0 CPU image (`dvcdsys/code-index:v0.5.0` / `:latest`) surfaced during post-release smoke testing on macOS arm64. CUDA image is unaffected — both fixes bring the CPU image to parity.
🐛 #1 — Port mismatch
CPU image baked `ENV CIX_PORT=8001` (Python-FastAPI parallel-rollout carry-over), but `docker-compose.yml` maps `21847:21847`. A fresh `docker compose up -d` from the published files left the host port pointing at a non-listening container port → `curl: Recv failure: Connection reset by peer`.
The Python backend was archived 2026-04, so the rationale for 8001 is dead. CUDA image already uses 21847.
🐛 #2 — /data ownership for named volumes
CPU image runs as `nonroot:nonroot` (uid 65532) but the Dockerfile declared `VOLUME ["/data"]` without pre-creating the directory with proper ownership. A fresh Docker named volume inherited root ownership from the daemon → runtime user hit `mkdir /data/sqlite: permission denied` on first boot.
CUDA image pre-creates `/data` via `COPY --chown=1001:1001` from a builder stage. CPU now does the same with `--chown=65532:65532`.
Changes
Test plan
Release notes (for v0.5.1 GitHub Release body)
```markdown
Server v0.5.1 — CPU image fixes
port mapping). Previously the image listened on 8001 — a Python-FastAPI
parallel-rollout default that's no longer relevant.
so a fresh Docker named volume is writable on first boot. Previously
hit `mkdir /data/sqlite: permission denied` on first `docker compose
up -d`.
No breaking changes. CUDA image was already correct on both points.
```
🤖 Generated with Claude Code
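
A static check for the two mismatches this PR fixes, as an added example that is not part of the pull request or the project's code. The Dockerfile and compose fragments are constructed from the description above (not the repository's real files), and `lint`, `to_uid` and the constant names are hypothetical.

```python
import json
import re

# Constructed fragments modelled on the PR text, not the project's real files.
CPU_V050 = 'ENV CIX_PORT=8001\nUSER nonroot:nonroot\nVOLUME ["/data"]\n'
CPU_V051 = ('ENV CIX_PORT=21847\nEXPOSE 21847\n'
            'COPY --from=builder --chown=65532:65532 /out/data /data\n'
            'USER nonroot:nonroot\nVOLUME ["/data"]\n')
COMPOSE = 'services:\n  server:\n    ports:\n      - "21847:21847"\n'
PINNED = COMPOSE + '    environment:\n      - CIX_PORT=${CIX_PORT:-21847}\n'
UIDS = {"root": 0, "nonroot": 65532}  # nonroot uid as stated in the PR text


def to_uid(name):
    """Map a USER/--chown owner (numeric or a known name) to a uid."""
    return int(name) if name.isdigit() else UIDS.get(name, -1)


def lint(dockerfile, compose):
    """Return findings for the two failure modes the PR fixes."""
    env_port, run_uid, owned, volumes = None, 0, {}, []
    for line in dockerfile.splitlines():
        op, _, rest = line.strip().partition(" ")
        args = rest.split()
        if op == "ENV" and rest.startswith("CIX_PORT="):
            env_port = int(rest.split("=", 1)[1])
        elif op == "USER":
            run_uid = to_uid(args[0].split(":")[0])
        elif op in ("COPY", "ADD"):
            for a in args:
                if a.startswith("--chown="):
                    owned[args[-1].rstrip("/")] = to_uid(a[8:].split(":")[0])
        elif op == "VOLUME":
            paths = json.loads(rest) if rest.startswith("[") else args
            # Record ownership as of the VOLUME line: the PR sets it before.
            volumes += [(p, owned.get(p.rstrip("/"), 0)) for p in paths]
    findings = []
    # A compose-level CIX_PORT overrides the value baked into the image.
    pin = re.search(r"CIX_PORT=(?:\$\{CIX_PORT:-)?(\d+)", compose)
    listen = int(pin.group(1)) if pin else env_port
    targets = {int(c) for _, c in re.findall(r'-\s*"?(\d+):(\d+)"?', compose)}
    if targets and listen not in targets:
        findings.append(f"port: server listens on {listen}, compose maps {sorted(targets)}")
    for path, uid in volumes:
        if uid != run_uid:
            findings.append(f"volume: {path} owned by uid {uid}, runtime uid {run_uid}")
    return findings
```

Run against `PINNED`, the v0.5.0 fragment still reports the `/data` ownership finding but no port finding, which is the effect of the compose-level `CIX_PORT` pin the commit describes as defense in depth.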