🐛 fix(self-update): prefer the bind-mounted socket over TCP for the helper

s-b-e-n-s-o-n · s-b-e-n-s-o-n · commit aa828d8861fb · 2026-05-16T09:05:56.000-04:00
resolveHelperDockerConnection checked the watcher's TCP modem first, so a
self/infrastructure update would route the helper through a Docker socket
proxy even when the target container has the socket bind-mounted. For an
infrastructure update (dd.update.mode=infrastructure) that proxy is the
container being replaced — stopping it would sever the helper mid-update.

The helper now resolves a bind-mounted socket first and only falls back to
TCP when the target container has no socket bind. This keeps infrastructure
updates bypassing the proxy while still supporting socket-less TCP setups.
diff --git a/app/triggers/providers/docker/SelfUpdateTransitionShared.test.ts b/app/triggers/providers/docker/SelfUpdateTransitionShared.test.ts
@@ -275,15 +275,33 @@ describe('resolveHelperDockerConnection', () => {
     };
   }
 
-  test('returns tcp mode when modem.host is a non-empty string', () => {
+  test('returns tcp mode when modem.host is a non-empty string and no socket bind is present', () => {
     const deps = makeDeps();
     const result = resolveHelperDockerConnection(
       deps,
       { createContainer: vi.fn(), modem: { host: 'docker-host', port: 2376, protocol: 'https' } },
       undefined,
     );
     expect(result).toEqual({ mode: 'tcp', host: 'docker-host', port: 2376, protocol: 'https' });
-    expect(deps.findDockerSocketBind).not.toHaveBeenCalled();
+    // findDockerSocketBind is called first (socket-first precedence); it returns undefined
+    // here, so the code falls through to TCP.
+    expect(deps.findDockerSocketBind).toHaveBeenCalledWith(undefined);
+  });
+
+  test('infrastructure-update guard: socket bind takes precedence over modem.host', () => {
+    // When the target container has the Docker socket bind-mounted AND the watcher also
+    // has a TCP modem.host (e.g. Drydock talks to sockguard over TCP), the helper must
+    // use the direct socket path — not the TCP connection that runs through the proxy
+    // being replaced. This is the infrastructure update mode invariant.
+    const deps = makeDeps('/var/run/docker.sock');
+    const spec = createCurrentContainerSpec();
+    const result = resolveHelperDockerConnection(
+      deps,
+      { createContainer: vi.fn(), modem: { host: 'sockguard-host', port: 2375, protocol: 'http' } },
+      spec,
+    );
+    expect(result).toEqual({ mode: 'socket', socketPath: '/var/run/docker.sock' });
+    expect(deps.findDockerSocketBind).toHaveBeenCalledWith(spec);
   });
 
   test('defaults port to 2375 and protocol to http when not provided', () => {
diff --git a/app/triggers/providers/docker/SelfUpdateTransitionShared.ts b/app/triggers/providers/docker/SelfUpdateTransitionShared.ts
@@ -75,6 +75,18 @@ function resolveHelperDockerConnection(
   dockerApi: SelfUpdateDockerApi,
   currentContainerSpec: SelfUpdateContainerSpec | undefined,
 ): HelperDockerConnection {
+  // Socket-bind-first: when the target container has the Docker socket bind-mounted,
+  // the helper MUST use that direct socket path. Using the TCP connection (which may
+  // run through a proxy) would sever the helper the moment that proxy is stopped and
+  // replaced — exactly the scenario in infrastructure update mode (dd.update.mode=infrastructure),
+  // where the socket proxy itself is the container being updated. TCP is only the
+  // fallback for deployments where Drydock reaches Docker purely over a remote TCP host
+  // and has no local socket bind.
+  const socketPath = dependencies.findDockerSocketBind(currentContainerSpec);
+  if (socketPath) {
+    return { mode: 'socket', socketPath };
+  }
+
   const modemHost = dockerApi.modem?.host;
   if (typeof modemHost === 'string' && modemHost.length > 0) {
     return {
@@ -85,13 +97,9 @@ function resolveHelperDockerConnection(
     };
   }
 
-  const socketPath = dependencies.findDockerSocketBind(currentContainerSpec);
-  if (!socketPath) {
-    throw new Error(
-      'Self-update requires the Docker socket to be bind-mounted (e.g. /var/run/docker.sock:/var/run/docker.sock), or the watcher must be configured with a TCP Docker host',
-    );
-  }
-  return { mode: 'socket', socketPath };
+  throw new Error(
+    'Self-update requires the Docker socket to be bind-mounted (e.g. /var/run/docker.sock:/var/run/docker.sock), or the watcher must be configured with a TCP Docker host',
+  );
 }
 
 async function executeSelfUpdateTransition(
