Skip to content

Daily fixes#1731

Merged
dgageot merged 3 commits intodocker:mainfrom
dgageot:daily-fixes
Feb 14, 2026
Merged

Daily fixes#1731
dgageot merged 3 commits intodocker:mainfrom
dgageot:daily-fixes

Conversation

@dgageot
Copy link
Member

@dgageot dgageot commented Feb 14, 2026

No description provided.

@dgageot
Fix race condition in isFirstRun using atomic file creation
ece3271 
Use os.OpenFile with os.O_EXCL|os.O_CREATE to atomically create the
marker file. This eliminates the check-then-act race condition where
multiple concurrent cagent processes could all see the marker file as
missing and all proceed with first-run initialization.

Fixes docker#1709

Assisted-By: cagent
@dgageot
Validate input and handle errors in RunBangCommand
92d8b18 
Add input validation to reject empty commands and properly handle
the error from exec.CommandContext instead of silently discarding it.
When the command fails and produces no output, the error message is
shown to the user.

Fixes docker#1716

Assisted-By: cagent
@dgageot
Add input validation and audit logging to shell tool
62bafde 
Validate that the command is not empty before execution, and add
debug-level logging for native (non-sandboxed) shell command execution
to improve auditability.

Fixes docker#1717

Assisted-By: cagent
@dgageot dgageot requested a review from a team as a code owner February 14, 2026 09:28
docker-agent[bot]
docker-agent bot reviewed Feb 14, 2026
View reviewed changes
Copy link

@docker-agent docker-agent bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Review Summary

Found one issue in the error handling logic for the RunBangCommand method. The condition for displaying errors will suppress error information when commands produce output but still fail.

The rest of the changes look good - the atomic file creation fix for isFirstRun() properly addresses the race condition mentioned in the comments.

pkg/app/app.go

out, err := exec.CommandContext(ctx, "/bin/sh", "-c", command).CombinedOutput()
output := "$ " + command + "\n" + string(out)
if err != nil && len(out) == 0 {
Copy link

@docker-agent docker-agent bot Feb 14, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Issue: Error information is lost when command fails with partial output

The condition if err != nil && len(out) == 0 means errors are only reported when there's no output. When a shell command produces any output (stdout or stderr) but exits with a non-zero status, the error is never displayed to the user.

For example, if a command writes to stderr and then fails, the user will see the stderr output but won't see that the command actually failed.

Consider changing the logic to always include error information when err != nil:

if err != nil {
    output = "$ " + command + "\n" + string(out) + "\nError: " + err.Error()
} else {
    output = "$ " + command + "\n" + string(out)
}

This ensures users are always informed when a command fails, regardless of whether it produced output.

@dgageot dgageot merged commit f8d707e into docker:main Feb 14, 2026
8 checks passed
@BrewTestBot BrewTestBot mentioned this pull request Feb 16, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@rumpl rumpl rumpl approved these changes

+1 more reviewer

@docker-agent docker-agent[bot] docker-agent[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@dgageot @rumpl