Skip to content

Swarm docker socket & PWA manifest

Choose a tag to compare

@btouchard btouchard released this 23 Jun 13:58

A patch release fixing two deployment issues: Docker socket access on Swarm and the PWA manifest behind an authenticating reverse proxy.

Bug fixes

Docker ? socket access auto-detected, works on Swarm without group_add (#29)

docker stack deploy silently drops group_add ? it is not part of the Swarm service spec ? so the container never joined the Docker group and the socket was unreachable, leaving Swarm deployments unable to talk to the daemon.

The entrypoint already runs as root before dropping to the unprivileged user, so it now reads the mounted socket's group and injects it via setpriv --groups, with an optional DOCKER_GID environment override. Socket access is auto-detected on both /var/run/docker.sock and /run/docker.sock, so:

  • Swarm deployments work out of the box ? no more unreachable socket.
  • group_add is now optional and existing setups keep working unchanged.
  • gid 0 is no longer carried to the runtime user, tightening the dropped-privilege set.

Docs and the compose examples are updated accordingly: socket access is auto-detected and group_add is no longer required.

Reverse proxy ? PWA manifest, public routes, and license status (#30)

Three issues surfaced when running behind an authenticating reverse proxy:

  • PWA manifest returned 401. The browser fetches the manifest without credentials, so it hit the authenticated router. The manifest <link> now uses crossorigin="use-credentials", and the docs add /manifest.webmanifest to the public-router examples (it carries no sensitive data).
  • Bare /status 401'd before redirecting. The public-router rules matched /status/ with a trailing slash, so the bare /status (which the app 301-redirects) reached the auth router and failed. The docs now match the prefix without the trailing slash, and clarify that a bare /ping/ legitimately returns 404 ? only /ping/{uuid} is an endpoint.
  • /api/v1/license/status returned 404 in Community. The route was registered only when a license manager was present. It is now always registered and reports an inactive state in Community.

The "trusted API" note is also reworded to clarify that a 403 on /api/v1/* is edition gating (PRO_REQUIRED), not a reverse-proxy or trust problem.

Upgrade notes

No configuration changes, database migrations, or API breaking changes. Rebuild the image to pick up the fixes. Swarm users can now drop the group_add block from their compose/stack files (it remains supported if you keep it).