Swarm docker socket & PWA manifest
A patch release fixing two deployment issues: Docker socket access on Swarm and the PWA manifest behind an authenticating reverse proxy.
Bug fixes
Docker ? socket access auto-detected, works on Swarm without group_add (#29)
docker stack deploy silently drops group_add ? it is not part of the Swarm service spec ? so the container never joined the Docker group and the socket was unreachable, leaving Swarm deployments unable to talk to the daemon.
The entrypoint already runs as root before dropping to the unprivileged user, so it now reads the mounted socket's group and injects it via setpriv --groups, with an optional DOCKER_GID environment override. Socket access is auto-detected on both /var/run/docker.sock and /run/docker.sock, so:
- Swarm deployments work out of the box ? no more unreachable socket.
group_addis now optional and existing setups keep working unchanged.- gid 0 is no longer carried to the runtime user, tightening the dropped-privilege set.
Docs and the compose examples are updated accordingly: socket access is auto-detected and group_add is no longer required.
Reverse proxy ? PWA manifest, public routes, and license status (#30)
Three issues surfaced when running behind an authenticating reverse proxy:
- PWA manifest returned 401. The browser fetches the manifest without credentials, so it hit the authenticated router. The manifest
<link>now usescrossorigin="use-credentials", and the docs add/manifest.webmanifestto the public-router examples (it carries no sensitive data). - Bare
/status401'd before redirecting. The public-router rules matched/status/with a trailing slash, so the bare/status(which the app 301-redirects) reached the auth router and failed. The docs now match the prefix without the trailing slash, and clarify that a bare/ping/legitimately returns 404 ? only/ping/{uuid}is an endpoint. /api/v1/license/statusreturned 404 in Community. The route was registered only when a license manager was present. It is now always registered and reports aninactivestate in Community.
The "trusted API" note is also reworded to clarify that a 403 on /api/v1/* is edition gating (PRO_REQUIRED), not a reverse-proxy or trust problem.
Upgrade notes
No configuration changes, database migrations, or API breaking changes. Rebuild the image to pick up the fixes. Swarm users can now drop the group_add block from their compose/stack files (it remains supported if you keep it).