@adamoutler adamoutler commented Dec 6, 2025

Switches config initialization from cp to install to handle permissions atomically and prevent access errors caused by restrictive source file mode 004.

Summary by CodeRabbit

  • Bug Fixes

    • Initial setup now creates the configuration file with correct permissions and ownership to improve security and reliability.
    • Fixed a missing initial database entry encountered during first run.
  • New Features

    • Database schema extended to store a device FQDN field so devices can retain fully qualified domain names.


coderabbitai bot commented Dec 6, 2025

Walkthrough

Replaces cp with install -m 600 -o ${NETALERTX_USER} -g ${NETALERTX_GROUP} when placing the default app.conf; and adds a new devFQDN TEXT column to the Devices table in the first-run DB schema. Error handling and surrounding control flow remain unchanged.

Changes

Cohort / File(s) | Change Summary
Configuration installation (install/production-filesystem/entrypoint.d/15-first-run-config.sh) | Replaced cp with install -m 600 -o ${NETALERTX_USER} -g ${NETALERTX_GROUP} to create app.conf with explicit mode and ownership. Error checks and exit behavior unchanged.
Database schema update (install/production-filesystem/entrypoint.d/20-first-run-db.sh) | Added devFQDN TEXT column to the Devices table schema (inserted after devSourcePlugin TEXT); adjusted surrounding punctuation/formatting to include the new column.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

  • Verify ${NETALERTX_USER} and ${NETALERTX_GROUP} are defined at runtime and that mode 600 is appropriate.
  • Confirm DB schema SQL syntax is valid and that adding devFQDN won't break migrations or code expecting the previous schema.

Poem

I nibble on diffs beneath moonlight light,
Swapping cp for install to set things right,
A hostname column sprouts, concise and bright,
Config snug, DB wiser — hop into the night! 🐇✨

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled.
Title check | ✅ Passed | The title 'Change copy command to install with permissions' accurately summarizes the main change in the pull request, which replaces cp with install command while adding explicit permissions and ownership.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between ecb5c14 and 2c75285.

📒 Files selected for processing (1)
  • install/production-filesystem/entrypoint.d/15-first-run-config.sh (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
  • install/production-filesystem/entrypoint.d/15-first-run-config.sh
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: docker_dev


@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

🧹 Nitpick comments (1)
install/production-filesystem/entrypoint.d/15-first-run-config.sh (1)

10-13: Good use of install for atomic permission handling.

The change from cp to install with explicit mode and ownership is a solid improvement. It atomically handles permissions and ownership, addressing the issue where restrictive source modes (like 004) would cause access errors.

However, the error message on line 11 still refers to "copy" when the operation is now "deploy" or "install". This is a minor textual accuracy issue that should be updated for clarity.

Consider updating the error message:

-        >&2 echo "ERROR: Failed to copy default config to ${NETALERTX_CONFIG}/app.conf"
+        >&2 echo "ERROR: Failed to deploy default config to ${NETALERTX_CONFIG}/app.conf"
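Review bot: The reworded message on the + line still reports only the destination path, so a failure caused by the ownership arguments this PR adds (-o ${NETALERTX_USER} -g ${NETALERTX_GROUP}) reads the same as a missing source file or an unwritable config directory. Consider naming the intended owner, group and mode in the message, for example "ERROR: Failed to deploy default config to ${NETALERTX_CONFIG}/app.conf (mode 600, owner ${NETALERTX_USER}:${NETALERTX_GROUP})", so the first-run log points at the likely cause.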
📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between e7f2556 and c83bfbd.

📒 Files selected for processing (1)
  • install/production-filesystem/entrypoint.d/15-first-run-config.sh (1 hunks)
🧰 Additional context used
🧠 Learnings (6)
📓 Common learnings
Learnt from: adamoutler
Repo: jokob-sk/NetAlertX PR: 1263
File: install/production-filesystem/entrypoint.sh:60-86
Timestamp: 2025-11-01T19:02:10.635Z
Learning: In the NetAlertX project (install/production-filesystem/entrypoint.sh), when fail-fast behavior is adopted for entrypoint checks in the future, be lenient during review because tests will be removed or changed to accommodate that behavior. The current continue-on-failure approach exists to support the existing test suite, but this is expected to change along with corresponding test adjustments.
Learnt from: adamoutler
Repo: jokob-sk/NetAlertX PR: 1184
File: .devcontainer/scripts/setup.sh:103-116
Timestamp: 2025-09-20T14:09:29.159Z
Learning: In NetAlertX devcontainer setup, the netalertx user has write permissions to /var/log/nginx/ directory as it's explicitly chowned to netalertx:www-data in the Dockerfile, so setup.sh can write to nginx log files without sudo.
📚 Learning: 2025-11-01T19:02:10.635Z
Learnt from: adamoutler
Repo: jokob-sk/NetAlertX PR: 1263
File: install/production-filesystem/entrypoint.sh:60-86
Timestamp: 2025-11-01T19:02:10.635Z
Learning: In the NetAlertX project (install/production-filesystem/entrypoint.sh), when fail-fast behavior is adopted for entrypoint checks in the future, be lenient during review because tests will be removed or changed to accommodate that behavior. The current continue-on-failure approach exists to support the existing test suite, but this is expected to change along with corresponding test adjustments.

Applied to files:

  • install/production-filesystem/entrypoint.d/15-first-run-config.sh
📚 Learning: 2025-11-23T16:05:31.339Z
Learnt from: adamoutler
Repo: jokob-sk/NetAlertX PR: 1302
File: back/cron_script.sh:6-18
Timestamp: 2025-11-23T16:05:31.339Z
Learning: The `/back/cron_script.sh` file is legacy code maintained only for compatibility with other components. The active/production version is in `install/production-filesystem/services/scripts/cron_script.sh`. Changes to `/back` directory are typically outside the scope of PRs unless specifically addressing compatibility.

Applied to files:

  • install/production-filesystem/entrypoint.d/15-first-run-config.sh
📚 Learning: 2025-09-20T14:09:29.159Z
Learnt from: adamoutler
Repo: jokob-sk/NetAlertX PR: 1184
File: .devcontainer/scripts/setup.sh:103-116
Timestamp: 2025-09-20T14:09:29.159Z
Learning: In NetAlertX devcontainer setup, the netalertx user has write permissions to /var/log/nginx/ directory as it's explicitly chowned to netalertx:www-data in the Dockerfile, so setup.sh can write to nginx log files without sudo.

Applied to files:

  • install/production-filesystem/entrypoint.d/15-first-run-config.sh
📚 Learning: 2025-10-26T15:39:36.707Z
Learnt from: adamoutler
Repo: jokob-sk/NetAlertX PR: 1235
File: install/production-filesystem/services/scripts/check-first-run-config.sh:0-0
Timestamp: 2025-10-26T15:39:36.707Z
Learning: In NetAlertX startup scripts, critical initialization failures (e.g., unable to create config directory or copy default config files) should exit with non-zero status to fail fast and provide clear error messages, rather than continuing in a broken state.

Applied to files:

  • install/production-filesystem/entrypoint.d/15-first-run-config.sh
📚 Learning: 2025-10-26T16:45:41.247Z
Learnt from: adamoutler
Repo: jokob-sk/NetAlertX PR: 1235
File: install/production-filesystem/services/scripts/check-ramdisk.sh:0-0
Timestamp: 2025-10-26T16:45:41.247Z
Learning: In NetAlertX check scripts (install/production-filesystem/services/scripts/check-*.sh), not all checks should exit with non-zero status. Some checks, like check-ramdisk.sh, are warning-only and exit 0 even when issues are detected, allowing the application to start despite suboptimal configuration.

Applied to files:

  • install/production-filesystem/entrypoint.d/15-first-run-config.sh
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: docker_dev
🔇 Additional comments (1)
install/production-filesystem/entrypoint.d/15-first-run-config.sh (1)

10-13: Verify that netalertx user and group are created before this entrypoint script executes.

The install command with -o netalertx -g netalertx requires the netalertx user and group to exist. Confirm these are created during Dockerfile construction or in an earlier entrypoint.d script (scripts numbered before 15).
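
The mode behaviour behind this change, as an added example that is not part of the PR or of NetAlertX's code: cp derives the destination mode from the source file, while install -m sets it explicitly, and a post-deploy check confirms the result. The file names and functions are hypothetical, source mode 0444 stands in for the page's 004, and -o/-g are left out so the script runs unprivileged.

```shell
#!/bin/sh
# Added example, not NetAlertX code. File names and functions are hypothetical.

# Octal permission bits of a file (GNU or BusyBox stat).
mode_of() { stat -c '%a' "$1"; }

# cp creates the destination with the SOURCE mode (masked by umask).
deploy_with_cp() { cp "$1" "$2" && mode_of "$2"; }

# install copies and sets the requested mode in the same command.
# The PR also passes -o/-g; omitted here because chown to another
# account needs privileges.
deploy_with_install() { install -m 600 "$1" "$2" && mode_of "$2"; }

# Post-deploy check: exact mode and numeric owner must both match.
verify_conf() {
    [ "$(stat -c '%a' "$1")" = "$2" ] && [ "$(stat -c '%u' "$1")" = "$3" ]
}

demo() {
    umask 022
    work=$(mktemp -d) || return 1
    # Constructed default config with a restrictive source mode
    # (0444 stands in for the page's 004 so a self-owned file stays readable).
    printf 'example_key=constructed\n' > "$work/default.conf"
    chmod 444 "$work/default.conf"

    cp_mode=$(deploy_with_cp "$work/default.conf" "$work/cp.conf")
    in_mode=$(deploy_with_install "$work/default.conf" "$work/install.conf")

    if verify_conf "$work/cp.conf" 600 "$(id -u)"; then cp_ok=pass; else cp_ok=fail; fi
    if verify_conf "$work/install.conf" 600 "$(id -u)"; then in_ok=pass; else in_ok=fail; fi

    rm -rf "$work"
    echo "cp=$cp_mode install=$in_mode cp_check=$cp_ok install_check=$in_ok"
}

demo
```

The cp copy inherits the read-only source mode, so the service account that owns it cannot update its own configuration, while the install copy has the requested 600.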

@adamoutler adamoutler marked this pull request as draft December 6, 2025 12:46
@adamoutler adamoutler marked this pull request as ready for review December 6, 2025 13:02
@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 0

🧹 Nitpick comments (1)
install/production-filesystem/entrypoint.d/20-first-run-db.sh (1)

100-102: Fix indentation inconsistency in the new column definition.

Line 101 uses tabs while the surrounding column definitions use spaces, creating inconsistent formatting within the Devices table schema.

              devSourcePlugin TEXT,
-			  devFQDN TEXT,
+              devFQDN TEXT,
              "devCustomProps" TEXT);
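Review bot: devFQDN on the + line sits between devSourcePlugin and "devCustomProps" instead of at the end of the column list. SQLite's ALTER TABLE ... ADD COLUMN always appends, so a database upgraded by migration would carry devFQDN as its last column while a fresh install has it second to last, and any positional INSERT or SELECT * consumer would see two different column orders. Either move the new column after "devCustomProps" in this schema, or confirm that every statement touching Devices names its columns explicitly.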
📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between c83bfbd and ecb5c14.

📒 Files selected for processing (2)
  • install/production-filesystem/entrypoint.d/15-first-run-config.sh (1 hunks)
  • install/production-filesystem/entrypoint.d/20-first-run-db.sh (1 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
  • install/production-filesystem/entrypoint.d/15-first-run-config.sh
🧰 Additional context used
🧠 Learnings (1)
📚 Learning: 2025-11-29T23:18:27.559Z
Learnt from: CR
Repo: jokob-sk/NetAlertX PR: 0
File: .github/copilot-instructions.md:0-0
Timestamp: 2025-11-29T23:18:27.559Z
Learning: Applies to front/plugins/*/script.py : Plugin device imports must define `database_column_definitions` when creating/updating devices; watched fields trigger notifications

Applied to files:

  • install/production-filesystem/entrypoint.d/20-first-run-db.sh
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: docker_dev
🔇 Additional comments (3)
install/production-filesystem/entrypoint.d/20-first-run-db.sh (3)

266-266: Update view column definitions to include devFQDN.

The view comments at lines 266, 282, and 284 enumerate the columns returned by each view. These hardcoded lists do not include the newly added devFQDN column from the Devices table, and should be updated for accuracy. Confirm whether these comments are auto-generated or manually maintained—if auto-generated, they will need regeneration.

Also applies to: 282-282, 284-284


100-102: Verify database column definition metadata for the new devFQDN column.

Per the retrieved learnings, plugin device imports must define database_column_definitions when creating or updating devices. Confirm that devFQDN has been registered in the appropriate plugin or backend configuration.


1-468: Verify migration strategy for existing deployed databases.

This file only executes on first-run initialization. If NetAlertX is already deployed with existing databases, they will not automatically receive the new devFQDN column. Confirm that a migration script exists to add this column to existing Devices tables, or document the upgrade path clearly.

@jokob-sk jokob-sk merged commit 6ee9064 into netalertx:main Dec 7, 2025
6 checks passed