From 2a50058304445774ee4da8049276af951ca7117b Mon Sep 17 00:00:00 2001
From: Self Hosters
Date: Thu, 6 Nov 2025 09:00:15 -0500
Subject: [PATCH] Fix Docker socket permission issue with dynamic GID detection
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The entrypoint now dynamically detects the Docker socket's GID at runtime and adds the census user to that group. This ensures compatibility across different hosts where the Docker socket may have different group IDs.

Previously, the container was built with DOCKER_GID=999, but hosts may have different Docker socket GIDs (e.g., 990). The docker-compose group_add directive added the GID, but su-exec didn't preserve supplementary groups, causing permission denied errors when accessing the socket.

This fix:
- Detects Docker socket GID at container startup
- Creates group if needed (named docker_host)
- Adds census user to the socket's group
- Ensures process runs with correct supplementary groups

Tested and verified on host with Docker socket GID 990.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude
---
 docker-entrypoint.sh | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh
index 0e2a1c4..28fbb93 100644
--- a/docker-entrypoint.sh
+++ b/docker-entrypoint.sh
@@ -14,6 +14,26 @@ if [ "$(id -u)" = "0" ]; then # This is idempotent - safe to run even if already correct chown -R census:census /app/data + # Detect Docker socket GID and add census user to that group + # This handles cases where the host's Docker GID differs from build-time DOCKER_GID + if [ -S /var/run/docker.sock ]; then + SOCK_GID=$(stat -c '%g' /var/run/docker.sock 2>/dev/null || true) + if [ -n "$SOCK_GID" ] && [ "$SOCK_GID" != "0" ]; then + echo "Detected Docker socket GID: $SOCK_GID" + # Check if group exists, create if not + if ! getent group "$SOCK_GID" > /dev/null 2>&1; then + echo "Creating group for GID $SOCK_GID..." + addgroup -g "$SOCK_GID" "docker_host" 2>/dev/null || true + fi + # Add census user to the group + SOCK_GROUP=$(getent group "$SOCK_GID" | cut -d: -f1) + if [ -n "$SOCK_GROUP" ]; then + echo "Adding census user to group $SOCK_GROUP (GID $SOCK_GID)..." + adduser census "$SOCK_GROUP" 2>/dev/null || true + fi + fi + fi + # Create default config.yaml if it doesn't exist if [ ! -f /app/config/config.yaml ]; then echo "Creating default config.yaml..."
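Review bot: the `addgroup` and `adduser` calls both end in `2>/dev/null || true`, so any failure is swallowed and the entrypoint carries on without a message. If `addgroup` fails (for example because the name `docker_host` is already taken by a different GID), `SOCK_GROUP` comes back empty and the membership step is skipped silently; if `adduser` fails, the "Adding census user to group" line has already been printed as though it worked. Either way the operator ends up with the same permission-denied error and nothing in the log pointing at the cause. Suggest keeping stderr and printing a warning when either command returns non-zero. The same applies to the outer checks: when the socket is missing, or `SOCK_GID` is empty or `0`, the block is skipped with no output, so an `else` branch that logs why no group was added would help. Two further points. The hunk only edits group membership; whether the final process actually receives the group depends on how su-exec is invoked later in the script, which is outside these lines, so it is worth confirming that call resolves census's groups from the group database. And when `getent group "$SOCK_GID"` already matches a group shipped in the image, census is added to that existing group, which may carry other file permissions inside the container; a short comment noting this, and that membership in the socket's group gives census full control of the Docker daemon, would document the trade-off.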