Skip to content

feat: macOS support via Docker Desktop mode + fix Docker Desktop localhost seeding#10933

Closed
drakeshnag-rjo wants to merge 1 commit into
coollabsio:nextfrom
drakeshnag-rjo:feat/macos-docker-desktop-support
Closed

feat: macOS support via Docker Desktop mode + fix Docker Desktop localhost seeding#10933
drakeshnag-rjo wants to merge 1 commit into
coollabsio:nextfrom
drakeshnag-rjo:feat/macos-docker-desktop-support

Conversation

@drakeshnag-rjo

@drakeshnag-rjo drakeshnag-rjo commented Jul 14, 2026

Copy link
Copy Markdown

Changes

  • macOS compose file mirroring the Windows Docker Desktop variant: POSIX socket path, secrets from .env, healthcheck start_period for slow first-boot postgres init.
  • Native macOS installer (install.sh cannot run on Macs: no os-release, no systemd, read-only root, no root SSH). Verifies Docker 24+ and Compose v2, prepares data dirs and .env with generated secrets, starts the stack, waits for health.
  • IS_DOCKER_DESKTOP added as platform-neutral alias for the old Windows-named variable (which still works and takes precedence).
  • Seeder fix: the generic self-hosted block created server 0 with the wrong ip before the Docker Desktop block ran, so server and key never matched and onboarding said unreachable. Added the flag guard already used earlier in the seeder.

Issues

Category

  • Bug fix
  • Improvement
  • New feature
  • Adding new one click service
  • Fixing or updating existing one click service

Preview

Onboarding reaches Setup Complete with the localhost server validated; deployment log shows Finished/Running. Screenshots on request.

AI Assistance

  • AI was NOT used to create this PR
  • AI was used (please describe below)

If AI was used:

  • Tools used: Claude Code (Anthropic)
  • How extensively: drafted with AI under my direction; all changes exercised against a live install as described below.

Testing

End-to-end on macOS 12.7.6 (Intel), Colima 0.8.1 / Engine 27.4.0: installer run from a checkout, five containers healthy, root user registered, onboarding validated the localhost server, proxy and Sentinel healthy after the seeder fix (both failed before it), deployed nginx alpine with a port mapping, HTTP 200 from the host. Pest suite left to CI; only PHP changes are the seeder guard and constants alias.

Contributor Agreement

Important

  • I have read and understood the contributor guidelines. If I have failed to follow any guideline, I understand that this PR may be closed without review.
  • I have searched existing issues and pull requests (including closed ones) to ensure this isn't a duplicate.
  • I have tested all the changes thoroughly with a local development instance of Coolify and I am confident that they will work as expected when a maintainer tests them.

- Add docker-compose.mac.yml and .env.mac-docker-desktop.example, a macOS
  counterpart of the Windows Docker Desktop variant (POSIX docker.sock path,
  generated secrets instead of static dev credentials, healthcheck
  start_period for slower VMs).
- Add scripts/install-mac.sh: native macOS installer (no systemd, no root,
  no /etc/os-release, BSD sed) that validates Docker Desktop/OrbStack/Colima,
  prepares the data directories and .env, and boots the stack.
- Add IS_DOCKER_DESKTOP as a platform-neutral alias for
  IS_WINDOWS_DOCKER_DESKTOP in config/constants.php (old name still works).
- Fix ProductionSeeder: when Docker Desktop mode is enabled, the generic
  self-hosted block seeded Server 0 with ip host.docker.internal before the
  Docker Desktop block could create it with ip coolify-testing-host, leaving
  a localhost server whose IP and private key did not match and an
  unreachable server during onboarding.

Tested end-to-end on macOS 12.7 (Intel) with Colima: install script, root
user onboarding, localhost server validation via coolify-testing-host,
Traefik proxy + Sentinel startup, and deployment of a Docker image
application reachable on a mapped host port.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@github-actions

Copy link
Copy Markdown
Contributor

This PR did not pass quality checks so it will be closed. If you believe this is a mistake please let us know.

@andrezani

Copy link
Copy Markdown

Review of #10933

We pointed PR Quorum's review panel at 1 already-merged pull request across 1 public repository and recorded what it flagged. These reviews were read-only: nothing was posted to any repository, and every pull request was already merged. This measures review signal without affecting the projects involved.

The numbers

Metric Value
Pull requests reviewed 1
Repositories 1
Total findings 5
Critical + high severity 2
Pull requests with at least one finding 1 (100%)
Pull requests with a high/critical finding 1 (100%)
Total API cost for the whole run $0.0027
Average cost per pull request $0.0027

Findings by severity

Severity Count
🔴 Critical 0
🟠 High 2
🟡 Medium 0
⚪️ Low 3

Which reviewer caught what

Reviewer Findings
Architecture 2
Correctness 1
Security 2

The catches worth showing

🟠 Seeder guard uses loose comparison that treats string 'false' as truthy

High · confidence 0.95 · Correctness reviewer

database/seeders/ProductionSeeder.php:112coollabsio/coolify · feat: macOS support via Docker Desktop mode + fix Docker Desktop localhost seeding

The new guard config('constants.coolify.is_windows_docker_desktop') == false uses loose comparison (==). If the env var is set to the string "false" (e.g., IS_WINDOWS_DOCKER_DESKTOP=false), PHP's loose comparison will treat the non-empty string "false" as truthy, so "false" == false evaluates to false, and the guard does NOT skip the server-0 creation — the exact opposite of what was intended. The same issue applies to IS_DOCKER_DESKTOP=false. This is a realistic scenario: a user who explicitly sets the variable to false to disable Docker Desktop mode will get the wrong behavior. Use strict comparison (=== false) or cast to boolean first.

Suggested fix: if (! isCloud() && config('constants.coolify.is_windows_docker_desktop') === false) {

🟠 Command injection via unsanitized APP_PORT environment variable

High · confidence 0.95 · Security reviewer

scripts/install-mac.sh:155coollabsio/coolify · feat: macOS support via Docker Desktop mode + fix Docker Desktop localhost seeding

The APP_PORT environment variable is used directly in a curl command without validation. An attacker who can set this variable (e.g., via a malicious environment) can inject arbitrary shell commands by including double quotes or other metacharacters. The variable is not sanitized or validated as numeric. Example: if APP_PORT is set to '8000" && id', the command becomes 'curl -fsSL "http://localhost:8000" && id/api/health"' which executes the injected command.

Suggested fix: if [[ ! "$APP_PORT" =~ ^[0-9]+$ ]]; then echo "Invalid APP_PORT"; exit 1; fi

⚪️ Fallback chain creates silent config mismatch when both env vars are set to false

Low · confidence 0.95 · Architecture reviewer

config/constants.php:18coollabsio/coolify · feat: macOS support via Docker Desktop mode + fix Docker Desktop localhost seeding

The fallback env('IS_WINDOWS_DOCKER_DESKTOP', env('IS_DOCKER_DESKTOP', false)) means that if IS_WINDOWS_DOCKER_DESKTOP is explicitly set to false (e.g., IS_WINDOWS_DOCKER_DESKTOP=false), the fallback is never evaluated, so IS_DOCKER_DESKTOP=true would be ignored. Conversely, if IS_WINDOWS_DOCKER_DESKTOP is unset and IS_DOCKER_DESKTOP is set to false, the config becomes false. This is likely intentional for backward compatibility, but the asymmetry means the two variables are not truly equivalent aliases — one shadows the other. Consider using a single config key with a helper that checks both env vars, or document the precedence in the comment.

⚪️ Strict comparison with false is fragile for string env values

Low · confidence 0.90 · Architecture reviewer

database/seeders/ProductionSeeder.php:112coollabsio/coolify · feat: macOS support via Docker Desktop mode + fix Docker Desktop localhost seeding

The guard config('constants.coolify.is_windows_docker_desktop') == false uses loose comparison (==), which works for false vs 'false' (string) because PHP's 'false' == false is true. However, the config value comes from env() which returns 'true' or 'false' as strings when set, or false (boolean) when unset. The loose comparison == false treats 'false' (string) as falsy, which is correct, but 'true' (string) also evaluates as falsy in some edge cases? Actually 'true' == false is false, so this works. The real risk is that if someone sets IS_WINDOWS_DOCKER_DESKTOP=0 or IS_DOCKER_DESKTOP=0, the string '0' == false is true in PHP, which would incorrectly skip the server seeding. Consider using filter_var() or strict === with a cast to boolean for robustness.

⚪️ Sensitive .env file has default permissions

Low · confidence 0.80 · Security reviewer

scripts/install-mac.shcoollabsio/coolify · feat: macOS support via Docker Desktop mode + fix Docker Desktop localhost seeding

The installer creates the .env file (via cp or update_env_var) without setting restrictive permissions. On multi-user systems, other users on the same machine could read the file containing database passwords, app keys, and other secrets. Consider setting the file to 600 (owner read/write only) after creation.

Suggested fix: chmod 600 "$ENV_FILE"

Results by pull request

Pull request Verdict Findings Cost
coollabsio/coolify#10933 Needs attention 5 $0.0027

How this was run

  • Every pull request here was already merged. The panel ran against the historical diff in read-only mode.
  • Nothing was posted to any repository — no comments, no reviews, no checks.
  • These are unedited model outputs from the default panel (Correctness, Security, Architecture) on the default model. Some findings will be wrong — that's the honest state of AI review, and exactly the signal/noise we publish rather than hide.
  • Want this on your pull requests before they merge? Install the PR Quorum GitHub App: https://prquorum.com.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants