feat: macOS support via Docker Desktop mode + fix Docker Desktop localhost seeding#10933
feat: macOS support via Docker Desktop mode + fix Docker Desktop localhost seeding#10933drakeshnag-rjo wants to merge 1 commit into
Conversation
- Add docker-compose.mac.yml and .env.mac-docker-desktop.example, a macOS counterpart of the Windows Docker Desktop variant (POSIX docker.sock path, generated secrets instead of static dev credentials, healthcheck start_period for slower VMs). - Add scripts/install-mac.sh: native macOS installer (no systemd, no root, no /etc/os-release, BSD sed) that validates Docker Desktop/OrbStack/Colima, prepares the data directories and .env, and boots the stack. - Add IS_DOCKER_DESKTOP as a platform-neutral alias for IS_WINDOWS_DOCKER_DESKTOP in config/constants.php (old name still works). - Fix ProductionSeeder: when Docker Desktop mode is enabled, the generic self-hosted block seeded Server 0 with ip host.docker.internal before the Docker Desktop block could create it with ip coolify-testing-host, leaving a localhost server whose IP and private key did not match and an unreachable server during onboarding. Tested end-to-end on macOS 12.7 (Intel) with Colima: install script, root user onboarding, localhost server validation via coolify-testing-host, Traefik proxy + Sentinel startup, and deployment of a Docker image application reachable on a mapped host port. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
|
This PR did not pass quality checks so it will be closed. If you believe this is a mistake please let us know. |
Review of #10933We pointed PR Quorum's review panel at 1 already-merged pull request across 1 public repository and recorded what it flagged. These reviews were read-only: nothing was posted to any repository, and every pull request was already merged. This measures review signal without affecting the projects involved. The numbers
Findings by severity
Which reviewer caught what
The catches worth showing🟠 Seeder guard uses loose comparison that treats string 'false' as truthyHigh · confidence 0.95 · Correctness reviewer
The new guard
🟠 Command injection via unsanitized APP_PORT environment variableHigh · confidence 0.95 · Security reviewer
The APP_PORT environment variable is used directly in a curl command without validation. An attacker who can set this variable (e.g., via a malicious environment) can inject arbitrary shell commands by including double quotes or other metacharacters. The variable is not sanitized or validated as numeric. Example: if APP_PORT is set to '8000" && id', the command becomes 'curl -fsSL "http://localhost:8000" && id/api/health"' which executes the injected command.
⚪️ Fallback chain creates silent config mismatch when both env vars are set to falseLow · confidence 0.95 · Architecture reviewer
The fallback ⚪️ Strict comparison with false is fragile for string env valuesLow · confidence 0.90 · Architecture reviewer
The guard ⚪️ Sensitive .env file has default permissionsLow · confidence 0.80 · Security reviewer
The installer creates the .env file (via cp or update_env_var) without setting restrictive permissions. On multi-user systems, other users on the same machine could read the file containing database passwords, app keys, and other secrets. Consider setting the file to 600 (owner read/write only) after creation.
Results by pull request
How this was run
|
Changes
Issues
Category
Preview
Onboarding reaches Setup Complete with the localhost server validated; deployment log shows Finished/Running. Screenshots on request.
AI Assistance
If AI was used:
Testing
End-to-end on macOS 12.7.6 (Intel), Colima 0.8.1 / Engine 27.4.0: installer run from a checkout, five containers healthy, root user registered, onboarding validated the localhost server, proxy and Sentinel healthy after the seeder fix (both failed before it), deployed nginx alpine with a port mapping, HTTP 200 from the host. Pest suite left to CI; only PHP changes are the seeder guard and constants alias.
Contributor Agreement
Important