Fix host docker.sock shadowed by systemd /run tmpfs

Workspace runs systemd as PID 1; systemd remounts /run as a fresh tmpfs at
boot, which shadows the host docker.sock bind mount placed at
/var/run/docker.sock.

Bind the host socket to /host-docker.sock (outside /run) and re-bind it
onto /var/run/docker.sock via a systemd .mount unit after
systemd-tmpfiles-setup creates the target file. coder-agent and web-shell
now order After= and Require= the mount unit.

Author: chapterjason

main.tf

@@ -560,8 +560,12 @@ resource "docker_container" "workspace" {
     read_only      = false
   }
 
+  # Stash the host socket outside /run, which systemd remounts as a fresh
+  # tmpfs at boot and would shadow a bind mount placed there. A systemd
+  # .mount unit in the image re-binds /host-docker.sock onto
+  # /var/run/docker.sock after /run is set up.
   volumes {
-    container_path = "/var/run/docker.sock"
+    container_path = "/host-docker.sock"
     host_path      = "/var/run/docker.sock"
     read_only      = false
   }

src/base/Dockerfile

@@ -128,10 +128,12 @@ RUN printf '\nif [ -d /etc/profile.d ]; then\n  for i in /etc/profile.d/*.sh; do
 RUN mkdir -p /etc/coder
 COPY src/base/coder-agent.service /etc/systemd/system/coder-agent.service
 COPY src/base/web-shell.service /etc/systemd/system/web-shell.service
+COPY src/base/var-run-docker.sock.mount /etc/systemd/system/var-run-docker.sock.mount
+COPY src/base/docker-sock.tmpfiles.conf /etc/tmpfiles.d/docker-sock.conf
 COPY --chmod=0755 src/base/web-shell-launch.sh /usr/local/bin/web-shell-launch
 RUN install -m 0644 /dev/null /var/log/web-shell.log && \
     chown coder:coder /var/log/web-shell.log && \
-    systemctl enable coder-agent.service web-shell.service
+    systemctl enable coder-agent.service web-shell.service var-run-docker.sock.mount
 
 # Entrypoint claims fresh-volume mountpoints for the workspace user before
 # systemd starts. See entrypoint.sh for rationale.

src/base/coder-agent.service

@@ -1,7 +1,8 @@
 [Unit]
 Description=Coder Agent
-After=network-online.target
+After=network-online.target var-run-docker.sock.mount
 Wants=network-online.target
+Requires=var-run-docker.sock.mount
 ConditionPathExists=/etc/coder/agent-init.sh
 
 [Service]

src/base/docker-sock.tmpfiles.conf

@@ -0,0 +1 @@
+f /var/run/docker.sock 0660 root docker -

src/base/entrypoint.sh

@@ -26,8 +26,8 @@ fi
 # DooD: align the in-image `docker` group GID with the host socket's GID so
 # the workspace user (member of `docker` in the image) can talk to the
 # bind-mounted host daemon without a chmod 666 on the socket.
-if [ -S /var/run/docker.sock ]; then
-  sock_gid=$(stat -c '%g' /var/run/docker.sock)
+if [ -S /host-docker.sock ]; then
+  sock_gid=$(stat -c '%g' /host-docker.sock)
   cur_gid=$(getent group docker | cut -d: -f3 || true)
   if [ -n "$sock_gid" ] && [ "$sock_gid" != "$cur_gid" ]; then
     # If another group already owns the target GID, rename it out of the way

src/base/var-run-docker.sock.mount

@@ -0,0 +1,17 @@
+[Unit]
+Description=Bind-mount host Docker socket into /var/run
+DefaultDependencies=no
+After=systemd-tmpfiles-setup.service
+Requires=systemd-tmpfiles-setup.service
+ConditionPathExists=/host-docker.sock
+Before=sysinit.target shutdown.target
+Conflicts=shutdown.target
+
+[Mount]
+What=/host-docker.sock
+Where=/var/run/docker.sock
+Type=none
+Options=bind
+
+[Install]
+WantedBy=sysinit.target

src/base/web-shell.service

@@ -1,7 +1,8 @@
 [Unit]
 Description=web-shell
-After=network-online.target
+After=network-online.target var-run-docker.sock.mount
 Wants=network-online.target
+Requires=var-run-docker.sock.mount
 
 [Service]
 Type=simple