Use canonical /run/docker.sock path for mount unit

chapterjason · chapterjason · commit 9538680c9223 · 2026-05-15T13:45:05.000Z
systemd rejects mount unit Where= paths containing symlinks. On Debian,
/var/run is a symlink to /run, so Where=/var/run/docker.sock fails with a
resources error and coder-agent.service never starts (Requires= fails).

Rename the mount unit to run-docker.sock.mount and bind to /run/docker.sock.
Clients hitting /var/run/docker.sock still resolve via the symlink.
diff --git a/main.tf b/main.tf
@@ -563,7 +563,8 @@ resource "docker_container" "workspace" {
   # Stash the host socket outside /run, which systemd remounts as a fresh
   # tmpfs at boot and would shadow a bind mount placed there. A systemd
   # .mount unit in the image re-binds /host-docker.sock onto
-  # /var/run/docker.sock after /run is set up.
+  # /run/docker.sock after /run is set up. (/var/run is a symlink to /run on
+  # Debian; systemd rejects non-canonical mount unit paths.)
   volumes {
     container_path = "/host-docker.sock"
     host_path      = "/var/run/docker.sock"
diff --git a/src/base/Dockerfile b/src/base/Dockerfile
@@ -128,12 +128,12 @@ RUN printf '\nif [ -d /etc/profile.d ]; then\n  for i in /etc/profile.d/*.sh; do
 RUN mkdir -p /etc/coder
 COPY src/base/coder-agent.service /etc/systemd/system/coder-agent.service
 COPY src/base/web-shell.service /etc/systemd/system/web-shell.service
-COPY src/base/var-run-docker.sock.mount /etc/systemd/system/var-run-docker.sock.mount
+COPY src/base/run-docker.sock.mount /etc/systemd/system/run-docker.sock.mount
 COPY src/base/docker-sock.tmpfiles.conf /etc/tmpfiles.d/docker-sock.conf
 COPY --chmod=0755 src/base/web-shell-launch.sh /usr/local/bin/web-shell-launch
 RUN install -m 0644 /dev/null /var/log/web-shell.log && \
     chown coder:coder /var/log/web-shell.log && \
-    systemctl enable coder-agent.service web-shell.service var-run-docker.sock.mount
+    systemctl enable coder-agent.service web-shell.service run-docker.sock.mount
 
 # Entrypoint claims fresh-volume mountpoints for the workspace user before
 # systemd starts. See entrypoint.sh for rationale.
diff --git a/src/base/coder-agent.service b/src/base/coder-agent.service
@@ -1,8 +1,8 @@
 [Unit]
 Description=Coder Agent
-After=network-online.target var-run-docker.sock.mount
+After=network-online.target run-docker.sock.mount
 Wants=network-online.target
-Requires=var-run-docker.sock.mount
+Requires=run-docker.sock.mount
 ConditionPathExists=/etc/coder/agent-init.sh
 
 [Service]
diff --git a/src/base/docker-sock.tmpfiles.conf b/src/base/docker-sock.tmpfiles.conf
@@ -1 +1 @@
-f /var/run/docker.sock 0660 root docker -
+f /run/docker.sock 0660 root docker -
diff --git a/src/base/run-docker.sock.mount b/src/base/run-docker.sock.mount
@@ -1,5 +1,5 @@
 [Unit]
-Description=Bind-mount host Docker socket into /var/run
+Description=Bind-mount host Docker socket into /run
 DefaultDependencies=no
 After=systemd-tmpfiles-setup.service
 Requires=systemd-tmpfiles-setup.service
@@ -9,7 +9,7 @@ Conflicts=shutdown.target
 
 [Mount]
 What=/host-docker.sock
-Where=/var/run/docker.sock
+Where=/run/docker.sock
 Type=none
 Options=bind
 
diff --git a/src/base/web-shell.service b/src/base/web-shell.service
@@ -1,8 +1,8 @@
 [Unit]
 Description=web-shell
-After=network-online.target var-run-docker.sock.mount
+After=network-online.target run-docker.sock.mount
 Wants=network-online.target
-Requires=var-run-docker.sock.mount
+Requires=run-docker.sock.mount
 
 [Service]
 Type=simple

Original file line number	Diff line number	Diff line change
`@@ -1 +1 @@`
`1`		`-f /var/run/docker.sock 0660 root docker -`
	`1`	`+f /run/docker.sock 0660 root docker -`