From 50decfd326dd4988d016aa12ed47a448b1022dd1 Mon Sep 17 00:00:00 2001 From: Hongming Wang Date: Sun, 26 Apr 2026 10:14:47 -0700 Subject: [PATCH] chore(compose): wire MOLECULE_ENV, GHCR_USER/TOKEN, MOLECULE_IMAGE_PLATFORM MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Three env vars the platform now reads: - MOLECULE_ENV=development (default) — activates the WorkspaceAuth / AdminAuth dev fail-open path so the canvas's bearer-less requests pass through. Also unlocks RFC-1918 relaxation in the SSRF guard so docker- bridge IPs work. Override to 'production' for staged deploys. - GHCR_USER + GHCR_TOKEN — feed POST /admin/workspace-images/refresh's ImagePull auth payload. Both empty → endpoint can pull cached/public images only. Set with a fine-grained PAT (read:packages on Molecule-AI org) to pull private GHCR images. - MOLECULE_IMAGE_PLATFORM=linux/amd64 (default) — workspace-template-* images ship single-arch amd64. On Apple Silicon hosts, the daemon's native linux/arm64/v8 request misses the manifest and pulls fail. Forcing amd64 makes Docker Desktop run them under Rosetta — slower (~2-3×) but functional. 🤖 Generated with [Claude Code](https://claude.com/claude-code) --- docker-compose.yml | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/docker-compose.yml b/docker-compose.yml index c9c88d7c..2be0d3f6 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -126,6 +126,13 @@ services: REDIS_URL: redis://redis:6379 PORT: "${PLATFORM_PORT:-8080}" PLATFORM_URL: "http://platform:${PLATFORM_PORT:-8080}" + # Default MOLECULE_ENV=development so the WorkspaceAuth / AdminAuth + # middleware fail-open path activates when ADMIN_TOKEN is unset — + # otherwise the canvas (which runs without a bearer in pure local + # dev) gets 401 "missing workspace auth token" on every request. + # Override to "production" for SaaS/staged deploys; in those modes + # ADMIN_TOKEN must also be set or every request rejects. + MOLECULE_ENV: "${MOLECULE_ENV:-development}" CORS_ORIGINS: ${CORS_ORIGINS:-http://localhost:${CANVAS_PUBLISH_PORT:-3000},http://127.0.0.1:${CANVAS_PUBLISH_PORT:-3000},http://localhost:3001} RATE_LIMIT: "${RATE_LIMIT:-1000}" CONFIGS_DIR: /configs @@ -153,6 +160,24 @@ services: HIBERNATION_IDLE_MINUTES: "${HIBERNATION_IDLE_MINUTES:-}" # Plugin supply chain hardening (issue #768 / PR #775). Never set in production. PLUGIN_ALLOW_UNPINNED: "${PLUGIN_ALLOW_UNPINNED:-}" + # Force ImagePull/ContainerCreate to request linux/amd64 manifests + # for the workspace-template-* images. The templates ship single-arch + # amd64 today; without this override, an arm64 host (Apple Silicon) + # asks the daemon for linux/arm64/v8, which doesn't match the manifest + # and the pull fails with "no matching manifest". Apple Silicon will + # run the amd64 image under Rosetta — slower (~2-3×) but functional. + # Override to "" or another platform when the templates start shipping + # multi-arch (then this hardcoded amd64 becomes unnecessary). + MOLECULE_IMAGE_PLATFORM: "${MOLECULE_IMAGE_PLATFORM:-linux/amd64}" + # GHCR auth for the workspace-images refresh endpoint + # (POST /admin/workspace-images/refresh). When set, the platform's + # Docker SDK ImagePull on private workspace-template-* images + # succeeds without per-host `docker login`. GHCR_USER is the GitHub + # username; GHCR_TOKEN is a fine-grained PAT with `read:packages` + # on the Molecule-AI org. Both unset → endpoint can only pull + # public images (current state for all 8 templates). + GHCR_USER: "${GHCR_USER:-}" + GHCR_TOKEN: "${GHCR_TOKEN:-}" volumes: - ./workspace-configs-templates:/configs - ./org-templates:/org-templates:ro