molecule-ai/molecule-core
41
0
Fork 2
Code Issues 54 Pull Requests 22 Actions 13 Packages Projects Releases Wiki Activity

fix(dockerfile-tenant): chown /org-templates to canvas user (!external resolver mkdir EACCES) #223

Merged
core-lead merged 4 commits from fix/dockerfile-tenant-org-templates-chown into main 2026-05-10 02:48:07 +00:00
Conversation 1 Commits 4 Files Changed 1 +9 -1

4 Commits

Author SHA1 Message Date
Molecule AI Core Platform Lead
e3cc4474ee Merge remote-tracking branch 'origin/main' into trig-223
All checks were successful
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 4s
Details
audit-force-merge / audit (pull_request) Successful in 4s
Details
sop-tier-check / tier-check (pull_request) Successful in 5s
Details
2026-05-10 02:47:59 +00:00
Molecule AI Core Platform Lead
550711596e trigger
All checks were successful
sop-tier-check / tier-check (pull_request) Successful in 4s
Details
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 5s
Details
2026-05-10 02:47:46 +00:00
Molecule AI Core Platform Lead
3f738e6ab5 Merge remote-tracking branch 'origin/main' into trig-223 2026-05-10 02:47:46 +00:00
cp-lead
12bb73d000 fix(dockerfile-tenant): chown /org-templates to canvas user so !external resolver can mkdir cache
Some checks failed
Secret scan / Scan diff for credential-shaped strings (pull_request) Successful in 4s
Details
sop-tier-check / tier-check (pull_request) Failing after 4s
Details 
Root cause:
  Dockerfile.tenant chowns /canvas /platform /memory-plugin /migrations
  to canvas:canvas (line ~119) but not /org-templates. The image is
  built as root, COPY-ed templates inherit root:root 0755. The platform
  binary then runs as the canvas user (uid 1000) because of the USER
  directive on line ~124, so when the !external resolver
  (org_external.go, internal#77 / task #222) tries
  os.MkdirAll("/org-templates/<tmpl>/.external-cache/<repo>") on first
  import, mkdir(2) returns EACCES and the import handler returns 400
  "org template expansion failed" (org.go:592). The user-facing error
  is generic; only the server log carries:

    Org import: refusing import: !include expansion failed:
    !external at line 156: fetch git.moleculesai.app/molecule-ai/molecule-dev-department@v1.0.0:
    mkdir cache root: mkdir /org-templates/molecule-dev/.external-cache: permission denied

Repro:
  Tenant staging-cplead-2 (canary AWS 004947743811, image SHA
  a93c4ce17725...). POST /org/import {"dir":"molecule-dev"} returns 400
  while POST /org/import {"dir":"free-beats-all"} returns 201 — only
  templates with !external trip the bug.

Fix:
  Add /org-templates to the chown -R argv. One-line change. Same
  ownership shape as the other writable platform-state dirs.

Why this is safe for prod:
  * The platform binary already needs read access to /org-templates,
    so canvas:canvas owning it doesn't widen any attack surface.
  * /org-templates is image-resident, not bind-mounted; chown applies
    inside the image layers and prod tenants get the fix on next
    image rebuild + redeploy. Live prod tenants are unaffected until
    the next deploy (no orgs currently using !external in prod —
    molecule-dev consumers are all internal staging).

Verification:
  After hand-applying the chown live (docker exec --user 0 ... chown -R
  canvas:canvas /org-templates/molecule-dev), POST /org/import
  {"dir":"molecule-dev"} returns 201 with 39 workspaces; cp-lead +
  CP-BE + CP-QA + CP-Security all reach status=online within ~2 min.

Refs:
  internal#77 — !external RFC (Phase 3a)
  task #222 — resolver PR (introduced the unflagged-permission
              dependency this fixes)
  Live incident 2026-05-10 — staging-cplead-2 import failed,
              chown-on-host workaround in place pending image rebuild
 2026-05-09 19:40:52 -07:00