From e4efc35db1090bf9737379a7b72d4cc4e24b6ece Mon Sep 17 00:00:00 2001
From: devops-engineer
Date: Mon, 15 Jun 2026 20:07:50 -0700
Subject: [PATCH] fix(image): COPY --chmod instead of RUN chmod in Dockerfile.platform-agent (build failed on non-root tenant base)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
After #2982 repointed the concierge image to FROM platform-tenant (the live base), the build failed at `RUN chmod +x` with "Operation not permitted": platform-tenant runs as a non-root user, so a build-time RUN chmod can't set the +x bit (the dead molecule-ai/platform base was root, which masked this). Replace both `COPY + RUN chmod +x` pairs (identity-fallback.sh and the /entrypoint-platform-agent.sh heredoc) with buildx-native `COPY --chmod=0755`, which sets the executable bit at copy time regardless of the base USER. Empirically verified: with this change the platform-agent image builds cleanly FROM platform-tenant:staging-latest (manual buildx run completed all layers; only the push was denied due to cross-account ECR perms on the build host — the CI publish runner has the correct prod-account principal).
Co-Authored-By: Claude Opus 4.8 (1M context)
---
 workspace-server/Dockerfile.platform-agent | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/workspace-server/Dockerfile.platform-agent b/workspace-server/Dockerfile.platform-agent
index 71f10fbbd..368af1bac 100644
--- a/workspace-server/Dockerfile.platform-agent
+++ b/workspace-server/Dockerfile.platform-agent
@@ -109,8 +109,11 @@ COPY ${PLATFORM_AGENT_TEMPLATE_DIR}/prompts/ /opt/molecule-platform-agent-templa
 # in the template-platform-agent repo (PR-side, merged to template
 # main) is unconditional: always writes /configs/system-prompt.md
 # from prompts/concierge.md + {{CONCIERGE_NAME}} substitution.
-COPY ${PLATFORM_AGENT_TEMPLATE_DIR}/identity-fallback.sh /opt/molecule-platform-agent-template/identity-fallback.sh
-RUN chmod +x /opt/molecule-platform-agent-template/identity-fallback.sh
+# COPY --chmod sets +x at copy time (buildx-native). A `RUN chmod` fails with
+# "Operation not permitted" when the base image runs as a non-root user — the
+# live platform-tenant base does, whereas the dead molecule-ai/platform base was
+# root, which masked this. --chmod works regardless of base USER.
+COPY --chmod=0755 ${PLATFORM_AGENT_TEMPLATE_DIR}/identity-fallback.sh /opt/molecule-platform-agent-template/identity-fallback.sh
 # PLATFORM-AGENT ENTRYPOINT — runs identity-fallback.sh FIRST (fills
 # absent /configs/ files from the image-baked /opt path; the
@@ -128,7 +131,7 @@ RUN chmod +x /opt/molecule-platform-agent-template/identity-fallback.sh
 # so a missing-script failure bubbles up cleanly (su-exec will still
 # run /platform; the runtime's MISSING_MODEL fail-closed surfaces
 # the operator-visible error in that case).
-COPY <<'ENTRY' /entrypoint-platform-agent.sh
+COPY --chmod=0755 <<'ENTRY' /entrypoint-platform-agent.sh
 #!/bin/sh
 # /opt/molecule-platform-agent-template/identity-fallback.sh: per-
 # file copy of ABSENT files from the image-baked SSOT path to
@@ -150,5 +153,4 @@ fi
 # needed; this entrypoint is transparent to the args).
 exec /entrypoint.sh "$@"
 ENTRY
-RUN chmod +x /entrypoint-platform-agent.sh
 ENTRYPOINT ["/entrypoint-platform-agent.sh"]
-- 
2.52.0
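Review bot: The added comment attributes the `RUN chmod` failure to the base running as non-root, but the operative cause is ownership: `COPY` without `--chown` writes the file as root, and a non-root USER cannot chmod a file it does not own, whatever bits it is trying to set. Stating that in the comment also records why the new form is the safe one: the script stays root-owned at mode 0755, so the runtime user can execute it but cannot modify it, which is the property a defender wants for an entrypoint-run script. Suggested replacement for the first two comment lines: `# COPY --chmod sets the mode at copy time. A RUN chmod fails with "Operation not` / `# permitted" under a non-root USER because COPY (no --chown) leaves the file root-owned.` The same reasoning covers the heredoc COPY in the second hunk.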
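Review bot: `COPY --chmod` on a heredoc source depends on the BuildKit Dockerfile frontend (`--chmod` and heredocs are frontend features, not classic builder ones); the file's first line is outside this hunk, so if it does not already carry a `# syntax=docker/dockerfile:1` directive, adding one makes that requirement explicit rather than relying on whichever frontend the builder bundles. The commit message reports a manual buildx run on one host, while publishing happens on the CI runner; a post-build smoke step such as `docker run --rm --entrypoint sh IMAGE_TAG_PLACEHOLDER -c 'test -x /entrypoint-platform-agent.sh && test -x /opt/molecule-platform-agent-template/identity-fallback.sh'` would catch a builder that silently drops the flag before the image is pushed. The heredoc body continues outside the hunk.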