From 66737596b88ab567452a54040a5c30107949286e Mon Sep 17 00:00:00 2001 From: yiekheng Date: Sun, 3 May 2026 10:39:59 +0800 Subject: [PATCH] fix(scripts): publish.sh routes docker through sudo by default Mirrors the SUDO=/NO_SUDO=1 pattern from scripts/dev.sh so the script works on hosts where the user isn't in the docker group (the default on this dev box). Without this, 'docker info' fails immediately even though 'docker login' (which needs no daemon socket) succeeds, and publish.sh aborts before doing anything. Reminder text updated to tell operators to 'sudo docker login' (or to opt into rootless docker via NO_SUDO=1). --- scripts/publish.sh | 42 +++++++++++++++++++++++++++++++----------- 1 file changed, 31 insertions(+), 11 deletions(-) diff --git a/scripts/publish.sh b/scripts/publish.sh index 266cbdd..41ae26f 100755 --- a/scripts/publish.sh +++ b/scripts/publish.sh @@ -14,11 +14,16 @@ Arguments: tag Optional tag to publish (default: latest). Override with DOCKER_IMAGE_TAG. Environment: - DOCKER_IMAGE_TAG Alternative way to set the tag (overrides CLI argument). - BUILD_ARGS Extra arguments passed to each docker build command. + DOCKER_IMAGE_TAG Alternative way to set the tag (overrides CLI argument). + BUILD_ARGS Extra arguments passed to each docker build command. + CM_IMAGE_PLATFORMS Buildx platforms (default: linux/amd64). + NO_SUDO=1 Skip the 'sudo' prefix (use if your user is in the docker group). -Make sure you are authenticated first: - docker login gitea.04080616.xyz +Authentication: + The script invokes docker via sudo by default (matching scripts/dev.sh). + Authenticate as the same user that runs the build: + sudo docker login gitea.04080616.xyz # default (sudo path) + docker login gitea.04080616.xyz # only with NO_SUDO=1 EOF } 
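Review bot: The re-aligned `DOCKER_IMAGE_TAG` line in the usage text still says the variable "overrides CLI argument", but the context line `IMAGE_TAG="${1:-${DOCKER_IMAGE_TAG:-latest}}"` in the next hunk gives the positional tag precedence and falls back to the variable only when no argument is passed. Since this line is being rewritten anyway, I would change it to `DOCKER_IMAGE_TAG    Tag to publish when no CLI argument is given.` and adjust the "Override with DOCKER_IMAGE_TAG" wording on the `tag` line above it to match. As written, an operator who exports the variable and also passes a tag will push under a different tag than the help text promises.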
@@ -27,14 +32,29 @@ if [[ "${1:-}" == "-h" || "${1:-}" == "--help" ]]; then exit 0 fi -if ! docker info >/dev/null 2>&1; then - echo "Docker daemon is not reachable. Please start Docker and retry." >&2 +# Match scripts/dev.sh: prefix docker calls with sudo unless the user opts +# out via NO_SUDO=1 (typically because they're in the docker group). +SUDO="sudo" +[[ "${NO_SUDO:-0}" == "1" ]] && SUDO="" +DOCKER=(${SUDO} docker) + +if ! "${DOCKER[@]}" info >/dev/null 2>&1; then + cat <&2 +Docker daemon is not reachable as the current effective user. + +If you usually run docker via sudo (matching scripts/dev.sh), make sure +your password is cached / interactive — try 'sudo -v' first, then rerun. + +If you've added yourself to the docker group, set NO_SUDO=1: + NO_SUDO=1 bash scripts/publish.sh ${1:-latest} +EOF exit 1 fi -if ! docker system info --format '{{json .IndexServerAddress}}' | grep -q "gitea.04080616.xyz" 2>/dev/null; then - cat <<'EOF' >&2 -Reminder: run 'docker login gitea.04080616.xyz' before publishing so pushes succeed. +if ! "${DOCKER[@]}" system info --format '{{json .IndexServerAddress}}' 2>/dev/null | grep -q "gitea.04080616.xyz"; then + cat <&2 +Reminder: authenticate first as the same user that runs the build: + ${SUDO:+sudo }docker login gitea.04080616.xyz EOF fi @@ -42,7 +62,7 @@ IMAGE_TAG="${1:-${DOCKER_IMAGE_TAG:-latest}}" ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)" PLATFORMS="${CM_IMAGE_PLATFORMS:-linux/amd64}" -if ! docker buildx version >/dev/null 2>&1; then +if ! "${DOCKER[@]}" buildx version >/dev/null 2>&1; then cat <<'EOF' >&2 Docker Buildx is required for producing registry-compatible images. Install/enable buildx and rerun, for example: 
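Review bot: The login reminder is still keyed on `IndexServerAddress`, which as far as I know reports the daemon's default index rather than the registries the caller has logged in to. If so, the grep for `gitea.04080616.xyz` normally fails and the reminder prints on every run, whether or not `sudo docker login` was done. Because the check cannot tell the two states apart, I would either print the reminder unconditionally or drop it and let the failed push report the auth error. Separately, `DOCKER=(${SUDO} docker)` relies on unquoted word splitting to drop the empty value (ShellCheck SC2206); `DOCKER=(docker); [[ "${NO_SUDO:-0}" == "1" ]] || DOCKER=(sudo docker)` builds the same array without it, keeping `SUDO` only for the message text.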
@@ -71,7 +91,7 @@ for ENTRY in "${SERVICES[@]}"; do IMAGE_NAME="${REGISTRY_PREFIX}/cm-${SERVICE}:${IMAGE_TAG}" echo "==> Building and pushing ${IMAGE_NAME} (${DOCKERFILE})" - docker buildx build ${BUILD_ARGS:-} \ + "${DOCKER[@]}" buildx build ${BUILD_ARGS:-} \ --platform "${PLATFORMS}" \ -f "${ROOT_DIR}/${DOCKERFILE}" \ -t "${IMAGE_NAME}" \
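Review bot: `${BUILD_ARGS:-}` is still expanded unquoted on the changed line, and its words now become arguments of a command that runs under sudo by default, so any glob character in the variable is expanded against the current directory before docker sees it. Splitting it once into an array keeps the word splitting and drops the globbing: `read -r -a build_args <<<"${BUILD_ARGS:-}"` before the loop, then `"${DOCKER[@]}" buildx build "${build_args[@]}" \` here (bash older than 4.4 rejects an empty array under `set -u`, if the script sets it). It would also help to add a comment such as `# under sudo the CLI may use root's Docker config (login, buildx builder), depending on sudoers HOME policy`, since a builder created as the invoking user may not be the one this call uses. The `for` loop starts above the hunk and the buildx command continues past its last line.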