feat: implement docker permission fixer tool (#449) #460

murataslan1 · 2026-01-03T08:55:29Z

This PR resolves issue #449 by adding a new CLI command cortex fix-docker. The tool:

Diagnoses container User/Group settings.
Scans bind mounts for permission mismatches (UID/GID validation).
Suggests actionable fixes (chown commands or docker-compose.yml 'user' config).
Uses project's existing Rich branding for a consistent UI.

Tested locally with various container configurations.

AI Disclosure

Please indicate if you used AI tools during development:

AI/IDE/Agents used (please describe below)

Used Antigravity agent to implement the Docker permission fixer and address review comments.

Summary by CodeRabbit

New Features
- Added a fix-docker CLI command (alias docker-fix) to diagnose and address Docker permission issues.
- Interactive tool lists running containers, inspects selected containers, and detects bind-mount ownership mismatches between host and container users.
- Provides clear, actionable recommendations to resolve permission problems by mapping UID/GID or adjusting host permissions.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

coderabbitai · 2026-01-03T08:55:39Z

Note

Other AI code review bot(s) detected

CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.

📝 Walkthrough

Walkthrough

Adds a new DockerPermissionFixer utility and a CLI command (fix-docker / docker-fix) that lists containers, inspects a chosen container, compares host UID/GID to container user mappings, and prints diagnostics and recommendations.

Changes

Cohort / File(s)	Summary
CLI Integration `cortex/cli.py`	Added `CortexCLI.fix_docker(self) -> int`, registered `fix-docker` and `docker-fix` subcommands, and dispatches those commands to call `CortexCLI.fix_docker()` in main
Docker Permission Fixer Module `cortex/docker_fixer.py`	New module adding `DockerPermissionFixer` with `__init__`, `_run_docker_command`, `list_containers`, `inspect_container`, `diagnose`, `run`, and a `if __name__ == "__main__"` entry point; implements listing, inspection, diagnosis, interactive selection, and recommendation output

Sequence Diagram

sequenceDiagram
    participant User as User
    participant CLI as CortexCLI
    participant Fixer as DockerPermissionFixer
    participant Docker as Docker Daemon

    rect rgb(235,245,255)
    User->>CLI: run `fix-docker` / `docker-fix`
    CLI->>Fixer: instantiate and call run()
    end

    rect rgb(255,250,235)
    Fixer->>Docker: `docker ps` (list_containers)
    Docker-->>Fixer: container list
    Fixer->>User: display containers & prompt selection
    User->>Fixer: select container ID
    end

    rect rgb(235,255,240)
    Fixer->>Docker: `docker inspect <id>` (inspect_container)
    Docker-->>Fixer: container JSON
    Fixer->>Fixer: diagnose() — parse user, mounts, compare host UID/GID
    Fixer->>User: print diagnostics and recommendations
    end

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 I hop through mounts and take a look,

I list the docks and read the book,
I match your UID, I sniff the gid,
I print the notes to fix what’s hid,
A tiny hop — permissions unhooked.

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and concisely describes the main change: implementing a Docker permission fixer tool, and includes the issue number for reference.
Description check	✅ Passed	The description follows the template structure with Related Issue, Summary, and AI Disclosure sections, but the Checklist section is incomplete with required items unchecked.
Docstring Coverage	✅ Passed	Docstring coverage is 88.89% which is sufficient. The required threshold is 80.00%.

✨ Finishing touches

📝 Generate docstrings

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

github-actions · 2026-01-03T08:55:42Z

CLA Verification Passed

All contributors have signed the CLA.

Contributor	Signed As
@murataslan1	@murataslan1

coderabbitai

Actionable comments posted: 5

🧹 Nitpick comments (3)

cortex/docker_fixer.py (3)
86-87: Add space after # in comment (PEP 8).
🔎 Proposed fix
-# Default to root if not specified
+# Default to root if not specified
 effective_uid = 0
Based on coding guidelines, follow PEP 8 style guide.

167-174: Remove extra leading space and verify container_name handling.

Line 167 has an extra leading space. Additionally, verify that container_name (from line 79) handles the case where details.get("Name", "") returns an empty string.
🔎 Proposed fix for spacing
-     console.print("\n[bold yellow]Option 1: Run as current host user[/bold yellow]")
+console.print("\n[bold yellow]Option 1: Run as current host user[/bold yellow]")
Based on coding guidelines, follow PEP 8 style guide.

182-184: Fix indentation in comment.

The indentation appears inconsistent in the comment section.
🔎 Proposed fix
-                    # If we knew the target UID strictly, we'd use that. 
-                    # For now, warn user to check container docs.
-                     console.print(f"  sudo chown -R <container_uid>:<container_gid> {source}")
+                    # If we knew the target UID strictly, we'd use that.
+                    # For now, warn user to check container docs.
+                    console.print(f"  sudo chown -R <container_uid>:<container_gid> {source}")
Based on coding guidelines, follow PEP 8 style guide.

📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between c0a256b and e3517c6.

📒 Files selected for processing (2)

cortex/cli.py
cortex/docker_fixer.py

🧰 Additional context used

📓 Path-based instructions (1)

**/*.py

📄 CodeRabbit inference engine (AGENTS.md)

**/*.py: Follow PEP 8 style guide
Type hints required in Python code
Docstrings required for all public APIs

Files:

cortex/docker_fixer.py
cortex/cli.py

🧬 Code graph analysis (2)

cortex/docker_fixer.py (1)

cortex/branding.py (1)

cx_header (82-88)

cortex/cli.py (1)

cortex/docker_fixer.py (2)

DockerPermissionFixer (13-212)

run (186-212)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

GitHub Check: Agent

🔇 Additional comments (8)

cortex/cli.py (3)

26-26: LGTM!

The import follows the existing pattern and correctly brings in the new DockerPermissionFixer class.

1867-1873: LGTM!

The CLI parser setup follows the existing patterns and correctly registers both the main command and alias.

1920-1921: LGTM!

The command routing correctly handles both the main command and its alias.

cortex/docker_fixer.py (5)

1-17: LGTM!

The imports are well-organized and the class docstring clearly describes the purpose of the diagnostic tool.

23-36: LGTM!

The method correctly handles docker command execution with appropriate error handling for missing docker executable.

38-59: LGTM!

The container listing logic correctly parses docker output and handles error cases appropriately.

61-71: LGTM!

The container inspection logic appropriately handles JSON parsing errors and returns None for failed inspections.

214-216: LGTM!

The main entry point follows the standard Python pattern and enables standalone execution of the diagnostic tool.

cortex/cli.py

cortex/docker_fixer.py

Copilot

Pull request overview

This PR adds a new cortex fix-docker CLI command (with alias docker-fix) that helps diagnose and fix Docker container permission issues. The tool analyzes running containers to identify UID/GID mismatches between the host and container environments, which commonly cause permission problems with bind mounts. It provides actionable recommendations including user mapping configurations and chown commands.

Key Changes

Implemented DockerPermissionFixer class with interactive diagnostics for container permission issues
Integrated the tool into the CLI with the fix-docker command and docker-fix alias
Added analysis of bind mounts, container user settings, and host file ownership

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 13 comments.

File	Description
cortex/docker_fixer.py	New module implementing the Docker permission diagnostics and fix suggestion tool
cortex/cli.py	Added CLI command registration for `fix-docker` and handler method `fix_docker()`

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Copilot · 2026-01-03T08:59:58Z

cortex/docker_fixer.py

+import json
+import os
+import subprocess
+import sys


The 'sys' module is imported but never used in this file. Remove this unused import to keep the code clean and follow best practices.

Suggested change

import sys

cortex/docker_fixer.py

Copilot · 2026-01-03T08:59:58Z

cortex/docker_fixer.py

+                owner_gid = stat.st_gid
+
+                status_icon = "✅"
+                status_msg = "[green]OK[/green]"


The variable 'status_msg' is assigned but never used. Remove this unused variable to clean up the code.

Suggested change

status_msg = "[green]OK[/green]"

Copilot · 2026-01-03T08:59:59Z

cortex/docker_fixer.py

+                # If container runs as non-root (e.g. 1000), it needs host files to be 1000 or readable/writable by 1000.
+
+                is_root_container = (effective_uid == 0)
+                is_host_owner_match = (owner_uid == self.host_uid)


The variable 'is_host_owner_match' is assigned but never used. Remove this unused variable to clean up the code.

Suggested change

is_host_owner_match = (owner_uid == self.host_uid)

Copilot · 2026-01-03T08:59:59Z

cortex/docker_fixer.py

+        self.host_uid = os.getuid()
+        self.host_gid = os.getgid()


The use of os.getuid() and os.getgid() without checking for POSIX system compatibility could cause AttributeError on non-POSIX systems (e.g., Windows). Consider adding a POSIX check similar to config_manager.py lines 79-80 before instantiating this class, or add the check in init and provide appropriate error handling or warnings for non-POSIX systems.

Suggested change

self.host_uid = os.getuid()

self.host_gid = os.getgid()

# Ensure compatibility with non-POSIX systems where os.getuid/os.getgid

# may not be available (e.g., Windows).

if hasattr(os, "getuid") and hasattr(os, "getgid"):

self.host_uid = os.getuid()

self.host_gid = os.getgid()

else:

console.print(

"[yellow]Warning: DockerPermissionFixer requires POSIX "

"os.getuid/os.getgid for accurate UID/GID detection. "

"Host UID/GID will be shown as 'N/A'.[/yellow]"

)

self.host_uid = "N/A"

self.host_gid = "N/A"

Copilot · 2026-01-03T09:00:00Z

cortex/docker_fixer.py

+    def diagnose(self, container_id: str):
+        """Diagnose permission issues for a specific container."""
+        details = self.inspect_container(container_id)
+        if not details:
+            return
+
+        container_name = details.get("Name", "").lstrip("/")
+        config = details.get("Config", {})
+        container_user = config.get("User", "")
+
+        console.print(f"\n[bold cyan]Diagnosing Container: {container_name}[/bold cyan] ({container_id[:12]})")
+
+        # 1. Check Container User
+        effective_uid = 0 # Default to root if not specified
+        effective_gid = 0
+
+        if container_user:
+            console.print(f"  Existing User Config: [yellow]{container_user}[/yellow]")
+            # Try to parse UID:GID
+            parts = container_user.split(":")
+            try:
+                effective_uid = int(parts[0])
+                if len(parts) > 1:
+                    effective_gid = int(parts[1])
+            except ValueError:
+                console.print(f"  [dim]User '{container_user}' is a name, assuming mapped to UID inside image.[/dim]")
+                # In a real tool, we might exec into container to check 'id', but let's keep it simple/safe
+        else:
+            console.print("  Existing User Config: [red]Root (0:0)[/red] (Default)")
+
+        # 2. Check Bind Mounts
+        mounts = details.get("Mounts", [])
+        bind_mounts = [m for m in mounts if m["Type"] == "bind"]
+
+        if not bind_mounts:
+            console.print("  [green]No bind mounts detected. Permission issues unlikely.[/green]")
+            return
+
+        console.print(f"  [bold]Found {len(bind_mounts)} bind mounts:[/bold]")
+
+        issues_found = False
+
+        for mount in bind_mounts:
+            source = mount["Source"]
+            destination = mount["Destination"]
+            rw = mount["RW"]
+
+            if not os.path.exists(source):
+                console.print(f"    [dim]{source} -> {destination} (Site not found)[/dim]")
+                continue
+
+            try:
+                stat = os.stat(source)
+                owner_uid = stat.st_uid
+                owner_gid = stat.st_gid
+
+                status_icon = "✅"
+                status_msg = "[green]OK[/green]"
+
+                # Logic: If container runs as root (0), it can access host files (usually).
+                # But files created by container will be root-owned on host, causing issues for host user.
+                # If container runs as non-root (e.g. 1000), it needs host files to be 1000 or readable/writable by 1000.
+
+                is_root_container = (effective_uid == 0)
+                is_host_owner_match = (owner_uid == self.host_uid)
+
+                issues = []
+
+                if is_root_container:
+                    if rw:
+                        issues.append("[yellow]Writes will be owned by root on host[/yellow]")
+                        status_icon = "⚠️"
+                else:
+                    # Non-root container
+                    if owner_uid != effective_uid:
+                        # Mismatched UID. Can we write?
+                        # This is a simplification. Group permissions matter too.
+                        issues.append(f"[red]UID mismatch[/red] (Host: {owner_uid}, Container: {effective_uid})")
+                        status_icon = "❌"
+                        issues_found = True
+
+                issue_str = f" - {', '.join(issues)}" if issues else ""
+
+                console.print(f"    {status_icon} [bold]{source}[/bold]")
+                console.print(f"       -> {destination}")
+                console.print(f"       Host Owner: UID={owner_uid}, GID={owner_gid} {issue_str}")
+
+            except Exception as e:
+                console.print(f"    ❓ {source}: {e}")
+
+        # 3. Recommendations
+        console.print("\n[bold]Recommendations:[/bold]")
+
+        if effective_uid == 0:
+             console.print("\n[bold yellow]Option 1: Run as current host user[/bold yellow]")
+             console.print("To avoid root-owned files on your host machine, perform user mapping:")
+             console.print(f"\n  [dim]# docker run command[/dim]")
+             console.print(f"  docker run [green]--user {self.host_uid}:{self.host_gid}[/green] ...")
+             console.print(f"\n  [dim]# docker-compose.yml[/dim]")
+             console.print(f"  services:")
+             console.print(f"    {container_name}:")
+             console.print(f"      [green]user: \"{self.host_uid}:{self.host_gid}\"[/green]")
+
+        if issues_found:
+             console.print("\n[bold red]Option 2: Fix Host Permissions[/bold red]")
+             console.print("If the container *must* run as a specific user (e.g. postgres=999), change host ownership:")
+             for mount in bind_mounts:
+                 source = mount["Source"]
+                 if os.path.exists(source):
+                     # If we knew the target UID strictly, we'd use that. 
+                     # For now, warn user to check container docs.
+                      console.print(f"  sudo chown -R <container_uid>:<container_gid> {source}")
+
+    def run(self):


Missing return type annotation. Methods diagnose and run should have explicit return type annotations (-> None) for consistency with the codebase style. See doctor.py line 105 for an example: '_print_section(self, title: str) -> None'.

cortex/docker_fixer.py

Copilot · 2026-01-03T09:00:00Z

cortex/docker_fixer.py

+import sys
+from typing import Dict, List, Optional, Tuple
+
+from rich.prompt import Confirm, Prompt


The Confirm import from rich.prompt is imported but never used in this file. Remove this unused import to keep the code clean and follow best practices.

Suggested change

from rich.prompt import Confirm, Prompt

from rich.prompt import Prompt

Copilot · 2026-01-03T09:00:01Z

cortex/docker_fixer.py

+            try:
+                effective_uid = int(parts[0])
+                if len(parts) > 1:
+                    effective_gid = int(parts[1])


Variable effective_gid is not used.

Suggested change

effective_gid = int(parts[1])

effective_gid = int(parts[1])

console.print(f" Parsed numeric user: UID={effective_uid}, GID={effective_gid}")

else:

console.print(f" Parsed numeric user: UID={effective_uid}")

Anshgrover23

@murataslan1 Please follow the updated contribution guidelines. We’ve added new rules around AI usage in CONTRIBUTING.md. 2e68b29
Kindly Update in all of your PRs.

…ring

coderabbitai

Actionable comments posted: 1

♻️ Duplicate comments (3)

cortex/docker_fixer.py (3)

132-132: Fix typo: "Site" should be "Source".

The commit message indicates this was fixed, but the typo remains. "Site not found" should read "Source not found" for clarity.

🔎 Proposed fix

-                console.print(f"    [dim]{source} -> {destination} (Site not found)[/dim]")
+                console.print(f"    [dim]{source} -> {destination} (Source not found)[/dim]")

Flagged in past review comments but not yet addressed despite commit message claiming "fix: address PR review feedback".

176-193: Fix indentation errors throughout recommendations section.

Multiple lines have incorrect indentation (one extra space), which will cause IndentationError at runtime. Lines 176-177, 181-183, 186-187, and 189-193 all have 13 spaces where 12 are expected (or 22 spaces where 21 are expected for line 193).

🔎 Proposed fix

         if effective_uid == 0:
-             console.print("\n[bold yellow]Option 1: Run as current host user[/bold yellow]")
-             console.print("To avoid root-owned files on your host machine, perform user mapping:")
-             console.print(f"\n  [dim]# docker run command[/dim]")
-             console.print(f"  docker run [green]--user {self.host_uid}:{self.host_gid}[/green] ...")
-             console.print(f"\n  [dim]# docker-compose.yml[/dim]")
-             console.print(f"  services:")
-             console.print(f"    {container_name}:")
-             console.print(f"      [green]user: \"{self.host_uid}:{self.host_gid}\"[/green]")
+            console.print("\n[bold yellow]Option 1: Run as current host user[/bold yellow]")
+            console.print("To avoid root-owned files on your host machine, perform user mapping:")
+            console.print(f"\n  [dim]# docker run command[/dim]")
+            console.print(f"  docker run [green]--user {self.host_uid}:{self.host_gid}[/green] ...")
+            console.print(f"\n  [dim]# docker-compose.yml[/dim]")
+            console.print(f"  services:")
+            console.print(f"    {container_name}:")
+            console.print(f"      [green]user: \"{self.host_uid}:{self.host_gid}\"[/green]")
         
         if issues_found:
-             console.print("\n[bold red]Option 2: Fix Host Permissions[/bold red]")
-             console.print("If the container *must* run as a specific user (e.g. postgres=999), change host ownership:")
-             for mount in bind_mounts:
-                 source = mount["Source"]
-                 if os.path.exists(source):
-                     # If we knew the target UID strictly, we'd use that. 
-                     # For now, warn user to check container docs.
-                      console.print(f"  sudo chown -R <container_uid>:<container_gid> {source}")
+            console.print("\n[bold red]Option 2: Fix Host Permissions[/bold red]")
+            console.print("If the container *must* run as a specific user (e.g. postgres=999), change host ownership:")
+            for mount in bind_mounts:
+                source = mount["Source"]
+                if os.path.exists(source):
+                    # If we knew the target UID strictly, we'd use that. 
+                    # For now, warn user to check container docs.
+                    console.print(f"  sudo chown -R <container_uid>:<container_gid> {source}")

Based on coding guidelines (PEP 8). Flagged in past review comments but not addressed.

97-97: Fix inline comment spacing per PEP 8.

The inline comment needs at least two spaces before the # character.

🔎 Proposed fix

-        effective_uid = 0 # Default to root if not specified
+        effective_uid = 0  # Default to root if not specified

Based on coding guidelines (PEP 8). Flagged in past review comments.

🧹 Nitpick comments (1)

cortex/docker_fixer.py (1)
107-107: Remove or utilize the unused variable.

effective_gid is assigned but never used afterward. Either remove it or incorporate it into the permission checks.
🔎 Proposed fix

If the variable is not needed:
                 effective_uid = int(parts[0])
-                if len(parts) > 1:
-                    effective_gid = int(parts[1])
Or if GID checking should be added:
                effective_uid = int(parts[0])
                if len(parts) > 1:
                    effective_gid = int(parts[1])
                # Later in the code, add GID mismatch checks similar to UID checks
Flagged in past review comments.

📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between e3517c6 and a979892.

📒 Files selected for processing (2)

cortex/cli.py
cortex/docker_fixer.py

🚧 Files skipped from review as they are similar to previous changes (1)

cortex/cli.py

🧰 Additional context used

📓 Path-based instructions (1)

**/*.py

📄 CodeRabbit inference engine (AGENTS.md)

**/*.py: Follow PEP 8 style guide
Type hints required in Python code
Docstrings required for all public APIs

Files:

cortex/docker_fixer.py

🧠 Learnings (2)

📚 Learning: 2025-12-11T12:03:24.071Z

Learnt from: CR
Repo: cortexlinux/cortex PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-12-11T12:03:24.071Z
Learning: Applies to **/*.py : Follow PEP 8 style guide

Applied to files:

cortex/docker_fixer.py

📚 Learning: 2025-12-11T12:03:24.071Z

Learnt from: CR
Repo: cortexlinux/cortex PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-12-11T12:03:24.071Z
Learning: Applies to **/*.py : Type hints required in Python code

Applied to files:

cortex/docker_fixer.py

🧬 Code graph analysis (1)

cortex/docker_fixer.py (1)

cortex/branding.py (1)

cx_header (82-88)

🪛 GitHub Check: lint

cortex/docker_fixer.py

[failure] 72-72: Ruff (UP045)
cortex/docker_fixer.py:72:55: UP045 Use X | None for type annotations

[failure] 49-49: Ruff (UP006)
cortex/docker_fixer.py:49:39: UP006 Use dict instead of Dict for type annotation

[failure] 49-49: Ruff (UP006)
cortex/docker_fixer.py:49:34: UP006 Use list instead of List for type annotation

[failure] 34-34: Ruff (UP006)
cortex/docker_fixer.py:34:55: UP006 Use tuple instead of Tuple for type annotation

[failure] 34-34: Ruff (UP006)
cortex/docker_fixer.py:34:41: UP006 Use list instead of List for type annotation

[failure] 5-5: Ruff (UP035)
cortex/docker_fixer.py:5:1: UP035 typing.Tuple is deprecated, use tuple instead

[failure] 5-5: Ruff (UP035)
cortex/docker_fixer.py:5:1: UP035 typing.List is deprecated, use list instead

[failure] 5-5: Ruff (UP035)
cortex/docker_fixer.py:5:1: UP035 typing.Dict is deprecated, use dict instead

[failure] 1-10: Ruff (I001)
cortex/docker_fixer.py:1:1: I001 Import block is un-sorted or un-formatted

🪛 GitHub Check: Lint