psa-systems/bunyip
8
0
Fork 0
Code Issues Pull requests Projects Releases 2 Packages Wiki Activity Actions

fix(web): make bun/bunx runnable by the host user in the dev image (BUNYIP-54) #68

Merged
nrupard merged 1 commit from fix/bunyip-54-web-bun-permission into main 2026-06-05 21:45:59 +02:00
Conversation 0 Commits 1 Files changed 1 +13 -5
nrupard commented 2026-06-05 21:35:26 +02:00
Owner
Copy link

Problem

The dev web container (dev-bunyip-${USER}) crash-looped: first sh: 1: bun: Permission denied, then bunx: command not found.

In the pinned base image ghcr.io/niceguyit/rust-builder-glibc:v1.0.0-rust1.94-trixie, /usr/local/bin/bun is a symlink into /root/.bun/bin/bun and bunx is absent. The container runs as the unprivileged host user (USER ${HOST_UID}:${HOST_GID}), which cannot traverse /root (mode 0700), so the bun exec fails; the package.json css scripts also call bunx, which does not exist. Both are a regression of BUNYIP-37, despite the prior Dockerfile comment asserting the base image had been fixed.

Verified: docker run --user 1000:1000 <base> bun --version -> bun: Permission denied (as root it prints 1.3.13).

Fix

In bunyip-web/Dockerfile, while still root (before the USER switch), materialize the real bun binary into a world-readable path outside /root and recreate bunx as a symlink to it (bun runs bun x when invoked as argv0 bunx). Corrected the stale comment.

Verification

Local just dev-detach:

  • dev-bunyip-web-${USER} is Up (no restart loop); logs show build:css "Done" and bunyip-web listening on 0.0.0.0:4400.
  • GET / -> 200; GET /assets/styles.css -> 200 (52 KB, Tailwind built).
  • bun --version and bunx --version both report 1.3.13 as uid 1000 inside the container.

Out of scope

Canonical fix belongs in the niceguyit/rust-builder base image (ship bun as a real 755 file + a bunx symlink). Flagged in BUNYIP-54 for a follow-up there.

Refs BUNYIP-54.

## Problem The dev `web` container (`dev-bunyip-${USER}`) crash-looped: first `sh: 1: bun: Permission denied`, then `bunx: command not found`. In the pinned base image `ghcr.io/niceguyit/rust-builder-glibc:v1.0.0-rust1.94-trixie`, `/usr/local/bin/bun` is a symlink into `/root/.bun/bin/bun` and `bunx` is absent. The container runs as the unprivileged host user (`USER ${HOST_UID}:${HOST_GID}`), which cannot traverse `/root` (mode 0700), so the `bun` exec fails; the `package.json` css scripts also call `bunx`, which does not exist. Both are a regression of BUNYIP-37, despite the prior Dockerfile comment asserting the base image had been fixed. Verified: `docker run --user 1000:1000 <base> bun --version` -> `bun: Permission denied` (as root it prints `1.3.13`). ## Fix In `bunyip-web/Dockerfile`, while still root (before the `USER` switch), materialize the real `bun` binary into a world-readable path outside `/root` and recreate `bunx` as a symlink to it (`bun` runs `bun x` when invoked as argv0 `bunx`). Corrected the stale comment. ## Verification Local `just dev-detach`: - `dev-bunyip-web-${USER}` is `Up` (no restart loop); logs show `build:css` "Done" and `bunyip-web listening on 0.0.0.0:4400`. - `GET /` -> 200; `GET /assets/styles.css` -> 200 (52 KB, Tailwind built). - `bun --version` and `bunx --version` both report `1.3.13` as uid 1000 inside the container. ## Out of scope Canonical fix belongs in the `niceguyit/rust-builder` base image (ship `bun` as a real 755 file + a `bunx` symlink). Flagged in BUNYIP-54 for a follow-up there. Refs BUNYIP-54.
fix(web): make bun/bunx runnable by the host user in the dev image
All checks were successful
Check / fmt / clippy / build / test (pull_request) Successful in 1m2s
Details
Create release / Create release from merged PR (pull_request) Has been skipped
Details
c992899afb 
The dev web container crash-looped with "bun: Permission denied" and then "bunx: command not found". In the pinned base image (rust-builder-glibc:v1.0.0-rust1.94-trixie) /usr/local/bin/bun is a symlink into /root/.bun/bin/bun and bunx is absent. The container runs as the unprivileged host user, which cannot traverse /root (mode 0700), so the bun exec fails; the package.json css scripts also call bunx, which does not exist. Both are a regression of BUNYIP-37, despite the prior comment asserting the base image had been fixed.

While still root, materialize the real bun binary into a world-readable path outside /root and recreate bunx as a symlink to it (bun runs `bun x` when invoked as argv0 bunx). The host user can now run both: the container starts, build:css produces assets/styles.css, and bunyip-web serves on :4400.

Verified locally: just dev-detach brings dev-bunyip-web up (no restart loop); GET / -> 200, GET /assets/styles.css -> 200; bun --version and bunx --version both report 1.3.13 as uid 1000. The canonical fix belongs in the rust-builder base image and is noted in the issue.

#BUNYIP-54

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
nrupard deleted branch fix/bunyip-54-web-bun-permission 2026-06-05 21:45:59 +02:00
Sign in to join this conversation.
Reviewers
No reviewers
Labels
Clear labels
No items
No labels
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
psa-systems/bunyip!68
No description provided.