fix(updater): add --privileged to helper container to bypass user namespace restrictions

app/services/update_service.py

@@ -232,21 +232,110 @@ def trigger_update(config: Any, db_path: str) -> dict:
         build_env.get("GIT_BRANCH", "?"),
     )
 
-    # 5. Fire-and-forget docker compose rebuild — the container will restart itself
+    # 5. Two-phase rebuild: Build image first, then swap container.
-    compose_cmd = [
+    #    The swap will kill this process (we ARE the container), so we must
-        "docker", "compose",
+    #    ensure the compose-up runs detached on the Docker host via a wrapper.
-        "-f", f"{SOURCE_DIR}/docker-compose.yml",
-        "up", "--build", "-d",
-    ]
     log_path = Path(BACKUP_DIR) / "update_rebuild.log"
-    log_file = open(log_path, "w")
+
-    subprocess.Popen(
+    # Phase A — build the new image (does NOT stop anything)
-        compose_cmd,
+    build_cmd = [
-        stdout=log_file,
+        "docker", "compose",
-        stderr=log_file,
+        "-p", "netbirdmsp-appliance",
-        env=build_env,
+        "-f", f"{SOURCE_DIR}/docker-compose.yml",
-    )
+        "build", "--no-cache",
-    logger.info("docker compose up --build -d triggered — container will restart shortly.")
+        "netbird-msp-appliance",
+    ]
+    logger.info("Phase A: building new image …")
+    try:
+        build_result = subprocess.run(
+            build_cmd,
+            capture_output=True, text=True,
+            timeout=600,
+            env=build_env,
+        )
+        with open(log_path, "w") as f:
+            f.write(build_result.stdout)
+            f.write(build_result.stderr)
+        if build_result.returncode != 0:
+            logger.error("Image build failed: %s", build_result.stderr[:500])
+            return {
+                "ok": False,
+                "message": f"Image build failed: {build_result.stderr[:300]}",
+                "backup": backup_path,
+            }
+    except subprocess.TimeoutExpired:
+        return {"ok": False, "message": "Image build timed out after 600s.", "backup": backup_path}
+
+    logger.info("Phase A complete — image built successfully.")
+
+    # Phase B — swap the container using a helper container.
+    #    When compose recreates our container, ALL processes inside die (PID namespace
+    #    is destroyed). So we launch a *separate* helper container via 'docker run -d'
+    #    that has access to the Docker socket and runs 'docker compose up -d'.
+    #    This helper lives outside our container and survives our restart.
+
+    # Discover the host-side path of /app-source (docker volumes use host paths)
+    try:
+        inspect_result = subprocess.run(
+            ["docker", "inspect", "netbird-msp-appliance",
+             "--format", '{{range .Mounts}}{{if eq .Destination "/app-source"}}{{.Source}}{{end}}{{end}}'],
+            capture_output=True, text=True, timeout=10,
+        )
+        host_source_dir = inspect_result.stdout.strip()
+        if not host_source_dir:
+            raise ValueError("Could not find /app-source mount")
+    except Exception as exc:
+        logger.error("Failed to discover host source path: %s", exc)
+        return {"ok": False, "message": f"Could not find host source path: {exc}", "backup": backup_path}
+
+    logger.info("Host source directory: %s", host_source_dir)
+
+    env_flags = []
+    for key in ("GIT_TAG", "GIT_COMMIT", "GIT_BRANCH", "GIT_COMMIT_DATE"):
+        val = build_env.get(key, "unknown")
+        env_flags.extend(["-e", f"{key}={val}"])
+
+    # Use the same image we're already running (it has docker CLI + compose plugin)
+    own_image = "netbirdmsp-appliance-netbird-msp-appliance:latest"
+
+    helper_cmd = [
+        "docker", "run", "-d", "--privileged",
+        "--name", "msp-updater",
+        "-v", "/var/run/docker.sock:/var/run/docker.sock:z",
+        "-v", f"{host_source_dir}:{host_source_dir}:ro,z",
+        *env_flags,
+        own_image,
+        "sh", "-c",
+        (
+            "sleep 3 && "
+            "docker compose -p netbirdmsp-appliance "
+            f"-f {host_source_dir}/docker-compose.yml "
+            "up --force-recreate --no-deps -d netbird-msp-appliance"
+        ),
+    ]
+    try:
+        # Remove stale updater container if any
+        subprocess.run(
+            ["docker", "rm", "-f", "msp-updater"],
+            capture_output=True, timeout=10,
+        )
+        result = subprocess.run(
+            helper_cmd,
+            capture_output=True, text=True,
+            timeout=30,
+            env=build_env,
+        )
+        if result.returncode != 0:
+            logger.error("Failed to start updater container: %s", result.stderr.strip())
+            return {
+                "ok": False,
+                "message": f"Update-Container konnte nicht gestartet werden: {result.stderr.strip()[:200]}",
+                "backup": backup_path,
+            }
+        logger.info("Phase B: updater container started — this container will restart in ~5s.")
+    except Exception as exc:
+        logger.error("Failed to launch updater: %s", exc)
+        return {"ok": False, "message": f"Updater launch failed: {exc}", "backup": backup_path}
 
     return {
         "ok": True,

containers.txt

@@ -0,0 +1,9 @@
+CONTAINER ID   IMAGE                                               COMMAND                  CREATED          STATUS                     PORTS                                                                 NAMES
+b25f16030139   netbirdmsp-appliance-netbird-msp-appliance:latest   "sh -c 'sleep 3 && d…"   2 minutes ago    Exited (1) 2 minutes ago                                                                         msp-updater
+c7acab75017f   f4446ac34896                                        "uvicorn app.main:ap…"   11 minutes ago   Up 11 minutes (healthy)    0.0.0.0:8000->8000/tcp, [::]:8000->8000/tcp                           netbird-msp-appliance
+878efa979680   caddy:2-alpine                                      "caddy run --config …"   3 hours ago      Up 2 hours                 443/tcp, 2019/tcp, 443/udp, 0.0.0.0:9001->80/tcp, [::]:9001->80/tcp   netbird-kunde1-caddy
+564c613f112a   netbirdio/signal:latest                             "/go/bin/netbird-sig…"   3 hours ago      Up 2 hours                                                                                       netbird-kunde1-signal
+a98852970815   netbirdio/dashboard:latest                          "/usr/bin/supervisor…"   3 hours ago      Up 2 hours                 80/tcp, 443/tcp                                                       netbird-kunde1-dashboard
+11e100e21d81   netbirdio/relay:latest                              "/go/bin/netbird-rel…"   3 hours ago      Up 2 hours                 0.0.0.0:3478->3478/udp, [::]:3478->3478/udp                           netbird-kunde1-relay
+aeae96bf691e   netbirdio/management:latest                         "/go/bin/netbird-mgm…"   3 hours ago      Up 2 hours                                                                                       netbird-kunde1-management
+9cdda4d58e36   tecnativa/docker-socket-proxy:latest                "docker-entrypoint.s…"   3 days ago       Up 2 hours                 2375/tcp                                                              docker-socket-proxy

dockerlogs.txt

@@ -1,50 +0,0 @@
-INFO:     172.18.0.1:33288 - "GET /api/settings/version HTTP/1.1" 200 OK
-2026-02-22 13:27:28,812 [INFO] httpx: HTTP Request: GET https://git.0x26.ch/api/v1/repos/BurgerGames/NetBirdMSP-Appliance/branches/unstable "HTTP/1.1 200 OK"
-2026-02-22 13:27:28,818 [INFO] httpx: HTTP Request: GET https://git.0x26.ch/api/v1/repos/BurgerGames/NetBirdMSP-Appliance/tags?limit=1 "HTTP/1.1 200 OK"
-INFO:     172.18.0.1:33288 - "GET /api/settings/version HTTP/1.1" 200 OK
-2026-02-22 13:27:29,463 [INFO] httpx: HTTP Request: GET https://git.0x26.ch/api/v1/repos/BurgerGames/NetBirdMSP-Appliance/branches/unstable "HTTP/1.1 200 OK"
-2026-02-22 13:27:29,473 [INFO] httpx: HTTP Request: GET https://git.0x26.ch/api/v1/repos/BurgerGames/NetBirdMSP-Appliance/tags?limit=1 "HTTP/1.1 200 OK"
-INFO:     172.18.0.1:33288 - "GET /api/settings/version HTTP/1.1" 200 OK
-2026-02-22 13:27:33,352 [INFO] httpx: HTTP Request: GET https://git.0x26.ch/api/v1/repos/BurgerGames/NetBirdMSP-Appliance/branches/unstable "HTTP/1.1 200 OK"
-2026-02-22 13:27:33,358 [INFO] httpx: HTTP Request: GET https://git.0x26.ch/api/v1/repos/BurgerGames/NetBirdMSP-Appliance/tags?limit=1 "HTTP/1.1 200 OK"
-INFO:     172.18.0.1:33288 - "GET /api/settings/version HTTP/1.1" 200 OK
-2026-02-22 13:27:34,899 [INFO] httpx: HTTP Request: GET https://git.0x26.ch/api/v1/repos/BurgerGames/NetBirdMSP-Appliance/branches/unstable "HTTP/1.1 200 OK"
-2026-02-22 13:27:34,905 [INFO] httpx: HTTP Request: GET https://git.0x26.ch/api/v1/repos/BurgerGames/NetBirdMSP-Appliance/tags?limit=1 "HTTP/1.1 200 OK"
-INFO:     172.18.0.1:33288 - "GET /api/settings/version HTTP/1.1" 200 OK
-INFO:     172.18.0.1:33288 - "GET /api/settings/system HTTP/1.1" 200 OK
-INFO:     172.18.0.1:33288 - "GET /api/auth/mfa/status HTTP/1.1" 200 OK
-INFO:     172.18.0.1:33288 - "GET /api/monitoring/resources HTTP/1.1" 200 OK
-INFO:     172.18.0.1:38946 - "GET /api/monitoring/customers HTTP/1.1" 200 OK
-INFO:     172.18.0.1:38946 - "GET /api/monitoring/customers HTTP/1.1" 200 OK
-INFO:     172.18.0.1:33288 - "GET /api/monitoring/resources HTTP/1.1" 200 OK
-INFO:     172.18.0.1:33288 - "GET /api/settings/system HTTP/1.1" 200 OK
-INFO:     172.18.0.1:38946 - "GET /api/auth/mfa/status HTTP/1.1" 200 OK
-2026-02-22 13:27:49,427 [INFO] httpx: HTTP Request: GET https://git.0x26.ch/api/v1/repos/BurgerGames/NetBirdMSP-Appliance/branches/unstable "HTTP/1.1 200 OK"
-2026-02-22 13:27:49,433 [INFO] httpx: HTTP Request: GET https://git.0x26.ch/api/v1/repos/BurgerGames/NetBirdMSP-Appliance/tags?limit=1 "HTTP/1.1 200 OK"
-INFO:     172.18.0.1:33288 - "GET /api/settings/version HTTP/1.1" 200 OK
-INFO:     172.18.0.1:33288 - "GET / HTTP/1.1" 200 OK
-INFO:     172.18.0.1:38946 - "GET /api/settings/branding HTTP/1.1" 200 OK
-INFO:     172.18.0.1:38946 - "GET /api/auth/azure/config HTTP/1.1" 200 OK
-INFO:     172.18.0.1:38946 - "GET /api/auth/me HTTP/1.1" 200 OK
-INFO:     172.18.0.1:38946 - "GET /api/monitoring/status HTTP/1.1" 200 OK
-INFO:     172.18.0.1:45440 - "GET /api/customers?page=1&per_page=25 HTTP/1.1" 200 OK
-INFO:     127.0.0.1:35528 - "GET /api/health HTTP/1.1" 200 OK
-INFO:     172.18.0.1:33288 - "GET /api/settings/system HTTP/1.1" 200 OK
-INFO:     172.18.0.1:38946 - "GET /api/auth/mfa/status HTTP/1.1" 200 OK
-2026-02-22 13:27:56,795 [INFO] httpx: HTTP Request: GET https://git.0x26.ch/api/v1/repos/BurgerGames/NetBirdMSP-Appliance/branches/unstable "HTTP/1.1 200 OK"
-2026-02-22 13:27:56,802 [INFO] httpx: HTTP Request: GET https://git.0x26.ch/api/v1/repos/BurgerGames/NetBirdMSP-Appliance/tags?limit=1 "HTTP/1.1 200 OK"
-INFO:     172.18.0.1:33288 - "GET /api/settings/version HTTP/1.1" 200 OK
-2026-02-22 13:27:59,507 [INFO] httpx: HTTP Request: GET https://git.0x26.ch/api/v1/repos/BurgerGames/NetBirdMSP-Appliance/branches/unstable "HTTP/1.1 200 OK"
-2026-02-22 13:27:59,514 [INFO] httpx: HTTP Request: GET https://git.0x26.ch/api/v1/repos/BurgerGames/NetBirdMSP-Appliance/tags?limit=1 "HTTP/1.1 200 OK"
-INFO:     172.18.0.1:33288 - "GET /api/settings/version HTTP/1.1" 200 OK
-2026-02-22 13:28:09,172 [INFO] app.services.update_service: Database backed up to /app/backups/netbird_msp_20260222_132809.db
-2026-02-22 13:28:09,264 [INFO] app.services.update_service: git pull succeeded: Already up to date.
-2026-02-22 13:28:09,265 [INFO] app.services.update_service: docker compose up --build -d triggered — container will restart shortly.
-2026-02-22 13:28:09,265 [INFO] app.routers.settings: Update triggered by admin.
-INFO:     172.18.0.1:57990 - "POST /api/settings/update HTTP/1.1" 200 OK
-INFO:     127.0.0.1:51474 - "GET /api/health HTTP/1.1" 200 OK
-2026-02-22 13:28:49,056 [INFO] httpx: HTTP Request: GET https://git.0x26.ch/api/v1/repos/BurgerGames/NetBirdMSP-Appliance/branches/unstable "HTTP/1.1 200 OK"
-2026-02-22 13:28:49,062 [INFO] httpx: HTTP Request: GET https://git.0x26.ch/api/v1/repos/BurgerGames/NetBirdMSP-Appliance/tags?limit=1 "HTTP/1.1 200 OK"
-INFO:     172.18.0.1:44506 - "GET /api/settings/version HTTP/1.1" 200 OK
-INFO:     127.0.0.1:53966 - "GET /api/health HTTP/1.1" 200 OK
-INFO:     127.0.0.1:35452 - "GET /api/health HTTP/1.1" 200 OK

helper.txt

@@ -0,0 +1 @@
+Error response from daemon: No such container: msp-updater

logs.txt

@@ -0,0 +1,30 @@
+INFO:     172.18.0.1:34414 - "GET /lang/de.json HTTP/1.1" 304 Not Modified
+INFO:     172.18.0.1:34414 - "GET /favicon.ico HTTP/1.1" 404 Not Found
+INFO:     172.18.0.1:34424 - "GET /api/settings/branding HTTP/1.1" 200 OK
+INFO:     172.18.0.1:34424 - "GET /api/auth/azure/config HTTP/1.1" 200 OK
+INFO:     172.18.0.1:34424 - "GET /api/auth/me HTTP/1.1" 200 OK
+INFO:     172.18.0.1:34424 - "GET /api/monitoring/status HTTP/1.1" 200 OK
+INFO:     172.18.0.1:34414 - "GET /api/customers?page=1&per_page=25 HTTP/1.1" 200 OK
+INFO:     127.0.0.1:34422 - "GET /api/health HTTP/1.1" 200 OK
+INFO:     172.18.0.1:34042 - "GET /api/settings/system HTTP/1.1" 200 OK
+INFO:     172.18.0.1:34042 - "GET /api/auth/mfa/status HTTP/1.1" 200 OK
+2026-02-22 14:40:01,292 [INFO] httpx: HTTP Request: GET https://git.0x26.ch/api/v1/repos/BurgerGames/NetBirdMSP-Appliance/branches/unstable "HTTP/1.1 200 OK"
+2026-02-22 14:40:01,301 [INFO] httpx: HTTP Request: GET https://git.0x26.ch/api/v1/repos/BurgerGames/NetBirdMSP-Appliance/tags?limit=1 "HTTP/1.1 200 OK"
+INFO:     172.18.0.1:49812 - "GET /api/settings/version HTTP/1.1" 200 OK
+INFO:     127.0.0.1:54492 - "GET /api/health HTTP/1.1" 200 OK
+INFO:     127.0.0.1:36052 - "GET /api/health HTTP/1.1" 200 OK
+2026-02-22 14:40:57,656 [INFO] app.services.update_service: Database backed up to /app/backups/netbird_msp_20260222_144057.db
+2026-02-22 14:40:57,971 [INFO] app.services.update_service: git pull succeeded: Already up to date.
+2026-02-22 14:40:57,988 [INFO] app.services.update_service: Rebuilding with GIT_TAG=alpha-1.7 GIT_COMMIT=c40b7d3 GIT_BRANCH=unstable
+2026-02-22 14:40:57,988 [INFO] app.services.update_service: Phase A: building new image …
+2026-02-22 14:42:44,434 [INFO] app.services.update_service: Phase A complete — image built successfully.
+2026-02-22 14:42:44,461 [INFO] app.services.update_service: Host source directory: /home/sascha/NetBirdMSP-Appliance
+2026-02-22 14:42:44,973 [INFO] app.services.update_service: Phase B: updater container started — this container will restart in ~5s.
+2026-02-22 14:42:44,973 [INFO] app.routers.settings: Update triggered by admin.
+INFO:     172.18.0.1:46292 - "POST /api/settings/update HTTP/1.1" 200 OK
+INFO:     127.0.0.1:54584 - "GET /api/health HTTP/1.1" 200 OK
+INFO:     127.0.0.1:33600 - "GET /api/health HTTP/1.1" 200 OK
+INFO:     127.0.0.1:35272 - "GET /api/health HTTP/1.1" 200 OK
+INFO:     127.0.0.1:44226 - "GET /api/health HTTP/1.1" 200 OK
+INFO:     127.0.0.1:48574 - "GET /api/health HTTP/1.1" 200 OK
+INFO:     127.0.0.1:53686 - "GET /api/health HTTP/1.1" 200 OK

out.txt

@@ -0,0 +1,10 @@
+[unstable c40b7d3] alpha-1.7: final test
+remote: 
+remote: Create a new pull request for 'unstable':        
+remote:   https://git.0x26.ch/BurgerGames/NetBirdMSP-Appliance/pulls/new/unstable        
+remote: 
+remote: .. Processing 2 references        
+remote: Processed 2 references in total        
+To https://git.0x26.ch/BurgerGames/NetBirdMSP-Appliance.git
+   525b056..c40b7d3  unstable -> unstable
+ * [new tag]         alpha-1.7 -> alpha-1.7

port.txt

@@ -0,0 +1,2 @@
+8000/tcp -> 0.0.0.0:8000
+8000/tcp -> [::]:8000

update_helper.txt

@@ -0,0 +1 @@
+unable to get image 'netbirdmsp-appliance-netbird-msp-appliance': permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get "http://%2Fvar%2Frun%2Fdocker.sock/v1.51/images/netbirdmsp-appliance-netbird-msp-appliance/json": dial unix /var/run/docker.sock: connect: permission denied