fix: treat permission denied as graceful config fallback (distroless nonroot) #53

Open
gandalf-at-lerian wants to merge 1 commit into LerianStudio:develop from gandalf-at-lerian:fix/config-permission-denied

@gandalf-at-lerian

Problem

Matcher crashes on startup in distroless containers:

open config/matcher.yaml: permission denied

Root Cause

isConfigFileNotFound() only checked for ENOENT, not EACCES. In distroless:nonroot containers, the root-owned directory returns permission denied instead of file-not-found.

Fix

Added os.IsPermission(err) || errors.Is(err, os.ErrPermission) to isConfigFileNotFound() so both error types trigger graceful fallback to env-only configuration.

Tests added for direct and wrapped permission errors.

Closes #52

In distroless containers running as nonroot (UID 65534), attempting to read
config/matcher.yaml under a root-owned directory returns EACCES instead of
ENOENT. The app should fall back to env-only configuration in both cases.

Updated isConfigFileNotFound to also handle os.IsPermission and wrapped
permission errors via errors.Is(err, os.ErrPermission).

Closes LerianStudio#52
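
An added example, not the project's code, of the distinction the fix relies on: `os.IsPermission` does not see through errors wrapped with `%w`, while `errors.Is(err, os.ErrPermission)` does. It goes one step beyond the PR by keeping "missing" and "unreadable" as separate outcomes so the env-only fallback can be logged differently; `configErrKind`, `classifyConfigErr` and `constructedErr` are hypothetical names, the errors are constructed samples, and the `viper.ConfigFileNotFoundError` case is left out to stay standard-library only.

```go
package main

import (
	"errors"
	"fmt"
	"io/fs"
	"os"
	"syscall"
)

// configErrKind is a hypothetical classification for this example.
type configErrKind int

const (
	configMissing    configErrKind = iota // ENOENT: env-only fallback
	configUnreadable                      // EACCES/EPERM: fallback, worth a warning
	configFatal                           // anything else: abort startup
)

// classifyConfigErr uses errors.Is, which follows Unwrap chains, so the
// result is the same for a bare *fs.PathError and for one wrapped with %w.
func classifyConfigErr(err error) configErrKind {
	switch {
	case errors.Is(err, fs.ErrNotExist):
		return configMissing
	case errors.Is(err, fs.ErrPermission):
		return configUnreadable
	default:
		return configFatal
	}
}

// constructedErr builds a sample error shaped like the one os.Open returns,
// optionally wrapped the way a config loader might wrap it.
func constructedErr(errno syscall.Errno, wrap bool) error {
	var err error = &fs.PathError{Op: "open", Path: "config/matcher.yaml", Err: errno}
	if wrap {
		err = fmt.Errorf("load config: %w", err)
	}
	return err
}

func main() {
	for _, wrap := range []bool{false, true} {
		e := constructedErr(syscall.EACCES, wrap)
		// os.IsPermission predates errors.Is and does not unwrap %w chains.
		fmt.Printf("%v: os.IsPermission=%v kind=%d\n", e, os.IsPermission(e), classifyConfigErr(e))
	}
}
```

A config file that exists but is unreadable is usually a deployment mistake (wrong ownership or mount mode), so the `configUnreadable` branch is the place to emit a warning before continuing with environment variables.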
@coderabbitai

coderabbitai bot commented Mar 18, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: becc5be0-b071-4b26-9a6b-d97cfb5b1e03

📥 Commits

Reviewing files that changed from the base of the PR and between 06b236b and 007c00c.

📒 Files selected for processing (2)
  • internal/bootstrap/config_yaml.go
  • internal/bootstrap/config_yaml_test.go

Walkthrough

The changes extend the isConfigFileNotFound function in the configuration loading logic to treat permission errors (including os.ErrPermission and EACCES) as config-file-not-found scenarios, in addition to the existing viper.ConfigFileNotFoundError handling. This allows the system to fall back to environment-only configuration when a config file cannot be accessed due to permission restrictions. Corresponding test cases have been added to verify both direct and wrapped permission error scenarios are handled correctly.

🚥 Pre-merge checks | ✅ 4
✅ Passed checks (4 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The title accurately describes the main change: treating permission denied errors as config not found to enable graceful fallback in distroless nonroot containers. |
| Description check | ✅ Passed | The description provides a clear problem statement, root cause analysis, and implementation details, though it lacks explicit completion of the template checklist items. |
| Linked Issues check | ✅ Passed | The code changes fully implement the requirements from issue #52: treating permission errors as config-not-found and enabling graceful fallback. |
| Out of Scope Changes check | ✅ Passed | All changes are directly related to fixing the permission denied issue and adding corresponding test coverage; no out-of-scope modifications detected. |
