From 7241869a9e90028df070ff02caf19703b26dee4b Mon Sep 17 00:00:00 2001 From: William Mahoney Date: Fri, 20 Feb 2026 21:24:40 -0700 Subject: [PATCH] Fix silent config corruption in 50-ipv6.sh on NFS volumes Replace unsafe `echo "$(sed ...)" > $FILE` with atomic temp-file write. The current pattern reads a file with sed inside a command substitution, then writes the result back via echo redirection. If sed reads an empty or momentarily unreadable file (e.g., NFS transient issue during container recreation by Watchtower or similar tools), it produces no output. The echo then writes exactly 1 byte (a newline) to the config file, silently destroying its contents. The fix writes sed output to a temp file first, checks it's non-empty with `[ -s ]`, then atomically replaces the original via `mv`. If sed produces empty output, the original file is preserved and a warning is logged to stderr. --- docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/50-ipv6.sh | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/50-ipv6.sh b/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/50-ipv6.sh index 2ae61ae5..5d33cde4 100755 --- a/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/50-ipv6.sh +++ b/docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/50-ipv6.sh @@ -25,7 +25,13 @@ process_folder () { for FILE in $FILES do echo "- ${FILE}" - echo "$(sed -E "$SED_REGEX" "$FILE")" > $FILE + TMPFILE="${FILE}.tmp" + if sed -E "$SED_REGEX" "$FILE" > "$TMPFILE" && [ -s "$TMPFILE" ]; then + mv "$TMPFILE" "$FILE" + else + echo "WARNING: skipping ${FILE} — sed produced empty output" >&2 + rm -f "$TMPFILE" + fi done # ensure the files are still owned by the npm user
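Review bot: In the success branch, `mv "$TMPFILE" "$FILE"` swaps in a file that the `> "$TMPFILE"` redirection has just created, so the config ends up with the creating process's default mode instead of the original file's permissions. The trailing comment indicates ownership is reset after the loop, but nothing in the visible lines restores the mode, so copy the original's mode onto the temp file before the rename. The else branch also reports "sed produced empty output" in three different situations: sed exiting non-zero, the redirection itself failing, and an input file that was already legitimately empty. Splitting the condition so the exit status and the `[ -s "$TMPFILE" ]` result are logged separately would make the warning usable when diagnosing the NFS case the commit message describes. Note that `[ -s ]` only catches completely empty output. A short read that yields a truncated but non-empty result would still be moved into place, so comparing the line count of `$TMPFILE` against `$FILE` before the `mv` would be a stronger guard.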