Fix mosquitto chown noise

[Apehaenger]

Will suppress some early container bootup warnings... for next release

Summary by CodeRabbit

• Chores
  • Security hardening: The MQTT broker now runs as a non-root user inside its container, improving isolation and reducing risk.
  • No action required: Ports, volumes, and behavior are unchanged; deployment and operation remain fully backward-compatible.
  • Aligns the stack with least-privilege best practices for safer operation without impacting existing workflows.

[coderabbitai]

Walkthrough

Updated the OpenMower Docker Compose to run the Mosquitto service as user mosquitto:mosquitto by adding a user directive. No other changes to ports, volumes, or services.

Changes

Cohort / File(s)	Summary
OpenMower Docker Compose stage-openmower/40-openmower/files/opt/stacks/openmower/compose.yaml	Mosquitto service: added user: mosquitto:mosquitto to run as non-root; no other modifications.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Poem

A nibble of config, hop-hop, I go,
Switching root to a safer burrow below.
Mosquitto hums, least-privilege in play,
Carrots secure, packets on their way.
Ears up, logs clean—what a tidy show! 🥕🐇

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title Check	✅ Passed	The title "Fix mosquitto chown noise" succinctly and accurately summarizes the primary change—suppressing mosquitto chown startup warnings by adjusting the Mosquitto service user—and directly reflects the changes in the compose file. It is concise, specific, and clear enough for teammates scanning PR history to understand the main intent.
Docstring Coverage	✅ Passed	No functions found in the changes. Docstring coverage check skipped.

✨ Finishing touches

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch fix/mosquitto-chown-noise

---

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 1a93df5 and 53b066b.

📒 Files selected for processing (1)

• stage-openmower/40-openmower/files/opt/stacks/openmower/compose.yaml (1 hunks)

🔇 Additional comments (3)

stage-openmower/40-openmower/files/opt/stacks/openmower/compose.yaml (3)

36-36: Good hardening and fixes the noisy chown.

Running Mosquitto as a non-root user will skip entrypoint chown and silence the early warnings while improving least-privilege. Looks good.

---

36-36: No action required — mosquitto.conf is world-readable (0644).
Found /home/jailuser/git/stage-openmower/40-openmower/files/opt/stacks/openmower/mosquitto.conf with permissions -rw-r--r-- (0644); the container user mosquitto:mosquitto can read it.

---

36-36: Optional: prefer numeric UID:GID for portability — manual verification required

File: stage-openmower/40-openmower/files/opt/stacks/openmower/compose.yaml — currently:
user: mosquitto:mosquitto

Verification couldn't be performed here (docker not available). Run locally:
docker run --rm --entrypoint sh eclipse-mosquitto:2 -lc 'id -u mosquitto; id -g mosquitto'

If the image prints:
1883
1883

Apply:

-    user: mosquitto:mosquitto
+    user: "1883:1883"

Tip

👮 Agentic pre-merge checks are now available in preview!

Pro plan users can now enable pre-merge checks in their settings to enforce checklists before merging PRs.

• Built-in checks – Quickly apply ready-made checks to enforce title conventions, require pull request descriptions that follow templates, validate linked issues for compliance, and more.
• Custom agentic checks – Define your own rules using CodeRabbit’s advanced agentic capabilities to enforce organization-specific policies and workflows. For example, you can instruct CodeRabbit’s agent to verify that API documentation is updated whenever API schema files are modified in a PR. Note: Upto 5 custom checks are currently allowed during the preview period. Pricing for this feature will be announced in a few weeks.

Please see the documentation for more information.

Example:

reviews:
  pre_merge_checks:
    custom_checks:
      - name: "Undocumented Breaking Changes"
        mode: "warning"
        instructions: |
          Pass/fail criteria: All breaking changes to public APIs, CLI flags, environment variables, configuration keys, database schemas, or HTTP/GraphQL endpoints must be documented in the "Breaking Change" section of the PR description and in CHANGELOG.md. Exclude purely internal or private changes (e.g., code not exported from package entry points or explicitly marked as internal).

Please share your feedback with us on this Discord post.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[Apehaenger]

Merged into #27