mitmdump crashed at boot with PermissionError on
~/.mitmproxy/mitmproxy-ca.pem. Cause: `docker cp` preserves the
host file's mode AND uid. The CA files were 0600 owned by the host
user (uid 501 on macOS), so inside the container the mitmproxy
user (uid 1000, set by USER directive in Dockerfile) couldn't read
them.
Fix:
- `egress_proxy_tls_init`: chmod 644 the cert-only + the cert+key
concat on the host stage dir.
- `DockerEgressProxy.start`: chmod 644 routes.yaml and the
pipelock CA before `docker cp` into the egress-proxy container
(pipelock itself runs as root so its in-pipelock copy is
unaffected).
The host stage_dir is mode 700 — other host users still can't
traverse in, so the cert+key concat isn't actually exposed despite
the 644 mode. The container side gets world-readable, which is
fine inside the per-bottle container.
Reproduces against today's main: bottle's egress-proxy sidecar
crashes with PermissionError; after this patch mitmdump boots and
listens on :9099.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
didericis
57a9707e1c