Category: Programming

Migrating from Docker Desktop to Colima: When Hardened Images Break

By 10:25 AM, I’d entered what Mystery Science Theater 3000 fans call “Deep Hurting.” The migration plan was solid. The backup discipline was comprehensive. The execution? Chaos.

I run a containerized production Mastodon instance on an 8 GB Mac mini. (Yes, I know what the cloud people say, and FYI it’s Cloudflare Tunneled for protection.) My Docker Desktop installation’s half-gig RAM footprint was eating precious resources. Colima promised the same Docker experience without the GUI overhead. I budgeted a 1.5 hour migration plan for what should’ve been a straightforward runtime swap.

Two and a half hours and seven critical issues later, I’d discovered that Docker Hardened Images and Colima don’t play nicely together. And that discovery matters to anyone running hardened containers in virtualized environments.

The Plan (That Didn’t Survive Contact with Reality)

The strategy was textbook: maintenance window approach, comprehensive backups (database dumps, volume archives, configuration snapshots), explicit rollback procedures. I’d stop Docker Desktop, switch the Docker context to Colima, update one path in the Makefile I use to automate tasks, and restart services. Everything uses bind mounts, so data stays on the host file system. What could go wrong?

Everything. Everything could go wrong.

Obsolete Makefile references

First backup try:

service "db" is not running

Wait–what’s db? I migrated from version 14 to version 17 of the PostgreSQL relational database system weeks ago. Switched and even switched from the default PostgreSQL image to a Docker Hardened Image (DHI), even. My compose files reference db-pg17. But the Makefile’s backup targets? Still calling the old db service. The PostgreSQL migration documentation lived in the README file that I keep. The Makefile lived in… a different mental context apparently.

Lesson: When you migrate infrastructure components, grep for references everywhere. Compose files, Makefiles, scripts, documentation. “It’s working” means “it’s working right now,” not “the migration completed.”

The empty `postgres17/` directory

After resolving the database restore issues (we’ll get there), containers started successfully. Then I ran a restart test. PostgreSQL came up empty–no data, no tables, fresh initialization.

% ls -la postgres17/
total 0
drwxr-xr-x@ 2 markandsharon staff 64 Jan 7 16:31 .

64 bytes. An empty directory. That December PostgreSQL 14 → 17 “migration”? Created the directory, never populated it. PostgreSQL 14 data stayed in postgres14/. Docker Desktop must’ve been using cached or internal storage.

Lesson: Don’t trust that migrations succeeded because services are healthy. Check the actual data files. Persistence isn’t persistence if nothing’s persisting.

Wrong database target

After fixing the Makefile, services started… and instantly crash-looped:

PG::UndefinedTable: ERROR:  relation "users" does not exist

PostgreSQL was healthy. The application disagreed. Turns out I’d restored the dump to the wrong database:

# What I did (wrong):
psql -U mastodon postgres < dump.sql
# What I should have done:
psql -U mastodon mastodon_production < dump.sql

The mastodon_production database existed–it was just empty. All my data went into the postgres database that nothing was reading. The psql command-line client defaults to the database matching your username or postgres if unspecified. Explicit is better than implicit, especially when you’re in a hurry.

Version-specific `PGDATA` paths

Once data landed in the right database, I hit a new problem: data didn’t persist across restarts. The bind mount directory stayed empty even though PostgreSQL was running and accepting writes.

It turns out that my PostgreSQL DHI uses version-specific paths:

# My bind mount:
- ./postgres17:/var/lib/postgresql/data
# Actual DHI PostgreSQL data directory:
# PGDATA=/var/lib/postgresql/17/data

The mount shadowed the wrong directory. PostgreSQL wrote data to /var/lib/postgresql/17/data, which wasn’t mounted. Data lived in ephemeral container storage. Restart? Data gone.

$ docker compose exec db-pg17 psql -U mastodon postgres -c "SHOW data_directory;"
       data_directory
-----------------------------
 /var/lib/postgresql/17/data

Lesson: Verify assumptions. Every single one. Check SHOW data_directory; immediately after container start. Test a restart before celebrating success.

I corrected the mount path to match DHI’s expected location. That’s when I found the real problem.

The DHI + Colima Incompatibility Discovery: VirtioFS bind mount ownership failures

After correcting the mount path, PostgreSQL entered an immediate crash-loop:

FATAL: data directory "/var/lib/postgresql/17/data" has wrong ownership
HINT: The server must be started by the user that owns the data directory.

Inside the container, the mounted directory appeared owned by the root user (user ID 0). But PostgreSQL runs as the postgres user. Permission denied.

% docker compose run --rm --entrypoint sh db-pg17 -c "ls -ld /var/lib/postgresql/17/data"
drwxr-xr-x 2 0 0 4096 Jan 10 16:22 /var/lib/postgresql/17/data
# Owner: UID 0 (root), but PostgreSQL requires postgres user ownership

Colima uses the VirtioFS system for file sharing. VirtioFS handles UID mapping differently than Docker Desktop’s virtual machine (VM) implementation. Bind mounts that work perfectly on Docker Desktop fail on Colima because the ownership mapping doesn’t translate.

Fine. This is a known issue with Colima and some images. I’ll switch to a named volume–Docker manages those internally, so host filesystem permissions shouldn’t matter.

Named volumes still failed:

FATAL: data directory "/var/lib/postgresql/17/data" has wrong ownership

Wait. Named volumes are supposed to be isolated from host file system issues. They’re managed entirely by Docker. Fresh named volume, Docker creates it, Docker populates it–and it still shows wrong ownership inside the DHI container.

# Fresh named volume:
% docker compose run --rm --entrypoint sh db-pg17 -c "ls -ld /var/lib/postgresql/17/data"
drwxr-xr-x 2 0 0 4096 Jan 10 16:22 /var/lib/postgresql/17/data

DHI PostgreSQL’s entrypoint has environmental assumptions that Colima’s VM doesn’t satisfy. The image’s security hardening includes stricter ownership validation. That validation doesn’t account for Colima’s volume handling.

The pragmatic trade-off

So I had to make a decision:

Debug DHI + Colima compatibility (unknown time investment, might be unsolvable), or
Switch to the standard postgres:17-alpine image (known working, immediate resolution)

Production system. Already 1.5 hours into debugging. Swap the image:

# Before (DHI):
image: dhi.io/postgres:17-alpine3.22
volumes:
  - postgres17-data:/var/lib/postgresql/17/data
# After (Standard):
image: postgres:17-alpine
volumes:
  - postgres17-data:/var/lib/postgresql/data

PostgreSQL initialized successfully. Data persisted across restarts. Services came up healthy.

The trade-off:

✓ Gained: Colima compatibility, reliable data persistence, onward progress
❌ Lost (temporarily): DHI security hardening–documented for future investigation

Docker Hardened Images offer security features through stricter defaults and entrypoint validation. Those same strict requirements reduce the compatibility surface. When you introduce a different virtualization environment (Colima’s VirtioFS instead of Docker Desktop’s VM), the hardening becomes brittleness.

This isn’t DHI’s fault–it’s the expected consequence of defense-in-depth. But if you’re migrating from Docker Desktop to Colima, test your image compatibility in isolation first. This is crucial if you are using Docker Hardened Images. Carry out these tests before migration day.

The Outcome

Migration completed at 11:30 AM. Zero data loss. All services healthy. Automation restored. RAM reclaimed (Docker Desktop’s overhead vs. Colima’s negligible footprint).

The real outcome was discovering–systematically, through elimination–that DHI PostgreSQL and Colima are incompatible without further investigation. I’ve documented this as a known issue. Future work: test DHI with different volume strategies, check whether newer DHI versions resolve the issue, evaluate whether the security delta matters for a single-user instance.

For now, I’m running standard postgres:17-alpine. The migration is successful. The security regression is documented and scheduled for future investigation. Forward progress beats perfectionism.

Key Takeaways

Backups are your safety net–use them. I restored the database once during this migration. That restore took 30 seconds because I’d verified the backup existed and was recent.

Systematic debugging beats panic every time. Bind mounts failed → tried named volumes → still failed → isolated to image-specific behavior. That progression ruled out host file system issues and pointed directly at image compatibility.

Pragmatic trade-offs beat perfectionism. I could’ve spent hours debugging DHI compatibility. Instead, I documented the incompatibility, switched to standard images, and moved on. The security regression is tracked. The production system is running.

Document failures honestly; they’re learning opportunities. This post exists because the migration didn’t go smoothly. The DHI + Colima incompatibility is now documented for anyone else hitting the same issue. That’s more valuable than a “here’s how I moved from X to Y” success story.

Migration duration	2.5 hours actual vs. 1.5 hours planned
Issues encountered	7 critical
Data loss	0 bytes
Services	All healthy
Memory reclaimed	~500 MB
Novel discoveries	1 (DHI + Colima incompatibility)
Trade-offs documented	1 (security hardening vs. compatibility

Running production infrastructure on an 8 GB Mac mini teaches you to value both resources and reliability. Colima delivers on the resources. This migration delivered on the reliability… eventually.

January 20, 2026

10 Lines to Better Docker Compose Secrets
This is a practical pattern I use when containerized apps expect environment variables but I want the security benefits of file-mounted secrets. Drop the shell script below next to your Docker Compose files and you can do the same.

Quick overview

Secrets like passwords and API keys belong outside your repository and application image layers. Docker Compose can mount such secrets in your containers as files under /run/secrets, which keeps them out of images and version control. But many apps still expect configuration via environment variables. Rather than changing app code, I use a tiny wrapper script that:
- reads every file in /run/secrets
- exports each file’s contents as an environment variable
- then execs the original command
It’s small, predictable, portable, and keeps secrets from mixing with your versioned .env environment files and out of your Compose files.

How it works
- Location: Docker Compose mounts secrets into the container at /run/secrets/<NAME>.
- Mapping rule: The wrapper uses those file names as environment variable names; the file contents become the values. Secret names in your Compose file must be valid shell identifiers (they become both the file names in /run/secrets and the exported variable names).
- Execution: After exporting variables, the script uses exec "$@" so that the wrapped process replaces the shell and inherits the exported environment.
- Security model: Secrets remain files you can permission appropriately on the host; they’re not baked into images or stored in your Compose YAML as plain text.
The script

Let’s call it with-secrets.sh:
```
#!/bin/sh
set -eu

for secret_file in /run/secrets/*; do
  [ -e "$secret_file" ] || continue
  if [ -f "$secret_file" ]; then
    name=$(basename "$secret_file")
    export "$name=$(cat "$secret_file")"
  fi
done

exec "$@"
```
Notes about the script
- set -eu fails fast on unset variables or errors.
- Since it exports each secret using the file name as the variable name, sanitize the file name if you need different environment variable names.
- The final exec hands control to your app without leaving an extra shell process.
Example Compose snippet
```
services:
  app:
    image: your-app:latest
    secrets:
      - DB_PASS
      - API_KEY
    volumes:
      - ./with-secrets.sh:/with-secrets.sh:ro
    command: ["/with-secrets.sh", "your-original-command", "--with-args"]

secrets:
  DB_PASS:
    file: ./secrets/db_password.txt
  API_KEY:
    file: ./secrets/api_key.txt
```
Behavior: DB_PASS and API_KEY above appear as files (/run/secrets/DB_PASS, /run/secrets/API_KEY); the mounted with-secrets.sh wrapper script exports them as DB_PASS and API_KEY environment variables for your-original-command --with-args.

Decision points and alternatives
- Prefer native *_FILE support if your app supports it (e.g., PostgreSQL’s PGPASSFILE). That avoids the wrapper entirely.
- For multi-host or high-compliance deployments, use an external secrets manager (e.g., Hashicorp Vault, cloud KMS, SOPS) rather than Compose secrets.
- Build-time secrets are a separate concern; use BuildKit or dedicated build secret mechanisms to avoid leaking credentials into your image layers.
Risks and mitigations
- Risk: Accidentally logging or dumping environment variables
  Mitigation: Never print environment variables in logs and restrict debug output
- Risk: Secret file names that are not valid shell identifiers
  Mitigation: Normalize or map file names to safe environment variable names before exporting
- Risk: Secrets checked into git or other version control
  Mitigation: Keep secret files out of repos, add strict .gitignore rules, and inject secrets via CI/CD or runtime provisioning
Final notes

This pattern is intentionally pragmatic: it preserves the security advantage of file-mounted secrets while letting unmodified apps keep using environment variables. It’s not a silver bullet for every environment–use it where Compose secrets are appropriate and pair it with stronger secret stores for production-grade, multi-host deployments.
December 22, 2025
Claude Code CLI over SSH on macOS: Fixing Keychain Access
Claude Code is a powerful command-line tool for agentic software development. However, if you try to use it over an SSH secure shell session on macOS, you may see a confusing mix of “Login successful” and “Missing API key” messages. The root cause: Claude Code’s OAuth token lives in the macOS Keychain, which SSH sessions can’t access by default.

Here’s a quick fix that took about 10 minutes to build — with Claude Code’s help. (Meta, but effective.)

The Fix

Add this to your ~/.zshrc:
```
# Wrapper function to unlock keychain before running claude
claude() {
  if [ -n "$SSH_CONNECTION" ] && [ -z "$KEYCHAIN_UNLOCKED" ]
  then
    security unlock-keychain ~/Library/Keychains/login.keychain-db
    export KEYCHAIN_UNLOCKED=true
  fi
  command claude "$@"
}
```
Reload your shell (source ~/.zshrc), then run claude over SSH. It will prompt for your keychain password once per session, then work normally.

How It Works
1. Detects SSH sessions via $SSH_CONNECTION
2. Unlock the keychain once per session, using $KEYCHAIN_UNLOCKED to guard against multiple attempts
3. Delegate to the real claude command with all arguments passed
The keychain stays unlocked for the duration of your SSH session, so you only enter the password once.

Security note: This doesn’t bypass macOS Keychain security. It just prompts you once per SSH session, the same as if you’d unlocked it locally.

With this wrapper in place, I can get Claude Code to behave over SSH exactly as it does locally. There are no surprises and no API keys, and my Claude Pro login works as expected.

The broader lesson

Command line tools that rely on the macOS Keychain often break over SSH. Wrapping those tools with the security unlock-keychain command generally fixes those issues.
October 26, 2025
Treating My Résumé Like Infrastructure
Applying Platform Thinking to the Job Hunt

Most job applications today are screened by AI-driven applicant tracking systems (ATS) before a human ever sees them. That means formatting consistency, keyword alignment, and clarity aren’t just nice to have — they’re survival traits. Manually tailoring each version is slow and error-prone.

I’ve been building production systems for thirty years, from backend services to release automation. When I saw myself maintaining multiple Word documents for different job contexts, I did what any software engineer would do: I built a system instead.

The problem and solution

Job hunting requires multiple résumé versions for different roles like platform vs backend. It also demands multiple formats like PDF, HTML, and plain text for ATS filters. Additionally, you need to manage the content selectively by hiding old projects, limiting bullets, and emphasizing different skills. Manually maintaining these variations leads to copy-paste errors, outdated information, and hours spent reformatting.

Instead of managing variants manually, I treat my résumé as data flowing through a configurable transformation pipeline. One YAML file adhering to the JSON Resume schema serves as the source of truth. Pandoc with custom Lua filters transforms it based on YAML config files.

The filters hide entries marked x-hidden: true, filter by date ranges, limit bullet points, and format dates consistently. They also adjust section titles automatically. The system outputs PDF (via WeasyPrint), HTML, Markdown, or plain text. Git branches track versions per company/role.

The architecture separates content (YAML), presentation (templates), and transformation logic (Lua filters). Configuration over duplication. Infrastructure as code.

The résumé rendering pipeline

Example: Platform engineering résumé

Here’s how that thinking plays out in practice. For a platform engineering role, I want to:
1. Hide CPAN projects older than 10 years (too Perl-focused)
2. Limit work highlights to 3 per job (keep it concise)
3. Emphasize containerization and automation experience
Example commands
```
# Adjust configuration
vim share/pandoc/metadata/date_past.yaml        # Set project age limit
vim share/pandoc/metadata/highlights_limit.yaml # Set bullet limits

# Generate
./scripts/save_pdf.sh eg/mjgardner_resume.yaml

# Or with Docker
docker compose run --rm resume-remixer \
  ./scripts/save_pdf.sh eg/mjgardner_resume.yaml
```
The pipeline automatically:
- Filters out old projects
- Trims bullet points to the first 3 per job
- Updates section titles (“Projects” → “Selected Recent Projects”)
- Generates clean, professional PDF output
No manual editing. No copy-paste. Reproducible every time.

Infrastructure thinking in practice

Platform engineering isn’t just specific tools — it’s an approach. When you see a repetitive manual process, you automate. When data needs multiple representations, you build transformation pipelines. When reproducibility matters, you containerize.

This résumé generator uses the same principles I apply to release pipelines and build automation. One source of truth, configurable transformations, reproducible output. The tools here are Pandoc, Lua, and Docker, but the approach works regardless of stack.

Using JSON Resume schema makes the data portable. Dockerizing the pipeline ensures reproducibility across platforms. Version control enables branching per application. The right abstractions (YAML config files instead of code) make it usable.

The code

Full source, documentation, and examples: codeberg.org/mjgardner/resume-remixer

Licensed open source. If you’re maintaining multiple résumé versions manually, give it a try. Let me know how you adapt it for your own workflow.
October 14, 2025
Porting from Perl to Go: Simplifying for Platform Engineering
Rewriting a script for the Homebrew package manager taught me how the Go programming language’s design choices align with platform-ready tools.

The problem with brew upgrade

By default, the brew upgrade command updates every formula (terminal utility or library). It also updates every cask (GUI application) it manages. All are upgraded to the latest version — major, minor, and patch. That’s convenient when you want the newest features, but disruptive when you only want quiet patch-level fixes.

Last week I solved this in Perl with brew-patch-upgrade.pl, a script that parsed brew upgrade’s JSON output, compared semantic versions, and upgraded only when the patch number changed. It worked, but it also reminded me how much Perl leans on implicit structures and runtime flexibility.

This week I ported the script to Go, the lingua franca of DevOps. The goal wasn’t feature parity — it was to see how Go’s design choices map onto platform engineering concerns.

Why port to Go?
- Portfolio practice: I’m building a body of work that demonstrates platform engineering skills.
- Operational focus: Go is widely used for tooling in infrastructure and cloud environments.
- Learning by contrast: Rewriting a working Perl script in Go forces me to confront differences in error handling, type safety, and distribution.
The journey

Error handling philosophy

Perl gave me try/catch (experimental in the Perl v5.34.1 that ships with macOS, but since accepted into the language in v5.40). Go, famously, does not. Instead, every function returns an error explicitly.

Perl:
```
use v5.34;
use warnings;
use experimental qw(try);
use Carp;
use autodie;

...

try {
  system 'brew', 'upgrade', $name;
  $result = 'upgraded';
}
catch ($e) {
  $result = 'failed';
  carp $e;
}
```
Go:
```
package main

import (
  "os/exec"
  "log"
)

...

cmd := exec.Command("brew", "upgrade", name)
if output, err := cmd.CombinedOutput(); err != nil {
  log.Printf("failed to upgrade %s: %v\n%s",
    name,
    err,
    output)
}
```
The Go version is noisier, but it forces explicit decisions. That’s a feature in production tooling: no silent failures.

Dependency management
- Perl: cpanfile + CPAN modules. Distribution means “install Perl (if it’s not already), install modules, run script.” Tools like carton and the cpan or cpanm commands help automate this. Additionally, one can use further tooling like fatpack and pp to build more self-contained packages. But those are neither common nor (except for cpan) distributed with Perl.
- Go: go.mod + go build. Distribution is a single (platform-specific) binary.
For operational tools, that’s a massive simplification. No runtime interpreter, no dependency dance.

Type safety

Perl let me parse JSON into hashrefs and trust the keys exist. Go required a struct:
```
type Formula struct {
  Name              string   `json:"name"`
  CurrentVersion    string   `json:"current_version"`
  InstalledVersions []string `json:"installed_versions"`
}
```
The compiler enforces assumptions that Perl left implicit. That friction is valuable — it surfaces errors early.

Binary distribution

This is where Go shines. Instead of telling colleagues “install Perl v5.34 and CPAN modules,” I can hand them a binary. No need to worry about scripting runtime environments — just grab the right file for your system.
- homebrew-semver-guard-darwin (Universal Binary for macOS)
- homebrew-semver-guard-linux-amd64 (Intel/AMD 64-bit binary for Linux)
- homebrew-semver-guard-linux-arm64 (Arm 64-bit binary for Linux)
Available on the release page. Download, run, done.

Semantic versioning logic

In Perl, I manually compared arrays of version numbers. In Go, I imported golang.org/x/mod/semver:
```
import (
  golang.org/x/mod/semver
)

...

if semver.MajorMinor(toSemver(formula.InstalledVersions[0])) !=
  semver.MajorMinor(toSemver(formula.CurrentVersion)) {
  log.Printf("%s is not a patch upgrade", formula.Name)
  results.skipped++
  continue
}
```
Cleaner, more legible, and less error-prone. The library encodes the convention, so I don’t have to.

Deliberate simplification

I didn’t port every feature. Logging adapters, signal handlers, and edge-case diagnostics remained in Perl. The Go version focuses on the core logic: parse JSON, compare versions, run upgrades. That restraint was intentional — I wanted to learn Go’s idioms, not replicate every Perl flourish.
Platform engineering insights

Three lessons stood out:
1. Binary distribution matters. Operational tools should be installable with a single copy step. Go makes that trivial.
2. Semantic versioning is an operational practice. It’s not just a convention for library authors — it’s a contract that tooling can enforce.
3. Go’s design aligns with platform needs. Explicit errors, type safety, and static binaries all reduce surprises in production.
Bringing it home

This isn’t a “Perl vs. Go” story. It’s a story about deliberate simplification, taking a working Perl script and recasting it in Go. The aim is to see how the language’s choices shape a solution to the same problem.

The result is homebrew-semver-guard v0.1.0, a small but sturdy tool. It’s not feature-finished, but it’s production-ready in the ways that matter.

Next up: I’m considering more Go tools, maybe even Kubernetes for services on my home server. This port was practice, an artifact demonstrating platform engineering in action.

Links
- Original Perl script: brew-patch-upgrade.pl
- Go release: homebrew-semver-guard v0.1.0
- Last week’s post: Patch-Perfect: Smarter Homebrew Upgrades on macOS
October 5, 2025

Category: Programming

Migrating from Docker Desktop to Colima: When Hardened Images Break

The Plan (That Didn’t Survive Contact with Reality)

Obsolete Makefile references

The empty postgres17/ directory

Wrong database target

Version-​specific PGDATA paths

The DHI + Colima Incompatibility Discovery: VirtioFS bind mount ownership failures

The pragmatic trade-off

The Outcome

Key Takeaways

10 Lines to Better Docker Compose Secrets

Quick overview

How it works

The script

Notes about the script

Example Compose snippet

Decision points and alternatives

Risks and mitigations

Final notes

Claude Code CLI over SSH on macOS: Fixing Keychain Access

The Fix

How It Works

The broader lesson

Treating My Résumé Like Infrastructure

The problem and solution

Example: Platform engineering résumé

Example commands

Infrastructure thinking in practice

The code

Porting from Perl to Go: Simplifying for Platform Engineering

The problem with brew upgrade

Why port to Go?

The journey

Error handling philosophy

Dependency management

Type safety

Binary distribution

Semantic versioning logic

Deliberate simplification

Platform engineering insights

Bringing it home

Links

The empty `postgres17/` directory

Version-specific `PGDATA` paths

The problem with `brew upgrade`