fix: correct SSH key permissions in agent-service container

Mount host key to /tmp/host-ssh-key (read-only), then copy to appuser's .ssh directory with correct ownership at container start. Fixes "Permission denied" due to uid mismatch on bind mount. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-26 12:00:02 -08:00 · 2026-02-26 12:00:02 -08:00 · 329916e1f6
parent 795e8a11c5
commit 329916e1f6
2 changed files with 4 additions and 2 deletions
--- a/Dockerfile.service
+++ b/Dockerfile.service
@ -92,4 +92,6 @@ EXPOSE ${SERVICE_PORT}
 ENV SERVICE_NAME=${SERVICE_NAME}
 ENV NODE_OPTIONS="--experimental-global-webcrypto"
 ENV SHELL=/bin/bash
-CMD node dist/services/${SERVICE_NAME}/src/main
+
+# Entrypoint: copy host-mounted SSH key with correct ownership, then start service
+CMD sh -c 'if [ -f /tmp/host-ssh-key ]; then cp /tmp/host-ssh-key /home/appuser/.ssh/id_ed25519 && chmod 600 /home/appuser/.ssh/id_ed25519; fi && node dist/services/${SERVICE_NAME}/src/main'
--- a/deploy/docker/docker-compose.yml
+++ b/deploy/docker/docker-compose.yml
@ -122,7 +122,7 @@ services:
      - ${HOME}/.claude:/home/appuser/.claude
      - ${HOME}/.claude.json:/home/appuser/.claude.json
      - claude_tenants:/data/claude-tenants
-      - ${HOME}/.ssh/id_ed25519:/home/appuser/.ssh/id_ed25519:ro
+      - ${HOME}/.ssh/id_ed25519:/tmp/host-ssh-key:ro
    environment:
      - DB_HOST=postgres
      - DB_PORT=5432