From 3ed20cdf08def4257520e145df35ead6e94d2ec7 Mon Sep 17 00:00:00 2001
From: hailin
Date: Thu, 26 Feb 2026 18:11:44 -0800
Subject: [PATCH] refactor: clean up agent SSH setup after fixing host-local routing
- Remove iproute2/NET_ADMIN (no longer needed)
- Remove ip route hack from entrypoint.sh
- rwa-colocation-2 server record updated to use Docker gateway IP since 14.215.128.96 is a host-local NIC on the IT0 server
Co-Authored-By: Claude Opus 4.6
---
 Dockerfile.service | 2 +-
 deploy/docker/docker-compose.yml | 2 --
 entrypoint.sh | 7 -------
 3 files changed, 1 insertion(+), 10 deletions(-)
diff --git a/Dockerfile.service b/Dockerfile.service
index 872c072..fbcf475 100644
--- a/Dockerfile.service
+++ b/Dockerfile.service
@@ -40,7 +40,7 @@ RUN pnpm turbo build --filter='./packages/shared/*' --filter=@it0/${SERVICE_NAME
 FROM node:18-alpine
 # Install bash (required by Claude Agent SDK Bash tool) + openssh-client (for SSH to managed servers) + su-exec (for privilege drop)
-RUN apk add --no-cache bash openssh-client su-exec iproute2
+RUN apk add --no-cache bash openssh-client su-exec
 RUN corepack enable
diff --git a/deploy/docker/docker-compose.yml b/deploy/docker/docker-compose.yml
index f80ab83..60127c2 100644
--- a/deploy/docker/docker-compose.yml
+++ b/deploy/docker/docker-compose.yml
@@ -116,8 +116,6 @@ services:
 SERVICE_PORT: 3002
 container_name: it0-agent-service
 restart: unless-stopped
- cap_add:
- - NET_ADMIN
 ports:
 - "13002:3002"
 volumes:
diff --git a/entrypoint.sh b/entrypoint.sh
index 07ef9f2..773f73d 100644
--- a/entrypoint.sh
+++ b/entrypoint.sh
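Review bot: The rewritten `RUN apk add --no-cache bash openssh-client su-exec` line still installs every package unpinned, so two builds of the same Dockerfile can ship different openssh-client builds with no diff to review (hadolint DL3018). Since this is the client the agent uses to reach managed servers, pin it and the other two, e.g. `RUN apk add --no-cache bash=<ver> openssh-client=<ver> su-exec=<ver>`, or leave a comment stating that version drift is accepted and why. The unchanged `FROM node:18-alpine` context line is pinned only to a major version and Node 18 is, as far as I know, past upstream end-of-life as of this commit's date, so a base-image bump plus a digest pin is worth a follow-up, though it is outside this change. The FROM and RUN lines here are top-level stage instructions, so no enclosing block is cut by the hunk.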
@@ -6,12 +6,5 @@ if [ -f /tmp/host-ssh-key ]; then
 chown appuser:appuser /home/appuser/.ssh/id_ed25519
 fi
-# Route host-local IPs through Docker gateway (for IPs bound to host NICs)
-# 14.215.128.96 is on the host's enp5s0 NIC, unreachable via default Docker NAT
-GATEWAY=$(ip route | awk '/default/ {print $3}')
-if [ -n "$GATEWAY" ]; then
- ip route add 14.215.128.96/32 via "$GATEWAY" 2>/dev/null || true
-fi
-
 # Drop privileges and start the service
 exec su-exec appuser node dist/services/${SERVICE_NAME}/src/main