hailin
/
it0
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix(bridge): remove user= from supervisord.conf to fix non-root startup 

Container runs as 'node' user (USER node in Dockerfile). Setting user=root
in [supervisord] causes "Can't drop privilege as nonroot user" error.
Remove all user= directives — user is managed at the Docker/container level.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
hailin 2026-03-08 05:07:25 -07:00
parent 90f11fc572
commit 688219ab74
1 changed files with 21 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
packages/openclaw-bridge/supervisord.conf
View File

@ -1,6 +1,7 @@
[supervisord] [supervisord]
nodaemon=true nodaemon=true
user=root ; No user= here: container already runs as 'node' (USER node in Dockerfile).
; Setting user=root when running as non-root causes "Can't drop privilege" error.
logfile=/dev/stdout logfile=/dev/stdout
logfile_maxbytes=0 logfile_maxbytes=0
pidfile=/tmp/supervisord.pid pidfile=/tmp/supervisord.pid
@ -9,7 +10,7 @@ pidfile=/tmp/supervisord.pid
[program:openclaw] [program:openclaw]
command=node /app/openclaw/dist/openclaw.mjs command=node /app/openclaw/dist/openclaw.mjs
directory=/app/openclaw directory=/app/openclaw
user=node ; No user= — inherited from container user
autostart=true autostart=true
autorestart=true autorestart=true
startretries=5 startretries=5
@ -23,7 +24,7 @@ environment=HOME="/home/node",NODE_ENV="production",OPENCLAW_GATEWAY_TOKEN="%(EN
[program:it0-bridge] [program:it0-bridge]
command=node /app/bridge/dist/index.js command=node /app/bridge/dist/index.js
directory=/app/bridge directory=/app/bridge
user=node ; No user= — inherited from container user
autostart=true autostart=true
autorestart=true autorestart=true
startretries=10 startretries=10
@ -33,3 +34,20 @@ stdout_logfile_maxbytes=0
stderr_logfile=/dev/stderr stderr_logfile=/dev/stderr
stderr_logfile_maxbytes=0 stderr_logfile_maxbytes=0
environment=HOME="/home/node",BRIDGE_PORT="3000",OPENCLAW_GATEWAY_URL="ws://127.0.0.1:18789",OPENCLAW_GATEWAY_TOKEN="%(ENV_OPENCLAW_GATEWAY_TOKEN)s",IT0_INSTANCE_ID="%(ENV_IT0_INSTANCE_ID)s",IT0_AGENT_SERVICE_URL="%(ENV_IT0_AGENT_SERVICE_URL)s" environment=HOME="/home/node",BRIDGE_PORT="3000",OPENCLAW_GATEWAY_URL="ws://127.0.0.1:18789",OPENCLAW_GATEWAY_TOKEN="%(ENV_OPENCLAW_GATEWAY_TOKEN)s",IT0_INSTANCE_ID="%(ENV_IT0_INSTANCE_ID)s",IT0_AGENT_SERVICE_URL="%(ENV_IT0_AGENT_SERVICE_URL)s"
; DingTalk Channel — stays running only if DINGTALK_CLIENT_ID is set.
; Clean exit (code 0) = not configured → supervisord leaves it EXITED, no restart loop.
[program:dingtalk-channel]
command=/app/bridge/start-dingtalk.sh
directory=/app/bridge
; No user= — inherited from container user
autostart=true
autorestart=unexpected
exitcodes=0
startretries=5
startsecs=10
stdout_logfile=/dev/stdout
stdout_logfile_maxbytes=0
stderr_logfile=/dev/stderr
stderr_logfile_maxbytes=0
environment=HOME="/home/node",OPENCLAW_GATEWAY_URL="ws://127.0.0.1:18789",OPENCLAW_GATEWAY_TOKEN="%(ENV_OPENCLAW_GATEWAY_TOKEN)s",DINGTALK_CLIENT_ID="%(ENV_DINGTALK_CLIENT_ID)s",DINGTALK_CLIENT_SECRET="%(ENV_DINGTALK_CLIENT_SECRET)s"