From ae7d9251ec168aefea1dbb7bdaf0d3beacdb8cb4 Mon Sep 17 00:00:00 2001
From: hailin
Date: Thu, 26 Feb 2026 18:05:30 -0800
Subject: [PATCH] fix: add route for host-local IP (14.215.128.96) in agent container

14.215.128.96 is bound to a host NIC (enp5s0) and unreachable from Docker bridge via default NAT. Add NET_ADMIN + ip route via gateway.

Co-Authored-By: Claude Opus 4.6
---
 deploy/docker/docker-compose.yml | 2 ++
 entrypoint.sh | 7 +++++++
 2 files changed, 9 insertions(+)

diff --git a/deploy/docker/docker-compose.yml b/deploy/docker/docker-compose.yml
index 60127c2..f80ab83 100644
--- a/deploy/docker/docker-compose.yml
+++ b/deploy/docker/docker-compose.yml
@@ -116,6 +116,8 @@ services:
 SERVICE_PORT: 3002
 container_name: it0-agent-service
 restart: unless-stopped
+ cap_add:
+ - NET_ADMIN
 ports:
 - "13002:3002"
 volumes:
diff --git a/entrypoint.sh b/entrypoint.sh
index 773f73d..07ef9f2 100644
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -6,5 +6,12 @@ if [ -f /tmp/host-ssh-key ]; then
 chown appuser:appuser /home/appuser/.ssh/id_ed25519
 fi
 
+# Route host-local IPs through Docker gateway (for IPs bound to host NICs)
+# 14.215.128.96 is on the host's enp5s0 NIC, unreachable via default Docker NAT
+GATEWAY=$(ip route | awk '/default/ {print $3}')
+if [ -n "$GATEWAY" ]; then
+ ip route add 14.215.128.96/32 via "$GATEWAY" 2>/dev/null || true
+fi
+
 # Drop privileges and start the service
 exec su-exec appuser node dist/services/${SERVICE_NAME}/src/main
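Review bot: The /32 route that `cap_add: NET_ADMIN` is granted for points at the same next hop as the container's default route (the entrypoint reads the gateway from the default route and sends 14.215.128.96/32 to it), so on a plain bridge network it should not change forwarding, and the capability would then be held for no effect; worth confirming with `ip route get 14.215.128.96` inside the container before keeping the grant. If the route does turn out to be needed, the reason belongs next to the capability so the next reader does not have to find the entrypoint, e.g. `# NET_ADMIN: entrypoint.sh installs a /32 route for 14.215.128.96 before su-exec drops to appuser`. NET_ADMIN also lets the root phase of the container rewrite its own routing and netfilter state, so it is worth stating in the same comment that nothing after the su-exec line (in the entrypoint.sh hunk of this commit) is expected to rely on it.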
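Review bot: `ip route add 14.215.128.96/32 via "$GATEWAY" 2>/dev/null || true` hides every failure, including the ones this commit depends on — if NET_ADMIN is not granted, `ip` is absent from the image, or the gateway is wrong, the service starts with no trace that the route was never installed. `ip route replace` is idempotent across container restarts (no "File exists" on a second run), so stderr can be left open and only a warning added: `ip route replace 14.215.128.96/32 via "$GATEWAY" || echo "entrypoint: route for 14.215.128.96 via $GATEWAY not installed" >&2`. The lookup `awk '/default/ {print $3}'` prints one line per matching route, so with more than one default route GATEWAY carries an embedded newline and the `via` argument is malformed; `GATEWAY=$(ip -4 route show default | awk 'NR==1 {print $3}')` takes the first IPv4 one. The address and its host NIC are hard-coded in two comments and one command; a short comment naming the environment this applies to (or reading the address from an environment variable set in docker-compose.yml) would keep the entrypoint usable on hosts without enp5s0.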