fix: use root entrypoint to copy SSH key then drop to appuser
The bind-mounted SSH key is owned by host uid (1000/node) but the service runs as appuser (uid 1001). Use su-exec in entrypoint.sh to copy the key as root, fix ownership, then drop privileges. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
parent
329916e1f6
commit
bad7f4802d
|
|
@ -39,8 +39,8 @@ RUN pnpm turbo build --filter='./packages/shared/*' --filter=@it0/${SERVICE_NAME
|
||||||
# ===== Production Stage =====
|
# ===== Production Stage =====
|
||||||
FROM node:18-alpine
|
FROM node:18-alpine
|
||||||
|
|
||||||
# Install bash (required by Claude Agent SDK Bash tool) + openssh-client (for SSH to managed servers)
|
# Install bash (required by Claude Agent SDK Bash tool) + openssh-client (for SSH to managed servers) + su-exec (for privilege drop)
|
||||||
RUN apk add --no-cache bash openssh-client
|
RUN apk add --no-cache bash openssh-client su-exec
|
||||||
|
|
||||||
RUN corepack enable
|
RUN corepack enable
|
||||||
|
|
||||||
|
|
@ -79,12 +79,15 @@ COPY --from=builder /app/packages/shared/database/src/migrations packages/servic
|
||||||
|
|
||||||
WORKDIR /app/packages/services/${SERVICE_NAME}
|
WORKDIR /app/packages/services/${SERVICE_NAME}
|
||||||
|
|
||||||
# Run as non-root user (required for SDK bypassPermissions mode)
|
# Create non-root user for service runtime
|
||||||
RUN adduser -D -h /home/appuser appuser && \
|
RUN adduser -D -h /home/appuser appuser && \
|
||||||
mkdir -p /data/claude-tenants && \
|
mkdir -p /data/claude-tenants && \
|
||||||
mkdir -p /home/appuser/.ssh && chmod 700 /home/appuser/.ssh && \
|
mkdir -p /home/appuser/.ssh && chmod 700 /home/appuser/.ssh && \
|
||||||
chown -R appuser:appuser /app /data/claude-tenants /home/appuser/.ssh
|
chown -R appuser:appuser /app /data/claude-tenants /home/appuser/.ssh
|
||||||
USER appuser
|
|
||||||
|
# Copy entrypoint script (runs as root to fix SSH key permissions, then drops to appuser)
|
||||||
|
COPY deploy/docker/entrypoint.sh /entrypoint.sh
|
||||||
|
RUN chmod +x /entrypoint.sh
|
||||||
|
|
||||||
ARG SERVICE_PORT=3000
|
ARG SERVICE_PORT=3000
|
||||||
EXPOSE ${SERVICE_PORT}
|
EXPOSE ${SERVICE_PORT}
|
||||||
|
|
@ -93,5 +96,4 @@ ENV SERVICE_NAME=${SERVICE_NAME}
|
||||||
ENV NODE_OPTIONS="--experimental-global-webcrypto"
|
ENV NODE_OPTIONS="--experimental-global-webcrypto"
|
||||||
ENV SHELL=/bin/bash
|
ENV SHELL=/bin/bash
|
||||||
|
|
||||||
# Entrypoint: copy host-mounted SSH key with correct ownership, then start service
|
ENTRYPOINT ["/entrypoint.sh"]
|
||||||
CMD sh -c 'if [ -f /tmp/host-ssh-key ]; then cp /tmp/host-ssh-key /home/appuser/.ssh/id_ed25519 && chmod 600 /home/appuser/.ssh/id_ed25519; fi && node dist/services/${SERVICE_NAME}/src/main'
|
|
||||||
|
|
|
||||||
|
|
@ -0,0 +1,10 @@
|
||||||
|
#!/bin/sh
|
||||||
|
# Copy host-mounted SSH key with correct ownership before dropping to appuser
|
||||||
|
if [ -f /tmp/host-ssh-key ]; then
|
||||||
|
cp /tmp/host-ssh-key /home/appuser/.ssh/id_ed25519
|
||||||
|
chmod 600 /home/appuser/.ssh/id_ed25519
|
||||||
|
chown appuser:appuser /home/appuser/.ssh/id_ed25519
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Drop privileges and start the service
|
||||||
|
exec su-exec appuser node dist/services/${SERVICE_NAME}/src/main
|
||||||
Loading…
Reference in New Issue