8 changes: 8 additions & 0 deletions Dockerfile
Expand Up @@ -19,4 +19,12 @@ RUN uv venv /opt/avakas && \
uv pip install --python /opt/avakas/bin/python /tmp/avakas && \
rm -rf /tmp/avakas

# Support non-root usage: create writable home at /avakas-home.
# When run with -u UID:GID, the user has no /etc/passwd entry and
# HOME defaults to /. This gives a predictable writable HOME.
RUN mkdir -p /avakas-home/.ssh && \
chmod a+rwx /avakas-home && \
chmod a+rwx /avakas-home/.ssh
ENV HOME=/avakas-home

ENTRYPOINT ["docker-entrypoint"]
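Review bot: The two `chmod a+rwx` lines leave `/avakas-home` and `/avakas-home/.ssh` world-writable with no sticky bit, so any UID that runs in the container can delete or replace files another UID wrote there, including the `known_hosts` file that host-key verification depends on. The directories are created by the build user, so a container started with an arbitrary `-u UID:GID` presumably does not own them; the entrypoint's `chmod -R og-rwx` then cannot tighten the directory itself, and that failure is silenced by `2>/dev/null || true`. If arbitrary-UID support is the goal, `chmod 1777 /avakas-home /avakas-home/.ssh` at least gives `/tmp`-style semantics. The comment above the `RUN` should also say that the image assumes a single user per container, since that is the trust assumption that remains.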
26 changes: 23 additions & 3 deletions scripts/docker-entrypoint
Expand Up @@ -18,7 +18,15 @@ fi

ARGS="$*"
if [ "$ACTION" = "bump" ] || [ "$ACTION" = "set" ] ; then
mkdir -p "${HOME}/.ssh"
# Ensure writable SSH config directory
SSH_DIR="${HOME}/.ssh"
mkdir -p "${SSH_DIR}" 2>/dev/null || {
# HOME may be unwritable (e.g., /root when running as non-root)
SSH_DIR="/tmp/.ssh"
mkdir -p "${SSH_DIR}"
export HOME="/tmp"
}

if [ -z "$SSH_AUTH_SOCK" ] ; then
if [ ! -e "$SSH_KEY" ] ; then
problems "SSH private key not found"
Expand All @@ -28,10 +36,22 @@ if [ "$ACTION" = "bump" ] || [ "$ACTION" = "set" ] ; then
fi
fi
fi
ssh-keyscan "$SSH_SCAN_HOST" 2> /dev/null 1> "${HOME}/.ssh/known_hosts" || problems "Unable to load git host key"
chmod -R og-rwx "${HOME}/.ssh"

if [ -n "$SSH_SCAN_HOST" ] ; then
ssh-keyscan "$SSH_SCAN_HOST" 2>/dev/null 1>"${SSH_DIR}/known_hosts" || problems "Unable to load git host key"
fi
chmod -R og-rwx "${SSH_DIR}" 2>/dev/null || true

# Tell SSH/git to use our known_hosts location explicitly.
# OpenSSH reads config from /etc/passwd home, not $HOME.
export GIT_SSH_COMMAND="ssh -o UserKnownHostsFile=${SSH_DIR}/known_hosts"
fi

# Mark mounted directories as safe for git (ownership mismatch in containers).
# Use --system so it lands in /etc/gitconfig, which git always reads
# regardless of HOME or /etc/passwd mismatches.
git config --system --add safe.directory '*'

if [ -e "/etc/avakas/avakasrc" ] ; then
# shellcheck disable=SC1091
. /etc/avakas/avakasrc
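Review bot: `git config --system --add safe.directory '*'` in the second hunk turns off git's repository-ownership check for every path, not only the mounted work tree, so git will honour the config and hooks of any repository it is pointed at inside the container. It also runs on every start as the runtime user: under the `-u UID:GID` case this commit targets, `/etc/gitconfig` is presumably not writable, so the call would fail (whether that aborts the script depends on a `set -e` outside this view), and as root it appends a duplicate entry on each run. Consider moving it to the Dockerfile and scoping it to the mount point, e.g. `RUN git config --system --add safe.directory /path/to/workdir` (placeholder path; the real mount point is not shown on this page). If the wildcard is kept, the comment should say that it is a deliberate trade-off.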