mirror of
https://github.com/KeygraphHQ/shannon.git
synced 2026-07-02 11:35:38 +02:00
fix: resolve Docker bind mount permission errors on Linux
Use entrypoint-based UID remapping instead of --user flag so the container's pentest user matches the host UID/GID, keeping bind-mounted volumes writable. Git config moved to --system level to survive remapping.
This commit is contained in:
+9
-8
@@ -123,10 +123,15 @@ RUN gem install addressable
|
||||
COPY --from=builder /usr/lib/python3.*/site-packages /usr/lib/python3.12/site-packages
|
||||
COPY --from=builder /usr/bin/schemathesis /usr/bin/
|
||||
|
||||
# Create non-root user for security
|
||||
# Create non-root user
|
||||
RUN addgroup -g 1001 pentest && \
|
||||
adduser -u 1001 -G pentest -s /bin/bash -D pentest
|
||||
|
||||
# System-level git config (survives UID remapping in entrypoint)
|
||||
RUN git config --system user.email "agent@localhost" && \
|
||||
git config --system user.name "Pentest Agent" && \
|
||||
git config --system --add safe.directory '*'
|
||||
|
||||
# Set working directory
|
||||
WORKDIR /app
|
||||
|
||||
@@ -148,8 +153,8 @@ RUN mkdir -p /app/sessions /app/deliverables /app/repos /app/workspaces && \
|
||||
chmod 777 /tmp/.npm && \
|
||||
chown -R pentest:pentest /app
|
||||
|
||||
# Switch to non-root user
|
||||
USER pentest
|
||||
COPY entrypoint.sh /app/entrypoint.sh
|
||||
RUN chmod +x /app/entrypoint.sh
|
||||
|
||||
# Set environment variables
|
||||
ENV NODE_ENV=production
|
||||
@@ -162,9 +167,5 @@ ENV HOME=/tmp
|
||||
ENV XDG_CACHE_HOME=/tmp/.cache
|
||||
ENV XDG_CONFIG_HOME=/tmp/.config
|
||||
|
||||
# Configure Git identity and trust all directories
|
||||
RUN git config --global user.email "agent@localhost" && \
|
||||
git config --global user.name "Pentest Agent" && \
|
||||
git config --global --add safe.directory '*'
|
||||
|
||||
ENTRYPOINT ["/app/entrypoint.sh"]
|
||||
CMD ["node", "apps/worker/dist/temporal/worker.js"]
|
||||
|
||||
@@ -3,6 +3,7 @@
|
||||
*/
|
||||
|
||||
import { execFileSync } from 'node:child_process';
|
||||
import os from 'node:os';
|
||||
import { getWorkerImage } from '../docker.js';
|
||||
import { getWorkspacesDir } from '../home.js';
|
||||
|
||||
@@ -24,7 +25,7 @@ export function workspaces(version: string): void {
|
||||
'node',
|
||||
'apps/worker/dist/temporal/workspaces.js',
|
||||
],
|
||||
{ stdio: 'inherit' },
|
||||
{ stdio: 'inherit', ...(os.platform() === 'win32' && { env: { ...process.env, MSYS_NO_PATHCONV: '1' } }) },
|
||||
);
|
||||
} catch {
|
||||
console.error('ERROR: Failed to list workspaces. Is the Docker image available?');
|
||||
|
||||
@@ -207,6 +207,11 @@ export function spawnWorker(opts: WorkerOptions): ChildProcess {
|
||||
// Add host flag for Linux
|
||||
args.push(...addHostFlag());
|
||||
|
||||
// UID remapping for Linux bind mounts
|
||||
if (os.platform() === 'linux' && process.getuid && process.getgid) {
|
||||
args.push('-e', `SHANNON_HOST_UID=${process.getuid()}`, '-e', `SHANNON_HOST_GID=${process.getgid()}`);
|
||||
}
|
||||
|
||||
// Volume mounts
|
||||
args.push('-v', `${opts.workspacesDir}:/app/workspaces`);
|
||||
args.push('-v', `${opts.repo.hostPath}:${opts.repo.containerPath}`);
|
||||
@@ -257,7 +262,8 @@ export function spawnWorker(opts: WorkerOptions): ChildProcess {
|
||||
args.push('--pipeline-testing');
|
||||
}
|
||||
|
||||
return spawn('docker', args, { stdio: 'pipe' });
|
||||
// Prevent MSYS/Git Bash from converting Unix paths (e.g. /repos/my-repo) to Windows paths
|
||||
return spawn('docker', args, { stdio: 'pipe', ...(os.platform() === 'win32' && { env: { ...process.env, MSYS_NO_PATHCONV: '1' } }) });
|
||||
}
|
||||
|
||||
/**
|
||||
|
||||
Executable
+18
@@ -0,0 +1,18 @@
|
||||
#!/bin/bash
|
||||
set -euo pipefail
|
||||
|
||||
TARGET_UID="${SHANNON_HOST_UID:-}"
|
||||
TARGET_GID="${SHANNON_HOST_GID:-}"
|
||||
CURRENT_UID=$(id -u pentest 2>/dev/null || echo "")
|
||||
|
||||
if [ -n "$TARGET_UID" ] && [ "$TARGET_UID" != "$CURRENT_UID" ]; then
|
||||
deluser pentest 2>/dev/null || true
|
||||
delgroup pentest 2>/dev/null || true
|
||||
|
||||
addgroup -g "$TARGET_GID" pentest
|
||||
adduser -u "$TARGET_UID" -G pentest -s /bin/bash -D pentest
|
||||
|
||||
chown -R pentest:pentest /app/sessions /app/deliverables /app/workspaces
|
||||
fi
|
||||
|
||||
exec su pentest -c "exec $*"
|
||||
Reference in New Issue
Block a user