gemini changes

Dockerfile

@@ -4,24 +4,24 @@ FROM debian:bookworm-slim
 ENV DEBIAN_FRONTEND=noninteractive
 
 # Update and install Swiss Army Knife tools
-RUN apt-get update && apt-get install -y \
+RUN apt-get update && apt-get install -y --no-install-recommends \
+    ca-certificates \
     curl \
     wget \
     git \
     jq \
     unzip \
     tar \
-    vim \
+    vim-nox \
     nano \
     python3 \
     python3-pip \
     python3-venv \
+    python3-full \
     build-essential \
     iputils-ping \
     dnsutils \
     net-tools \
-    nodejs \
-    npm \
     ffmpeg \
     openssh-server \
     openssh-client \
@@ -29,14 +29,20 @@ RUN apt-get update && apt-get install -y \
     ripgrep \
     ncdu \
     sudo \
+    && curl -fsSL https://deb.nodesource.com/setup_20.x | bash - \
+    && apt-get install -y nodejs \
     && rm -rf /var/lib/apt/lists/*
 
-# Install yq (binary release for latest version)
-RUN wget https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64 -O /usr/bin/yq && \
+# Install yq (v4.x)
+RUN YQ_VERSION="v4.40.5" && \
+    wget https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_amd64 -O /usr/bin/yq && \
     chmod +x /usr/bin/yq
-RUN wget https://downloads-openshift-console.apps.lab.apilab.us/amd64/linux/oc.tar -O /tmp/oc.tar && \
-    tar -xvf /tmp/oc.tar -C /usr/bin/ && \
-    rm /tmp/oc.tar && chmod +x /usr/bin/oc
+
+# Install OpenShift CLI (oc)
+RUN OC_VERSION="stable" && \
+    wget https://mirror.openshift.com/pub/openshift-v4/clients/ocp/${OC_VERSION}/openshift-client-linux.tar.gz -O /tmp/oc.tar.gz && \
+    tar -xvf /tmp/oc.tar.gz -C /usr/bin/ oc && \
+    rm /tmp/oc.tar.gz && chmod +x /usr/bin/oc
 
 # Setup SSH directory & Config for OpenShift (Random UID support)
 RUN mkdir -p /var/run/sshd && \
@@ -45,7 +51,19 @@ RUN mkdir -p /var/run/sshd && \
 # Custom sshd_config for non-root usage
 # StrictModes no: Required for non-root / random UID environments
 # PidFile: Point to /tmp for guaranteed write access
-RUN echo "Port 2222\nPermitRootLogin no\nPasswordAuthentication no\nPubkeyAuthentication yes\nStrictModes no\nPidFile /tmp/sshd.pid\nHostKey /data/ssh/ssh_host_rsa_key\nHostKey /data/ssh/ssh_host_ecdsa_key\nHostKey /data/ssh/ssh_host_ed25519_key\nAuthorizedKeysFile .ssh/authorized_keys\nChallengeResponseAuthentication no\nUsePAM yes\nSubsystem sftp /usr/lib/openssh/sftp-server" > /etc/ssh/sshd_config
+RUN printf "Port 2222\n\
+PermitRootLogin no\n\
+PasswordAuthentication no\n\
+PubkeyAuthentication yes\n\
+StrictModes no\n\
+PidFile /tmp/sshd.pid\n\
+HostKey /data/ssh/ssh_host_rsa_key\n\
+HostKey /data/ssh/ssh_host_ecdsa_key\n\
+HostKey /data/ssh/ssh_host_ed25519_key\n\
+AuthorizedKeysFile .ssh/authorized_keys\n\
+ChallengeResponseAuthentication no\n\
+UsePAM no\n\
+Subsystem sftp /usr/lib/openssh/sftp-server\n" > /etc/ssh/sshd_config
 
 # Create a user 'claw' (UID 1000) with sudo access
 RUN useradd -m -s /bin/bash -u 1000 claw && \
@@ -69,9 +87,14 @@ EXPOSE 2222
 USER claw
 
 # Start SSH daemon
-# Fix: StrictModes no handles permissions, but chmod 600 helps sanity.
-CMD ["/bin/bash", "-c", "mkdir -p /data/ssh && if [ ! -f /data/ssh/ssh_host_rsa_key ]; then \
-    echo 'Generating persistent host keys...'; \
-    ssh-keygen -f /data/ssh/ssh_host_rsa_key -N '' -t rsa; \
-    ssh-keygen -f /data/ssh/ssh_host_ecdsa_key -N '' -t ecdsa; \
-    ssh-keygen -f /data/ssh/ssh_host_ed25519_key -N '' -t ed25519; fi && chmod 600 /data/ssh/ssh_host_*_key && /usr/sbin/sshd -D -f /etc/ssh/sshd_config"]
+# The keys are generated if they don't exist on the persistent volume
+CMD ["/bin/bash", "-c", "\
+mkdir -p /data/ssh && \
+for keytype in rsa ecdsa ed25519; do \
+    if [ ! -f /data/ssh/ssh_host_${keytype}_key ]; then \
+        echo \"Generating persistent host ${keytype} key...\"; \
+        ssh-keygen -q -f /data/ssh/ssh_host_${keytype}_key -N '' -t ${keytype}; \
+    fi; \
+done && \
+chmod 600 /data/ssh/ssh_host_*_key && \
+/usr/sbin/sshd -D -e -f /etc/ssh/sshd_config"]

manifests/deployment.yaml

@@ -20,19 +20,21 @@ spec:
       serviceAccountName: clawd-sa
       securityContext:
         fsGroup: 1000
+        runAsNonRoot: true
       initContainers:
         - name: setup-ssh
-          image: docker.io/alpine:latest
+          image: busybox:latest
           command:
             - sh
             - -c
             - |
-              # 1. Fix data volume permissions
-              chown -R 1000:0 /data && chmod -R 775 /data
-
-              # 2. Setup writable SSH tirectory from Secret
+              # Fix data volume permissions if needed
+              # Note: On some systems this requires root in the init container
+              # but often fsGroup handles this.
+              mkdir -p /data/ssh && chmod 775 /data
+              
+              # Setup writable SSH directory from Secret
               cp /mnt/keys/authorized_keys /working-ssh/
-              chown 1000:0 /working-ssh/authorized_keys
               chmod 600 /working-ssh/authorized_keys
           volumeMounts:
             - name: data-volume
@@ -45,20 +47,7 @@ spec:
         - name: clawdbox
           image: default-route-openshift-image-registry.apps.lab.apilab.us/clawdbox/clawdbox:latest
           imagePullPolicy: Always
-          command:
-            - /bin/bash
-            - "-c"
-            - |
-              mkdir -p /data/ssh
-              if [ ! -f /data/ssh/ssh_host_rsa_key ]; then
-                echo 'Generating persistent host keys...'
-                ssh-keygen -f /data/ssh/ssh_host_rsa_key -N '' -t rsa
-                ssh-keygen -f /data/ssh/ssh_host_ecdsa_key -N '' -t ecdsa
-                ssh-keygen -f /data/ssh/ssh_host_ed25519_key -N '' -t ed25519
-              fi
-              chmod 600 /data/ssh/ssh_host_*_key
-              # Run sshd with PAM disabled and logging to stderr
-              /usr/sbin/sshd -D -e -f /etc/ssh/sshd_config -o UsePAM=no
+          # CMD is defined in Dockerfile, no need to override unless changing behavior
           ports:
             - containerPort: 2222
               name: ssh
@@ -90,17 +79,18 @@ spec:
               name: kubeconfig-secret
           resources:
             limits:
-              memory: "1Gi"
-              cpu: "1000m"
+              memory: "2Gi"
+              cpu: "2000m"
             requests:
-              memory: "128Mi"
-              cpu: "250m"
+              memory: "256Mi"
+              cpu: "500m"
           securityContext:
             runAsUser: 1000
             runAsGroup: 1000
-            allowPrivilegeEscalation: true
+            allowPrivilegeEscalation: false
             capabilities:
-              add: ["CAP_AUDIT_WRITE"]
+              drop: ["ALL"]
+              add: ["NET_BIND_SERVICE"]
       volumes:
         - name: data-volume
           persistentVolumeClaim:

manifests/rbac.yaml

@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: clawd-sa
+  namespace: clawdbox
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: clawd-sa-edit
+  namespace: clawdbox
+subjects:
+  - kind: ServiceAccount
+    name: clawd-sa
+    namespace: clawdbox
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: edit

manifests/route.yaml

@@ -1,16 +1,16 @@
 apiVersion: route.openshift.io/v1
 kind: Route
 metadata:
-  name: openclaw
-  namespace: openclaw
+  name: clawdbox
+  namespace: clawdbox
 spec:
   host: clawdbox.apps.lab.apilab.us
   to:
     kind: Service
-    name: clawrganizer
+    name: clawdbox
     weight: 100
   port:
-    targetPort: http
+    targetPort: ssh
   tls:
     termination: edge
     insecureEdgeTerminationPolicy: Redirect