From 8fe712cda7712cfbd643c23c84c80cfd579a59a2 Mon Sep 17 00:00:00 2001 From: Conan Scott Date: Sat, 7 Mar 2026 23:29:56 +1100 Subject: [PATCH] gemini changes --- Dockerfile | 55 +++++++++++++++++++++++++++------------ manifests/deployment.yaml | 42 ++++++++++++------------------ manifests/rbac.yaml | 19 ++++++++++++++ manifests/route.yaml | 8 +++--- 4 files changed, 78 insertions(+), 46 deletions(-) create mode 100644 manifests/rbac.yaml diff --git a/Dockerfile b/Dockerfile index 296051f..414fbb2 100644 --- a/Dockerfile +++ b/Dockerfile @@ -4,24 +4,24 @@ FROM debian:bookworm-slim ENV DEBIAN_FRONTEND=noninteractive # Update and install Swiss Army Knife tools -RUN apt-get update && apt-get install -y \ +RUN apt-get update && apt-get install -y --no-install-recommends \ + ca-certificates \ curl \ wget \ git \ jq \ unzip \ tar \ - vim \ + vim-nox \ nano \ python3 \ python3-pip \ python3-venv \ + python3-full \ build-essential \ iputils-ping \ dnsutils \ net-tools \ - nodejs \ - npm \ ffmpeg \ openssh-server \ openssh-client \ @@ -29,14 +29,20 @@ RUN apt-get update && apt-get install -y \ ripgrep \ ncdu \ sudo \ + && curl -fsSL https://deb.nodesource.com/setup_20.x | bash - \ + && apt-get install -y nodejs \ && rm -rf /var/lib/apt/lists/* -# Install yq (binary release for latest version) -RUN wget https://github.com/mikefarah/yq/releases/latest/download/yq_linux_amd64 -O /usr/bin/yq && \ +# Install yq (v4.x) +RUN YQ_VERSION="v4.40.5" && \ + wget https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_amd64 -O /usr/bin/yq && \ chmod +x /usr/bin/yq -RUN wget https://downloads-openshift-console.apps.lab.apilab.us/amd64/linux/oc.tar -O /tmp/oc.tar && \ - tar -xvf /tmp/oc.tar -C /usr/bin/ && \ - rm /tmp/oc.tar && chmod +x /usr/bin/oc + +# Install OpenShift CLI (oc) +RUN OC_VERSION="stable" && \ + wget https://mirror.openshift.com/pub/openshift-v4/clients/ocp/${OC_VERSION}/openshift-client-linux.tar.gz -O /tmp/oc.tar.gz && \ + tar -xvf /tmp/oc.tar.gz -C /usr/bin/ oc && \ + rm /tmp/oc.tar.gz && chmod +x /usr/bin/oc # Setup SSH directory & Config for OpenShift (Random UID support) RUN mkdir -p /var/run/sshd && \ @@ -45,7 +51,19 @@ RUN mkdir -p /var/run/sshd && \ # Custom sshd_config for non-root usage # StrictModes no: Required for non-root / random UID environments # PidFile: Point to /tmp for guaranteed write access -RUN echo "Port 2222\nPermitRootLogin no\nPasswordAuthentication no\nPubkeyAuthentication yes\nStrictModes no\nPidFile /tmp/sshd.pid\nHostKey /data/ssh/ssh_host_rsa_key\nHostKey /data/ssh/ssh_host_ecdsa_key\nHostKey /data/ssh/ssh_host_ed25519_key\nAuthorizedKeysFile .ssh/authorized_keys\nChallengeResponseAuthentication no\nUsePAM yes\nSubsystem sftp /usr/lib/openssh/sftp-server" > /etc/ssh/sshd_config +RUN printf "Port 2222\n\ +PermitRootLogin no\n\ +PasswordAuthentication no\n\ +PubkeyAuthentication yes\n\ +StrictModes no\n\ +PidFile /tmp/sshd.pid\n\ +HostKey /data/ssh/ssh_host_rsa_key\n\ +HostKey /data/ssh/ssh_host_ecdsa_key\n\ +HostKey /data/ssh/ssh_host_ed25519_key\n\ +AuthorizedKeysFile .ssh/authorized_keys\n\ +ChallengeResponseAuthentication no\n\ +UsePAM no\n\ +Subsystem sftp /usr/lib/openssh/sftp-server\n" > /etc/ssh/sshd_config # Create a user 'claw' (UID 1000) with sudo access RUN useradd -m -s /bin/bash -u 1000 claw && \ @@ -69,9 +87,14 @@ EXPOSE 2222 USER claw # Start SSH daemon -# Fix: StrictModes no handles permissions, but chmod 600 helps sanity. -CMD ["/bin/bash", "-c", "mkdir -p /data/ssh && if [ ! -f /data/ssh/ssh_host_rsa_key ]; then \ - echo 'Generating persistent host keys...'; \ - ssh-keygen -f /data/ssh/ssh_host_rsa_key -N '' -t rsa; \ - ssh-keygen -f /data/ssh/ssh_host_ecdsa_key -N '' -t ecdsa; \ - ssh-keygen -f /data/ssh/ssh_host_ed25519_key -N '' -t ed25519; fi && chmod 600 /data/ssh/ssh_host_*_key && /usr/sbin/sshd -D -f /etc/ssh/sshd_config"] +# The keys are generated if they don't exist on the persistent volume +CMD ["/bin/bash", "-c", "\ +mkdir -p /data/ssh && \ +for keytype in rsa ecdsa ed25519; do \ + if [ ! -f /data/ssh/ssh_host_${keytype}_key ]; then \ + echo \"Generating persistent host ${keytype} key...\"; \ + ssh-keygen -q -f /data/ssh/ssh_host_${keytype}_key -N '' -t ${keytype}; \ + fi; \ +done && \ +chmod 600 /data/ssh/ssh_host_*_key && \ +/usr/sbin/sshd -D -e -f /etc/ssh/sshd_config"] diff --git a/manifests/deployment.yaml b/manifests/deployment.yaml index caaf332..5965248 100644 --- a/manifests/deployment.yaml +++ b/manifests/deployment.yaml @@ -20,19 +20,21 @@ spec: serviceAccountName: clawd-sa securityContext: fsGroup: 1000 + runAsNonRoot: true initContainers: - name: setup-ssh - image: docker.io/alpine:latest + image: busybox:latest command: - sh - -c - | - # 1. Fix data volume permissions - chown -R 1000:0 /data && chmod -R 775 /data - - # 2. Setup writable SSH tirectory from Secret + # Fix data volume permissions if needed + # Note: On some systems this requires root in the init container + # but often fsGroup handles this. + mkdir -p /data/ssh && chmod 775 /data + + # Setup writable SSH directory from Secret cp /mnt/keys/authorized_keys /working-ssh/ - chown 1000:0 /working-ssh/authorized_keys chmod 600 /working-ssh/authorized_keys volumeMounts: - name: data-volume @@ -45,20 +47,7 @@ spec: - name: clawdbox image: default-route-openshift-image-registry.apps.lab.apilab.us/clawdbox/clawdbox:latest imagePullPolicy: Always - command: - - /bin/bash - - "-c" - - | - mkdir -p /data/ssh - if [ ! -f /data/ssh/ssh_host_rsa_key ]; then - echo 'Generating persistent host keys...' - ssh-keygen -f /data/ssh/ssh_host_rsa_key -N '' -t rsa - ssh-keygen -f /data/ssh/ssh_host_ecdsa_key -N '' -t ecdsa - ssh-keygen -f /data/ssh/ssh_host_ed25519_key -N '' -t ed25519 - fi - chmod 600 /data/ssh/ssh_host_*_key - # Run sshd with PAM disabled and logging to stderr - /usr/sbin/sshd -D -e -f /etc/ssh/sshd_config -o UsePAM=no + # CMD is defined in Dockerfile, no need to override unless changing behavior ports: - containerPort: 2222 name: ssh @@ -90,17 +79,18 @@ spec: name: kubeconfig-secret resources: limits: - memory: "1Gi" - cpu: "1000m" + memory: "2Gi" + cpu: "2000m" requests: - memory: "128Mi" - cpu: "250m" + memory: "256Mi" + cpu: "500m" securityContext: runAsUser: 1000 runAsGroup: 1000 - allowPrivilegeEscalation: true + allowPrivilegeEscalation: false capabilities: - add: ["CAP_AUDIT_WRITE"] + drop: ["ALL"] + add: ["NET_BIND_SERVICE"] volumes: - name: data-volume persistentVolumeClaim: diff --git a/manifests/rbac.yaml b/manifests/rbac.yaml new file mode 100644 index 0000000..72505cb --- /dev/null +++ b/manifests/rbac.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: clawd-sa + namespace: clawdbox +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: clawd-sa-edit + namespace: clawdbox +subjects: + - kind: ServiceAccount + name: clawd-sa + namespace: clawdbox +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: edit diff --git a/manifests/route.yaml b/manifests/route.yaml index b6516ae..1d5af95 100644 --- a/manifests/route.yaml +++ b/manifests/route.yaml @@ -1,16 +1,16 @@ apiVersion: route.openshift.io/v1 kind: Route metadata: - name: openclaw - namespace: openclaw + name: clawdbox + namespace: clawdbox spec: host: clawdbox.apps.lab.apilab.us to: kind: Service - name: clawrganizer + name: clawdbox weight: 100 port: - targetPort: http + targetPort: ssh tls: termination: edge insecureEdgeTerminationPolicy: Redirect