CyberCoveLLC/Triple-C
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 128 Wiki Activity

Fix UID/GID mismatch and SSH key permissions in container
All checks were successful
Build Container / build-container (push) Successful in 3m42s
Details

Browse Source 
- Entrypoint now runs as root to remap the container's claude user
  UID/GID to match the host user, fixing bind mount permission errors
  on WSL
- SSH keys are mounted read-only to a staging path (/tmp/.host-ssh)
  and copied to ~/.ssh with correct permissions by the entrypoint
- Exec sessions explicitly run as the claude user
- Host UID/GID detected automatically and passed as env vars

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Josh Knapp
2026-02-27 04:36:01 +00:00
parent 97a0745ead
commit 625260b060
4 changed files with 64 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
app/src-tauri/src/docker/container.rs
View File

@@ -49,6 +49,21 @@ pub async fn create_container(
let mut env_vars: Vec<String> = Vec::new(); let mut env_vars: Vec<String> = Vec::new();
// Pass host UID/GID so the entrypoint can remap the container user
#[cfg(unix)]
{
let uid = std::process::Command::new("id").arg("-u").output();
let gid = std::process::Command::new("id").arg("-g").output();
if let Ok(out) = uid {
let val = String::from_utf8_lossy(&out.stdout).trim().to_string();
env_vars.push(format!("HOST_UID={}", val));
}
if let Ok(out) = gid {
let val = String::from_utf8_lossy(&out.stdout).trim().to_string();
env_vars.push(format!("HOST_GID={}", val));
}
}
if let Some(key) = api_key { if let Some(key) = api_key {
env_vars.push(format!("ANTHROPIC_API_KEY={}", key)); env_vars.push(format!("ANTHROPIC_API_KEY={}", key));
} }
@@ -82,10 +97,10 @@ pub async fn create_container(
}, },
]; ];
// SSH keys mount (read-only) // SSH keys mount (read-only staging; entrypoint copies to ~/.ssh with correct perms)
if let Some(ref ssh_path) = project.ssh_key_path { if let Some(ref ssh_path) = project.ssh_key_path {
mounts.push(Mount { mounts.push(Mount {
target: Some("/home/claude/.ssh".to_string()), target: Some("/tmp/.host-ssh".to_string()),
source: Some(ssh_path.clone()), source: Some(ssh_path.clone()),
typ: Some(MountTypeEnum::BIND), typ: Some(MountTypeEnum::BIND),
read_only: Some(true), read_only: Some(true),

1
app/src-tauri/src/docker/exec.rs
View File

@@ -72,6 +72,7 @@ impl ExecSessionManager {
attach_stderr: Some(true), attach_stderr: Some(true),
tty: Some(true), tty: Some(true),
cmd: Some(cmd), cmd: Some(cmd),
user: Some("claude".to_string()),
working_dir: Some("/workspace".to_string()), working_dir: Some("/workspace".to_string()),
..Default::default() ..Default::default()
}, },

8
container/Dockerfile
View File

@@ -88,7 +88,9 @@ RUN mkdir -p /home/claude/.claude /home/claude/.ssh
WORKDIR /workspace WORKDIR /workspace
COPY --chown=claude:claude entrypoint.sh /home/claude/entrypoint.sh # ── Switch back to root for entrypoint (handles UID/GID remapping) ─────────
RUN chmod +x /home/claude/entrypoint.sh USER root
COPY entrypoint.sh /usr/local/bin/entrypoint.sh
RUN chmod +x /usr/local/bin/entrypoint.sh
ENTRYPOINT ["/home/claude/entrypoint.sh"] ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]

54
container/entrypoint.sh
View File

@@ -1,49 +1,75 @@
#!/bin/bash #!/bin/bash
set -e set -e
# ── SSH key permissions ────────────────────────────────────────────────────── # ── UID/GID remapping ──────────────────────────────────────────────────────
# If SSH keys were mounted, fix permissions (bind mounts may have wrong perms) # Match the container's claude user to the host user's UID/GID so that
if [ -d /home/claude/.ssh ]; then # bind-mounted files (project dir, docker socket) have correct ownership.
if [ -n "$HOST_UID" ] && [ "$HOST_UID" != "$(id -u claude)" ]; then
usermod -u "$HOST_UID" claude
fi
if [ -n "$HOST_GID" ] && [ "$HOST_GID" != "$(id -g claude)" ]; then
groupmod -g "$HOST_GID" claude
fi
# Fix ownership of home directory after UID/GID change
chown -R claude:claude /home/claude
# ── SSH key setup ──────────────────────────────────────────────────────────
# Host SSH dir is mounted read-only at /tmp/.host-ssh.
# Copy to /home/claude/.ssh so we can fix permissions.
if [ -d /tmp/.host-ssh ]; then
rm -rf /home/claude/.ssh
cp -a /tmp/.host-ssh /home/claude/.ssh
chown -R claude:claude /home/claude/.ssh
chmod 700 /home/claude/.ssh chmod 700 /home/claude/.ssh
find /home/claude/.ssh -type f -name "id_*" ! -name "*.pub" -exec chmod 600 {} \; find /home/claude/.ssh -type f -name "id_*" ! -name "*.pub" -exec chmod 600 {} \;
find /home/claude/.ssh -type f -name "*.pub" -exec chmod 644 {} \; find /home/claude/.ssh -type f -name "*.pub" -exec chmod 644 {} \;
# Write known_hosts fresh (not append) to avoid duplicates across restarts if [ -f /home/claude/.ssh/known_hosts ]; then
ssh-keyscan -t ed25519,rsa github.com gitlab.com bitbucket.org > /home/claude/.ssh/known_hosts 2>/dev/null || true
chmod 644 /home/claude/.ssh/known_hosts chmod 644 /home/claude/.ssh/known_hosts
fi fi
if [ -f /home/claude/.ssh/config ]; then
chmod 600 /home/claude/.ssh/config
fi
fi
# Append common host keys (avoid duplicates)
su -s /bin/bash claude -c '
mkdir -p /home/claude/.ssh
ssh-keyscan -t ed25519,rsa github.com gitlab.com bitbucket.org >> /home/claude/.ssh/known_hosts 2>/dev/null || true
sort -u -o /home/claude/.ssh/known_hosts /home/claude/.ssh/known_hosts
'
# ── Git credential helper (for HTTPS token) ───────────────────────────────── # ── Git credential helper (for HTTPS token) ─────────────────────────────────
if [ -n "$GIT_TOKEN" ]; then if [ -n "$GIT_TOKEN" ]; then
# Use git credential-store with a protected file instead of embedding in config
CRED_FILE="/home/claude/.git-credentials" CRED_FILE="/home/claude/.git-credentials"
: > "$CRED_FILE" : > "$CRED_FILE"
chmod 600 "$CRED_FILE" chmod 600 "$CRED_FILE"
chown claude:claude "$CRED_FILE"
echo "https://oauth2:${GIT_TOKEN}@github.com" >> "$CRED_FILE" echo "https://oauth2:${GIT_TOKEN}@github.com" >> "$CRED_FILE"
echo "https://oauth2:${GIT_TOKEN}@gitlab.com" >> "$CRED_FILE" echo "https://oauth2:${GIT_TOKEN}@gitlab.com" >> "$CRED_FILE"
echo "https://oauth2:${GIT_TOKEN}@bitbucket.org" >> "$CRED_FILE" echo "https://oauth2:${GIT_TOKEN}@bitbucket.org" >> "$CRED_FILE"
git config --global credential.helper "store --file=$CRED_FILE" su -s /bin/bash claude -c "git config --global credential.helper 'store --file=$CRED_FILE'"
# Clear the env var so it's not visible in /proc/*/environ
unset GIT_TOKEN unset GIT_TOKEN
fi fi
# ── Git user config ────────────────────────────────────────────────────────── # ── Git user config ──────────────────────────────────────────────────────────
if [ -n "$GIT_USER_NAME" ]; then if [ -n "$GIT_USER_NAME" ]; then
git config --global user.name "$GIT_USER_NAME" su -s /bin/bash claude -c "git config --global user.name '$GIT_USER_NAME'"
fi fi
if [ -n "$GIT_USER_EMAIL" ]; then if [ -n "$GIT_USER_EMAIL" ]; then
git config --global user.email "$GIT_USER_EMAIL" su -s /bin/bash claude -c "git config --global user.email '$GIT_USER_EMAIL'"
fi fi
# ── Docker socket permissions ──────────────────────────────────────────────── # ── Docker socket permissions ────────────────────────────────────────────────
if [ -S /var/run/docker.sock ]; then if [ -S /var/run/docker.sock ]; then
DOCKER_GID=$(stat -c '%g' /var/run/docker.sock) DOCKER_GID=$(stat -c '%g' /var/run/docker.sock)
if ! getent group "$DOCKER_GID" > /dev/null 2>&1; then if ! getent group "$DOCKER_GID" > /dev/null 2>&1; then
sudo groupadd -g "$DOCKER_GID" docker-host groupadd -g "$DOCKER_GID" docker-host
fi fi
DOCKER_GROUP=$(getent group "$DOCKER_GID" | cut -d: -f1) DOCKER_GROUP=$(getent group "$DOCKER_GID" | cut -d: -f1)
sudo usermod -aG "$DOCKER_GROUP" claude usermod -aG "$DOCKER_GROUP" claude
fi fi
# ── Stay alive ─────────────────────────────────────────────────────────────── # ── Stay alive as claude ─────────────────────────────────────────────────────
echo "Triple-C container ready." echo "Triple-C container ready."
exec sleep infinity exec su -s /bin/bash claude -c "exec sleep infinity"