| author | Paul Buetow <paul@buetow.org> | 2026-01-09 11:16:18 +0200 |
|---|---|---|
| committer | Paul Buetow <paul@buetow.org> | 2026-01-09 11:16:18 +0200 |
| commit | 856af9ac9e42a088ca65e70026ad7390f00fe8d4 (patch) | |
| tree | f81cbc6edff3e637b3ed6ba95f79b0f712773d36 /f3s/git-server | |
| parent | 48a8499a2b919e28045c896cd8553d90bb3b875b (diff) | |
Run containers as root and use emptyDir for writeable dirs
- Mount emptyDir for /etc/ssh to allow SSH host key generation
- Mount emptyDir for /var/cache/cgit to allow cache initialization
- Run both containers as root with proper capabilities
- Copy sshd_config at runtime from /tmp to /etc/ssh
- Add imagePullPolicy: Always to force image refresh
Diffstat (limited to 'f3s/git-server')
| -rw-r--r-- | f3s/git-server/docker-image/Dockerfile | 11 | ||||
| -rw-r--r-- | f3s/git-server/helm-chart/templates/deployment.yaml | 10 |
2 files changed, 16 insertions, 5 deletions
diff --git a/f3s/git-server/docker-image/Dockerfile b/f3s/git-server/docker-image/Dockerfile
index 574a94b..f721fab 100644
--- a/f3s/git-server/docker-image/Dockerfile
+++ b/f3s/git-server/docker-image/Dockerfile
@@ -9,11 +9,16 @@ RUN adduser -D -u 1000 -s /usr/bin/git-shell git && \
 mkdir -p /home/git/.ssh /repos && \
 chown -R git:git /home/git /repos
-# Copy sshd configuration
-COPY sshd_config /etc/ssh/sshd_config
+# Copy sshd configuration to /tmp (will be copied to /etc/ssh by entrypoint)
+COPY sshd_config /tmp/sshd_config
-# Create entrypoint script to generate host keys at runtime
+# Create entrypoint script to setup SSH and run sshd
 RUN echo '#!/bin/sh' > /entrypoint.sh && \
+ echo '# Copy sshd_config if not exists' >> /entrypoint.sh && \
+ echo 'if [ ! -f /etc/ssh/sshd_config ]; then' >> /entrypoint.sh && \
+ echo ' cp /tmp/sshd_config /etc/ssh/sshd_config' >> /entrypoint.sh && \
+ echo 'fi' >> /entrypoint.sh && \
+ echo '# Generate host keys if not exists' >> /entrypoint.sh && \
 echo 'if [ ! -f /etc/ssh/ssh_host_ed25519_key ]; then' >> /entrypoint.sh && \
 echo ' ssh-keygen -A' >> /entrypoint.sh && \
 echo 'fi' >> /entrypoint.sh && \
diff --git a/f3s/git-server/helm-chart/templates/deployment.yaml b/f3s/git-server/helm-chart/templates/deployment.yaml
index b74a5fc..6f47c36 100644
--- a/f3s/git-server/helm-chart/templates/deployment.yaml
+++ b/f3s/git-server/helm-chart/templates/deployment.yaml
@@ -19,6 +19,7 @@ spec:
 # Container 1: SSH Git Server
 - name: git-server
 image: registry.lan.buetow.org:30001/git-server:1.0
+ imagePullPolicy: Always
 ports:
 - containerPort: 22
 name: ssh
@@ -30,12 +31,15 @@ spec:
 mountPath: /home/git/.ssh/authorized_keys
 subPath: authorized_keys
 readOnly: true
+ - name: ssh-host-keys
+ mountPath: /etc/ssh
 securityContext:
- runAsUser: 1000
- runAsGroup: 1000
+ runAsUser: 0
+ runAsGroup: 0
 allowPrivilegeEscalation: false
 capabilities:
 drop: ["ALL"]
+ add: ["CHOWN", "DAC_OVERRIDE"]
 resources:
 requests:
 cpu: 50m
@@ -94,3 +98,5 @@ spec:
 name: cgit-config
 - name: cgit-cache
 emptyDir: {}
+ - name: ssh-host-keys
+ emptyDir: {}
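Review bot: The `if [ ! -f /etc/ssh/sshd_config ]` guard in the generated entrypoint means a config already present in /etc/ssh always wins over the one baked into the image, so any future change to sshd_config in the image is silently ignored once the directory is persisted; with the ephemeral /etc/ssh mount that this commit pairs it with the guard is always true today, but the moment host keys are moved to a persistent volume (which they arguably should be) a stale sshd_config would stick. Copying unconditionally, `cp /tmp/sshd_config /etc/ssh/sshd_config`, keeps the image the single source of truth for the config while the keys keep their own if-absent generation. It is also worth a comment in the Dockerfile that mounting a volume over /etc/ssh hides whatever else the image ships there (e.g. `moduli`, if present), since only sshd_config and the host keys are recreated at start. The RUN instruction that builds the script continues past the end of the hunk.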
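Review bot: `imagePullPolicy: Always` on the mutable tag `git-server:1.0` means the code running in this pod can change under an unchanged manifest: every pod start pulls whatever the registry currently serves for that tag, with no record in git of what was deployed. For the container that holds the SSH host keys and gates repository access, prefer an immutable reference — bump the tag per build, or pin by digest along the lines of `image: registry.lan.buetow.org:30001/git-server@sha256:<digest-placeholder>` — after which the pull policy no longer matters. The container spec continues outside the hunk.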
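Review bot: The jump from UID 1000 to `runAsUser: 0` with `add: ["CHOWN", "DAC_OVERRIDE"]` is a bigger privilege step than the stated reasons need, and the added capabilities do not look like the ones the root-only parts of sshd actually use. Writing host keys and the cgit cache into the new emptyDir volumes does not by itself require root (an emptyDir is normally writable by any UID, so the volume change alone would let UID 1000 run `ssh-keygen -A`); if root is kept because sshd must bind port 22 and switch sessions to the `git` account, the relevant capabilities are NET_BIND_SERVICE and SETUID/SETGID, none of which survive `drop: ["ALL"]` plus this add list — so, unless I am misreading the remaining set, a login to `git` should be verified to actually succeed under it. Whatever set ends up being necessary, each entry deserves a one-line why-comment next to it (`add: ["CHOWN", "DAC_OVERRIDE"]  # <reason-placeholder>`) so the next reviewer can tell a required cap from a leftover. Note also that the description speaks of both containers, while this diff only changes the git-server container's securityContext; the cgit container's is outside the hunk.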
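Review bot: Backing `ssh-host-keys` with `emptyDir: {}` means the host keys are regenerated on every pod start, so each restart or reschedule gives the server a new identity; clients that recorded the previous key get a host-key-changed error and have to clear known_hosts, and clients that learn to accept changed keys lose the only signal that would reveal a substituted server. Persist the keys instead — generate them once and mount them from a Secret, or use a PersistentVolumeClaim for this volume — and keep emptyDir for the cgit cache only, which genuinely is disposable. The start of the volumes list is outside the hunk.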
