| author | Paul Buetow <paul@buetow.org> | 2026-01-09 20:57:23 +0200 |
|---|---|---|
| committer | Paul Buetow <paul@buetow.org> | 2026-01-09 20:57:23 +0200 |
| commit | cf432fa0d4e96f17e0d1e5dd1d4b560f35c00c60 (patch) | |
| tree | 571f7af893f4766403aa5571b855883101c9990a /f3s/git-server | |
| parent | 6c145e34c47c0d2598db34e8edde9f47e5201fc1 (diff) | |
Fix cgit container permissions - use writable /tmp for runtime files
- Mount emptyDir volume at /tmp for cgit runtime files
- Copy nginx.conf to /tmp and modify there (read-only /etc)
- Move nginx PID file to /tmp/nginx.pid
- Move fcgiwrap socket to /tmp/fcgiwrap.sock
- Update cgit.conf to use new socket location
Allows cgit to run as non-root (UID 33) without write access to /etc or /var.
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
Diffstat (limited to 'f3s/git-server')
| -rw-r--r-- | f3s/git-server/helm-chart/templates/deployment.yaml | 20 |
1 files changed, 14 insertions, 6 deletions
diff --git a/f3s/git-server/helm-chart/templates/deployment.yaml b/f3s/git-server/helm-chart/templates/deployment.yaml
index f5ded3a..c029042 100644
--- a/f3s/git-server/helm-chart/templates/deployment.yaml
+++ b/f3s/git-server/helm-chart/templates/deployment.yaml
@@ -79,13 +79,17 @@ spec:
 command: ["/bin/sh", "-c"]
 args:
 - |
- # Remove 'user nginx;' directive to avoid setgid errors
- sed -i 's/^user nginx;//' /etc/nginx/nginx.conf
- # Start fcgiwrap and set socket permissions
- spawn-fcgi -s /var/run/fcgiwrap.sock -n -- /usr/bin/fcgiwrap &
+ # Copy nginx config to writable location and modify it
+ cp /etc/nginx/nginx.conf /tmp/nginx.conf
+ sed -i 's/^user nginx;//' /tmp/nginx.conf
+ sed -i 's|pid /var/run/nginx.pid;|pid /tmp/nginx.pid;|' /tmp/nginx.conf
+ # Start fcgiwrap with socket in /tmp
+ spawn-fcgi -s /tmp/fcgiwrap.sock -n -- /usr/bin/fcgiwrap &
 sleep 1
- chmod 666 /var/run/fcgiwrap.sock
- exec nginx -g 'daemon off;'
+ chmod 666 /tmp/fcgiwrap.sock
+ # Update cgit.conf to use /tmp socket
+ sed -i 's|unix:/var/run/fcgiwrap.sock|unix:/tmp/fcgiwrap.sock|' /etc/nginx/conf.d/cgit.conf || true
+ exec nginx -c /tmp/nginx.conf -g 'daemon off;'
 ports:
 - containerPort: 80
 name: http
@@ -105,6 +109,8 @@ spec:
 mountPath: /etc/cgitrc
 subPath: cgitrc
 readOnly: true
+ - name: cgit-runtime
+ mountPath: /tmp
 securityContext:
 runAsUser: 33
 runAsGroup: 33
@@ -135,3 +141,5 @@ spec:
 name: cgit-config
 - name: ssh-host-keys
 emptyDir: {}
+ - name: cgit-runtime
+ emptyDir: {} |
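Review bot: The `|| true` on the added cgit.conf rewrite in the first hunk hides the exact failure this commit sets out to fix: if UID 33 cannot write to /etc/nginx/conf.d (the message says /etc is read-only for it), `sed -i` fails silently, cgit.conf keeps pointing at unix:/var/run/fcgiwrap.sock, which no longer exists, and nginx comes up with every cgit request failing. Treat it like nginx.conf instead: render a copy, `sed 's|unix:/var/run/fcgiwrap.sock|unix:/tmp/fcgiwrap.sock|' /etc/nginx/conf.d/cgit.conf > /tmp/cgit.conf`, and point the include in the copied /tmp/nginx.conf at it (I am inferring that nginx.conf includes conf.d; confirm), or at least drop `|| true` so the pod fails visibly; best of all is to ship the socket path already set in the config source so no runtime edit is needed. Separately, `chmod 666 /tmp/fcgiwrap.sock` is no longer necessary now that nginx and fcgiwrap both run as UID 33, and it can race the fixed `sleep 1` if spawn-fcgi is slow; `spawn-fcgi -M 660 -s /tmp/fcgiwrap.sock -n -- /usr/bin/fcgiwrap &` sets a tighter mode at creation and lets the chmod go. The container spec continues outside the hunk.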
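Review bot: The securityContext shown in the second hunk (`runAsUser: 33`, `runAsGroup: 33`) does not set `readOnlyRootFilesystem: true`, even though this change moves all intended runtime writes onto the /tmp emptyDir mounted just above it; with that flag, any remaining write to the image filesystem fails loudly instead of depending on file ownership. It can only be enabled once the first hunk stops running `sed -i` against /etc/nginx/conf.d/cgit.conf, since that edit would then fail as well. `allowPrivilegeEscalation: false` would fit alongside it. The volumeMounts and securityContext lists continue outside the hunk.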
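Review bot: The new `cgit-runtime` volume in the third hunk is `emptyDir: {}` with no `sizeLimit`; the PID file and socket are tiny, but anything else that ends up under /tmp (cgit's cache, if it is ever pointed there — not visible here) can grow on node disk without bound. A bounded volume, `emptyDir: {sizeLimit: <PLACEHOLDER, e.g. 64Mi>}`, makes the kubelet evict the pod when exceeded, which is a visible failure rather than node disk pressure; `medium: Memory` is an alternative if these files should never touch disk. The volumes list continues outside the hunk.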
