fix: address review — move LOGFILE to tmpfs, add CapDrop check (#706)
All checks were successful
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/pr/ci Pipeline was successful
ci/woodpecker/pr/smoke-init Pipeline was successful

LOGFILE=/var/chat/chat.log is unwritable on read-only rootfs; move to
/tmp/chat.log (tmpfs-backed). Add CapDrop=ALL assertion to verify script
so removing cap_drop from compose is caught.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Claude 2026-04-12 01:19:42 +00:00
parent e74fc29b82
commit 0c5bb09e16
2 changed files with 9 additions and 1 deletions


@ -6,7 +6,7 @@ set -euo pipefail
# Exec-replace pattern: this script is the container entrypoint and runs
# the server directly (no wrapper needed). Logs to stdout for docker logs.
LOGFILE="/var/chat/chat.log"
LOGFILE="/tmp/chat.log"
log() {
printf '[%s] %s\n' "$(date -u '+%Y-%m-%d %H:%M:%S UTC')" "$*" | tee -a "$LOGFILE"
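Review bot: the `tee -a "$LOGFILE"` in `log()` still assumes `/tmp` is writable; with `set -euo pipefail` in effect, a failing `tee` makes `log` return non-zero and aborts the entrypoint on the first log line if the compose file ever loses its tmpfs mount for `/tmp`. Suggest probing once at startup (`touch "$LOGFILE" 2>/dev/null || LOGFILE=/dev/null`) so the container still starts and stdout logging still works, and updating the header comment ("Logs to stdout for docker logs") to say the file copy lives on tmpfs and does not survive a restart; the verify script could assert the tmpfs mount next to the new CapDrop check.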


@ -39,6 +39,14 @@ else
fail "CapAdd expected null, got $cap_add"
fi
# CapDrop — should contain ALL
cap_drop=$(echo "$inspect_json" | python3 -c "import sys,json; caps=json.load(sys.stdin)[0]['HostConfig']['CapDrop'] or []; print(' '.join(caps))")
if echo "$cap_drop" | grep -q "ALL"; then
pass "CapDrop contains ALL"
else
fail "CapDrop expected ALL, got: $cap_drop"
fi
# PidsLimit
pids_limit=$(echo "$inspect_json" | python3 -c "import sys,json; print(json.load(sys.stdin)[0]['HostConfig']['PidsLimit'])")
if [ "$pids_limit" = "128" ]; then
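Review bot: `grep -q "ALL"` is a substring match on the space-joined `cap_drop` list, so any entry merely containing `ALL` would also satisfy the assertion; since the list is already built inside the python snippet, do the exact membership test there (`print('ALL' in caps)` and compare against `True`), or at least use `grep -qw ALL` for a whole-word match. The `or []` guard for a null `CapDrop` is good; consider having the fail message print `<null>` instead of an empty string so the output distinguishes "no cap_drop at all" from an unexpected value.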