tiennm99/goclaw
1
0
Fork 0
mirror of https://github.com/tiennm99/goclaw.git synced 2026-06-10 08:11:23 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
4e9f155a4c8ca9400a50cd4fedc90dfd896f4e54
goclaw/docker-entrypoint.sh
T
viettranx 843b550651 feat: runtime packages UI, pkg-helper, configurable shell deny groups (#244) 
Runtime package management with security hardening:

- pkg-helper: root-privileged daemon for apk install/uninstall via Unix socket
- HTTP API: /v1/packages (list/install/uninstall/runtimes), admin role required for writes
- Shell deny groups: 15 configurable groups (per-agent overrides via context)
- Packages UI: Web page for managing system/pip/npm packages with confirmation dialogs
- Docker: privilege separation (root entrypoint → su-exec drop), init for zombie reaping
- Security: umask socket creation, persist file validation, deny pattern hardening
  (Node.js fetch/http, Python from/import, curl localhost, sensitive env vars)
- Auth: empty gateway token → admin role (dev/single-user mode)
2026-03-17 19:50:26 +07:00

106 lines
3.3 KiB
Bash
Raw Blame History

#!/bin/sh
set -e
# Set up writable runtime directories for agent-installed packages.
# Rootfs is read-only; /app/data is a writable Docker volume.
RUNTIME_DIR="/app/data/.runtime"
mkdir -p "$RUNTIME_DIR/pip" "$RUNTIME_DIR/npm-global/lib"
# Python: allow agent to pip install to writable target dir
export PYTHONPATH="$RUNTIME_DIR/pip:${PYTHONPATH:-}"
export PIP_TARGET="$RUNTIME_DIR/pip"
export PIP_BREAK_SYSTEM_PACKAGES=1
export PIP_CACHE_DIR="$RUNTIME_DIR/pip-cache"
mkdir -p "$RUNTIME_DIR/pip-cache"
# Node.js: allow agent to npm install -g to writable prefix
# NODE_PATH includes both pre-installed system globals and runtime-installed globals.
export NPM_CONFIG_PREFIX="$RUNTIME_DIR/npm-global"
export NODE_PATH="/usr/local/lib/node_modules:$RUNTIME_DIR/npm-global/lib/node_modules:${NODE_PATH:-}"
export PATH="$RUNTIME_DIR/npm-global/bin:$RUNTIME_DIR/pip/bin:$PATH"
# System packages: re-install on-demand packages persisted across recreates.
# In Docker: entrypoint runs as root (then drops via su-exec).
# Outside Docker: may run as non-root — skip privileged operations gracefully.
APK_LIST="$RUNTIME_DIR/apk-packages"
touch "$APK_LIST" 2>/dev/null || true
if [ "$(id -u)" = "0" ]; then
chown root:goclaw "$APK_LIST" 2>/dev/null || true
chmod 0640 "$APK_LIST" 2>/dev/null || true
fi
if [ -f "$APK_LIST" ] && [ -s "$APK_LIST" ]; then
echo "Re-installing persisted system packages..."
VALID_PKGS=""
while IFS= read -r pkg || [ -n "$pkg" ]; do
pkg="$(printf '%s' "$pkg" | tr -d '[:space:]')"
case "$pkg" in
[a-zA-Z0-9@]*) VALID_PKGS="$VALID_PKGS $pkg" ;;
"") ;;
*) echo "WARNING: skipping invalid package: $pkg" ;;
esac
done < "$APK_LIST"
if [ -n "$VALID_PKGS" ]; then
# shellcheck disable=SC2086
apk add --no-cache $VALID_PKGS 2>/dev/null || \
echo "Warning: some packages failed to install"
fi
fi
# Start the root-privileged package helper (listens on /tmp/pkg.sock).
# Only in Docker (running as root). Outside Docker, pkg-helper is not available.
if [ -x /app/pkg-helper ] && [ "$(id -u)" = "0" ]; then
/app/pkg-helper &
PKG_PID=$!
for _i in 1 2 3 4; do
[ -S /tmp/pkg.sock ] && break
sleep 0.5
done
if ! [ -S /tmp/pkg.sock ]; then
echo "ERROR: pkg-helper failed to start (PID $PKG_PID)"
kill "$PKG_PID" 2>/dev/null || true
fi
fi
# Run command with privilege drop (su-exec in Docker, direct otherwise).
run_as_goclaw() {
if command -v su-exec >/dev/null 2>&1 && [ "$(id -u)" = "0" ]; then
exec su-exec goclaw "$@"
else
exec "$@"
fi
}
case "${1:-serve}" in
serve)
# Auto-upgrade (schema migrations + data hooks) before starting.
if [ -n "$GOCLAW_POSTGRES_DSN" ]; then
echo "Running database upgrade..."
if command -v su-exec >/dev/null 2>&1 && [ "$(id -u)" = "0" ]; then
su-exec goclaw /app/goclaw upgrade || \
echo "Upgrade warning (may already be up-to-date)"
else
/app/goclaw upgrade || \
echo "Upgrade warning (may already be up-to-date)"
fi
fi
run_as_goclaw /app/goclaw
;;
upgrade)
shift
run_as_goclaw /app/goclaw upgrade "$@"
;;
migrate)
shift
run_as_goclaw /app/goclaw migrate "$@"
;;
onboard)
run_as_goclaw /app/goclaw onboard
;;
version)
run_as_goclaw /app/goclaw version
;;
*)
run_as_goclaw /app/goclaw "$@"
;;
esac
Reference in New Issue View Git Blame Copy Permalink