fix(docker): skip gosu when running as non-root #2618
Open
ArtificialXai wants to merge 1 commit into opentensor:devnet-ready from
When the entrypoint detects it is already running as a non-root UID (e.g. a Kubernetes pod with runAsUser: 10001 and externally managed filesystem permissions), chown -R and gosu subtensor both fail with "operation not permitted" and the container exits before node-subtensor is ever executed.

Wrap the existing privilege-changing branch in an id -u check. Root operators see no behavior change; non-root operators get a clean exec without any chown/gosu calls.

This makes gosu effectively optional via auto-detection rather than a new container flag, so existing deployments that mount /data as root continue to work unchanged.

Closes opentensor#2475.
Summary
scripts/docker_entrypoint.sh unconditionally runs chown -R and exec gosu subtensor ..., which fails when the container itself is already running as a non-root user (e.g. a Kubernetes pod with securityContext.runAsUser: 10001 and externally-managed filesystem permissions). The container exits with operation not permitted before node-subtensor ever starts.

This PR wraps the privilege-changing branch in an id -u check:

- chown the data dir + chain spec + /tmp/blockchain, then exec gosu subtensor node-subtensor "$@".
- exec node-subtensor "$@" directly.

This makes gosu effectively optional via auto-detection — no new flag or env var, no API surface change. Existing deployments that mount /data as root keep working bit-for-bit.

Closes #2475.
Diff size
scripts/docker_entrypoint.sh only — +27 / -15. No code changes anywhere else, no Cargo/runtime impact, no spec_version bump.

Test plan
- sh -n scripts/docker_entrypoint.sh — clean.
- --user 10001 to confirm behavior end-to-end.
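
The id -u branch described in the summary, as an added example that is not the PR's diff or the project's entrypoint. The function names, the DATA_DIR variable with its /data default, the subtensor:subtensor owner and the writability refusal for non-root UIDs are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration; not scripts/docker_entrypoint.sh from the repository.

# plan_launch UID DIR: print which path the entrypoint should take.
# Kept separate from launch() so the decision can be checked without exec.
plan_launch() {
    uid=$1
    dir=$2
    if [ "$uid" -eq 0 ]; then
        # Root: ownership can be fixed and privileges dropped with gosu.
        echo "chown-then-gosu"
    elif [ -w "$dir" ]; then
        # Non-root with externally managed permissions: chown and gosu
        # would both fail, so run the node directly as the current UID.
        echo "exec-direct"
    else
        # Assumed extra check: fail with a clear message instead of
        # letting the node die later on an unwritable volume.
        echo "refuse-unwritable"
    fi
}

# launch ARGS...: act on the plan. An entrypoint would end with: launch "$@"
launch() {
    dir=${DATA_DIR:-/data}          # assumed variable and default path
    uid=$(id -u)
    case "$(plan_launch "$uid" "$dir")" in
        chown-then-gosu)
            # The page also chowns the chain spec and /tmp/blockchain;
            # only the data dir is shown here. Owner name is assumed.
            chown -R subtensor:subtensor "$dir"
            exec gosu subtensor node-subtensor "$@"
            ;;
        exec-direct)
            exec node-subtensor "$@"
            ;;
        *)
            echo "uid $uid cannot write $dir; fix the volume ownership" >&2
            return 1
            ;;
    esac
}
```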