feat(start-container): forward args + X-Deploy-Bump to FORCE_COMMAND

Back-fills into git what is already live in blaxsoftware/bastion:latest
(the deployed image was built 2026-05-29 from this then-uncommitted working
tree; git HEAD was behind it).

- ForceCommand wrapper forwards positional args: exec sh -c "..." sh "$@"
- CGI maps X-Deploy-Bump: patch|minor|major -> --patch|--minor|--major and
  passes it as one positional arg to the FORCE_COMMAND.

This is the server side of the learn-atc deploy '"$@"' passthrough and the
/<service>/minor-style URL-suffix version bump.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Fabian @ Blax Software 2026-06-01 12:18:49 +02:00
parent c90206045f
commit 3ec02cea7b
1 changed files with 18 additions and 2 deletions


@ -137,7 +137,11 @@ if [ -f /home/agent/.ssh/id_rsa ]; then
export GIT_SSH_COMMAND="ssh -o IdentityFile=/home/agent/.ssh/id_rsa -o UserKnownHostsFile=/home/agent/.ssh/known_hosts -o StrictHostKeyChecking=accept-new" export GIT_SSH_COMMAND="ssh -o IdentityFile=/home/agent/.ssh/id_rsa -o UserKnownHostsFile=/home/agent/.ssh/known_hosts -o StrictHostKeyChecking=accept-new"
fi fi
exec sh -c "$(cat /etc/bastion/force-command.cmd)" # Forward args from the caller (CGI passes one optional --patch|--minor|
# --major arg; SSH ForceCommand passes none). The user's FORCE_COMMAND in
# compose can reference "$@" to thread these through to deploy.sh. With
# no args, "$@" expands to nothing and behavior is identical to before.
exec sh -c "$(cat /etc/bastion/force-command.cmd)" sh "$@"
WRAPPER WRAPPER
chmod 0755 /etc/bastion/force-command chmod 0755 /etc/bastion/force-command
echo " $FORCE_COMMAND_VALUE" echo " $FORCE_COMMAND_VALUE"
@ -210,8 +214,20 @@ if [ -n "${HTTP_BASIC_AUTH:-}" ]; then
#!/bin/sh #!/bin/sh
# Auto-generated. Auth was validated by busybox httpd via httpd.conf # Auto-generated. Auth was validated by busybox httpd via httpd.conf
# before this script ran — REMOTE_USER holds the authenticated username. # before this script ran — REMOTE_USER holds the authenticated username.
#
# Optional X-Deploy-Bump header (set by upstream nginx capturing the URL
# suffix /patch|/minor|/major) is validated here and forwarded to the
# FORCE_COMMAND wrapper as a single positional arg. Anything else
# (missing header, unknown value) passes through with no arg, leaving
# the caller's deploy.sh to apply its own default.
BUMP_ARG=""
case "${HTTP_X_DEPLOY_BUMP:-}" in
patch) BUMP_ARG="--patch" ;;
minor) BUMP_ARG="--minor" ;;
major) BUMP_ARG="--major" ;;
esac
printf 'Content-Type: text/plain\r\nCache-Control: no-cache\r\nX-Accel-Buffering: no\r\n\r\n' printf 'Content-Type: text/plain\r\nCache-Control: no-cache\r\nX-Accel-Buffering: no\r\n\r\n'
exec /etc/bastion/force-command 2>&1 exec /etc/bastion/force-command $BUMP_ARG 2>&1
CGI CGI
chmod 0755 /var/www/cgi-bin/run chmod 0755 /var/www/cgi-bin/run
# -c CONFFILE = auth + content-type rules; httpd reads it as root before # -c CONFFILE = auth + content-type rules; httpd reads it as root before
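Review bot: In the generated CGI script the `case` on `HTTP_X_DEPLOY_BUMP` has no default arm, so a non-empty value outside the allowlist (for example a differently-cased `Major`) is dropped silently and the deploy still runs with deploy.sh's default bump. On a deploy trigger I would fail closed for a present-but-unknown value: add `"") ;;` and `*) printf 'Status: 400 Bad Request\r\nContent-Type: text/plain\r\n\r\nunsupported X-Deploy-Bump value\n'; exit 0 ;;` before `esac`, assuming this httpd honours a CGI `Status:` header. The comment says nginx sets the header from the URL suffix, but nothing visible here shows a client-supplied X-Deploy-Bump being cleared upstream, so this allowlist is the only check on the page and should stay strict. `$BUMP_ARG` on the exec line is unquoted on purpose so that an empty value adds no argument; `${BUMP_ARG:+"$BUMP_ARG"}` states that intent explicitly. The heredoc that opens this CGI script starts outside the hunk.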