Caught while wiring up an HTTP-driven deploy that runs the user's
canonical deploy.sh from a CGI:
- HTTP_AS_ROOT=1 — opt out of busybox httpd's `-u USER` drop so the
CGI (and the deploy.sh it runs) keep root supplementary groups.
Required because busybox httpd does setuid/setgid but not
setgroups; dropping to agent loses the dockerhost group and the
CGI can't reach /var/run/docker.sock. Bastion already has the
socket = host root, so this doesn't widen the envelope.
- chown -R …/.ssh — make it best-effort. With ssh creds mounted
read-only (id_rsa, known_hosts), the chown -R failed under
`set -e` and killed boot. The dir + the file we wrote are what
matter; anything bind-mounted in is the caller's business.
- git config --system --add safe.directory '*' — silence
'detected dubious ownership' when the CGI runs as root over a
host-uid-owned repo (standard bind-mount-into-bastion case).
- GIT_SSH_COMMAND auto-export — when a key is mounted at
/home/agent/.ssh/id_rsa, the wrapper sets git's ssh invocation
to point at it explicitly. Required because setting HOME alone
doesn't make root-uid ssh follow ~/.ssh/{id_rsa,known_hosts}.
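
The GIT_SSH_COMMAND and best-effort chown items above, sketched as an added example (not part of this commit or the project's wrapper). The function names, the SSH_DIR override and the StrictHostKeyChecking=yes setting are assumptions of the example; only the /home/agent/.ssh paths come from the message.

```shell
#!/bin/sh
# Added illustration; function names are hypothetical, not from the project.

# Print a GIT_SSH_COMMAND value that pins ssh to the mounted key.
# Explicit -i / UserKnownHostsFile are needed because OpenSSH resolves "~"
# from the passwd entry of the running uid (root's home), not from $HOME.
# Paths are single-quoted because git passes GIT_SSH_COMMAND to a shell;
# assumes the paths themselves contain no single quotes.
build_git_ssh_command() {
    ssh_dir=${1:-/home/agent/.ssh}
    key=$ssh_dir/id_rsa
    [ -f "$key" ] || return 1   # no key mounted: leave git's default alone
    cmd="ssh -i '$key' -o IdentitiesOnly=yes"
    if [ -f "$ssh_dir/known_hosts" ]; then
        # Example's choice: trust only the mounted known_hosts, never prompt.
        cmd="$cmd -o UserKnownHostsFile='$ssh_dir/known_hosts'"
        cmd="$cmd -o StrictHostKeyChecking=yes"
    fi
    printf '%s\n' "$cmd"
}

# Best-effort, non-recursive chown: warn and carry on so a read-only
# bind mount cannot abort a `set -e` boot script.
chown_best_effort() {
    owner=$1; shift
    for path in "$@"; do
        chown "$owner" "$path" 2>/dev/null ||
            echo "warn: chown $owner $path failed, continuing" >&2
    done
    return 0
}

# Wrapper step: export only when a key is actually present.
if git_ssh=$(build_git_ssh_command "${SSH_DIR:-/home/agent/.ssh}"); then
    export GIT_SSH_COMMAND="$git_ssh"
fi
```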