From bde1f562c90856a41f45a318568bedca7333374a Mon Sep 17 00:00:00 2001 From: Daniel Kantor Date: Wed, 30 Jul 2025 17:19:39 +0200 Subject: [PATCH 01/13] test: implement test isolation for e2e tests --- e2e-tests/Dockerfile | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 e2e-tests/Dockerfile diff --git a/e2e-tests/Dockerfile b/e2e-tests/Dockerfile new file mode 100644 index 00000000..fdc9ea36 --- /dev/null +++ b/e2e-tests/Dockerfile @@ -0,0 +1,5 @@ +FROM docker:25.0-dind-rootless + +COPY ../*/thv /usr/local/bin/ + +CMD ["thv", "serve"] From bfb51b49fb935b00e6612e5489c3be3bc569ec0c Mon Sep 17 00:00:00 2001 From: Daniel Kantor Date: Thu, 31 Jul 2025 12:15:18 +0200 Subject: [PATCH 02/13] properly add toolhive binary --- .gitignore | 6 +++++- {e2e-tests => bin}/Dockerfile | 3 ++- 2 files changed, 7 insertions(+), 2 deletions(-) rename {e2e-tests => bin}/Dockerfile (54%) diff --git a/.gitignore b/.gitignore index 3af20a93..48447014 100644 --- a/.gitignore +++ b/.gitignore @@ -91,7 +91,9 @@ typings/ # Electron-Forge out/ -bin/ +bin/*/thv +bin/*/README.md +bin/*/LICENSE # Playwright /test-results/ @@ -99,3 +101,5 @@ bin/ /blob-report/ /playwright/.cache/ /test-videos/ + + diff --git a/e2e-tests/Dockerfile b/bin/Dockerfile similarity index 54% rename from e2e-tests/Dockerfile rename to bin/Dockerfile index fdc9ea36..78f77d89 100644 --- a/e2e-tests/Dockerfile +++ b/bin/Dockerfile @@ -1,5 +1,6 @@ FROM docker:25.0-dind-rootless -COPY ../*/thv /usr/local/bin/ +COPY ./*/thv /usr/local/bin/thv +USER rootless CMD ["thv", "serve"] From 0531973e2bb70a49d369978c525bb393f83728b7 Mon Sep 17 00:00:00 2001 From: Daniel Kantor Date: Thu, 31 Jul 2025 13:28:59 +0200 Subject: [PATCH 03/13] fix entrypoint --- bin/Dockerfile | 11 +++++++---- bin/ephemeral/entrypoint.sh | 7 +++++++ 2 files changed, 14 insertions(+), 4 deletions(-) create mode 100644 bin/ephemeral/entrypoint.sh diff --git a/bin/Dockerfile b/bin/Dockerfile index 78f77d89..bad511e2 100644 --- a/bin/Dockerfile 
+++ b/bin/Dockerfile @@ -1,6 +1,9 @@ -FROM docker:25.0-dind-rootless +FROM docker:dind +ENV DOCKER_HOST=unix:///var/run/docker.sock -COPY ./*/thv /usr/local/bin/thv +COPY --chmod=755 linux-x64/thv /usr/local/bin/thv +COPY ./ephemeral/entrypoint.sh /usr/local/bin/ +RUN chmod +x /usr/local/bin/entrypoint.sh -USER rootless -CMD ["thv", "serve"] +ENTRYPOINT ["entrypoint.sh"] +CMD [] diff --git a/bin/ephemeral/entrypoint.sh b/bin/ephemeral/entrypoint.sh new file mode 100644 index 00000000..926b7477 --- /dev/null +++ b/bin/ephemeral/entrypoint.sh @@ -0,0 +1,7 @@ +#!/bin/sh +set -e + +/usr/local/bin/dockerd-entrypoint.sh & +until docker info >/dev/null 2>&1; do sleep 0.5; done + +exec "$@" From d8c2fe8f22dbe3fd06a159b0504a2cb51ef7bb26 Mon Sep 17 00:00:00 2001 From: Daniel Kantor Date: Thu, 31 Jul 2025 13:52:57 +0200 Subject: [PATCH 04/13] add wrapper script --- bin/ephemeral/thv.sh | 33 +++++++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) create mode 100755 bin/ephemeral/thv.sh diff --git a/bin/ephemeral/thv.sh b/bin/ephemeral/thv.sh new file mode 100755 index 00000000..8721e918 --- /dev/null +++ b/bin/ephemeral/thv.sh 
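Review bot: `FROM docker:dind` drops the version pin that `docker:25.0-dind-rootless` carried, so every rebuild can silently pick up a different Docker release; keep a tagged base such as `FROM docker:25.0-dind`. The switch from the rootless variant to a daemon that needs `--privileged` on the host is also a much larger blast radius than "test isolation" suggests, and deserves a comment above the FROM line stating why rootless dind was abandoned. `ENTRYPOINT ["entrypoint.sh"]` resolves the script through `PATH`; prefer the absolute `ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]`, and the separate `RUN chmod +x` layer can go if the script is copied as `COPY --chmod=755 ./ephemeral/entrypoint.sh /usr/local/bin/`, matching the thv binary on the line above it.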
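Review bot: The readiness loop `until docker info >/dev/null 2>&1; do sleep 0.5; done` never gives up, so if the backgrounded `dockerd-entrypoint.sh` exits early (container not run with `--privileged`, cgroup problems) the container hangs forever instead of failing the test run; `set -e` does not help because the failing command is a loop condition. Bound it, e.g. `for _ in $(seq 1 120); do docker info >/dev/null 2>&1 && break; sleep 0.5; done` followed by `docker info >/dev/null 2>&1 || { echo 'dockerd did not become ready' >&2; exit 1; }`. The same unbounded loop is carried unchanged through the entrypoint.sh hunks of PATCH 09, 10, 11, 12 and 13.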
@@ -0,0 +1,33 @@ +#!/usr/bin/env bash +# ./ephemeral/thv.sh – run `thv` inside its Docker-in-Docker sandbox +# Works even when you give it no arguments (defaults to port 8080). + +set -euo pipefail + +# ── locate the project root (one dir up from this script) ────────────── +SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" +ROOT_DIR="$(cd "${SCRIPT_DIR}/.." && pwd)" + +# ── quick scan for a --port flag; if absent, default to 8080 ─────────── +PORT=8080 +for (( i=1; i<=$#; i++ )); do + arg="${!i}" + case "$arg" in + --port=*) PORT="${arg#--port=}" ;; + --port) + next=$((i+1)) + if (( next <= $# )); then PORT="${!next}"; fi + ;; + esac +done + +# ── run container from the project root ──────────────────────────────── +( + cd "${ROOT_DIR}" + + docker run --privileged --rm -it \ + -p "${PORT}:${PORT}" \ + -v "${ROOT_DIR}:/workspace" \ + -w /workspace \ + thv-containerized thv "$@" +) From 1d2d9df392f765a2b8b6d81ef78d2d440c70f107 Mon Sep 17 00:00:00 2001 From: Daniel Kantor Date: Mon, 4 Aug 2025 12:43:46 +0200 Subject: [PATCH 05/13] . --- bin/ephemeral/thv.sh | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/bin/ephemeral/thv.sh b/bin/ephemeral/thv.sh index 8721e918..df71be6b 100755 --- a/bin/ephemeral/thv.sh +++ b/bin/ephemeral/thv.sh @@ -1,14 +1,9 @@ #!/usr/bin/env bash -# ./ephemeral/thv.sh – run `thv` inside its Docker-in-Docker sandbox -# Works even when you give it no arguments (defaults to port 8080). - set -euo pipefail -# ── locate the project root (one dir up from this script) ────────────── SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" ROOT_DIR="$(cd "${SCRIPT_DIR}/.." && pwd)" -# ── quick scan for a --port flag; if absent, default to 8080 ─────────── PORT=8080 for (( i=1; i<=$#; i++ )); do arg="${!i}" 
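Review bot: `docker run --privileged` with the whole project root bind-mounted read-write at `/workspace` means anything the inner `thv` (or whatever it launches) does runs with host-root capabilities and can modify the checkout; the script gives no reason for either, so a comment such as `# --privileged is required by the inner dockerd` belongs above the call, and the mount should be `-v "${ROOT_DIR}:/workspace:ro"` unless thv actually writes into the repo. `thv-containerized` is an untagged local image and nothing in this series shows how it is built from `bin/Dockerfile`; a comment giving the expected `docker build` invocation (or a build step in the script) would make the e2e flow reproducible. The `--port` scan silently keeps 8080 when `--port` is the last argument, which is probably fine for tests but worth one line of comment.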
@@ -21,12 +16,11 @@ for (( i=1; i<=$#; i++ )); do esac done -# ── run container from the project root ──────────────────────────────── ( cd "${ROOT_DIR}" docker run --privileged --rm -it \ - -p "${PORT}:${PORT}" \ + -p ${PORT}:${PORT} \ -v "${ROOT_DIR}:/workspace" \ -w /workspace \ thv-containerized thv "$@" From 2cba182960a113c906fafc39e1b4d8c002291e33 Mon Sep 17 00:00:00 2001 From: Daniel Kantor Date: Mon, 4 Aug 2025 13:13:32 +0200 Subject: [PATCH 06/13] run e2e in ephemeral mode --- main/src/toolhive-manager.ts | 22 +++++++--------------- package.json | 2 +- 2 files changed, 8 insertions(+), 16 deletions(-) diff --git a/main/src/toolhive-manager.ts b/main/src/toolhive-manager.ts index 176c57ee..be0c7511 100644 --- a/main/src/toolhive-manager.ts +++ b/main/src/toolhive-manager.ts @@ -8,22 +8,14 @@ import { updateTrayStatus } from './system-tray' import log from './logger' import * as Sentry from '@sentry/electron/main' -const binName = process.platform === 'win32' ? 'thv.exe' : 'thv' +// Use environment variables for binary customization with Windows fallback +const binName = + process.env.BIN_NAME ?? (process.platform === 'win32' ? 'thv.exe' : 'thv') +const binArch = process.env.BIN_ARCH ?? `${process.platform}-${process.arch}` + const binPath = app.isPackaged - ? path.join( - process.resourcesPath, - 'bin', - `${process.platform}-${process.arch}`, - binName - ) - : path.resolve( - __dirname, - '..', - '..', - 'bin', - `${process.platform}-${process.arch}`, - binName - ) + ? path.join(process.resourcesPath, 'bin', binArch, binName) + : path.resolve(__dirname, '..', '..', 'bin', binArch, binName) let toolhiveProcess: ReturnType | undefined let toolhivePort: number | undefined diff --git a/package.json b/package.json index 431462ee..cc50d147 100644 --- a/package.json +++ b/package.json 
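Review bot: Dropping the quotes in `-p ${PORT}:${PORT} \` reintroduces word splitting and globbing on a value taken straight from the command line, for no gain; restore `-p "${PORT}:${PORT}" \` as PATCH 04 had it. The comments removed in the same commit were the only explanation of the `--port` scan, so keep at least one line saying the script defaults to port 8080.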
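Review bot: `process.env.BIN_NAME` and `process.env.BIN_ARCH` are honoured unconditionally, including in the `app.isPackaged` branch, so any environment that launches the packaged app can redirect which binary `startToolhive` spawns and, with `..` segments, point outside `process.resourcesPath`. Because the `e2e` script deliberately runs the packaged app with these overrides, limiting them to dev builds is not an option; instead reject anything that is not a plain path component, e.g. `if (path.basename(binName) !== binName || path.basename(binArch) !== binArch) throw new Error('BIN_NAME/BIN_ARCH must be plain names')`, and say in the comment that the override exists for the ephemeral e2e harness. `startToolhive` and the spawn call that consumes `binPath` are outside this hunk.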
@@ -10,7 +10,7 @@ }, "scripts": { "start": "electron-forge start", - "e2e": "tsc -b --clean && tsc -b && electron-forge package && playwright test", + "e2e": "tsc -b --clean && tsc -b && electron-forge package && BIN_NAME='thv.sh' BIN_ARCH='ephemeral' playwright test", "start:mockUpdate": "MOCK_UPDATE_SERVER=true ELECTRON_IS_DEV=0 electron-forge start", "package": "tsc -b --clean && tsc -b && electron-forge package", "make": "tsc -b --clean && tsc -b && electron-forge make", From 48167eb54d1980067cb89419f38731cca1b30a13 Mon Sep 17 00:00:00 2001 From: Daniel Kantor Date: Mon, 4 Aug 2025 13:26:00 +0200 Subject: [PATCH 07/13] fix docker arguments --- bin/ephemeral/thv.sh | 14 +------------- package.json | 1 + 2 files changed, 2 insertions(+), 13 deletions(-) diff --git a/bin/ephemeral/thv.sh b/bin/ephemeral/thv.sh index df71be6b..a79786bd 100755 --- a/bin/ephemeral/thv.sh +++ b/bin/ephemeral/thv.sh @@ -4,23 +4,11 @@ set -euo pipefail SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" ROOT_DIR="$(cd "${SCRIPT_DIR}/.." && pwd)" -PORT=8080 -for (( i=1; i<=$#; i++ )); do - arg="${!i}" - case "$arg" in - --port=*) PORT="${arg#--port=}" ;; - --port) - next=$((i+1)) - if (( next <= $# )); then PORT="${!next}"; fi - ;; - esac -done - ( cd "${ROOT_DIR}" docker run --privileged --rm -it \ - -p ${PORT}:${PORT} \ + --network host \ -v "${ROOT_DIR}:/workspace" \ -w /workspace \ thv-containerized thv "$@" diff --git a/package.json b/package.json index cc50d147..85dd0cc2 100644 --- a/package.json +++ b/package.json @@ -10,6 +10,7 @@ }, "scripts": { "start": "electron-forge start", + "start:ephemeral": "BIN_NAME='thv.sh' BIN_ARCH='ephemeral' electron-forge start", "e2e": "tsc -b --clean && tsc -b && electron-forge package && BIN_NAME='thv.sh' BIN_ARCH='ephemeral' playwright test", "start:mockUpdate": "MOCK_UPDATE_SERVER=true ELECTRON_IS_DEV=0 electron-forge start", "package": "tsc -b --clean && tsc -b && electron-forge package", 
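Review bot: `BIN_NAME='thv.sh' BIN_ARCH='ephemeral' playwright test` relies on POSIX-shell inline environment assignment, so `npm run e2e` will not work from cmd.exe or PowerShell even though `toolhive-manager.ts` keeps a `thv.exe` fallback for win32. If Windows developers are expected to run the suite, set the variables from a small Node launcher or the Playwright configuration instead of shell syntax. The same form is repeated by `start:ephemeral` in PATCH 07.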
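Review bot: `--network host` on an already `--privileged` container removes the last piece of isolation the e2e sandbox had: the inner thv, and anything it launches, now listens directly in the host network namespace, reachable by every process on the machine, and a port collision with a host process fails the run. If the Electron app only needs to reach thv on a known port, publish that port to loopback instead (`-p "127.0.0.1:${PORT}:${PORT}"`, keeping the `--port` scan this hunk deletes); if host networking is genuinely required, add a comment above the flag saying why.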
From 7f6dcebf5b815d5b468c1fadf71e14eeeedf0d06 Mon Sep 17 00:00:00 2001 From: Daniel Kantor Date: Mon, 4 Aug 2025 15:18:48 +0200 Subject: [PATCH 08/13] add delay to start_thv --- bin/ephemeral/thv.sh | 3 ++- main/src/toolhive-manager.ts | 3 +++ 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/bin/ephemeral/thv.sh b/bin/ephemeral/thv.sh index a79786bd..bed0752b 100755 --- a/bin/ephemeral/thv.sh +++ b/bin/ephemeral/thv.sh @@ -1,5 +1,6 @@ #!/usr/bin/env bash set -euo pipefail +set -x SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" ROOT_DIR="$(cd "${SCRIPT_DIR}/.." && pwd)" @@ -7,7 +8,7 @@ ROOT_DIR="$(cd "${SCRIPT_DIR}/.." && pwd)" ( cd "${ROOT_DIR}" - docker run --privileged --rm -it \ + docker run --privileged --rm -i \ --network host \ -v "${ROOT_DIR}:/workspace" \ -w /workspace \ diff --git a/main/src/toolhive-manager.ts b/main/src/toolhive-manager.ts index be0c7511..c3fd4e50 100644 --- a/main/src/toolhive-manager.ts +++ b/main/src/toolhive-manager.ts @@ -7,6 +7,7 @@ import type { Tray } from 'electron' import { updateTrayStatus } from './system-tray' import log from './logger' import * as Sentry from '@sentry/electron/main' +import { delay } from '../../utils/delay' // Use environment variables for binary customization with Windows fallback const binName = @@ -67,6 +68,8 @@ export async function startToolhive(tray?: Tray): Promise { } ) + await delay(4000) + log.info(`[startToolhive] Process spawned with PID: ${toolhiveProcess.pid}`) if (tray) { From 912acfc193c0a62156fd929b1e273cf12d8ff4c0 Mon Sep 17 00:00:00 2001 From: Daniel Kantor Date: Mon, 4 Aug 2025 17:10:24 +0200 Subject: [PATCH 09/13] set up secret provider --- bin/Dockerfile | 8 ++++++++ bin/ephemeral/entrypoint.sh | 10 ++++++++++ 2 files changed, 18 insertions(+) diff --git a/bin/Dockerfile b/bin/Dockerfile index bad511e2..aca2402b 100644 --- a/bin/Dockerfile +++ b/bin/Dockerfile 
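Review bot: `set -x` traces every command to stderr, including the full `docker run` line and whatever arguments Electron passes through `thv "$@"`, so any secret handed to thv on its command line ends up in the test logs; make it opt-in, e.g. `[ "${THV_SH_TRACE:-}" = 1 ] && set -x` (variable name illustrative), or drop it before merge. Changing `-it` to `-i` in the second hunk is right for a non-TTY spawn from Electron and deserves a one-line comment so nobody restores `-t`.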
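Review bot: `await delay(4000)` sits on the common path of `startToolhive`, so every production launch now waits four seconds after the spawn, not only the ephemeral e2e runs that need the inner dockerd to come up, and a fixed delay is still a race on a slow CI host. As a stopgap gate it on the override, `if (process.env.BIN_ARCH === 'ephemeral') await delay(4000)`, and longer term poll until the port recorded in `toolhivePort` accepts a connection instead of sleeping. `startToolhive` starts before and ends after this hunk.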
@@ -1,4 +1,12 @@ FROM docker:dind + +RUN apk add --no-cache dbus dbus-x11 gnome-keyring libsecret + +ENV XDG_CURRENT_DESKTOP=GNOME \ + XDG_SESSION_DESKTOP=gnome \ + DESKTOP_SESSION=gnome \ + # a writable runtime dir (glib falls back to /tmp if this is unset) + XDG_RUNTIME_DIR=/tmp/xdg-runtime ENV DOCKER_HOST=unix:///var/run/docker.sock COPY --chmod=755 linux-x64/thv /usr/local/bin/thv diff --git a/bin/ephemeral/entrypoint.sh b/bin/ephemeral/entrypoint.sh index 926b7477..8be02548 100644 --- a/bin/ephemeral/entrypoint.sh +++ b/bin/ephemeral/entrypoint.sh @@ -1,6 +1,16 @@ #!/bin/sh set -e +: "${XDG_RUNTIME_DIR:=/tmp/xdg-runtime}" +mkdir -p "$XDG_RUNTIME_DIR" +chmod 700 "$XDG_RUNTIME_DIR" +eval "$(dbus-launch --sh-syntax --exit-with-session)" +trap 'kill "$DBUS_SESSION_BUS_PID"' EXIT # tidy up on shutdown +eval "$(gnome-keyring-daemon --start --components=secrets,ssh,pkcs11)" +if ! secret-tool lookup sentinel sentinel 2>/dev/null; then + printf '\n' | secret-tool store --label init sentinel sentinel || true +fi + /usr/local/bin/dockerd-entrypoint.sh & until docker info >/dev/null 2>&1; do sleep 0.5; done From 7117a491807f2bb5f91583083e0cf6311c464de5 Mon Sep 17 00:00:00 2001 From: Daniel Kantor Date: Tue, 5 Aug 2025 15:03:14 +0200 Subject: [PATCH 10/13] attempt to fix keyring --- bin/ephemeral/entrypoint.sh | 48 ++++++++++++++++++++++++++++++------- bin/ephemeral/thv.sh | 6 +++-- 2 files changed, 43 insertions(+), 11 deletions(-) diff --git a/bin/ephemeral/entrypoint.sh b/bin/ephemeral/entrypoint.sh index 8be02548..b74d724b 100644 --- a/bin/ephemeral/entrypoint.sh +++ b/bin/ephemeral/entrypoint.sh 
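Review bot: `apk add --no-cache dbus dbus-x11 gnome-keyring libsecret` is unpinned, so the keyring stack the tests depend on can change under a rebuild (hadolint DL3018); pin each package as `name=version-rN` and bump deliberately. `XDG_RUNTIME_DIR=/tmp/xdg-runtime` lives under world-writable `/tmp` and is only safe because the entrypoint `chmod 700`s it before the session bus socket is created there; state that dependency in the comment on that ENV line.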
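Review bot: `trap 'kill "$DBUS_SESSION_BUS_PID"' EXIT` can never run, because the script ends with `exec "$@"`, which replaces the shell without firing EXIT traps; either drop the trap (container teardown reaps the bus anyway) or keep the shell as parent and `wait` on the child. The initial `secret-tool store` also swallows failure via `|| true`, so a keyring that did not start is only discovered when thv later tries to use it; at least log the failure. PATCH 10 re-introduces the same trap-before-exec pattern.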
@@ -1,17 +1,47 @@ -#!/bin/sh -set -e +#!/usr/bin/env sh +set -eu -: "${XDG_RUNTIME_DIR:=/tmp/xdg-runtime}" +export CI=true + +############################################################################### +# 0. Runtime dir for D-Bus +############################################################################### +export XDG_RUNTIME_DIR=/tmp/xdg-runtime mkdir -p "$XDG_RUNTIME_DIR" chmod 700 "$XDG_RUNTIME_DIR" -eval "$(dbus-launch --sh-syntax --exit-with-session)" -trap 'kill "$DBUS_SESSION_BUS_PID"' EXIT # tidy up on shutdown -eval "$(gnome-keyring-daemon --start --components=secrets,ssh,pkcs11)" -if ! secret-tool lookup sentinel sentinel 2>/dev/null; then - printf '\n' | secret-tool store --label init sentinel sentinel || true -fi +############################################################################### +# 1. Session D-Bus (no dbus-run-session needed) +############################################################################### +dbus-daemon --session \ + --address="unix:path=$XDG_RUNTIME_DIR/bus.sock" \ + --nopidfile --nofork & +DBUS_SESSION_BUS_PID=$! +export DBUS_SESSION_BUS_ADDRESS="unix:path=$XDG_RUNTIME_DIR/bus.sock" +trap 'kill "$DBUS_SESSION_BUS_PID"' EXIT + +############################################################################### +# 2. Start + unlock gnome-keyring (prints env; we eval it) +# • empty password (printf '\n') ⇒ unlocked +# • forks once, but that’s fine outside dbus-run-session +############################################################################### +eval "$(printf '\n' | gnome-keyring-daemon \ + --unlock \ + --components=secrets,ssh)" +# ↑ prints GNOME_KEYRING_CONTROL, SSH_AUTH_SOCK, etc. + +# Ensure the collection exists (idempotent) +printf '\n' | secret-tool store --label init sentinel sentinel || true +echo "✅ GNOME Keyring is running and unlocked." + +############################################################################### +# 3. 
Start Docker-in-Docker daemon in background +############################################################################### /usr/local/bin/dockerd-entrypoint.sh & until docker info >/dev/null 2>&1; do sleep 0.5; done +echo "🐳 Inner Docker daemon is ready." +############################################################################### +# 4. Hand control to *your* command +############################################################################### exec "$@" diff --git a/bin/ephemeral/thv.sh b/bin/ephemeral/thv.sh index bed0752b..73bfe9ee 100755 --- a/bin/ephemeral/thv.sh +++ b/bin/ephemeral/thv.sh @@ -7,8 +7,10 @@ ROOT_DIR="$(cd "${SCRIPT_DIR}/.." && pwd)" ( cd "${ROOT_DIR}" - - docker run --privileged --rm -i \ + docker run --privileged \ + --cap-drop=SETPCAP \ + --cap-add=IPC_LOCK \ + --rm -i \ --network host \ -v "${ROOT_DIR}:/workspace" \ -w /workspace \ From 65604564d16b1694fa5c99c2166ac3f26b67f404 Mon Sep 17 00:00:00 2001 From: Daniel Kantor Date: Tue, 5 Aug 2025 15:28:56 +0200 Subject: [PATCH 11/13] . --- bin/ephemeral/entrypoint.sh | 43 ++++--------------------------------- 1 file changed, 4 insertions(+), 39 deletions(-) diff --git a/bin/ephemeral/entrypoint.sh b/bin/ephemeral/entrypoint.sh index b74d724b..6943289b 100644 --- a/bin/ephemeral/entrypoint.sh +++ b/bin/ephemeral/entrypoint.sh 
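Review bot: `--cap-drop=SETPCAP` and `--cap-add=IPC_LOCK` appear to be no-ops next to `--privileged`: as far as I know Docker grants the full capability set to privileged containers and ignores add/drop lists, so the hunk records an intent (limit capability changes, allow mlock for the keyring) that is not enforced. If least privilege is the goal, the real lever is running the inner daemon without `--privileged` (the rootless image PATCH 01 started from); otherwise remove the two flags or add a comment that they are aspirational. The `docker run` invocation continues beyond the hunk.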
@@ -3,45 +3,10 @@ set -eu export CI=true -############################################################################### -# 0. Runtime dir for D-Bus -############################################################################### -export XDG_RUNTIME_DIR=/tmp/xdg-runtime -mkdir -p "$XDG_RUNTIME_DIR" -chmod 700 "$XDG_RUNTIME_DIR" - -############################################################################### -# 1. Session D-Bus (no dbus-run-session needed) -############################################################################### -dbus-daemon --session \ - --address="unix:path=$XDG_RUNTIME_DIR/bus.sock" \ - --nopidfile --nofork & -DBUS_SESSION_BUS_PID=$! -export DBUS_SESSION_BUS_ADDRESS="unix:path=$XDG_RUNTIME_DIR/bus.sock" -trap 'kill "$DBUS_SESSION_BUS_PID"' EXIT - -############################################################################### -# 2. Start + unlock gnome-keyring (prints env; we eval it) -# • empty password (printf '\n') ⇒ unlocked -# • forks once, but that’s fine outside dbus-run-session -############################################################################### -eval "$(printf '\n' | gnome-keyring-daemon \ - --unlock \ - --components=secrets,ssh)" -# ↑ prints GNOME_KEYRING_CONTROL, SSH_AUTH_SOCK, etc. - -# Ensure the collection exists (idempotent) -printf '\n' | secret-tool store --label init sentinel sentinel || true -echo "✅ GNOME Keyring is running and unlocked." - -############################################################################### -# 3. Start Docker-in-Docker daemon in background -############################################################################### /usr/local/bin/dockerd-entrypoint.sh & until docker info >/dev/null 2>&1; do sleep 0.5; done -echo "🐳 Inner Docker daemon is ready." +echo "🐳 Docker-in-Docker daemon is ready." + +echo "none" | thv secret setup -############################################################################### -# 4. 
Hand control to *your* command -############################################################################### -exec "$@" +exec "$@" From 0825ff68951e89bcbf071f79aa94be9cbd6c6bf8 Mon Sep 17 00:00:00 2001 From: Daniel Kantor Date: Wed, 6 Aug 2025 12:08:09 +0200 Subject: [PATCH 12/13] . --- bin/Dockerfile | 3 +++ bin/ephemeral/entrypoint.sh | 17 +++++++++++++++-- bin/ephemeral/thv.sh | 1 + 3 files changed, 19 insertions(+), 2 deletions(-) diff --git a/bin/Dockerfile b/bin/Dockerfile index aca2402b..22f3effa 100644 --- a/bin/Dockerfile +++ b/bin/Dockerfile @@ -2,6 +2,9 @@ FROM docker:dind RUN apk add --no-cache dbus dbus-x11 gnome-keyring libsecret +# Remove file capabilities that trigger GLib's security hardening (GLib 2.70+) +RUN setcap -r /usr/bin/gnome-keyring-daemon 2>/dev/null || true + ENV XDG_CURRENT_DESKTOP=GNOME \ XDG_SESSION_DESKTOP=gnome \ DESKTOP_SESSION=gnome \ diff --git a/bin/ephemeral/entrypoint.sh b/bin/ephemeral/entrypoint.sh index 6943289b..f85e3426 100644 --- a/bin/ephemeral/entrypoint.sh +++ b/bin/ephemeral/entrypoint.sh @@ -7,6 +7,19 @@ export CI=true until docker info >/dev/null 2>&1; do sleep 0.5; done echo "🐳 Docker-in-Docker daemon is ready." -echo "none" | thv secret setup +# Ensure runtime dirs exist and are secure +mkdir -p /tmp/xdg-runtime/keyring +chmod 700 /tmp/xdg-runtime /tmp/xdg-runtime/keyring -exec "$@" +# Start a DBus session and gnome-keyring-daemon in the same shell +eval "$(dbus-launch --sh-syntax)" +export XDG_RUNTIME_DIR=/tmp/xdg-runtime + +# Start gnome-keyring-daemon and unlock it with a default password +echo "default-password" | gnome-keyring-daemon --unlock --components=secrets,ssh & +sleep 2 + +# Export the keyring environment variables +export GNOME_KEYRING_CONTROL GNOME_KEYRING_PID + +exec "$@" diff --git a/bin/ephemeral/thv.sh b/bin/ephemeral/thv.sh index 73bfe9ee..8654717e 100755 --- a/bin/ephemeral/thv.sh +++ b/bin/ephemeral/thv.sh 
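Review bot: `RUN setcap -r /usr/bin/gnome-keyring-daemon 2>/dev/null || true` hides every failure mode — `setcap` missing from the image (the `apk add` line above installs no capability tools, and I cannot tell whether the base provides it), the binary living elsewhere, or it having no file capabilities to begin with — so the GLib-hardening workaround the comment describes may silently not apply. Make the step verifiable: install the package that provides `setcap` alongside the keyring packages and let the command fail, or replace `|| true` with a `getcap` check that prints what remains. The why-comment added here is the only explanation of the step; keep it rather than deleting it in PATCH 13.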
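Review bot: `export GNOME_KEYRING_CONTROL GNOME_KEYRING_PID` exports variables this shell never set: `gnome-keyring-daemon --unlock` is backgrounded with `&`, so the `VAR=value` lines it prints (which PATCH 10 captured with `eval "$(…)"`) go to stdout and are lost, and the thv started by `exec "$@"` receives no keyring control path. Restore the capture, `eval "$(echo "default-password" | gnome-keyring-daemon --unlock --components=secrets,ssh)"`, which also removes the need for the fixed `sleep 2` that will race on a slow CI host. The unlock password is hard-coded, which is acceptable for a throwaway test container but should be stated in a comment, and `dbus-launch` without `--exit-with-session` leaves the bus running after thv exits, which only `--rm` cleans up.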
@@ -10,6 +10,7 @@ ROOT_DIR="$(cd "${SCRIPT_DIR}/.." && pwd)" docker run --privileged \ --cap-drop=SETPCAP \ --cap-add=IPC_LOCK \ + --tmpfs /run \ --rm -i \ --network host \ -v "${ROOT_DIR}:/workspace" \ From 72010e38d103b724614c222756ff55c8cb1d0b5d Mon Sep 17 00:00:00 2001 From: Daniel Kantor Date: Wed, 6 Aug 2025 15:12:02 +0200 Subject: [PATCH 13/13] cleanup --- bin/Dockerfile | 1 - bin/ephemeral/entrypoint.sh | 4 ---- 2 files changed, 5 deletions(-) diff --git a/bin/Dockerfile b/bin/Dockerfile index 22f3effa..7e36d084 100644 --- a/bin/Dockerfile +++ b/bin/Dockerfile @@ -2,7 +2,6 @@ FROM docker:dind RUN apk add --no-cache dbus dbus-x11 gnome-keyring libsecret -# Remove file capabilities that trigger GLib's security hardening (GLib 2.70+) RUN setcap -r /usr/bin/gnome-keyring-daemon 2>/dev/null || true ENV XDG_CURRENT_DESKTOP=GNOME \ diff --git a/bin/ephemeral/entrypoint.sh b/bin/ephemeral/entrypoint.sh index f85e3426..9c46426e 100644 --- a/bin/ephemeral/entrypoint.sh +++ b/bin/ephemeral/entrypoint.sh @@ -7,19 +7,15 @@ export CI=true until docker info >/dev/null 2>&1; do sleep 0.5; done echo "🐳 Docker-in-Docker daemon is ready." -# Ensure runtime dirs exist and are secure mkdir -p /tmp/xdg-runtime/keyring chmod 700 /tmp/xdg-runtime /tmp/xdg-runtime/keyring -# Start a DBus session and gnome-keyring-daemon in the same shell eval "$(dbus-launch --sh-syntax)" export XDG_RUNTIME_DIR=/tmp/xdg-runtime -# Start gnome-keyring-daemon and unlock it with a default password echo "default-password" | gnome-keyring-daemon --unlock --components=secrets,ssh & sleep 2 -# Export the keyring environment variables export GNOME_KEYRING_CONTROL GNOME_KEYRING_PID exec "$@"