Run entrypoint as root so it can access /.fly/api for OIDC token (#11658)
Merged
The www user (set by USER in the Dockerfile) can't access the /.fly/api Unix socket, which is owned by root. This caused the curl to return empty, producing a useless JSONDecodeError instead of the actual failure reason. Fix: remove USER www before ENTRYPOINT so the script starts as root, fetch the OIDC token, then drop to www via `su --preserve-environment` before exec'ing chamber or the app command. The token file is chown'd to www before the privilege drop so chamber can read AWS_WEB_IDENTITY_TOKEN_FILE.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Code Coverage Report: Only Changed Files listed
Purpose

Two problems, fixed together in this PR:

Problem 1: `www` user can't access `/.fly/api`

The previous PR (#11655) fixed the error message, which confirmed the root cause: the Unix socket is owned by root, and the container was running as `www`. `USER www` is removed from the Dockerfile before `ENTRYPOINT` so the script starts as root and can reach the socket. After fetching the OIDC token it drops to `www` via `su --preserve-environment`, and `chown`s the token file to `www` first so chamber can read it.

Problem 2: Fly's OIDC endpoint returns a raw JWT, not `{"token":"..."}` JSON

The Python one-liner was doing `json.load(sys.stdin)['token']` expecting a JSON object, but the endpoint returns the bare token string. Python failed with `JSONDecodeError`. The fix tries JSON-parse first and falls back to using the raw response as the token value, so it works with either format.

🤖 Generated with Claude Code
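As an added example (not the project's entrypoint), a minimal POSIX sh entrypoint that follows the flow described above: fetch the token as root, write it owner-only, hand it to `www`, drop privileges with `su --preserve-environment`, then exec the command; it also accepts either response shape from Problem 2 and rejects an empty body. Assumptions: util-linux `su`, the app user is `www`, and `FLY_OIDC_URL` plus the default token path are placeholders rather than Fly's actual endpoint.

```sh
#!/bin/sh
# Added example entrypoint, not the project's script. Assumes util-linux su, app user "www",
# curl over the root-owned /.fly/api socket, and "$@" being the chamber/app command.
# FLY_OIDC_URL and the default TOKEN_FILE path are placeholders, not Fly's real values.
set -eu
APP_USER=${APP_USER:-www}
TOKEN_FILE=${AWS_WEB_IDENTITY_TOKEN_FILE:-/run/oidc/token}
FLY_OIDC_URL=${FLY_OIDC_URL:-http://localhost/PLACEHOLDER_OIDC_PATH}

# Accept either a bare JWT or {"token":"..."} and print the token; fail on anything else.
# The JSON branch is a minimal sed match for that one shape, not a general JSON parser.
extract_token() {
  case $1 in
    '{'*) token=$(printf '%s' "$1" | sed -n 's/.*"token"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p') ;;
    *)    token=$1 ;;
  esac
  # A JWT is three base64url segments joined by dots. Rejecting anything else makes the
  # empty body from a permission-denied socket fail here instead of deep inside chamber.
  case $token in ""|*[!A-Za-z0-9._-]*) return 1 ;; esac
  [ "$(printf '%s' "$token" | tr -cd . | wc -c | tr -d ' ')" = 2 ] || return 1
  printf '%s' "$token"
}

# Must run as root: the socket is root-owned, so as www curl returned an empty body.
# --fail turns HTTP errors into a non-zero exit rather than a silently empty response.
fetch_token() {
  curl --silent --show-error --fail --unix-socket /.fly/api "$FLY_OIDC_URL"
}

# Write the token owner-only, then give it to the app user so chamber can read
# AWS_WEB_IDENTITY_TOKEN_FILE after the privilege drop.
install_token_file() {
  mkdir -p "$(dirname "$TOKEN_FILE")"
  (umask 077; printf '%s' "$1" > "$TOKEN_FILE")
  chown "$APP_USER" "$TOKEN_FILE"
}

main() {
  if [ "$(id -u)" -ne 0 ]; then
    echo "entrypoint must start as root to reach /.fly/api" >&2; exit 1
  fi
  token=$(extract_token "$(fetch_token)") || { echo "OIDC endpoint did not return a token" >&2; exit 1; }
  install_token_file "$token"
  export AWS_WEB_IDENTITY_TOKEN_FILE="$TOKEN_FILE"
  # Drop to www for everything that follows. "--" keeps the app's own flags away from su;
  # the command rides in "$0" so the child shell execs it unchanged, with args intact.
  exec su --preserve-environment -s /bin/sh -c 'exec "$0" "$@"' -- "$APP_USER" "$@"
}
# Run only when invoked as the container entrypoint, so the functions can also be sourced.
if [ "$(basename "$0")" = entrypoint.sh ]; then main "$@"; fi
```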