Commit 2a0af43

fix(docker): remove noisy root-drop log from CLI launcher (#1342)

* fix(docker): remove noisy root-drop log from CLI launcher

  The ADR-004 self-drop echo fires on every `netclaw` invocation via `kubectl exec` / `docker exec`, cluttering interactive sessions with a message the operator already expects. The drop itself is unchanged.

* fix(docker): update ADR-004 smoke test to not depend on stderr breadcrumb

  Phase B (file-ownership check) already proves the root-drop works. Remove the Phase A stderr assertion that required the noisy echo, and the now-vacuous Phase C negative assertion. The error-signature belt-and-suspenders check is retained.

1 parent 8b62cd5 commit 2a0af43

2 files changed

Lines changed: 3 additions & 13 deletions

docker/netclaw-cli-launcher.sh

Lines changed: 0 additions & 1 deletion
@@ -26,7 +26,6 @@ set -eu
2626
REAL=/opt/netclaw/cli/netclaw
2727

2828
if [ "$(id -u)" = 0 ]; then
29-
echo "[netclaw] invoked as root; dropping to the 'netclaw' user (ADR-004)." >&2
3029
export HOME=/home/netclaw
3130
exec gosu netclaw "$REAL" "$@"
3231
fi
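
Review bot: in the visible lines the removed echo was the only text inside the `if [ "$(id -u)" = 0 ]` branch that named ADR-004, so the branch now re-execs through `gosu` with no in-code explanation of why. Consider a one-line shell comment above `export HOME=/home/netclaw` pointing at ADR-004. If operators still need to confirm the drop when troubleshooting, the message could be printed only when an opt-in debug variable is set instead of on every invocation.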

scripts/docker/test-nonroot-cli.sh

Lines changed: 3 additions & 12 deletions
@@ -15,9 +15,8 @@
1515
# breakage path — a root `docker exec -- netclaw <cmd>` — and asserts:
1616
#
1717
# Phase A — a root-context CLI invocation succeeds and drops to netclaw:
18-
# `docker exec` (default user = root) running `netclaw --version` must exit 0,
19-
# print a version (NOT the EACCES bundle-extraction error), and emit the
20-
# launcher's drop breadcrumb on stderr (proving it re-execed as netclaw).
18+
# `docker exec` (default user = root) running `netclaw --version` must exit 0
19+
# and print a version (NOT the EACCES bundle-extraction error).
2120
#
2221
# Phase B — it leaves NOTHING root-owned under the netclaw home:
2322
# After root-context CLI runs (incl. the offline `doctor`, which touches
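
Review bot: the Phase A heading on line 17 still reads "succeeds and drops to netclaw", but the reworded lines 18-19 only require exit 0 and a version string, so the header comment now promises more than Phase A verifies. Suggest trimming the heading to "succeeds" and saying in the Phase B paragraph that the ownership check is what proves the drop.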
@@ -87,13 +86,8 @@ echo " stdout: $out (rc=$rc)"
8786
[[ "$rc" -eq 0 ]] || fail "root 'netclaw --version' exited $rc (the bundle-extraction EACCES regression?)"
8887
echo "$out" | grep -qi 'netclaw' || fail "root 'netclaw --version' did not print a version: $out"
8988

90-
# stderr must carry the launcher's drop breadcrumb -> proves it re-execed as netclaw.
91-
err="$(docker exec "$CONTAINER" netclaw --version 2>&1 1>/dev/null)" || true
92-
echo " stderr: $err"
93-
echo "$err" | grep -qi "dropping to the 'netclaw' user" \
94-
|| fail "launcher did not report dropping to the netclaw user — is /usr/local/bin/netclaw still the self-dropping launcher?"
95-
9689
# Belt-and-suspenders: the failure mode's signature must never appear.
90+
err="$(docker exec "$CONTAINER" netclaw --version 2>&1 1>/dev/null)" || true
9791
if echo "$out $err" | grep -qiE 'Failed to create directory|Error code: 13|Failure processing application bundle'; then
9892
fail "bundle-extraction failure signature present — root CLI was not dropped"
9993
fi
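
Review bot: the `echo " stderr: $err"` diagnostic is dropped together with the breadcrumb assertion, so when the signature grep at new line 91 fails the log shows stdout but not the stderr that tripped it. Suggest keeping that echo next to the retained `err=` capture at new line 90, or appending `$err` to the fail message. A short comment that the `|| true` on the capture is deliberate would also help, since this second `docker exec` runs only to collect stderr and the exit code was already checked on the first invocation.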
@@ -113,9 +107,6 @@ echo "==> Phase C: 'docker exec -u netclaw -- netclaw --version' (no double drop
113107
rc=0
114108
cout="$(docker exec -u netclaw "$CONTAINER" netclaw --version 2>/dev/null)" || rc=$?
115109
[[ "$rc" -eq 0 ]] || fail "'netclaw --version' as the netclaw user exited $rc"
116-
cerr="$(docker exec -u netclaw "$CONTAINER" netclaw --version 2>&1 1>/dev/null)" || true
117-
echo "$cerr" | grep -qi "dropping to the 'netclaw' user" \
118-
&& fail "launcher dropped privileges even though it was already the netclaw user (should exec directly)"
119110
assert_no_root_owned "Phase C"
120111

121112
# ── Phase D: daemon still healthy after all the exec traffic ─────────────────
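
Review bot: the Phase C banner quoted in the hunk header still says "(no double drop", yet with the `cerr` check removed Phase C asserts only the exit code and `assert_no_root_owned`, and neither detects a second drop. Either reword the banner to match what is checked, or replace the stderr grep with a check that does not rely on the launcher's output.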
