
Conversation


@Traubert Traubert commented Jan 8, 2026

Various issues prevented the client commands from completing successfully. This branch at least makes things complete, though some things should still be fixed more correctly.

The essential changes at this point:

  • Add get_vault_client() helper to refresh JWT tokens before Vault operations (JWT SVIDs expire after 1h, Vault tokens after 24h)
    • I don't know how it was supposed to work before this
  • Change workload selector from docker:image_id: to unix:uid:0
    • The docker attestor wasn't working; all client containers run as root, so this will at least allow it to proceed. Not sure what's up with the attestor.
  • Add chmod 777 for SPIRE agent socket after creation so it can be used by the client
    • This was breaking SVID fetching. Not sure how it worked before.

- Add get_vault_client() helper to refresh JWT tokens before Vault operations
  (JWT SVIDs expire after 1h, Vault tokens after 24h)
- Change workload selector from docker:image_id: to unix:uid:0
  (Docker attestor not working, all client containers run as root)
- Add chmod 777 for SPIRE agent socket after creation
  (Fixes socket permission issues preventing SVID fetching)

These changes fix the client registration failures and allow data/container/job
preparation workflows to complete successfully.

Container building can somewhat confusingly fail when the sif image
already exists, or when the host /tmp ends up getting mounted to the
build container's /output. These are intended to avoid those problems
by default, and provide some configurability.
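The refresh logic the first bullet describes (re-fetch the JWT SVID and log in to Vault again only when the cached Vault token is about to expire, never with a stale SVID), as an added example that is not the PR's or the project's code. It assumes a Workload API call that returns a JWT SVID string and a Vault jwt-auth login that returns a client token plus its TTL; both are injected as callables, and the SVIDs, token strings and clock below are constructed so the example runs offline. The lifetimes (1h for the SVID, 24h for the Vault token) are taken from the PR description.

```python
import base64
import json
import time
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

JWT_SVID_LIFETIME = 3600       # JWT SVIDs expire after 1h (per the PR description)
VAULT_TOKEN_LIFETIME = 86400   # Vault tokens expire after 24h (per the PR description)
REFRESH_MARGIN = 60            # re-authenticate this many seconds before expiry


def _b64url_decode(data: str) -> bytes:
    """Decode unpadded base64url, as used in JWT segments."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def jwt_exp(token: str) -> int:
    """Read the `exp` claim of a JWT without verifying its signature.

    Only used to decide when to ask the Workload API for a fresh SVID; the
    signature is verified by Vault at login against the SPIRE trust bundle.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 dot-separated segments)")
    payload = json.loads(_b64url_decode(parts[1]))
    return int(payload["exp"])


@dataclass
class VaultSession:
    token: str          # Vault client token returned by the jwt auth login
    expires_at: float   # epoch seconds after which Vault rejects the token


class VaultClientCache:
    """Cache one Vault login; redo SVID fetch + login only when it is about to expire."""

    def __init__(self, fetch_jwt_svid: Callable[[], str],
                 vault_jwt_login: Callable[[str], Tuple[str, int]],
                 now: Callable[[], float] = time.time):
        self._fetch_jwt_svid = fetch_jwt_svid    # assumed: Workload API FetchJWTSVID wrapper
        self._vault_jwt_login = vault_jwt_login  # assumed: POST auth/jwt/login with the SVID
        self._now = now
        self._session: Optional[VaultSession] = None
        self.logins = 0                          # number of real logins, for the demo/test

    def get_vault_client(self) -> VaultSession:
        now = self._now()
        if self._session is not None and self._session.expires_at - REFRESH_MARGIN > now:
            return self._session                 # Vault token still good: no SVID needed
        svid = self._fetch_jwt_svid()
        if jwt_exp(svid) - REFRESH_MARGIN <= now:
            # The agent hands out fresh SVIDs; an expired one means a stale cache or a
            # clock problem, and Vault would reject the login anyway.
            raise RuntimeError("JWT SVID is expired or about to expire; refusing to log in")
        token, ttl = self._vault_jwt_login(svid)
        self._session = VaultSession(token=token, expires_at=now + ttl)
        self.logins += 1
        return self._session


# --- constructed, offline stand-ins for the SPIRE agent and Vault (not real services) ---

def make_fake_jwt_svid(exp: int, spiffe_id: str = "spiffe://example.org/client") -> str:
    """Build an unsigned JWT with the claims Vault's jwt auth reads. Constructed test data."""
    header = _b64url_encode(json.dumps({"alg": "ES256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps({"sub": spiffe_id, "aud": ["vault"], "exp": exp}).encode())
    return f"{header}.{payload}.{_b64url_encode(b'fake-signature')}"


class FakeClock:
    def __init__(self, t: float = 1_700_000_000.0):
        self.t = t

    def __call__(self) -> float:
        return self.t


def demo() -> dict:
    """First login, a cache hit after the SVID has expired, and a forced refresh a day later."""
    clock = FakeClock()
    fetch = lambda: make_fake_jwt_svid(exp=int(clock.t) + JWT_SVID_LIFETIME)
    login = lambda svid: (f"hvs.token-for-{jwt_exp(svid)}", VAULT_TOKEN_LIFETIME)
    cache = VaultClientCache(fetch, login, now=clock)

    first = cache.get_vault_client()
    clock.t += 2 * JWT_SVID_LIFETIME      # 2h later: the SVID is gone, the Vault token is not
    second = cache.get_vault_client()
    clock.t += VAULT_TOKEN_LIFETIME       # past the Vault token TTL: must fetch + log in again
    third = cache.get_vault_client()
    return {"logins": cache.logins,
            "cached_after_2h": first.token == second.token,
            "refreshed_after_24h": first.token != third.token}
```

The point of the split is that the short-lived SVID is only needed at login time; what the client keeps is the 24h Vault token, so a one-hour SVID lifetime never interrupts a running job as long as the cache checks the Vault token's own expiry before every operation.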


2 participants