docs: per-host ControlPath under ~/.ssh breaks pi --ssh (read-only mount)
The bind-mounted ~/.ssh/config is read before the baked Host * default and SSH uses the first ControlPath it sees. A per-host block pointing ControlPath under ~/.ssh/ (CGNAT-multiplexing pattern) wins but fails in-container because ~/.ssh is read-only, silently breaking pi --ssh <host> (falls back to local tools). Documented the host-side fix: drop the override or repoint at the writable /tmp/sshcm/. README + CHANGELOG only, no image change.
@@ -8,6 +8,19 @@ Tags follow `v{opencode_version}[letter]` — bare tag for the first build on a
|
||||
|
||||
## Unreleased
|
||||
|
||||
### Docs: per-host `ControlPath` overrides break `pi --ssh` (read-only `~/.ssh`)
|
||||
|
||||
Documented a gotcha in the README "Reaching your LAN" section: the bind-mounted
|
||||
`~/.ssh/config` is read before the baked `Host *` default, and SSH uses the
|
||||
first `ControlPath` it sees. A per-host block that sets `ControlPath` under
|
||||
`~/.ssh/` (a common CGNAT-multiplexing pattern, e.g. `~/.ssh/cm/%r@%h:%p`) wins
|
||||
but then fails inside the container because `~/.ssh` is mounted read-only — the
|
||||
master socket can't bind. This silently breaks `pi --ssh <host>`: the SSH layer
|
||||
fails and pi falls back to running its tools locally in the container. Fix is
|
||||
host-side — drop the per-host `ControlPath` or repoint it at the writable
|
||||
`/tmp/sshcm/%r@%h:%p` (works on both host and container, preserves multiplexing).
|
||||
No image change; documentation only.
|
||||
|
||||
### Fixed: validate.yml false-negative on fork/recall registration checks
|
||||
|
||||
The push-to-main `validate.yml` builds variants FROM the published `base-latest`
|
||||
|
||||
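Review bot: the "Fix is host-side" sentence recommends `/tmp/sshcm/%r@%h:%p` without saying that `/tmp/sshcm` must already exist on the host and be private to the user. ssh does not create the ControlPath directory, /tmp is often cleared on reboot, and ssh_config(5) recommends keeping control sockets in a directory that other users cannot write to. Suggest adding that the host needs a user-owned, mode 0700 `/tmp/sshcm`. Because the failure is described as silent, the entry could also give a way to confirm which value wins, for example `ssh -G <host> | grep -i controlpath`.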