fix(ssh): survive read-only ~/.ssh ControlPath; render sidecar on all host OSes
Publish Docker Image / smoke (push) Successful in 3m22s
Publish Docker Image / smoke-studio (push) Successful in 3m42s
Publish Docker Image / build-variant (push) Successful in 15m29s
Publish Docker Image / update-description (push) Successful in 11s
Publish Docker Image / build-variant-studio (push) Successful in 16m49s
Publish Docker Image / promote-base-latest (push) Successful in 14s
Publish Docker Image / resolve-versions (push) Successful in 8s
Publish Docker Image / base-decide (push) Successful in 8s
Publish Docker Image / build-base (push) Successful in 33m44s
Publish Docker Image / smoke (push) Successful in 3m22s
Publish Docker Image / smoke-studio (push) Successful in 3m42s
Publish Docker Image / build-variant (push) Successful in 15m29s
Publish Docker Image / update-description (push) Successful in 11s
Publish Docker Image / build-variant-studio (push) Successful in 16m49s
Publish Docker Image / promote-base-latest (push) Successful in 14s
Publish Docker Image / resolve-versions (push) Successful in 8s
Publish Docker Image / base-decide (push) Successful in 8s
Publish Docker Image / build-base (push) Successful in 33m44s
Coordinated with the pi-extensions ssh-controlmaster fix (picked up at build via PI_EXTENSIONS_REF=main), this makes `pi --ssh <host>` and `dssh`/`dscp` robust to a user ~/.ssh/config whose per-host ControlPath points under the read-only ~/.ssh bind-mount (e.g. `ControlPath ~/.ssh/cm/%r@%h:%p`). A system default can never override a user's per-host value, so the fix lives in two layers. - setup-lan-access.sh: always render the writable ~/.ssh-local/config sidecar (Host * ControlPath redirect into ~/.ssh-local/cm + Include ~/.ssh/config) on EVERY host OS. Previously the script exited early (no-op) on native Linux, leaving dssh/dscp broken when ~/.ssh was read-only there too. The host-jump block, its key generation, and the authorize hints stay gated on VM-backed detection / DEVBOX_LAN_ACCESS=jump (new NEED_JUMP flag). - Dockerfile.base: document that the /etc/ssh drop-in default cannot override a user per-host ControlPath; cross-ref the two handling layers. - entrypoint-user.sh: correct the now-stale "no-op on native Linux" comment. - README.md / DOCKER_HUB.md: document read-only-~/.ssh ControlPath handling. CHANGELOG: v1.1.5 (Fixed + Changed + pi 0.79.6 -> 0.79.7 auto-resolved bump).
This commit is contained in:
Joakim Persson
@@ -13,6 +13,57 @@ Pre-v1.0.0 tags followed the pi npm version (`v{pi_version}[letter]`).
|
||||
|
||||
## Unreleased
|
||||
|
||||
## v1.1.5 — 2026-06-18
|
||||
|
||||
Patch release: SSH ControlMaster read-only-socket fix + pi `0.79.6` → `0.79.7`
|
||||
(auto-resolved at build). The `pi-extensions` ref is auto-resolved to `main`
|
||||
HEAD at build, so the `ssh-controlmaster` fix below lands automatically.
|
||||
|
||||
### Fixed
|
||||
|
||||
- **`pi --ssh <host>` no longer fails with "Read-only file system" when the
|
||||
user's `~/.ssh/config` sets a per-host `ControlPath` under the read-only
|
||||
`~/.ssh` mount** (e.g. the common CGNAT idiom `ControlPath ~/.ssh/cm/%r@%h:%p`).
|
||||
Root cause: SSH precedence means a user's per-host `ControlPath` always wins
|
||||
over the baked `/etc/ssh/ssh_config.d` default, so the master socket tried to
|
||||
bind under the RO `~/.ssh` and `ssh … pwd` exited 255 ("Could not resolve
|
||||
remote pwd"). The `ssh-controlmaster` extension (pulled from `pi-extensions`
|
||||
`main` via `PI_EXTENSIONS_REF`) now (a) resolves the remote pwd with a direct
|
||||
connection (`-o ControlPath=none -o ControlMaster=no`), and (b) tests whether
|
||||
the system `ControlPath` dir is actually writable — falling back to its own
|
||||
`/tmp` master (whose command-line `-o ControlPath` overrides the user's path)
|
||||
when it is not. OS-agnostic and independent of whether the user uses
|
||||
ControlMaster, so the majority of configs (no ControlMaster at all) are
|
||||
unaffected.
|
||||
|
||||
### Changed
|
||||
|
||||
- **`setup-lan-access.sh` now renders the writable SSH sidecar
|
||||
(`~/.ssh-local/config`) on every host OS, not just VM-backed ones.**
|
||||
Previously the whole script no-oped on native Linux, so a Linux host that
|
||||
also bind-mounts `~/.ssh` read-only got no `ControlPath` redirect. The
|
||||
`ControlPath` redirect + `Include ~/.ssh/config` (and `dssh`/`dscp` usability)
|
||||
now work on Linux too; only the host-jump block (`Host host mac`), its key
|
||||
generation, and the authorize hints remain gated on VM-backed detection
|
||||
(`DEVBOX_LAN_ACCESS=auto`) or `=jump`.
|
||||
|
||||
### Bumped: pi 0.79.6 → 0.79.7
|
||||
|
||||
Notable upstream changes (from [pi releases](https://github.com/earendil-works/pi/releases/tag/v0.79.7)):
|
||||
|
||||
- **Automatic theme mode** — `/settings` can choose separate light and dark
|
||||
themes and follow terminal color-scheme changes (`/` is now reserved in
|
||||
theme names for this).
|
||||
- **Self-only `pi update` by default** — bare `pi update` updates pi only;
|
||||
`pi update --all` updates pi and packages together.
|
||||
- **Extension API helpers** — `CONFIG_DIR_NAME` exported so extensions resolve
|
||||
project config paths without hardcoding `.pi`; edit-diff helpers
|
||||
(`generateDiffString`, `generateUnifiedPatch`, `EditDiffResult`) exported.
|
||||
- **Warp inline images** via Kitty graphics capability detection.
|
||||
- Fixes: RPC unknown-command errors now include the request id (clients no
|
||||
longer hang); `/model` autocomplete matches provider/model regardless of
|
||||
token order; tree navigator horizontally pans deep entries.
|
||||
|
||||
## v1.1.4 — 2026-06-17
|
||||
|
||||
Patch release: config and shell-quality fixes on a preserved volume. No pi
|
||||
|
||||
Reference in New Issue
Block a user