From f4e759c07ac47de165fa590a7b439bb68c6dc7ca Mon Sep 17 00:00:00 2001
From: Jason Woltje
Date: Sun, 15 Feb 2026 00:13:57 -0600
Subject: [PATCH] fix(devops): bypass OpenBao base entrypoint to prevent dev-mode flags

The base openbao image's docker-entrypoint.sh injects -dev-root-token-id and -dev-listen-address flags when it sees 'server' as $1, causing the server to exit immediately (code 0). Override entrypoint with dumb-init and call bao directly to avoid the dev-mode flag injection.

Co-Authored-By: Claude Opus 4.6
---
 docker-compose.openbao.yml | 3 ++-
 docker-compose.portainer.yml | 3 ++-
 docker-compose.swarm.yml | 3 ++-
 docker-compose.yml | 1 +
 docker/docker-compose.build.yml | 1 +
 docker/docker-compose.yml | 4 ++--
 6 files changed, 10 insertions(+), 5 deletions(-)
diff --git a/docker-compose.openbao.yml b/docker-compose.openbao.yml
index 5a56a00..d07e9dc 100644
--- a/docker-compose.openbao.yml
+++ b/docker-compose.openbao.yml
@@ -15,7 +15,8 @@ services:
 # ======================
 openbao:
 image: git.mosaicstack.dev/mosaic/stack-openbao:${IMAGE_TAG:-dev}
- command: server -config=/openbao/config/config.hcl
+ entrypoint: ["dumb-init", "--"]
+ command: ["bao", "server", "-config=/openbao/config/config.hcl"]
 environment:
 OPENBAO_ADDR: http://0.0.0.0:8200
 volumes:
diff --git a/docker-compose.portainer.yml b/docker-compose.portainer.yml
index fc40242..54430b4 100644
--- a/docker-compose.portainer.yml
+++ b/docker-compose.portainer.yml
@@ -27,7 +27,8 @@ services:
 openbao:
 image: git.mosaicstack.dev/mosaic/stack-openbao:${IMAGE_TAG:-dev}
 container_name: mosaic-openbao
- command: server -config=/openbao/config/config.hcl
+ entrypoint: ["dumb-init", "--"]
+ command: ["bao", "server", "-config=/openbao/config/config.hcl"]
 environment:
 OPENBAO_ADDR: http://0.0.0.0:8200
 ports:
diff --git a/docker-compose.swarm.yml b/docker-compose.swarm.yml
index 398e05a..69efcbf 100644
--- a/docker-compose.swarm.yml
+++ b/docker-compose.swarm.yml
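Review bot: Overriding the entrypoint at `entrypoint: ["dumb-init", "--"]` in docker-compose.openbao.yml skips everything docker-entrypoint.sh did, not only the dev-mode flag injection. If that script is also where the server is switched from root to an unprivileged account (common in Vault-derived images, not visible in this patch), `bao server` now runs as whatever user the image defaults to, possibly root. Consider pinning the account in the service, e.g. `user: "<uid>:<gid>"  # unprivileged account defined in the image`, and adding a comment above the override such as `# Bypasses docker-entrypoint.sh; any privilege drop or setup in that script no longer runs`. The same applies to the openbao service in the other five compose files of this patch; each service definition continues past its hunk, so a `user:` key may already exist outside the visible lines.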
@@ -84,7 +84,8 @@ services:
 # ======================
 openbao:
 image: git.mosaicstack.dev/mosaic/stack-openbao:${IMAGE_TAG:-latest}
- command: server -config=/openbao/config/config.hcl
+ entrypoint: ["dumb-init", "--"]
+ command: ["bao", "server", "-config=/openbao/config/config.hcl"]
 env_file: .env
 environment:
 OPENBAO_ADDR: http://0.0.0.0:8200
diff --git a/docker-compose.yml b/docker-compose.yml
index 036f6f6..e88da0a 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -269,6 +269,7 @@ services:
 environment:
 VAULT_ADDR: http://0.0.0.0:8200
 SKIP_SETCAP: "true"
+ entrypoint: ["dumb-init", "--"]
 command: ["bao", "server", "-config=/openbao/config/config.hcl"]
 cap_add:
 - IPC_LOCK
diff --git a/docker/docker-compose.build.yml b/docker/docker-compose.build.yml
index 9f60045..9a647a4 100644
--- a/docker/docker-compose.build.yml
+++ b/docker/docker-compose.build.yml
@@ -273,6 +273,7 @@ services:
 environment:
 VAULT_ADDR: http://0.0.0.0:8200
 SKIP_SETCAP: "true"
+ entrypoint: ["dumb-init", "--"]
 command: ["bao", "server", "-config=/openbao/config/config.hcl"]
 cap_add:
 - IPC_LOCK
diff --git a/docker/docker-compose.yml b/docker/docker-compose.yml
index c1fe544..465ecc1 100644
--- a/docker/docker-compose.yml
+++ b/docker/docker-compose.yml
@@ -82,8 +82,8 @@ services:
 environment:
 VAULT_ADDR: http://0.0.0.0:8200
 SKIP_SETCAP: "true"
- entrypoint: ["/bin/sh", "-c"]
- command: ["bao server -config=/openbao/config/config.hcl"]
+ entrypoint: ["dumb-init", "--"]
+ command: ["bao", "server", "-config=/openbao/config/config.hcl"]
 cap_add:
 - IPC_LOCK
 healthcheck:
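Review bot: The new `entrypoint`/`command` pair in docker-compose.swarm.yml resolves `dumb-init` and `bao` through PATH inside an image whose tag defaults to the mutable `latest` (`${IMAGE_TAG:-latest}`), so a rebuilt image can change or drop either binary without any change to this file. Absolute paths in the override plus a pinned tag or digest would make the startup command reproducible, e.g. `image: git.mosaicstack.dev/mosaic/stack-openbao@sha256:<digest>`. The binaries' locations are not visible in this patch and need to be confirmed against the image.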
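Review bot: `SKIP_SETCAP: "true"` directly above the added `entrypoint` in docker-compose.yml looks like a switch read by the image's docker-entrypoint.sh (inferred from the name; the script is not shown), and with that script bypassed it probably no longer has any effect. Leaving it beside `cap_add: IPC_LOCK` makes it hard to tell whether memory locking is actually in force for the server, which matters for keeping secrets out of swap. Either remove the variable or add a comment such as `# docker-entrypoint.sh is bypassed, so SKIP_SETCAP is no longer read`. The same leftover appears in docker/docker-compose.build.yml and docker/docker-compose.yml.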