Skip to content

fix(rpm): restore 0.0.0.0 bind address for Podman via default gateway.toml#1438

Merged
TaylorMutch merged 5 commits into
NVIDIA:mainfrom
maxamillion:podman-toml-gateway-listener
May 18, 2026
Merged

fix(rpm): restore 0.0.0.0 bind address for Podman via default gateway.toml#1438
TaylorMutch merged 5 commits into
NVIDIA:mainfrom
maxamillion:podman-toml-gateway-listener

Conversation

@maxamillion
Copy link
Copy Markdown
Collaborator

@maxamillion maxamillion commented May 18, 2026

Summary

Recent commits (b61a98d, f257ed0) changed the gateway binary default bind address from `0.0.0.0` to `127.0.0.1` as a secure-by-default improvement. This is correct for source builds and non-Podman deployments, but breaks the Podman compute driver: sandbox containers reach the gateway over the host network bridge and cannot connect to the loopback address.

This fix ships a default TOML config template with the RPM package. The systemd user unit seeds `~/.config/openshell/gateway.toml` from the template on first start (if no config exists yet), overriding the binary default to `0.0.0.0:17670` for Podman users. The binary default stays `127.0.0.1` — non-RPM installs remain secure-by-default.

The Helm chart already handles this the same way for Kubernetes (via its generated ConfigMap). This brings RPM installs into parity.

Related Issue

N/A — regression introduced in #1415.

Changes

  • deploy/rpm/gateway.toml.default (new): default config template setting `bind_address = "0.0.0.0:17670"` and `compute_drivers = ["podman"]`. Pinning the driver prevents unexpected selection when Docker is also installed (auto-detect order is Kubernetes > Podman > Docker).
  • openshell.spec:
    • Install template to `/usr/share/openshell-gateway/gateway.toml.default`
    • Add `ExecStartPre` to seed `~/.config/openshell/gateway.toml` on first start (skipped if file already exists)
    • Add `%check` assertions verifying the template is installed and the systemd unit references it
  • deploy/rpm/CONFIGURATION.md: document the default config, seed-on-first-start behavior, and all override paths
  • deploy/rpm/QUICKSTART.md: update bind address note to reflect the RPM default
  • crates/openshell-server/src/config_file.rs: contract test `rpm_default_config_parses_and_has_podman_defaults` — loads the actual template through `load()` and asserts `bind_address = 0.0.0.0:17670` and `compute_drivers = ["podman"]`
  • e2e/with-podman-gateway.sh: start from the RPM template as the base config (instead of synthesizing from scratch), so the Podman e2e exercises the same TOML path RPM users get on first start

Testing

  • `mise run pre-commit` passes (fmt, lint, license, markdown, helm all green)
  • Unit test added: `cargo test -p openshell-server rpm_default_config` passes
  • Contract test parses the actual template file through the real `load()` parser
  • Podman e2e updated to use RPM template as base config (integration coverage)
  • E2E tests run against a live Podman gateway (requires Podman environment)

Checklist

  • Follows Conventional Commits
  • Commits are signed off (DCO)

@maxamillion maxamillion requested review from a team, derekwaynecarr and mrunalp as code owners May 18, 2026 22:20
@copy-pr-bot
Copy link
Copy Markdown

copy-pr-bot Bot commented May 18, 2026

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

@TaylorMutch TaylorMutch self-assigned this May 18, 2026
@TaylorMutch TaylorMutch added the test:e2e Requires end-to-end coverage label May 18, 2026
@github-actions
Copy link
Copy Markdown

github-actions Bot commented May 18, 2026

Label test:e2e applied, but pull-request/1438 is at {"messa while the PR head is 636b649. A maintainer needs to comment /ok to test 636b6495539e067f87953ae3e6824762d8c19a89 to refresh the mirror. Once the mirror catches up, re-run Branch E2E Checks from the Actions tab.

@TaylorMutch
Copy link
Copy Markdown
Collaborator

TaylorMutch commented May 18, 2026

/ok to test 636b649

@maxamillion
fix(rpm): restore 0.0.0.0 bind address for Podman via default gateway…
8c0cb7c 
….toml

The gateway binary default changed to 127.0.0.1 in recent commits
(b61a98d, f257ed0). This breaks the Podman compute driver because
sandbox containers reach the gateway over the host network bridge and
cannot connect to the loopback address.

Ship a default TOML config template that the RPM systemd unit seeds
into ~/.config/openshell/gateway.toml on first start. The template
sets bind_address = "0.0.0.0:17670" and pins compute_drivers =
["podman"] to prevent unexpected driver selection when Docker is also
installed. The binary default remains 127.0.0.1 (secure-by-default
for non-RPM installs).

Changes:
- deploy/rpm/gateway.toml.default: new default config template
- openshell.spec: install template to %{_datadir}/openshell-gateway/;
  add ExecStartPre to seed ~/.config/openshell/gateway.toml on first
  start; add %check assertions for template presence and unit reference
- deploy/rpm/CONFIGURATION.md: document default config, override paths,
  and updated bind address throughout
- deploy/rpm/QUICKSTART.md: update bind address note for RPM installs
- crates/openshell-server/src/config_file.rs: contract test that parses
  the RPM template through load() and asserts bind_address=0.0.0.0
  and compute_drivers=[podman]
- e2e/with-podman-gateway.sh: start from RPM template as base config
  so e2e exercises the same TOML path RPM users get on first start
@maxamillion maxamillion force-pushed the podman-toml-gateway-listener branch from 636b649 to 8c0cb7c Compare May 18, 2026 22:45
@TaylorMutch
Copy link
Copy Markdown
Collaborator

TaylorMutch commented May 18, 2026

/ok to test 8c0cb7c

TaylorMutch
TaylorMutch reviewed May 18, 2026
View reviewed changes
Comment thread openshell.spec Outdated
@TaylorMutch
Copy link
Copy Markdown
Collaborator

TaylorMutch commented May 18, 2026

/ok to test 886f2e1

TaylorMutch
TaylorMutch previously approved these changes May 18, 2026
View reviewed changes
@maxamillion
fix(rpm): reset Packit-managed version fields to match main baseline
8ef9d7a 
Version, Source0, and Source1 were stamped to 0.0.43 by Packit CI
during branch builds. Reset to 0.0.37 (current main baseline) so
the spec diff only contains our intentional changes. Packit's
fix-spec-file action will re-stamp these fields at build time.
TaylorMutch
TaylorMutch previously approved these changes May 18, 2026
View reviewed changes
@TaylorMutch
Copy link
Copy Markdown
Collaborator

TaylorMutch commented May 18, 2026

/ok to test 1cc95f2

@maxamillion
fix(rpm): introduce openshell_version macro; remove hardcoded versions
e3c786c 
Add %global openshell_version as the single source of truth for the
package version. Version:, Source0:, Source1:, openshell_cargo_version,
and openshell_python_version all expand from this one macro.

Update .packit.yaml fix-spec-file to patch %global openshell_version
instead of the Version:, Source0:, and Source1: lines individually.
@TaylorMutch
Copy link
Copy Markdown
Collaborator

TaylorMutch commented May 18, 2026

/ok to test e3c786c

@TaylorMutch TaylorMutch merged commit 436c59a into NVIDIA:main May 18, 2026
35 of 37 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@TaylorMutch TaylorMutch TaylorMutch approved these changes

@mrunalp mrunalp Awaiting requested review from mrunalp mrunalp is a code owner

@derekwaynecarr derekwaynecarr Awaiting requested review from derekwaynecarr derekwaynecarr is a code owner

Assignees

@TaylorMutch TaylorMutch

Labels

test:e2e Requires end-to-end coverage

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@maxamillion @TaylorMutch