fix(rpm): restore 0.0.0.0 bind address for Podman via default gateway.toml#1438
Merged
TaylorMutch merged 5 commits intoMay 18, 2026
Merged
Conversation
maxamillion
requested review from
a team,
derekwaynecarr and
mrunalp
as code owners
|
Label |
Collaborator
|
/ok to test 636b649 |
….toml The gateway binary default changed to 127.0.0.1 in recent commits (b61a98d, f257ed0). This breaks the Podman compute driver because sandbox containers reach the gateway over the host network bridge and cannot connect to the loopback address. Ship a default TOML config template that the RPM systemd unit seeds into ~/.config/openshell/gateway.toml on first start. The template sets bind_address = "0.0.0.0:17670" and pins compute_drivers = ["podman"] to prevent unexpected driver selection when Docker is also installed. The binary default remains 127.0.0.1 (secure-by-default for non-RPM installs). Changes: - deploy/rpm/gateway.toml.default: new default config template - openshell.spec: install template to %{_datadir}/openshell-gateway/; add ExecStartPre to seed ~/.config/openshell/gateway.toml on first start; add %check assertions for template presence and unit reference - deploy/rpm/CONFIGURATION.md: document default config, override paths, and updated bind address throughout - deploy/rpm/QUICKSTART.md: update bind address note for RPM installs - crates/openshell-server/src/config_file.rs: contract test that parses the RPM template through load() and asserts bind_address=0.0.0.0 and compute_drivers=[podman] - e2e/with-podman-gateway.sh: start from RPM template as base config so e2e exercises the same TOML path RPM users get on first start
maxamillion
force-pushed
the
podman-toml-gateway-listener
branch
from
636b649 to
8c0cb7c
Compare
Collaborator
|
/ok to test 8c0cb7c |
TaylorMutch
reviewed
May 18, 2026
Collaborator
|
/ok to test 886f2e1 |
TaylorMutch
previously approved these changes
May 18, 2026
Version, Source0, and Source1 were stamped to 0.0.43 by Packit CI during branch builds. Reset to 0.0.37 (current main baseline) so the spec diff only contains our intentional changes. Packit's fix-spec-file action will re-stamp these fields at build time.
…aseline" This reverts commit 8ef9d7a.
TaylorMutch
previously approved these changes
May 18, 2026
Collaborator
|
/ok to test 1cc95f2 |
Add %global openshell_version as the single source of truth for the package version. Version:, Source0:, Source1:, openshell_cargo_version, and openshell_python_version all expand from this one macro. Update .packit.yaml fix-spec-file to patch %global openshell_version instead of the Version:, Source0:, and Source1: lines individually.
Collaborator
|
/ok to test e3c786c |
TaylorMutch
approved these changes
May 18, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Recent commits (b61a98d, f257ed0) changed the gateway binary default bind address from `0.0.0.0` to `127.0.0.1` as a secure-by-default improvement. This is correct for source builds and non-Podman deployments, but breaks the Podman compute driver: sandbox containers reach the gateway over the host network bridge and cannot connect to the loopback address.
This fix ships a default TOML config template with the RPM package. The systemd user unit seeds `~/.config/openshell/gateway.toml` from the template on first start (if no config exists yet), overriding the binary default to `0.0.0.0:17670` for Podman users. The binary default stays `127.0.0.1` — non-RPM installs remain secure-by-default.
The Helm chart already handles this the same way for Kubernetes (via its generated ConfigMap). This brings RPM installs into parity.
Related Issue
N/A — regression introduced in #1415.
Changes
deploy/rpm/gateway.toml.default(new): default config template setting `bind_address = "0.0.0.0:17670"` and `compute_drivers = ["podman"]`. Pinning the driver prevents unexpected selection when Docker is also installed (auto-detect order is Kubernetes > Podman > Docker).openshell.spec:deploy/rpm/CONFIGURATION.md: document the default config, seed-on-first-start behavior, and all override pathsdeploy/rpm/QUICKSTART.md: update bind address note to reflect the RPM defaultcrates/openshell-server/src/config_file.rs: contract test `rpm_default_config_parses_and_has_podman_defaults` — loads the actual template through `load()` and asserts `bind_address = 0.0.0.0:17670` and `compute_drivers = ["podman"]`e2e/with-podman-gateway.sh: start from the RPM template as the base config (instead of synthesizing from scratch), so the Podman e2e exercises the same TOML path RPM users get on first startTesting
Checklist