From c68f3325bbaf0201b228ac6f2cac6aac34a21d70 Mon Sep 17 00:00:00 2001
From: Malin
Date: Wed, 11 Mar 2026 10:56:34 +0100
Subject: [PATCH] fix: stub openvpn-systemd-resolved to prevent missing-components sudo call + binary inspection
---
 vpn-node/Dockerfile | 33 ++++++++++++++++++++++-----------
 1 file changed, 22 insertions(+), 11 deletions(-)
diff --git a/vpn-node/Dockerfile b/vpn-node/Dockerfile
index c198738..e40689f 100644
--- a/vpn-node/Dockerfile
+++ b/vpn-node/Dockerfile
@@ -13,25 +13,36 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
 net-tools openresolv \
 && rm -rf /var/lib/apt/lists/*
+# ── Stub openvpn-systemd-resolved ────────────────────────────────────────────
+# This package is not in Debian repos. Its absence is what triggers purevpn-cli
+# to call `sudo --install-missing-components`. A no-op stub satisfies the check.
+RUN mkdir -p /usr/lib/openvpn \
+ && printf '#!/bin/sh\nexit 0\n' \
+ | tee /usr/local/bin/openvpn-systemd-resolved \
+ /usr/lib/openvpn/openvpn-systemd-resolved > /dev/null \
+ && chmod +x /usr/local/bin/openvpn-systemd-resolved \
+ /usr/lib/openvpn/openvpn-systemd-resolved
+
 # ── Install purevpn-cli ───────────────────────────────────────────────────────
-# Pre-installing its dependencies above means the installer's own apt calls
-# find everything already present and skip cleanly.
-# Binary lands at /opt/purevpn-cli/bin/purevpn-cli
 RUN curl -fsSL https://apps.purevpn-tools.com/cross-platform/linux-cli/production/cli-install.sh \
 -o /tmp/cli-install.sh \
 && bash /tmp/cli-install.sh \
 && rm -f /tmp/cli-install.sh
-# ── Fake sudo wrapper ─────────────────────────────────────────────────────────
-# purevpn-cli calls `sudo purevpn-cli --connect X --install-missing-components`
-# which crashes in its own pkg/Node.js bootstrap when that flag combination is
-# run through pkg's argument parser (bug in the CLI).
-# Fix: strip --install-missing-components and run the real command as-is.
-# We are already root in Docker so the re-run won't trigger sudo again.
-RUN printf '#!/bin/bash\nnew=(); for a in "$@"; do [[ "$a" == "--install-missing-components" ]] && continue; new+=("$a"); done\nexec "${new[@]}"\n' \
+# ── Inspect binary (visible in build log, remove once confirmed working) ──────
+RUN echo "=== binary type ===" \
+ && file /opt/purevpn-cli/bin/purevpn-cli /opt/purevpn-cli/purevpn-cli 2>/dev/null || true \
+ && echo "=== bin/purevpn-cli header ===" \
+ && head -3 /opt/purevpn-cli/bin/purevpn-cli 2>/dev/null || true
+
+# ── Fake sudo — last-resort safety net ───────────────────────────────────────
+# If purevpn-cli still calls sudo despite the stub above, this wrapper runs
+# the command minus --install-missing-components so it doesn't crash the
+# pkg/Node.js bootstrap. The echo lets us see in logs if it fires.
+RUN printf '#!/bin/bash\nnew=()\nfor a in "$@"; do\n [[ "$a" == "--install-missing-components" ]] && { echo "[sudo] stripped --install-missing-components"; continue; }\n new+=("$a")\ndone\necho "[sudo] exec: ${new[*]}"\nexec "${new[@]}"\n' \
 > /usr/local/bin/sudo && chmod +x /usr/local/bin/sudo
-# ── PATH: installer puts binary in /opt/purevpn-cli/bin/ ─────────────────────
+# ── PATH ──────────────────────────────────────────────────────────────────────
 ENV PATH=/opt/purevpn-cli/bin:/opt/purevpn-cli:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
 # ── Location list ─────────────────────────────────────────────────────────────
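Review bot: The no-op stub written to `/usr/local/bin/openvpn-systemd-resolved` and `/usr/lib/openvpn/openvpn-systemd-resolved` always exits 0, so if purevpn-cli or its OpenVPN profile also runs that script as an up/down hook (not visible in this hunk), DNS servers pushed by the VPN would silently never be applied and lookups could keep going to the container's original resolver. I would make the stub announce itself the way the new sudo wrapper does, e.g. `printf '#!/bin/sh\necho "[stub] openvpn-systemd-resolved called: $*" >&2\nexit 0\n'`, and extend the comment above it to say that DNS is presumably left to `openresolv` and that `/etc/resolv.conf` should be checked after a connect. In the sudo wrapper, `echo "[sudo] exec: ${new[*]}"` prints the whole argument list on stdout, which mixes into whatever the caller reads from the command and would copy any credential passed as an argument into the logs; appending `>&2` to both echo lines and logging only `${new[0]}` avoids that. The installer fetched with `curl` in the unchanged context lines is still executed without a checksum or signature check.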