mirror of
https://github.com/goauthentik/authentik.git
synced 2026-06-17 19:09:11 +03:00
5cbefcd207
Round 3 dropped `User=0:0` from the worker container after thmo asked for it. thmo has since walked that back, confirming the worker really does need root for the documented outpost auto-deploy flow.

The worker bind-mounts the host podman socket (`/run/podman/podman.sock` for rootful, `%t/podman/podman.sock` for rootless) so authentik can deploy outposts. The socket is root-owned at `0660`, and the authentik server image runs the worker as a non-root user, so without `User=0:0` the worker can't read it and outpost deployment fails. In a rootless deployment, container UID 0 maps back to the socket-owning host user via the user namespace, so this stays safe.

The fix lives in `scripts/generate_quadlet.py`; both worker variants also get an inline comment above the `User=` line explaining why root is required, so a future pass doesn't quietly drop it again. Server and PostgreSQL units are untouched. Running `make gen-quadlet` reproduces the committed units exactly.

Co-authored-by: Agent (authentik-i22454-difficult-ideal-marrs) <279763771+playpen-agent@users.noreply.github.com>
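
The permission reasoning in the commit message above, worked through as an added example (not code from the authentik repository): it translates a container UID through `uid_map`-style rows and applies the owner/group/other check to a `0660` socket. The map rows, the host user UID 1000 and the image's non-root UID 1000 are constructed sample values, not taken from the project.

```python
# Added illustration. All IDs and map rows below are constructed sample values.

# Rows use the /proc/<pid>/uid_map layout: inside-start, outside-start, length.
ROOTFUL_MAP = "0 0 4294967295"             # rootful podman: no remapping
ROOTLESS_MAP = "0 1000 1\n1 100000 65536"  # rootless podman run by host UID 1000 (assumed)


def parse_id_map(text):
    """Parse uid_map/gid_map text into (inside, outside, length) tuples."""
    return [tuple(int(f) for f in line.split())
            for line in text.strip().splitlines()]


def to_host_id(container_id, id_map):
    """Translate an ID seen inside the container to the ID the host kernel checks."""
    for inside, outside, length in id_map:
        if inside <= container_id < inside + length:
            return outside + (container_id - inside)
    return None  # unmapped IDs get no access


def worker_can_use_socket(container_uid, container_gid, id_map,
                          sock_uid, sock_gid, mode=0o660):
    """Owner/group/other check for read+write, which connecting to a unix socket needs.

    Assumes gid_map mirrors uid_map, as in the sample maps above.
    """
    need = 0o6
    host_uid = to_host_id(container_uid, id_map)
    host_gid = to_host_id(container_gid, id_map)
    if host_uid is None:
        return False
    if host_uid == sock_uid:
        return ((mode >> 6) & need) == need
    if host_gid == sock_gid:
        return ((mode >> 3) & need) == need
    return (mode & need) == need


if __name__ == "__main__":
    cases = [("rootful", ROOTFUL_MAP, 0, 0), ("rootless", ROOTLESS_MAP, 1000, 1000)]
    for name, raw, sock_uid, sock_gid in cases:
        id_map = parse_id_map(raw)
        for uid in (0, 1000):  # User=0:0 versus the assumed non-root image user
            ok = worker_can_use_socket(uid, uid, id_map, sock_uid, sock_gid)
            print(f"{name}: container uid {uid} -> host uid "
                  f"{to_host_id(uid, id_map)}, socket access: {ok}")
```

In the rootless case container UID 0 resolves to the unprivileged host user that owns the socket, while the image's non-root UID lands in the subordinate range and is denied.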