gortium/infra
1
1
Fork 0
Code Issues 13 Pull Requests 21 Actions Packages Projects 1 Releases Wiki Activity
Files
feat/restrict-docker-commands-for-ai-worker
infra/modules/nixos/security/README-ai-worker.md

127 lines
4.2 KiB
Markdown
Raw Permalink Normal View History

Add restricted AI worker access with deployment capabilities - New module: modules/nixos/security/ai-worker-restricted.nix - Bind mount for infra repo access (RW) - Whitelisted sudo commands: nh, nixos-rebuild, nixpkgs-fmt, nix - Audit logging for infra changes - Documentation in README-ai-worker.md - Updated users/ai-worker.nix: - Enable services.aiWorkerAccess - Lock password (SSH key only) - Security documentation comments - Updated flake.nix: - Include new security module SECURITY: AI must ask for user confirmation before running nh os switch
2026-04-28 15:34:38 +00:00
# AI Worker Restricted Access
fix: restrict docker commands for ai-worker user Remove ai-worker from docker group and enforce sudo whitelist. SECURITY: Being in the docker group gives unrestricted access to the Docker daemon socket (/var/run/docker.sock), allowing any docker command: docker exec, docker cp, docker run -v /:/host, docker commit, etc. Changes: - Remove extraGroups = ["docker"] from ai-worker user definition - Add comprehensive sudo NOPASSWD whitelist for safe docker subcommands ALLOWED: ps, inspect, logs, images, info, version, stats, start, stop, restart, rm, rmi, wait, pull, build, run, compose, system, network ls, volume ls BLOCKED (implicitly): exec, cp, commit, diff, export, import, load, save, attach, push, tag, create, plugin, network create, volume create - Update ai-worker-restricted.nix module to reflect new approach - Update README-ai-worker.md with new security model and examples All docker commands must now be prefixed with sudo. The Hermes agent's host_run tool needs to be updated to prepend sudo.
2026-05-20 20:34:19 -04:00
This module provides SSH access for the AI worker (hermes-agent) to run docker commands on the host.
Add restricted AI worker access with deployment capabilities - New module: modules/nixos/security/ai-worker-restricted.nix - Bind mount for infra repo access (RW) - Whitelisted sudo commands: nh, nixos-rebuild, nixpkgs-fmt, nix - Audit logging for infra changes - Documentation in README-ai-worker.md - Updated users/ai-worker.nix: - Enable services.aiWorkerAccess - Lock password (SSH key only) - Security documentation comments - Updated flake.nix: - Include new security module SECURITY: AI must ask for user confirmation before running nh os switch
2026-04-28 15:34:38 +00:00
## Security Model
fix: restrict docker commands for ai-worker user Remove ai-worker from docker group and enforce sudo whitelist. SECURITY: Being in the docker group gives unrestricted access to the Docker daemon socket (/var/run/docker.sock), allowing any docker command: docker exec, docker cp, docker run -v /:/host, docker commit, etc. Changes: - Remove extraGroups = ["docker"] from ai-worker user definition - Add comprehensive sudo NOPASSWD whitelist for safe docker subcommands ALLOWED: ps, inspect, logs, images, info, version, stats, start, stop, restart, rm, rmi, wait, pull, build, run, compose, system, network ls, volume ls BLOCKED (implicitly): exec, cp, commit, diff, export, import, load, save, attach, push, tag, create, plugin, network create, volume create - Update ai-worker-restricted.nix module to reflect new approach - Update README-ai-worker.md with new security model and examples All docker commands must now be prefixed with sudo. The Hermes agent's host_run tool needs to be updated to prepend sudo.
2026-05-20 20:34:19 -04:00
### Overview
The `ai-worker` user has **no direct docker group access**. All docker commands must go through `sudo`, and only specific subcommands are whitelisted:
- **Container lifecycle**: `docker ps`, `docker inspect`, `docker logs`, `docker images`, `docker info`, `docker version`, `docker stats`
- **Control**: `docker start`, `docker stop`, `docker restart`, `docker rm`, `docker rmi`, `docker wait`
- **Image management**: `docker pull`, `docker build`, `docker run`, `docker compose`
- **Disk cleanup**: `docker system`
- **Network/Volume**: `docker network ls`, `docker volume ls` (read-only)
### EXPLICITLY BLOCKED (not in sudo whitelist)
| Command | Risk | Result |
|---------|------|--------|
| `docker exec` | Execute arbitrary commands inside containers (FILE MODIFICATION) | Blocked by sudo |
| `docker cp` | Copy files between containers and host | Blocked by sudo |
| `docker commit` | Create images from running containers (data exfil) | Blocked by sudo |
| `docker diff` | Inspect filesystem changes | Blocked by sudo |
| `docker export` | Export container filesystem | Blocked by sudo |
| `docker import` | Import filesystem archives | Blocked by sudo |
| `docker load` | Load docker images | Blocked by sudo |
| `docker save` | Save docker images to tar | Blocked by sudo |
| `docker attach` | Interactive access to containers | Blocked by sudo |
| `docker push` | Push images to registries | Blocked by sudo |
| `docker tag` | Rename images | Blocked by sudo |
### Why This Approach?
Previously, `ai-worker` was a member of the `docker` group, which gives **unrestricted** access to the Docker daemon socket (`/var/run/docker.sock`). Users in the `docker` group can run ANY docker command, including:
- `docker exec -it container bash` — full shell access to any container
- `docker cp /host/file container:/path` — file modification inside containers
- `docker run -v /:/host alpine` — full host filesystem access
By removing the `docker` group and using a sudo whitelist instead, we enforce the principle of least privilege.
Add restricted AI worker access with deployment capabilities - New module: modules/nixos/security/ai-worker-restricted.nix - Bind mount for infra repo access (RW) - Whitelisted sudo commands: nh, nixos-rebuild, nixpkgs-fmt, nix - Audit logging for infra changes - Documentation in README-ai-worker.md - Updated users/ai-worker.nix: - Enable services.aiWorkerAccess - Lock password (SSH key only) - Security documentation comments - Updated flake.nix: - Include new security module SECURITY: AI must ask for user confirmation before running nh os switch
2026-04-28 15:34:38 +00:00
### Filesystem Access
fix: ai-worker docker-only access for ollama benchmarking Remove infra repo bind mount and sudo access from ai-worker user. Now ai-worker can only: - SSH into host from Hermes container - Run docker commands via docker group membership - Execute ollama benchmarks via docker exec Results saved to /opt/data/ai-optimizer/ in Hermes container.
2026-04-29 19:55:19 +00:00
- **Home directory**: `/home/ai-worker` (standard user home)
- **No bind mounts**: Cannot access `/home/gortium/infra` or other host files
- **Cannot access**: Any files outside standard system paths
Add restricted AI worker access with deployment capabilities - New module: modules/nixos/security/ai-worker-restricted.nix - Bind mount for infra repo access (RW) - Whitelisted sudo commands: nh, nixos-rebuild, nixpkgs-fmt, nix - Audit logging for infra changes - Documentation in README-ai-worker.md - Updated users/ai-worker.nix: - Enable services.aiWorkerAccess - Lock password (SSH key only) - Security documentation comments - Updated flake.nix: - Include new security module SECURITY: AI must ask for user confirmation before running nh os switch
2026-04-28 15:34:38 +00:00
fix: ai-worker docker-only access for ollama benchmarking Remove infra repo bind mount and sudo access from ai-worker user. Now ai-worker can only: - SSH into host from Hermes container - Run docker commands via docker group membership - Execute ollama benchmarks via docker exec Results saved to /opt/data/ai-optimizer/ in Hermes container.
2026-04-29 19:55:19 +00:00
### Sudo Access
fix: restrict docker commands for ai-worker user Remove ai-worker from docker group and enforce sudo whitelist. SECURITY: Being in the docker group gives unrestricted access to the Docker daemon socket (/var/run/docker.sock), allowing any docker command: docker exec, docker cp, docker run -v /:/host, docker commit, etc. Changes: - Remove extraGroups = ["docker"] from ai-worker user definition - Add comprehensive sudo NOPASSWD whitelist for safe docker subcommands ALLOWED: ps, inspect, logs, images, info, version, stats, start, stop, restart, rm, rmi, wait, pull, build, run, compose, system, network ls, volume ls BLOCKED (implicitly): exec, cp, commit, diff, export, import, load, save, attach, push, tag, create, plugin, network create, volume create - Update ai-worker-restricted.nix module to reflect new approach - Update README-ai-worker.md with new security model and examples All docker commands must now be prefixed with sudo. The Hermes agent's host_run tool needs to be updated to prepend sudo.
2026-05-20 20:34:19 -04:00
- **Restricted**: ai-worker has `NOPASSWD` access only to whitelisted commands
fix: ai-worker docker-only access for ollama benchmarking Remove infra repo bind mount and sudo access from ai-worker user. Now ai-worker can only: - SSH into host from Hermes container - Run docker commands via docker group membership - Execute ollama benchmarks via docker exec Results saved to /opt/data/ai-optimizer/ in Hermes container.
2026-04-29 19:55:19 +00:00
- Cannot run `nh`, `nixos-rebuild`, `nixpkgs-fmt`, or `nix` with elevated permissions
Add restricted AI worker access with deployment capabilities - New module: modules/nixos/security/ai-worker-restricted.nix - Bind mount for infra repo access (RW) - Whitelisted sudo commands: nh, nixos-rebuild, nixpkgs-fmt, nix - Audit logging for infra changes - Documentation in README-ai-worker.md - Updated users/ai-worker.nix: - Enable services.aiWorkerAccess - Lock password (SSH key only) - Security documentation comments - Updated flake.nix: - Include new security module SECURITY: AI must ask for user confirmation before running nh os switch
2026-04-28 15:34:38 +00:00
fix: restrict docker commands for ai-worker user Remove ai-worker from docker group and enforce sudo whitelist. SECURITY: Being in the docker group gives unrestricted access to the Docker daemon socket (/var/run/docker.sock), allowing any docker command: docker exec, docker cp, docker run -v /:/host, docker commit, etc. Changes: - Remove extraGroups = ["docker"] from ai-worker user definition - Add comprehensive sudo NOPASSWD whitelist for safe docker subcommands ALLOWED: ps, inspect, logs, images, info, version, stats, start, stop, restart, rm, rmi, wait, pull, build, run, compose, system, network ls, volume ls BLOCKED (implicitly): exec, cp, commit, diff, export, import, load, save, attach, push, tag, create, plugin, network create, volume create - Update ai-worker-restricted.nix module to reflect new approach - Update README-ai-worker.md with new security model and examples All docker commands must now be prefixed with sudo. The Hermes agent's host_run tool needs to be updated to prepend sudo.
2026-05-20 20:34:19 -04:00
## Workflow: SSH + Restricted Docker
Add restricted AI worker access with deployment capabilities - New module: modules/nixos/security/ai-worker-restricted.nix - Bind mount for infra repo access (RW) - Whitelisted sudo commands: nh, nixos-rebuild, nixpkgs-fmt, nix - Audit logging for infra changes - Documentation in README-ai-worker.md - Updated users/ai-worker.nix: - Enable services.aiWorkerAccess - Lock password (SSH key only) - Security documentation comments - Updated flake.nix: - Include new security module SECURITY: AI must ask for user confirmation before running nh os switch
2026-04-28 15:34:38 +00:00
fix: restrict docker commands for ai-worker user Remove ai-worker from docker group and enforce sudo whitelist. SECURITY: Being in the docker group gives unrestricted access to the Docker daemon socket (/var/run/docker.sock), allowing any docker command: docker exec, docker cp, docker run -v /:/host, docker commit, etc. Changes: - Remove extraGroups = ["docker"] from ai-worker user definition - Add comprehensive sudo NOPASSWD whitelist for safe docker subcommands ALLOWED: ps, inspect, logs, images, info, version, stats, start, stop, restart, rm, rmi, wait, pull, build, run, compose, system, network ls, volume ls BLOCKED (implicitly): exec, cp, commit, diff, export, import, load, save, attach, push, tag, create, plugin, network create, volume create - Update ai-worker-restricted.nix module to reflect new approach - Update README-ai-worker.md with new security model and examples All docker commands must now be prefixed with sudo. The Hermes agent's host_run tool needs to be updated to prepend sudo.
2026-05-20 20:34:19 -04:00
All docker commands must be prefixed with `sudo`:
Add restricted AI worker access with deployment capabilities - New module: modules/nixos/security/ai-worker-restricted.nix - Bind mount for infra repo access (RW) - Whitelisted sudo commands: nh, nixos-rebuild, nixpkgs-fmt, nix - Audit logging for infra changes - Documentation in README-ai-worker.md - Updated users/ai-worker.nix: - Enable services.aiWorkerAccess - Lock password (SSH key only) - Security documentation comments - Updated flake.nix: - Include new security module SECURITY: AI must ask for user confirmation before running nh os switch
2026-04-28 15:34:38 +00:00
```bash
fix: ai-worker docker-only access for ollama benchmarking Remove infra repo bind mount and sudo access from ai-worker user. Now ai-worker can only: - SSH into host from Hermes container - Run docker commands via docker group membership - Execute ollama benchmarks via docker exec Results saved to /opt/data/ai-optimizer/ in Hermes container.
2026-04-29 19:55:19 +00:00
# From Hermes container, SSH to host
ssh -i /path/to/ssh/key ai-worker@host.docker.internal
fix: restrict docker commands for ai-worker user Remove ai-worker from docker group and enforce sudo whitelist. SECURITY: Being in the docker group gives unrestricted access to the Docker daemon socket (/var/run/docker.sock), allowing any docker command: docker exec, docker cp, docker run -v /:/host, docker commit, etc. Changes: - Remove extraGroups = ["docker"] from ai-worker user definition - Add comprehensive sudo NOPASSWD whitelist for safe docker subcommands ALLOWED: ps, inspect, logs, images, info, version, stats, start, stop, restart, rm, rmi, wait, pull, build, run, compose, system, network ls, volume ls BLOCKED (implicitly): exec, cp, commit, diff, export, import, load, save, attach, push, tag, create, plugin, network create, volume create - Update ai-worker-restricted.nix module to reflect new approach - Update README-ai-worker.md with new security model and examples All docker commands must now be prefixed with sudo. The Hermes agent's host_run tool needs to be updated to prepend sudo.
2026-05-20 20:34:19 -04:00
# Check container status (works)
sudo docker ps
fix: ai-worker docker-only access for ollama benchmarking Remove infra repo bind mount and sudo access from ai-worker user. Now ai-worker can only: - SSH into host from Hermes container - Run docker commands via docker group membership - Execute ollama benchmarks via docker exec Results saved to /opt/data/ai-optimizer/ in Hermes container.
2026-04-29 19:55:19 +00:00
fix: restrict docker commands for ai-worker user Remove ai-worker from docker group and enforce sudo whitelist. SECURITY: Being in the docker group gives unrestricted access to the Docker daemon socket (/var/run/docker.sock), allowing any docker command: docker exec, docker cp, docker run -v /:/host, docker commit, etc. Changes: - Remove extraGroups = ["docker"] from ai-worker user definition - Add comprehensive sudo NOPASSWD whitelist for safe docker subcommands ALLOWED: ps, inspect, logs, images, info, version, stats, start, stop, restart, rm, rmi, wait, pull, build, run, compose, system, network ls, volume ls BLOCKED (implicitly): exec, cp, commit, diff, export, import, load, save, attach, push, tag, create, plugin, network create, volume create - Update ai-worker-restricted.nix module to reflect new approach - Update README-ai-worker.md with new security model and examples All docker commands must now be prefixed with sudo. The Hermes agent's host_run tool needs to be updated to prepend sudo.
2026-05-20 20:34:19 -04:00
# Restart a container (works)
sudo docker restart ollama
Add restricted AI worker access with deployment capabilities - New module: modules/nixos/security/ai-worker-restricted.nix - Bind mount for infra repo access (RW) - Whitelisted sudo commands: nh, nixos-rebuild, nixpkgs-fmt, nix - Audit logging for infra changes - Documentation in README-ai-worker.md - Updated users/ai-worker.nix: - Enable services.aiWorkerAccess - Lock password (SSH key only) - Security documentation comments - Updated flake.nix: - Include new security module SECURITY: AI must ask for user confirmation before running nh os switch
2026-04-28 15:34:38 +00:00
fix: restrict docker commands for ai-worker user Remove ai-worker from docker group and enforce sudo whitelist. SECURITY: Being in the docker group gives unrestricted access to the Docker daemon socket (/var/run/docker.sock), allowing any docker command: docker exec, docker cp, docker run -v /:/host, docker commit, etc. Changes: - Remove extraGroups = ["docker"] from ai-worker user definition - Add comprehensive sudo NOPASSWD whitelist for safe docker subcommands ALLOWED: ps, inspect, logs, images, info, version, stats, start, stop, restart, rm, rmi, wait, pull, build, run, compose, system, network ls, volume ls BLOCKED (implicitly): exec, cp, commit, diff, export, import, load, save, attach, push, tag, create, plugin, network create, volume create - Update ai-worker-restricted.nix module to reflect new approach - Update README-ai-worker.md with new security model and examples All docker commands must now be prefixed with sudo. The Hermes agent's host_run tool needs to be updated to prepend sudo.
2026-05-20 20:34:19 -04:00
# Run benchmark (works - docker run is allowed)
sudo docker run --rm alpine echo "test"
Add restricted AI worker access with deployment capabilities - New module: modules/nixos/security/ai-worker-restricted.nix - Bind mount for infra repo access (RW) - Whitelisted sudo commands: nh, nixos-rebuild, nixpkgs-fmt, nix - Audit logging for infra changes - Documentation in README-ai-worker.md - Updated users/ai-worker.nix: - Enable services.aiWorkerAccess - Lock password (SSH key only) - Security documentation comments - Updated flake.nix: - Include new security module SECURITY: AI must ask for user confirmation before running nh os switch
2026-04-28 15:34:38 +00:00
fix: restrict docker commands for ai-worker user Remove ai-worker from docker group and enforce sudo whitelist. SECURITY: Being in the docker group gives unrestricted access to the Docker daemon socket (/var/run/docker.sock), allowing any docker command: docker exec, docker cp, docker run -v /:/host, docker commit, etc. Changes: - Remove extraGroups = ["docker"] from ai-worker user definition - Add comprehensive sudo NOPASSWD whitelist for safe docker subcommands ALLOWED: ps, inspect, logs, images, info, version, stats, start, stop, restart, rm, rmi, wait, pull, build, run, compose, system, network ls, volume ls BLOCKED (implicitly): exec, cp, commit, diff, export, import, load, save, attach, push, tag, create, plugin, network create, volume create - Update ai-worker-restricted.nix module to reflect new approach - Update README-ai-worker.md with new security model and examples All docker commands must now be prefixed with sudo. The Hermes agent's host_run tool needs to be updated to prepend sudo.
2026-05-20 20:34:19 -04:00
# ANY of these will FAIL (not in whitelist):
sudo docker exec ollama ollama list # FAILS - docker exec blocked
sudo docker cp file.txt container:/path/ # FAILS - docker cp blocked
sudo docker commit container new-image # FAILS - docker commit blocked
Add restricted AI worker access with deployment capabilities - New module: modules/nixos/security/ai-worker-restricted.nix - Bind mount for infra repo access (RW) - Whitelisted sudo commands: nh, nixos-rebuild, nixpkgs-fmt, nix - Audit logging for infra changes - Documentation in README-ai-worker.md - Updated users/ai-worker.nix: - Enable services.aiWorkerAccess - Lock password (SSH key only) - Security documentation comments - Updated flake.nix: - Include new security module SECURITY: AI must ask for user confirmation before running nh os switch
2026-04-28 15:34:38 +00:00
fix: restrict docker commands for ai-worker user Remove ai-worker from docker group and enforce sudo whitelist. SECURITY: Being in the docker group gives unrestricted access to the Docker daemon socket (/var/run/docker.sock), allowing any docker command: docker exec, docker cp, docker run -v /:/host, docker commit, etc. Changes: - Remove extraGroups = ["docker"] from ai-worker user definition - Add comprehensive sudo NOPASSWD whitelist for safe docker subcommands ALLOWED: ps, inspect, logs, images, info, version, stats, start, stop, restart, rm, rmi, wait, pull, build, run, compose, system, network ls, volume ls BLOCKED (implicitly): exec, cp, commit, diff, export, import, load, save, attach, push, tag, create, plugin, network create, volume create - Update ai-worker-restricted.nix module to reflect new approach - Update README-ai-worker.md with new security model and examples All docker commands must now be prefixed with sudo. The Hermes agent's host_run tool needs to be updated to prepend sudo.
2026-05-20 20:34:19 -04:00
# For ollama operations, use the HTTP API instead of docker exec:
curl http://ollama:11434/api/tags
Add restricted AI worker access with deployment capabilities - New module: modules/nixos/security/ai-worker-restricted.nix - Bind mount for infra repo access (RW) - Whitelisted sudo commands: nh, nixos-rebuild, nixpkgs-fmt, nix - Audit logging for infra changes - Documentation in README-ai-worker.md - Updated users/ai-worker.nix: - Enable services.aiWorkerAccess - Lock password (SSH key only) - Security documentation comments - Updated flake.nix: - Include new security module SECURITY: AI must ask for user confirmation before running nh os switch
2026-04-28 15:34:38 +00:00
```
## SSH Access
Connect as:
```bash
ssh ai-worker@lazyworkhorse
```
fix: ai-worker docker-only access for ollama benchmarking Remove infra repo bind mount and sudo access from ai-worker user. Now ai-worker can only: - SSH into host from Hermes container - Run docker commands via docker group membership - Execute ollama benchmarks via docker exec Results saved to /opt/data/ai-optimizer/ in Hermes container.
2026-04-29 19:55:19 +00:00
The working directory will be `/home/ai-worker`. No infra repo access.
Add restricted AI worker access with deployment capabilities - New module: modules/nixos/security/ai-worker-restricted.nix - Bind mount for infra repo access (RW) - Whitelisted sudo commands: nh, nixos-rebuild, nixpkgs-fmt, nix - Audit logging for infra changes - Documentation in README-ai-worker.md - Updated users/ai-worker.nix: - Enable services.aiWorkerAccess - Lock password (SSH key only) - Security documentation comments - Updated flake.nix: - Include new security module SECURITY: AI must ask for user confirmation before running nh os switch
2026-04-28 15:34:38 +00:00
## Verification
Check ai-worker permissions:
```bash
# On the host, as root or gortium:
sudo -u ai-worker sudo -l
fix: restrict docker commands for ai-worker user Remove ai-worker from docker group and enforce sudo whitelist. SECURITY: Being in the docker group gives unrestricted access to the Docker daemon socket (/var/run/docker.sock), allowing any docker command: docker exec, docker cp, docker run -v /:/host, docker commit, etc. Changes: - Remove extraGroups = ["docker"] from ai-worker user definition - Add comprehensive sudo NOPASSWD whitelist for safe docker subcommands ALLOWED: ps, inspect, logs, images, info, version, stats, start, stop, restart, rm, rmi, wait, pull, build, run, compose, system, network ls, volume ls BLOCKED (implicitly): exec, cp, commit, diff, export, import, load, save, attach, push, tag, create, plugin, network create, volume create - Update ai-worker-restricted.nix module to reflect new approach - Update README-ai-worker.md with new security model and examples All docker commands must now be prefixed with sudo. The Hermes agent's host_run tool needs to be updated to prepend sudo.
2026-05-20 20:34:19 -04:00
# Should show the whitelisted commands only (no docker exec/cp/commit)
Add restricted AI worker access with deployment capabilities - New module: modules/nixos/security/ai-worker-restricted.nix - Bind mount for infra repo access (RW) - Whitelisted sudo commands: nh, nixos-rebuild, nixpkgs-fmt, nix - Audit logging for infra changes - Documentation in README-ai-worker.md - Updated users/ai-worker.nix: - Enable services.aiWorkerAccess - Lock password (SSH key only) - Security documentation comments - Updated flake.nix: - Include new security module SECURITY: AI must ask for user confirmation before running nh os switch
2026-04-28 15:34:38 +00:00
fix: restrict docker commands for ai-worker user Remove ai-worker from docker group and enforce sudo whitelist. SECURITY: Being in the docker group gives unrestricted access to the Docker daemon socket (/var/run/docker.sock), allowing any docker command: docker exec, docker cp, docker run -v /:/host, docker commit, etc. Changes: - Remove extraGroups = ["docker"] from ai-worker user definition - Add comprehensive sudo NOPASSWD whitelist for safe docker subcommands ALLOWED: ps, inspect, logs, images, info, version, stats, start, stop, restart, rm, rmi, wait, pull, build, run, compose, system, network ls, volume ls BLOCKED (implicitly): exec, cp, commit, diff, export, import, load, save, attach, push, tag, create, plugin, network create, volume create - Update ai-worker-restricted.nix module to reflect new approach - Update README-ai-worker.md with new security model and examples All docker commands must now be prefixed with sudo. The Hermes agent's host_run tool needs to be updated to prepend sudo.
2026-05-20 20:34:19 -04:00
# Verify NOT in docker group
fix: ai-worker docker-only access for ollama benchmarking Remove infra repo bind mount and sudo access from ai-worker user. Now ai-worker can only: - SSH into host from Hermes container - Run docker commands via docker group membership - Execute ollama benchmarks via docker exec Results saved to /opt/data/ai-optimizer/ in Hermes container.
2026-04-29 19:55:19 +00:00
groups ai-worker
fix: restrict docker commands for ai-worker user Remove ai-worker from docker group and enforce sudo whitelist. SECURITY: Being in the docker group gives unrestricted access to the Docker daemon socket (/var/run/docker.sock), allowing any docker command: docker exec, docker cp, docker run -v /:/host, docker commit, etc. Changes: - Remove extraGroups = ["docker"] from ai-worker user definition - Add comprehensive sudo NOPASSWD whitelist for safe docker subcommands ALLOWED: ps, inspect, logs, images, info, version, stats, start, stop, restart, rm, rmi, wait, pull, build, run, compose, system, network ls, volume ls BLOCKED (implicitly): exec, cp, commit, diff, export, import, load, save, attach, push, tag, create, plugin, network create, volume create - Update ai-worker-restricted.nix module to reflect new approach - Update README-ai-worker.md with new security model and examples All docker commands must now be prefixed with sudo. The Hermes agent's host_run tool needs to be updated to prepend sudo.
2026-05-20 20:34:19 -04:00
# Should show: ai-worker (NO docker group)
fix: ai-worker docker-only access for ollama benchmarking Remove infra repo bind mount and sudo access from ai-worker user. Now ai-worker can only: - SSH into host from Hermes container - Run docker commands via docker group membership - Execute ollama benchmarks via docker exec Results saved to /opt/data/ai-optimizer/ in Hermes container.
2026-04-29 19:55:19 +00:00
```
Add restricted AI worker access with deployment capabilities - New module: modules/nixos/security/ai-worker-restricted.nix - Bind mount for infra repo access (RW) - Whitelisted sudo commands: nh, nixos-rebuild, nixpkgs-fmt, nix - Audit logging for infra changes - Documentation in README-ai-worker.md - Updated users/ai-worker.nix: - Enable services.aiWorkerAccess - Lock password (SSH key only) - Security documentation comments - Updated flake.nix: - Include new security module SECURITY: AI must ask for user confirmation before running nh os switch
2026-04-28 15:34:38 +00:00
## Troubleshooting
fix: restrict docker commands for ai-worker user Remove ai-worker from docker group and enforce sudo whitelist. SECURITY: Being in the docker group gives unrestricted access to the Docker daemon socket (/var/run/docker.sock), allowing any docker command: docker exec, docker cp, docker run -v /:/host, docker commit, etc. Changes: - Remove extraGroups = ["docker"] from ai-worker user definition - Add comprehensive sudo NOPASSWD whitelist for safe docker subcommands ALLOWED: ps, inspect, logs, images, info, version, stats, start, stop, restart, rm, rmi, wait, pull, build, run, compose, system, network ls, volume ls BLOCKED (implicitly): exec, cp, commit, diff, export, import, load, save, attach, push, tag, create, plugin, network create, volume create - Update ai-worker-restricted.nix module to reflect new approach - Update README-ai-worker.md with new security model and examples All docker commands must now be prefixed with sudo. The Hermes agent's host_run tool needs to be updated to prepend sudo.
2026-05-20 20:34:19 -04:00
If docker commands fail:
Add restricted AI worker access with deployment capabilities - New module: modules/nixos/security/ai-worker-restricted.nix - Bind mount for infra repo access (RW) - Whitelisted sudo commands: nh, nixos-rebuild, nixpkgs-fmt, nix - Audit logging for infra changes - Documentation in README-ai-worker.md - Updated users/ai-worker.nix: - Enable services.aiWorkerAccess - Lock password (SSH key only) - Security documentation comments - Updated flake.nix: - Include new security module SECURITY: AI must ask for user confirmation before running nh os switch
2026-04-28 15:34:38 +00:00
```bash
fix: restrict docker commands for ai-worker user Remove ai-worker from docker group and enforce sudo whitelist. SECURITY: Being in the docker group gives unrestricted access to the Docker daemon socket (/var/run/docker.sock), allowing any docker command: docker exec, docker cp, docker run -v /:/host, docker commit, etc. Changes: - Remove extraGroups = ["docker"] from ai-worker user definition - Add comprehensive sudo NOPASSWD whitelist for safe docker subcommands ALLOWED: ps, inspect, logs, images, info, version, stats, start, stop, restart, rm, rmi, wait, pull, build, run, compose, system, network ls, volume ls BLOCKED (implicitly): exec, cp, commit, diff, export, import, load, save, attach, push, tag, create, plugin, network create, volume create - Update ai-worker-restricted.nix module to reflect new approach - Update README-ai-worker.md with new security model and examples All docker commands must now be prefixed with sudo. The Hermes agent's host_run tool needs to be updated to prepend sudo.
2026-05-20 20:34:19 -04:00
# Check sudo permissions
sudo -u ai-worker sudo -l | grep docker
# Verify group membership
fix: ai-worker docker-only access for ollama benchmarking Remove infra repo bind mount and sudo access from ai-worker user. Now ai-worker can only: - SSH into host from Hermes container - Run docker commands via docker group membership - Execute ollama benchmarks via docker exec Results saved to /opt/data/ai-optimizer/ in Hermes container.
2026-04-29 19:55:19 +00:00
groups ai-worker
fix: restrict docker commands for ai-worker user Remove ai-worker from docker group and enforce sudo whitelist. SECURITY: Being in the docker group gives unrestricted access to the Docker daemon socket (/var/run/docker.sock), allowing any docker command: docker exec, docker cp, docker run -v /:/host, docker commit, etc. Changes: - Remove extraGroups = ["docker"] from ai-worker user definition - Add comprehensive sudo NOPASSWD whitelist for safe docker subcommands ALLOWED: ps, inspect, logs, images, info, version, stats, start, stop, restart, rm, rmi, wait, pull, build, run, compose, system, network ls, volume ls BLOCKED (implicitly): exec, cp, commit, diff, export, import, load, save, attach, push, tag, create, plugin, network create, volume create - Update ai-worker-restricted.nix module to reflect new approach - Update README-ai-worker.md with new security model and examples All docker commands must now be prefixed with sudo. The Hermes agent's host_run tool needs to be updated to prepend sudo.
2026-05-20 20:34:19 -04:00
# Test allowed command
sudo -u ai-worker sudo docker ps
Add restricted AI worker access with deployment capabilities - New module: modules/nixos/security/ai-worker-restricted.nix - Bind mount for infra repo access (RW) - Whitelisted sudo commands: nh, nixos-rebuild, nixpkgs-fmt, nix - Audit logging for infra changes - Documentation in README-ai-worker.md - Updated users/ai-worker.nix: - Enable services.aiWorkerAccess - Lock password (SSH key only) - Security documentation comments - Updated flake.nix: - Include new security module SECURITY: AI must ask for user confirmation before running nh os switch
2026-04-28 15:34:38 +00:00
fix: restrict docker commands for ai-worker user Remove ai-worker from docker group and enforce sudo whitelist. SECURITY: Being in the docker group gives unrestricted access to the Docker daemon socket (/var/run/docker.sock), allowing any docker command: docker exec, docker cp, docker run -v /:/host, docker commit, etc. Changes: - Remove extraGroups = ["docker"] from ai-worker user definition - Add comprehensive sudo NOPASSWD whitelist for safe docker subcommands ALLOWED: ps, inspect, logs, images, info, version, stats, start, stop, restart, rm, rmi, wait, pull, build, run, compose, system, network ls, volume ls BLOCKED (implicitly): exec, cp, commit, diff, export, import, load, save, attach, push, tag, create, plugin, network create, volume create - Update ai-worker-restricted.nix module to reflect new approach - Update README-ai-worker.md with new security model and examples All docker commands must now be prefixed with sudo. The Hermes agent's host_run tool needs to be updated to prepend sudo.
2026-05-20 20:34:19 -04:00
# Test blocked command (should fail)
sudo -u ai-worker sudo docker exec ollama ollama list
# Expected: "Sorry, user ai-worker is not allowed to execute"
Add restricted AI worker access with deployment capabilities - New module: modules/nixos/security/ai-worker-restricted.nix - Bind mount for infra repo access (RW) - Whitelisted sudo commands: nh, nixos-rebuild, nixpkgs-fmt, nix - Audit logging for infra changes - Documentation in README-ai-worker.md - Updated users/ai-worker.nix: - Enable services.aiWorkerAccess - Lock password (SSH key only) - Security documentation comments - Updated flake.nix: - Include new security module SECURITY: AI must ask for user confirmation before running nh os switch
2026-04-28 15:34:38 +00:00
```
fix: ai-worker docker-only access for ollama benchmarking Remove infra repo bind mount and sudo access from ai-worker user. Now ai-worker can only: - SSH into host from Hermes container - Run docker commands via docker group membership - Execute ollama benchmarks via docker exec Results saved to /opt/data/ai-optimizer/ in Hermes container.
2026-04-29 19:55:19 +00:00
If SSH connection fails:
Add restricted AI worker access with deployment capabilities - New module: modules/nixos/security/ai-worker-restricted.nix - Bind mount for infra repo access (RW) - Whitelisted sudo commands: nh, nixos-rebuild, nixpkgs-fmt, nix - Audit logging for infra changes - Documentation in README-ai-worker.md - Updated users/ai-worker.nix: - Enable services.aiWorkerAccess - Lock password (SSH key only) - Security documentation comments - Updated flake.nix: - Include new security module SECURITY: AI must ask for user confirmation before running nh os switch
2026-04-28 15:34:38 +00:00
```bash
fix: ai-worker docker-only access for ollama benchmarking Remove infra repo bind mount and sudo access from ai-worker user. Now ai-worker can only: - SSH into host from Hermes container - Run docker commands via docker group membership - Execute ollama benchmarks via docker exec Results saved to /opt/data/ai-optimizer/ in Hermes container.
2026-04-29 19:55:19 +00:00
# Check SSH key is authorized
cat /home/ai-worker/.ssh/authorized_keys
Add restricted AI worker access with deployment capabilities - New module: modules/nixos/security/ai-worker-restricted.nix - Bind mount for infra repo access (RW) - Whitelisted sudo commands: nh, nixos-rebuild, nixpkgs-fmt, nix - Audit logging for infra changes - Documentation in README-ai-worker.md - Updated users/ai-worker.nix: - Enable services.aiWorkerAccess - Lock password (SSH key only) - Security documentation comments - Updated flake.nix: - Include new security module SECURITY: AI must ask for user confirmation before running nh os switch
2026-04-28 15:34:38 +00:00
fix: ai-worker docker-only access for ollama benchmarking Remove infra repo bind mount and sudo access from ai-worker user. Now ai-worker can only: - SSH into host from Hermes container - Run docker commands via docker group membership - Execute ollama benchmarks via docker exec Results saved to /opt/data/ai-optimizer/ in Hermes container.
2026-04-29 19:55:19 +00:00
# Check SSH service
systemctl status sshd
Add restricted AI worker access with deployment capabilities - New module: modules/nixos/security/ai-worker-restricted.nix - Bind mount for infra repo access (RW) - Whitelisted sudo commands: nh, nixos-rebuild, nixpkgs-fmt, nix - Audit logging for infra changes - Documentation in README-ai-worker.md - Updated users/ai-worker.nix: - Enable services.aiWorkerAccess - Lock password (SSH key only) - Security documentation comments - Updated flake.nix: - Include new security module SECURITY: AI must ask for user confirmation before running nh os switch
2026-04-28 15:34:38 +00:00
```
Reference in New Issue Copy Permalink