switch to rocky linux 10, add --init for zombie reaping, fix NAT setup

- base image alpine -> rockylinux:10 (cgit/fcgiwrap from EPEL) - drop spawn-fcgi, use fcgiwrap -s directly - add --init to reap zombie sshd-auth processes (PID exhaustion fix) - replace ip addr/route networking with nft DNAT/SNAT/FORWARD rules - add FORWARD accept rule that was missing for inbound DNAT traffic
author: Your Name <you@example.com> 2026-02-18 15:12:32 +0800
committer: Your Name <you@example.com> 2026-02-18 15:12:32 +0800
commit: c3a377a265d2ca92b8823be281fa0e487d30692b (patch)
tree: 1d5b4213c65635ffdd82921b633eaaf5bebd2e60
parent: b0572c958427ae6ad75109752e9741aab31ad65a (diff)
5 files changed, 29 insertions, 15 deletions
diff --git a/Caddyfile b/Caddyfile
index b783e7b..7458b93 100644
--- a/Caddyfile
+++ b/Caddyfile
@@ -1,18 +1,18 @@
 {$DOMAIN} {
    handle {$CGIT_CSS} {
-        root * /usr/share/webapps/cgit
+        root * /usr/share/cgit
        file_server
    }
    handle {$CGIT_LOGO} {
-        root * /usr/share/webapps/cgit
+        root * /usr/share/cgit
        file_server
    }
    handle {
        reverse_proxy unix/{$FCGI_SOCK} {
            transport fastcgi {
-                env SCRIPT_FILENAME /usr/share/webapps/cgit/cgit.cgi
+                env SCRIPT_FILENAME /var/www/cgi-bin/cgit
                env QUERY_STRING {query}
                env HTTP_HOST {host}
                env PATH_INFO {path}
diff --git a/Dockerfile b/Dockerfile
index 86352b4..65ead86 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,14 +1,16 @@
-FROM alpine:latest
+FROM rockylinux:10
-RUN apk add --no-cache \
+RUN dnf install -y epel-release && \
+    dnf copr enable -y @caddy/caddy && \
+    dnf install -y \
    caddy \
    cgit \
    git \
    fcgiwrap \
-    spawn-fcgi \
    gettext \
    openssl \
-    openssh-server
+    openssh-server \
+    && dnf clean all
 COPY cgitrc.template /etc/cgitrc.template
 COPY Caddyfile /etc/caddy/Caddyfile
diff --git a/entrypoint.sh b/entrypoint.sh
index 3e2dcc0..ba24e29 100644
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/bin/bash
 set -e
 # Check cert matches domain, else clear and renew
@@ -21,7 +21,8 @@ chmod 700 /git/.ssh
 chmod 600 /git/.ssh/authorized_keys
 /usr/sbin/sshd
-spawn-fcgi -s ${FCGI_SOCK} /usr/bin/fcgiwrap
+fcgiwrap -s unix:${FCGI_SOCK} &
+sleep 0.5
 chmod 666 ${FCGI_SOCK}
 exec caddy run --config /etc/caddy/Caddyfile --adapter caddyfile
diff --git a/sshd_config b/sshd_config
index 5d31e36..0270433 100644
--- a/sshd_config
+++ b/sshd_config
@@ -7,4 +7,4 @@ AuthorizedKeysFile /git/.ssh/authorized_keys
 MaxStartups 3:50:10
 # Kill unauthenticated connections after 15 seconds
 LoginGraceTime 15
-Subsystem sftp /usr/lib/ssh/sftp-server
+Subsystem sftp /usr/libexec/openssh/sftp-server
diff --git a/start_container.sh b/start_container.sh
index 2299390..f93f5df 100755
--- a/start_container.sh
+++ b/start_container.sh
@@ -29,6 +29,7 @@ podman build -t cgit "$(dirname "$0")"
 # Run container
 podman run -d \
+    --init \
    --name ${CONTAINER_NAME} \
    --network ${NETWORK} \
    --ip ${PRIVATE_IP} \
@@ -39,11 +40,21 @@ podman run -d \
    -v /git:/git \
    localhost/cgit
-# Setup public IP
+# Setup public IP via DNAT/SNAT
 sleep 2
-# Get the container's network interface name (e.g. eth0)
+OIFACE=$(ip route show default | awk '{print $5; exit}')
-IFACE=$(podman exec ${CONTAINER_NAME} sh -c "ip -o link | grep -v lo | head -1 | cut -d: -f2 | tr -d ' ' | cut -d@ -f1")
+BRIDGE=$(podman network inspect ${NETWORK} 2>/dev/null | python3 -c "import json,sys; print(json.load(sys.stdin)[0]['network_interface'])")
-podman exec ${CONTAINER_NAME} ip addr add ${PUBLIC_IP}/32 dev ${IFACE}
-ip route add ${PUBLIC_IP}/32 via ${PRIVATE_IP}
+# Clean up any stale rules for this IP
+nft -a list chain ip nat PREROUTING 2>/dev/null | grep "daddr ${PUBLIC_IP} " | grep -oP 'handle \K\d+' | while read h; do nft delete rule ip nat PREROUTING handle "$h"; done
+nft -a list chain ip nat POSTROUTING 2>/dev/null | grep "snat to ${PUBLIC_IP}" | grep -oP 'handle \K\d+' | while read h; do nft delete rule ip nat POSTROUTING handle "$h"; done
+nft -a list chain inet netavark FORWARD 2>/dev/null | grep "daddr ${PRIVATE_IP} " | grep -oP 'handle \K\d+' | while read h; do nft delete rule inet netavark FORWARD handle "$h"; done
+nft -a list chain ip nat POSTROUTING 2>/dev/null | grep "daddr ${PRIVATE_IP}.*masquerade" | grep -oP 'handle \K\d+' | while read h; do nft delete rule ip nat POSTROUTING handle "$h"; done
+ip route del ${PUBLIC_IP} 2>/dev/null || true
+nft add rule ip nat PREROUTING ip daddr ${PUBLIC_IP} dnat to ${PRIVATE_IP}
+nft add rule ip nat POSTROUTING ip saddr ${PRIVATE_IP} oifname ${OIFACE} snat to ${PUBLIC_IP}
+nft insert rule inet netavark FORWARD ip daddr ${PRIVATE_IP} oifname ${BRIDGE} accept
+nft add rule ip nat POSTROUTING ip saddr ${PRIVATE_SUBNET} ip daddr ${PRIVATE_IP} oifname ${BRIDGE} masquerade
 echo "Running at https://${DOMAIN}/"
author	Your Name <you@example.com>	2026-02-18 15:12:32 +0800
committer	Your Name <you@example.com>	2026-02-18 15:12:32 +0800
commit	c3a377a265d2ca92b8823be281fa0e487d30692b (patch)
tree	1d5b4213c65635ffdd82921b633eaaf5bebd2e60
parent	b0572c958427ae6ad75109752e9741aab31ad65a (diff)

diff --git a/Caddyfile b/Caddyfile index b783e7b..7458b93 100644 --- a/Caddyfile +++ b/Caddyfile
@@ -1,18 +1,18 @@
1	{$DOMAIN} {	1	{$DOMAIN} {
2	handle {$CGIT_CSS} {	2	handle {$CGIT_CSS} {
3	root * /usr/share/webapps/cgit	3	root * /usr/share/cgit
4	file_server	4	file_server
5	}	5	}
6		6
7	handle {$CGIT_LOGO} {	7	handle {$CGIT_LOGO} {
8	root * /usr/share/webapps/cgit	8	root * /usr/share/cgit
9	file_server	9	file_server
10	}	10	}
11		11
12	handle {	12	handle {
13	reverse_proxy unix/{$FCGI_SOCK} {	13	reverse_proxy unix/{$FCGI_SOCK} {
14	transport fastcgi {	14	transport fastcgi {
15	env SCRIPT_FILENAME /usr/share/webapps/cgit/cgit.cgi	15	env SCRIPT_FILENAME /var/www/cgi-bin/cgit
16	env QUERY_STRING {query}	16	env QUERY_STRING {query}
17	env HTTP_HOST {host}	17	env HTTP_HOST {host}
18	env PATH_INFO {path}	18	env PATH_INFO {path}


diff --git a/Dockerfile b/Dockerfile index 86352b4..65ead86 100644 --- a/Dockerfile +++ b/Dockerfile
@@ -1,14 +1,16 @@
1	FROM alpine:latest	1	FROM rockylinux:10
2		2
3	RUN apk add --no-cache \	3	RUN dnf install -y epel-release && \
		4	dnf copr enable -y @caddy/caddy && \
		5	dnf install -y \
4	caddy \	6	caddy \
5	cgit \	7	cgit \
6	git \	8	git \
7	fcgiwrap \	9	fcgiwrap \
8	spawn-fcgi \
9	gettext \	10	gettext \
10	openssl \	11	openssl \
11	openssh-server	12	openssh-server \
		13	&& dnf clean all
12		14
13	COPY cgitrc.template /etc/cgitrc.template	15	COPY cgitrc.template /etc/cgitrc.template
14	COPY Caddyfile /etc/caddy/Caddyfile	16	COPY Caddyfile /etc/caddy/Caddyfile


diff --git a/entrypoint.sh b/entrypoint.sh index 3e2dcc0..ba24e29 100644 --- a/entrypoint.sh +++ b/entrypoint.sh
@@ -1,4 +1,4 @@
1	#!/bin/sh	1	#!/bin/bash
2	set -e	2	set -e
3		3
4	# Check cert matches domain, else clear and renew	4	# Check cert matches domain, else clear and renew
@@ -21,7 +21,8 @@ chmod 700 /git/.ssh
21	chmod 600 /git/.ssh/authorized_keys	21	chmod 600 /git/.ssh/authorized_keys
22	/usr/sbin/sshd	22	/usr/sbin/sshd
23		23
24	spawn-fcgi -s ${FCGI_SOCK} /usr/bin/fcgiwrap	24	fcgiwrap -s unix:${FCGI_SOCK} &
		25	sleep 0.5
25	chmod 666 ${FCGI_SOCK}	26	chmod 666 ${FCGI_SOCK}
26		27
27	exec caddy run --config /etc/caddy/Caddyfile --adapter caddyfile	28	exec caddy run --config /etc/caddy/Caddyfile --adapter caddyfile


diff --git a/sshd_config b/sshd_config index 5d31e36..0270433 100644 --- a/sshd_config +++ b/sshd_config
@@ -7,4 +7,4 @@ AuthorizedKeysFile /git/.ssh/authorized_keys
7	MaxStartups 3:50:10	7	MaxStartups 3:50:10
8	# Kill unauthenticated connections after 15 seconds	8	# Kill unauthenticated connections after 15 seconds
9	LoginGraceTime 15	9	LoginGraceTime 15
10	Subsystem sftp /usr/lib/ssh/sftp-server	10	Subsystem sftp /usr/libexec/openssh/sftp-server


diff --git a/start_container.sh b/start_container.sh index 2299390..f93f5df 100755 --- a/start_container.sh +++ b/start_container.sh
@@ -29,6 +29,7 @@ podman build -t cgit "$(dirname "$0")"
29		29
30	# Run container	30	# Run container
31	podman run -d \	31	podman run -d \
		32	--init \
32	--name ${CONTAINER_NAME} \	33	--name ${CONTAINER_NAME} \
33	--network ${NETWORK} \	34	--network ${NETWORK} \
34	--ip ${PRIVATE_IP} \	35	--ip ${PRIVATE_IP} \
@@ -39,11 +40,21 @@ podman run -d \
39	-v /git:/git \	40	-v /git:/git \
40	localhost/cgit	41	localhost/cgit
41		42
42	# Setup public IP	43	# Setup public IP via DNAT/SNAT
43	sleep 2	44	sleep 2
44	# Get the container's network interface name (e.g. eth0)	45	OIFACE=$(ip route show default \| awk '{print $5; exit}')
45	IFACE=$(podman exec ${CONTAINER_NAME} sh -c "ip -o link \| grep -v lo \| head -1 \| cut -d: -f2 \| tr -d ' ' \| cut -d@ -f1")	46	BRIDGE=$(podman network inspect ${NETWORK} 2>/dev/null \| python3 -c "import json,sys; print(json.load(sys.stdin)[0]['network_interface'])")
46	podman exec ${CONTAINER_NAME} ip addr add ${PUBLIC_IP}/32 dev ${IFACE}	47
47	ip route add ${PUBLIC_IP}/32 via ${PRIVATE_IP}	48	# Clean up any stale rules for this IP
		49	nft -a list chain ip nat PREROUTING 2>/dev/null \| grep "daddr ${PUBLIC_IP} " \| grep -oP 'handle \K\d+' \| while read h; do nft delete rule ip nat PREROUTING handle "$h"; done
		50	nft -a list chain ip nat POSTROUTING 2>/dev/null \| grep "snat to ${PUBLIC_IP}" \| grep -oP 'handle \K\d+' \| while read h; do nft delete rule ip nat POSTROUTING handle "$h"; done
		51	nft -a list chain inet netavark FORWARD 2>/dev/null \| grep "daddr ${PRIVATE_IP} " \| grep -oP 'handle \K\d+' \| while read h; do nft delete rule inet netavark FORWARD handle "$h"; done
		52	nft -a list chain ip nat POSTROUTING 2>/dev/null \| grep "daddr ${PRIVATE_IP}.*masquerade" \| grep -oP 'handle \K\d+' \| while read h; do nft delete rule ip nat POSTROUTING handle "$h"; done
		53	ip route del ${PUBLIC_IP} 2>/dev/null \|\| true
		54
		55	nft add rule ip nat PREROUTING ip daddr ${PUBLIC_IP} dnat to ${PRIVATE_IP}
		56	nft add rule ip nat POSTROUTING ip saddr ${PRIVATE_IP} oifname ${OIFACE} snat to ${PUBLIC_IP}
		57	nft insert rule inet netavark FORWARD ip daddr ${PRIVATE_IP} oifname ${BRIDGE} accept
		58	nft add rule ip nat POSTROUTING ip saddr ${PRIVATE_SUBNET} ip daddr ${PRIVATE_IP} oifname ${BRIDGE} masquerade
48		59
49	echo "Running at https://${DOMAIN}/"	60	echo "Running at https://${DOMAIN}/"