fix(docker): run as root so Codex can read auth.json #266

Merged
jlia0 merged 1 commit into main from jlia0/codex-docker-debug
Mar 26, 2026
jlia0 (Collaborator) commented Mar 26, 2026

Description

Fix Codex failing with WebSocket 500 errors inside Docker. The root cause was that gosu tinyagi dropped privileges, preventing Codex from reading /root/.codex/auth.json where it stores the OpenAI API key at runtime.

Changes

  • Remove gosu and non-root tinyagi user — run the Node process as root directly
  • Move all persistent data paths from /home/tinyagi to /root
  • Update docker-compose.yml volume mount accordingly
  • Drop a reset_flag on first agent bootstrap so Codex doesn't try to resume --last a non-existent session
  • Auto-reset Codex on first invocation for new agent directories in invoke.ts

Testing

  • Verified codex exec --json works as root inside the container
  • Confirmed auth.json is readable and WebSocket connection succeeds

Checklist

  • PR title follows conventional commit format (type(scope): description)
  • I have tested these changes locally
  • My changes don't introduce new warnings or errors
  • I have updated documentation if needed

Codex stores its API key in /root/.codex/auth.json at runtime. Running
the Node process as a non-root tinyagi user via gosu meant Codex could
not read the auth file, causing WebSocket 500 errors against the OpenAI
Responses API.

Switch Docker to run as root directly — container isolation is handled
by gVisor at the infrastructure level, making the in-container user
separation unnecessary.

Also fix Codex adapter to always use `resume --last` by default and
auto-reset on first invocation for new agent directories.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
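
The failure described above (a non-root user unable to reach /root/.codex/auth.json) can be diagnosed by walking the path and applying the POSIX owner/group/other mode bits at each component. This is an added example, not code from this PR or the project; `first_blocker` and `demo` are hypothetical names, the tree is constructed in a temp directory, and the modes (0700 on root's home, 0600 on auth.json) are assumptions, since the page does not state them.

```python
import os
import tempfile

def first_blocker(path, uid, gids, base="/"):
    """Return (component, needed_bit) for the first path component below `base`
    that denies uid/gids under plain POSIX mode bits, or None if readable.
    Simplified model: no ACLs, capabilities or LSMs; uid 0 always passes."""
    if uid == 0:
        return None
    path, base = os.path.realpath(path), os.path.realpath(base)
    cur = base
    for name in os.path.relpath(path, base).split(os.sep):
        cur = os.path.join(cur, name)
        st = os.stat(cur)
        # Directories on the way need search (x); the target itself needs read (r).
        need = 4 if cur == path else 1
        if st.st_uid == uid:
            bits = (st.st_mode >> 6) & 7      # owner class
        elif st.st_gid in gids:
            bits = (st.st_mode >> 3) & 7      # group class
        else:
            bits = st.st_mode & 7             # other class
        if not bits & need:
            return (os.path.relpath(cur, base), "r" if need == 4 else "x")
    return None

def demo():
    """Constructed tree mimicking /root/.codex/auth.json (not the real container)."""
    with tempfile.TemporaryDirectory() as base:
        home = os.path.join(base, "root")
        codex = os.path.join(home, ".codex")
        os.makedirs(codex)
        auth = os.path.join(codex, "auth.json")
        with open(auth, "w") as f:
            f.write("{}")                      # placeholder content, no real key
        os.chmod(auth, 0o600)                  # assumed mode of the auth file
        os.chmod(codex, 0o755)
        os.chmod(home, 0o700)                  # assumed mode of root's home
        owner = os.stat(home)
        other_uid, other_gid = owner.st_uid + 1000, owner.st_gid + 1000
        as_other = first_blocker(auth, other_uid, [other_gid], base)
        as_root = first_blocker(auth, 0, [0], base)
        os.chmod(home, 0o755)                  # home opened up: the file mode still blocks
        still = first_blocker(auth, other_uid, [other_gid], base)
        return as_other, as_root, still

if __name__ == "__main__":
    print(demo())
```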