From bea7d64146d60749027571f924ea73d30977f92e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Lesimple?=
 <stephane.lesimple+bastion@ovhcloud.com>
Date: Thu, 11 Sep 2025 07:54:14 +0000
Subject: [PATCH] fix: docker sandbox: restore ACLs on start

---
 docker/entrypoint.sh | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/docker/entrypoint.sh b/docker/entrypoint.sh
index d17c71e..6245f33 100755
--- a/docker/entrypoint.sh
+++ b/docker/entrypoint.sh
@@ -8,6 +8,13 @@ else
     test -x /etc/rc.d/sshd && /etc/rc.d/sshd onestart
 fi
 
+# If the container was committed and pushed to a registry and later retrieved,
+# the extended ACLs on the filesystem may have silently disappeared,
+# as the registry storage may not support them.
+# cf https://forums.docker.com/t/setfacl-very-long-setting/131897
+# Ensure we repair/restore them before opening the SSH service:
+/opt/bastion/bin/admin/install --minimal
+
 if [ "$1" = "--sandbox" ]; then
     echo "The Bastion sandbox container is running, you can now connect to its port 22 (probably remapped to another port on the host)"
 fi