lifecycle: default MODE_FILE to /tmp when TMPDIR is unset

Line 6 already uses \${TMPDIR:-/tmp} for PROMETHEUS_MULTIPROC_DIR; apply the same fallback to MODE_FILE so \`ak server\` works outside a container where TMPDIR is not exported.
2026-04-25 17:15:26 +02:00 · 2026-04-21 02:27:17 +00:00
parent 1036844a1a
commit 634c58f753
1 changed files with 6 additions and 2 deletions
--- a/lifecycle/ak
+++ b/lifecycle/ak
@@ -1,6 +1,6 @@
 #!/usr/bin/env -S bash
 set -e -o pipefail
-MODE_FILE="${TMPDIR}/authentik-mode"
+MODE_FILE="${TMPDIR:-/tmp}/authentik-mode"

 if [[ -z "${PROMETHEUS_MULTIPROC_DIR}" ]]; then
    export PROMETHEUS_MULTIPROC_DIR="${TMPDIR:-/tmp}/authentik_prometheus_tmp"
@@ -73,6 +73,10 @@ function prepare_debug {
 }

 mkdir -p "${PROMETHEUS_MULTIPROC_DIR}"
+if [[ ! -w "$(dirname "$MODE_FILE")" ]]; then
+    log "Cannot write mode file — $(dirname "$MODE_FILE") is not writable; check TMPDIR"
+    exit 1
+fi

 if [[ "$(python -m authentik.lib.config debugger 2>/dev/null)" == "True" ]]; then
    prepare_debug
@@ -90,7 +94,7 @@ elif [[ "$1" == "worker" ]]; then
    if [[ -n "${AUTHENTIK_BOOTSTRAP_PASSWORD}" || -n "${AUTHENTIK_BOOTSTRAP_TOKEN}" ]]; then
        python -m manage apply_blueprint system/bootstrap.yaml || true
    fi
-    check_if_root "python -m manage worker --pid-file ${TMPDIR}/authentik-worker.pid $@"
+    check_if_root "python -m manage worker --pid-file ${TMPDIR:-/tmp}/authentik-worker.pid $@"
 elif [[ "$1" == "bash" ]]; then
    /bin/bash
 elif [[ "$1" == "test-all" ]]; then