fix(desudo): de-sudo config scan so the manager runtime loads CFG

scan_files used 'sudo find' to enumerate config files to source. Under the
scoped sudoers that's denied, so NO configs got sourced -> CFG_DOCKER_INSTALL_TYPE
ended up empty -> runFileOp/runFileWrite fell back to the manager branch and
every container-path write failed. Root cause of the 'sudo: a password is
required' + 'tee: Permission denied' storm when running under the scoped grant.

- configs/ scan (manager-owned): plain find
- app_configs scan (/docker/containers, docker-install-owned, not list-readable
  by the manager): runFileOp find (enumerate as that user; manager still sources
  each .config, which is o+r). 'containers' install templates stay plain find.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
This commit is contained in:
librelad 2026-05-24 18:38:19 +01:00
parent 2d9450fed4
commit 13d2c15074
2 changed files with 10 additions and 4 deletions

View File

@ -4,7 +4,7 @@ checkDockerRootlessRequirement()
{ {
if [[ $CFG_DOCKER_INSTALL_TYPE == "rootless" ]]; then if [[ $CFG_DOCKER_INSTALL_TYPE == "rootless" ]]; then
### Docker Rootless ### Docker Rootless
if runSystem grep -q "ROOTLESS" $sysctl; then if grep -q "ROOTLESS" $sysctl; then
isSuccessful "Docker Rootless appears to be installed." isSuccessful "Docker Rootless appears to be installed."
else else
isNotice "Docker Rootless does not appear to be installed." isNotice "Docker Rootless does not appear to be installed."

View File

@ -26,7 +26,7 @@ sourceScanFiles()
# echo "$load_type NEW FILE $file" # echo "$load_type NEW FILE $file"
fi fi
fi fi
done < <(sudo find "$folder_dir" -maxdepth 2 -type f ! -name "*.category" ! -name "config_*" ! -name ".*" -print0) done < <(find "$folder_dir" -maxdepth 2 -type f ! -name "*.category" ! -name "config_*" ! -name ".*" -print0)
# Per-location backup configs live nested at depth 3 # Per-location backup configs live nested at depth 3
# (configs/backup/locations/<idx>/location.config) — source them via # (configs/backup/locations/<idx>/location.config) — source them via
@ -48,14 +48,20 @@ sourceScanFiles()
echo "Invalid load type: $load_type" echo "Invalid load type: $load_type"
fi fi
# Scanning function for other types (not libreportal_configs) # Scanning function for other types (not libreportal_configs).
# app_configs live under /docker/containers (owned by the docker install user
# and not list-readable by the manager), so enumerate them AS that user via
# runFileOp; the manager still sources each (the .config files are o+r). The
# 'containers' install templates are manager-owned, so a plain find suffices.
if [ "$load_type" != "libreportal_configs" ]; then if [ "$load_type" != "libreportal_configs" ]; then
local scan_op=""
[[ "$load_type" == "app_configs" ]] && scan_op="runFileOp"
while IFS= read -r -d '' file; do while IFS= read -r -d '' file; do
if [ -f "$file" ]; then if [ -f "$file" ]; then
source "$file" source "$file"
# echo "$load_type FILE $file" # echo "$load_type FILE $file"
fi fi
done < <(sudo find "$folder_dir" -maxdepth 3 -type d \( -name 'resources' \) -prune -o -type f -name "$file_pattern" -print0) done < <($scan_op find "$folder_dir" -maxdepth 3 -type d \( -name 'resources' \) -prune -o -type f -name "$file_pattern" -print0)
fi fi
# Load the categories from the file into an array # Load the categories from the file into an array