refactor(de-sudo): compose/setup/run misc off raw sudo
- copy_build_context: rsync/cp/rm -> runFileOp (writes the deployed tree AS the container owner with --no-owner); drop the now-redundant runSystem chown. - setup_lock: .setup_complete is in the docker-install-owned frontend/data -> runFileOp touch/chmod/rm (drop the chown). - tags_processor_docker_installation 'user:' enable + update_compose_yml jail.local -> runFileOp (deployed compose/config under containers). - crontab_clear: clear the manager's own crontab via runInstallOp. - reinstall: cp init.sh to /root -> runSystem (genuine root path). - create_successful_run_file: drop the pointless sudo echo -> runInstallWrite to /docker/run.txt. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> Signed-off-by: librelad <librelad@digitalangels.vip>
This commit is contained in:
parent
db681fbcd1
commit
2c907b25c2
@ -18,7 +18,7 @@ tagsProcessorDockerInstallation()
|
|||||||
tagsManagerUpdateUniversalTag "$full_file_path" "GID_TAG" "$docker_install_user_id"
|
tagsManagerUpdateUniversalTag "$full_file_path" "GID_TAG" "$docker_install_user_id"
|
||||||
|
|
||||||
# Enable user directive (non-tag replacement)
|
# Enable user directive (non-tag replacement)
|
||||||
sudo sed -i 's|#user:|user:|g' "$full_file_path"
|
runFileOp sed -i 's|#user:|user:|g' "$full_file_path"
|
||||||
|
|
||||||
checkSuccess "Docker rootless installation tags applied using universal tag manager"
|
checkSuccess "Docker rootless installation tags applied using universal tag manager"
|
||||||
fi
|
fi
|
||||||
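Review bot: `runFileOp sed -i 's|#user:|user:|g' "$full_file_path"` needs write permission on the directory holding the compose file, not only on the file, because `sed -i` writes a temporary file and renames it over the original; if runFileOp drops to the container owner rather than root, this only works while that user owns the directory, and the same holds for the three `sed -i` calls moved to runFileOp in dockerComposeUpdate. The substitution is also global and unanchored, so any other `#user:` text in the file (a commented example, a value inside a string) is rewritten too; anchoring it, `runFileOp sed -i 's|^\([[:space:]]*\)#user:|\1user:|' "$full_file_path"`, limits it to the directive. The enclosing `if` and the function start outside this hunk.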
|
|||||||
@ -8,6 +8,6 @@ crontabClear()
|
|||||||
# user rename. The sticky bit on /var/spool/cron/crontabs otherwise stops
|
# user rename. The sticky bit on /var/spool/cron/crontabs otherwise stops
|
||||||
# the user replacing a file it doesn't own ("rename: Operation not
|
# the user replacing a file it doesn't own ("rename: Operation not
|
||||||
# permitted"); setup recreates the crontab as the user next.
|
# permitted"); setup recreates the crontab as the user next.
|
||||||
sudo crontab -u "$sudo_user_name" -r 2>/dev/null
|
runInstallOp crontab -r 2>/dev/null
|
||||||
isSuccessful "All crontab data has been deleted."
|
isSuccessful "All crontab data has been deleted."
|
||||||
}
|
}
|
||||||
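Review bot: `runInstallOp crontab -r 2>/dev/null` can reintroduce the failure the comment directly above it describes: if runInstallOp runs crontab as the install user rather than root, removing a spool file left under the pre-rename uid is blocked by the sticky bit on /var/spool/cron/crontabs, and with stderr discarded and `isSuccessful` apparently not tied to the exit status the script reports success anyway. Either keep this one step on a root path or make the failure visible, e.g. `runInstallOp crontab -r 2>/dev/null` followed by `checkSuccess "Crontab cleared for the manager user"`. If the sticky-bit case is no longer reachable because the rename now happens elsewhere, the comment at the top of this hunk should say so instead of describing a root-only workaround.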
@ -41,7 +41,7 @@ dockerCopyBuildContext()
|
|||||||
# container dir — the chown below sets the correct owner. Without this the
|
# container dir — the chown below sets the correct owner. Without this the
|
||||||
# rsync re-stamps the WebUI tree as uid 1000 every install.
|
# rsync re-stamps the WebUI tree as uid 1000 every install.
|
||||||
if command -v rsync >/dev/null 2>&1; then
|
if command -v rsync >/dev/null 2>&1; then
|
||||||
sudo rsync -a --no-owner --no-group \
|
runFileOp rsync -a --no-owner --no-group \
|
||||||
--exclude="docker-compose.yml" \
|
--exclude="docker-compose.yml" \
|
||||||
--exclude="docker-compose.${app_name}.yml" \
|
--exclude="docker-compose.${app_name}.yml" \
|
||||||
--exclude="${app_name}.config" \
|
--exclude="${app_name}.config" \
|
||||||
@ -52,15 +52,12 @@ dockerCopyBuildContext()
|
|||||||
else
|
else
|
||||||
# Best-effort fallback. Copies everything then nukes the
|
# Best-effort fallback. Copies everything then nukes the
|
||||||
# excluded items in the target.
|
# excluded items in the target.
|
||||||
sudo cp -R "$source_dir/." "$target_dir/"
|
runFileOp cp -R "$source_dir/." "$target_dir/"
|
||||||
sudo rm -f "$target_dir/${app_name}.config" "$target_dir/${app_name}.tools.json"
|
runFileOp rm -f "$target_dir/${app_name}.config" "$target_dir/${app_name}.tools.json"
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Own the deployed tree as the mode's container owner (config-authoritative,
|
# runFileOp above wrote the tree AS the container owner (rootless: the docker
|
||||||
# never the stale/empty $docker_install_user global that let uid 1000 slip
|
# install user; rooted: the manager) with --no-owner so the repo-clone uid
|
||||||
# through before).
|
# isn't carried — no root, no chown needed.
|
||||||
local owner
|
|
||||||
owner="$(dockerContainerOwner)"
|
|
||||||
runSystem chown -R "$owner:$owner" "$target_dir"
|
|
||||||
isSuccessful "Build context copied for $app_name."
|
isSuccessful "Build context copied for $app_name."
|
||||||
}
|
}
|
||||||
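Review bot: The unchanged comment at the top of the previous hunk still says "the chown below sets the correct owner", but this hunk removes that chown (`local owner`, `owner="$(dockerContainerOwner)"`, `runSystem chown -R`), so the function now carries two contradictory explanations of how ownership is fixed. Reword the earlier one to match the new rationale, e.g. `# container dir — runFileOp runs the copy as the container owner, so the tree is` / `# created with the right uid. Without --no-owner the rsync would re-stamp the` / `# WebUI tree as uid 1000 every install.` Separately, the rsync branch excludes the compose files while the `cp -R` fallback only removes `${app_name}.config` and `${app_name}.tools.json`, so if the target already holds a deployed `docker-compose.yml` the fallback overwrites it; that predates this commit but is worth aligning now that both branches go through runFileOp. The exclude list and the function start outside these hunks.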
|
|||||||
@ -33,11 +33,11 @@ dockerComposeUpdate()
|
|||||||
local jail_local_file="$containers_dir/$app_name/config/$app_name/jail.local"
|
local jail_local_file="$containers_dir/$app_name/config/$app_name/jail.local"
|
||||||
|
|
||||||
if [ -f "$jail_local_file" ]; then
|
if [ -f "$jail_local_file" ]; then
|
||||||
if sudo grep -q "ignoreip = ips_whitelist" "$jail_local_file"; then
|
if runFileOp grep -q "ignoreip = ips_whitelist" "$jail_local_file"; then
|
||||||
|
|
||||||
# Whitelist not set up yet
|
# Whitelist not set up yet
|
||||||
if sudo grep -q "ignoreip = ips_whitelist" "$jail_local_file"; then
|
if runFileOp grep -q "ignoreip = ips_whitelist" "$jail_local_file"; then
|
||||||
local result=$(sudo sed -i "s/ips_whitelist/$CFG_IPS_WHITELIST/" "$jail_local_file")
|
local result=$(runFileOp sed -i "s/ips_whitelist/$CFG_IPS_WHITELIST/" "$jail_local_file")
|
||||||
checkSuccess "Update the IP whitelist for $app_name"
|
checkSuccess "Update the IP whitelist for $app_name"
|
||||||
local whitelistupdates=true
|
local whitelistupdates=true
|
||||||
fi
|
fi
|
||||||
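Review bot: `local result=$(runFileOp sed -i …)` masks the sed exit status, since `local` itself returns 0, so the `checkSuccess` on the next line cannot see a failed rewrite; the same pattern is in the next hunk (`s/ignoreip = ips_whitelist/…/`). `$CFG_IPS_WHITELIST` is also interpolated into a `/`-delimited sed expression, so a CIDR entry such as `10.0.0.0/8` (constructed example) terminates the expression early and the command fails. Drop the unused `result` and use a delimiter that cannot appear in an address list, `runFileOp sed -i "s|ips_whitelist|$CFG_IPS_WHITELIST|" "$jail_local_file"`, and likewise `s|ignoreip = ips_whitelist|ignoreip = $CFG_IPS_WHITELIST|` in the next hunk. The two `runFileOp grep -q "ignoreip = ips_whitelist"` tests are identical, so the inner one is redundant, and the plain `grep "ignoreip = "` read in the next hunk still bypasses runFileOp, which makes the comparison fail if the manager cannot read jail.local directly. The function starts and ends outside these hunks.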
@ -45,7 +45,7 @@ dockerComposeUpdate()
|
|||||||
# If the IPs are set up already but need an update
|
# If the IPs are set up already but need an update
|
||||||
local current_ip_range=$(grep "ignoreip = " "$jail_local_file" | cut -d ' ' -f 2)
|
local current_ip_range=$(grep "ignoreip = " "$jail_local_file" | cut -d ' ' -f 2)
|
||||||
if [ "$current_ip_range" != "$CFG_IPS_WHITELIST" ]; then
|
if [ "$current_ip_range" != "$CFG_IPS_WHITELIST" ]; then
|
||||||
local result=$(sudo sed -i "s/ignoreip = ips_whitelist/ignoreip = $CFG_IPS_WHITELIST/" "$jail_local_file")
|
local result=$(runFileOp sed -i "s/ignoreip = ips_whitelist/ignoreip = $CFG_IPS_WHITELIST/" "$jail_local_file")
|
||||||
checkSuccess "Update the IP whitelist for $app_name"
|
checkSuccess "Update the IP whitelist for $app_name"
|
||||||
local whitelistupdates=true
|
local whitelistupdates=true
|
||||||
fi
|
fi
|
||||||
|
|||||||
@ -2,5 +2,5 @@
|
|||||||
|
|
||||||
createSuccessfulRunFile()
|
createSuccessfulRunFile()
|
||||||
{
|
{
|
||||||
sudo echo "LibrePortal last ran on :" $(date) > $docker_dir/run.txt
|
echo "LibrePortal last ran on : $(date)" | runInstallWrite "$docker_dir/run.txt"
|
||||||
}
|
}
|
||||||
@ -64,7 +64,7 @@ runReinstall()
|
|||||||
|
|
||||||
# Try HTTPS first
|
# Try HTTPS first
|
||||||
if sudo -u $sudo_user_name git clone -q "$AUTH_HTTPS_REPO_URL" "/docker/install" 2>/dev/null; then
|
if sudo -u $sudo_user_name git clone -q "$AUTH_HTTPS_REPO_URL" "/docker/install" 2>/dev/null; then
|
||||||
sudo cp -f /docker/install/init.sh /root/
|
runSystem cp -f /docker/install/init.sh /root/
|
||||||
echo "SUCCESS: Git repository cloned via HTTPS into /docker/install."
|
echo "SUCCESS: Git repository cloned via HTTPS into /docker/install."
|
||||||
echo ""
|
echo ""
|
||||||
echo "SUCCESS: Reinstallation complete, you can now run the "libreportal run" command."
|
echo "SUCCESS: Reinstallation complete, you can now run the "libreportal run" command."
|
||||||
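Review bot: `runSystem cp -f /docker/install/init.sh /root/` promotes a script from a clone made as `$sudo_user_name` into root's home, and the fallback in the next hunk obtains that clone over plain HTTP (`$AUTH_HTTP_REPO_URL`), so an unauthenticated fetch can end up as a root-owned file; require the HTTPS path, or verify the checkout (a signed tag or pinned commit) before the copy, and at minimum make the HTTP fallback opt-in rather than automatic. The `sudo -u $sudo_user_name git clone …` line also keeps a raw, unquoted sudo in a de-sudo commit; if runInstallOp runs as that user, `runInstallOp git clone -q "$AUTH_HTTPS_REPO_URL" "/docker/install" 2>/dev/null` would match the pattern used in crontabClear. The function starts outside this hunk.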
@ -72,7 +72,7 @@ runReinstall()
|
|||||||
else
|
else
|
||||||
# If HTTPS fails, try HTTP
|
# If HTTPS fails, try HTTP
|
||||||
if sudo -u $sudo_user_name git clone -q "$AUTH_HTTP_REPO_URL" "/docker/install" 2>/dev/null; then
|
if sudo -u $sudo_user_name git clone -q "$AUTH_HTTP_REPO_URL" "/docker/install" 2>/dev/null; then
|
||||||
sudo cp -f /docker/install/init.sh /root/
|
runSystem cp -f /docker/install/init.sh /root/
|
||||||
echo "SUCCESS: Git repository cloned via HTTP into /docker/install."
|
echo "SUCCESS: Git repository cloned via HTTP into /docker/install."
|
||||||
echo ""
|
echo ""
|
||||||
echo "SUCCESS: Reinstallation complete, you can now run the "libreportal run" command."
|
echo "SUCCESS: Reinstallation complete, you can now run the "libreportal run" command."
|
||||||
|
|||||||
@ -9,12 +9,13 @@ isSetupWizardComplete()
|
|||||||
|
|
||||||
setupWizardMarkComplete()
|
setupWizardMarkComplete()
|
||||||
{
|
{
|
||||||
sudo touch "$SETUP_LOCK_FILE" 2>/dev/null
|
# .setup_complete lives in the docker-install-owned frontend/data -> runFileOp
|
||||||
sudo chown "$sudo_user_name:$sudo_user_name" "$SETUP_LOCK_FILE" 2>/dev/null
|
# (created as that user; no root, no chown).
|
||||||
sudo chmod 644 "$SETUP_LOCK_FILE" 2>/dev/null
|
runFileOp touch "$SETUP_LOCK_FILE" 2>/dev/null
|
||||||
|
runFileOp chmod 644 "$SETUP_LOCK_FILE" 2>/dev/null
|
||||||
}
|
}
|
||||||
|
|
||||||
setupWizardReset()
|
setupWizardReset()
|
||||||
{
|
{
|
||||||
sudo rm -f "$SETUP_LOCK_FILE" 2>/dev/null
|
runFileOp rm -f "$SETUP_LOCK_FILE" 2>/dev/null
|
||||||
}
|
}
|
||||||
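Review bot: `runFileOp touch "$SETUP_LOCK_FILE" 2>/dev/null` and the `chmod 644` after it discard stderr and are not status-checked, so if the data directory is missing or not writable by the user runFileOp selects, the marker is silently not created and, going by isSetupWizardComplete above, the wizard would reappear on the next run with no diagnostic. Returning the touch status, `runFileOp touch "$SETUP_LOCK_FILE" || return 1`, lets the caller react; the `rm -f` in setupWizardReset can stay best-effort since a missing file there is harmless. The new two-line comment would read better as one sentence placed directly above the `touch`, since the `chmod` it precedes is not what it explains.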
|
|||||||