refactor(de-sudo): compose/setup/run misc off raw sudo
- copy_build_context: rsync/cp/rm -> runFileOp (writes the deployed tree AS the container owner with --no-owner); drop the now-redundant runSystem chown. - setup_lock: .setup_complete is in the docker-install-owned frontend/data -> runFileOp touch/chmod/rm (drop the chown). - tags_processor_docker_installation 'user:' enable + update_compose_yml jail.local -> runFileOp (deployed compose/config under containers). - crontab_clear: clear the manager's own crontab via runInstallOp. - reinstall: cp init.sh to /root -> runSystem (genuine root path). - create_successful_run_file: drop the pointless sudo echo -> runInstallWrite to /docker/run.txt. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> Signed-off-by: librelad <librelad@digitalangels.vip>
This commit is contained in:
parent
db681fbcd1
commit
2c907b25c2
@ -18,7 +18,7 @@ tagsProcessorDockerInstallation()
|
||||
tagsManagerUpdateUniversalTag "$full_file_path" "GID_TAG" "$docker_install_user_id"
|
||||
|
||||
# Enable user directive (non-tag replacement)
|
||||
sudo sed -i 's|#user:|user:|g' "$full_file_path"
|
||||
runFileOp sed -i 's|#user:|user:|g' "$full_file_path"
|
||||
|
||||
checkSuccess "Docker rootless installation tags applied using universal tag manager"
|
||||
fi
|
||||
|
||||
@ -8,6 +8,6 @@ crontabClear()
|
||||
# user rename. The sticky bit on /var/spool/cron/crontabs otherwise stops
|
||||
# the user replacing a file it doesn't own ("rename: Operation not
|
||||
# permitted"); setup recreates the crontab as the user next.
|
||||
sudo crontab -u "$sudo_user_name" -r 2>/dev/null
|
||||
runInstallOp crontab -r 2>/dev/null
|
||||
isSuccessful "All crontab data has been deleted."
|
||||
}
|
||||
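Review bot: The new `runInstallOp crontab -r` clears the crontab of whatever account runInstallOp runs as, while the removed line targeted `$sudo_user_name` explicitly; the comment above it (which starts before this hunk) still explains the step in terms of the sticky bit and the user being renamed, so it should state which identity runInstallOp resolves to here, e.g. `# runInstallOp runs this as the manager account (the one being renamed), so its own spool file is removed.` If runInstallOp can resolve to the post-rename name, the spool file under the old name in /var/spool/cron/crontabs is left behind — worth confirming against the ordering in setup. Note also that `crontab -r` exits non-zero when no crontab exists and `2>/dev/null` hides its message, so `isSuccessful` on the next line reports that benign case as a failure (pre-existing, but the line is rewritten here). crontabClear's opening is outside the hunk.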
@ -41,7 +41,7 @@ dockerCopyBuildContext()
|
||||
# container dir — the chown below sets the correct owner. Without this the
|
||||
# rsync re-stamps the WebUI tree as uid 1000 every install.
|
||||
if command -v rsync >/dev/null 2>&1; then
|
||||
sudo rsync -a --no-owner --no-group \
|
||||
runFileOp rsync -a --no-owner --no-group \
|
||||
--exclude="docker-compose.yml" \
|
||||
--exclude="docker-compose.${app_name}.yml" \
|
||||
--exclude="${app_name}.config" \
|
||||
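Review bot: The unchanged comment at the top of this hunk still reads `container dir — the chown below sets the correct owner`, but the second hunk of dockerCopyBuildContext removes that chown, so the sentence now points at code that no longer exists. Reword it to match the new model, e.g. `# container dir — runFileOp runs the copy as the container owner, so the tree is owned correctly without a chown.` The sentence begins on a line before this hunk, so the edit spans text outside it.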
@ -52,15 +52,12 @@ dockerCopyBuildContext()
|
||||
else
|
||||
# Best-effort fallback. Copies everything then nukes the
|
||||
# excluded items in the target.
|
||||
sudo cp -R "$source_dir/." "$target_dir/"
|
||||
sudo rm -f "$target_dir/${app_name}.config" "$target_dir/${app_name}.tools.json"
|
||||
runFileOp cp -R "$source_dir/." "$target_dir/"
|
||||
runFileOp rm -f "$target_dir/${app_name}.config" "$target_dir/${app_name}.tools.json"
|
||||
fi
|
||||
|
||||
# Own the deployed tree as the mode's container owner (config-authoritative,
|
||||
# never the stale/empty $docker_install_user global that let uid 1000 slip
|
||||
# through before).
|
||||
local owner
|
||||
owner="$(dockerContainerOwner)"
|
||||
runSystem chown -R "$owner:$owner" "$target_dir"
|
||||
# runFileOp above wrote the tree AS the container owner (rootless: the docker
|
||||
# install user; rooted: the manager) with --no-owner so the repo-clone uid
|
||||
# isn't carried — no root, no chown needed.
|
||||
isSuccessful "Build context copied for $app_name."
|
||||
}
|
||||
|
||||
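Review bot: The fallback `runFileOp cp -R` / `runFileOp rm -f` pair copies everything and then removes only `${app_name}.config` and `${app_name}.tools.json`, whereas the rsync branch in the previous hunk excludes at least `docker-compose.yml` and `docker-compose.${app_name}.yml` as well, so the two paths deploy different trees; the `rm -f` line should delete the same set the rsync excludes, e.g. `runFileOp rm -f "$target_dir/docker-compose.yml" "$target_dir/docker-compose.${app_name}.yml" "$target_dir/${app_name}.config" "$target_dir/${app_name}.tools.json"`. The rest of the rsync exclude list is outside the hunk, so there may be further entries to mirror. With `runSystem chown -R` gone, a target tree left by an earlier install under the old sudo path may still be owned by root or another uid; a non-root runFileOp would then fail to overwrite those files rather than re-own them, so a one-time migration or an explicit ownership check before the copy seems worth confirming.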
@ -33,11 +33,11 @@ dockerComposeUpdate()
|
||||
local jail_local_file="$containers_dir/$app_name/config/$app_name/jail.local"
|
||||
|
||||
if [ -f "$jail_local_file" ]; then
|
||||
if sudo grep -q "ignoreip = ips_whitelist" "$jail_local_file"; then
|
||||
if runFileOp grep -q "ignoreip = ips_whitelist" "$jail_local_file"; then
|
||||
|
||||
# Whitelist not set up yet
|
||||
if sudo grep -q "ignoreip = ips_whitelist" "$jail_local_file"; then
|
||||
local result=$(sudo sed -i "s/ips_whitelist/$CFG_IPS_WHITELIST/" "$jail_local_file")
|
||||
if runFileOp grep -q "ignoreip = ips_whitelist" "$jail_local_file"; then
|
||||
local result=$(runFileOp sed -i "s/ips_whitelist/$CFG_IPS_WHITELIST/" "$jail_local_file")
|
||||
checkSuccess "Update the IP whitelist for $app_name"
|
||||
local whitelistupdates=true
|
||||
fi
|
||||
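Review bot: `$CFG_IPS_WHITELIST` is interpolated straight into the `s/…/…/` expression of `runFileOp sed -i` on the `local result=` line, so a whitelist value containing `/` (e.g. a CIDR range like `10.0.0.0/8`) or `&` breaks the sed command or is mis-substituted; the same construction is rewritten in the next hunk (`s/ignoreip = ips_whitelist/…/`). Switching delimiters handles `/`, e.g. `local result=$(runFileOp sed -i "s|ips_whitelist|$CFG_IPS_WHITELIST|" "$jail_local_file")`, but `&`, `|` and `\` still need escaping, so validating the configured value (or escaping it before use) is the safer fix. Separately, `local result=$(...)` makes the line's status that of `local`, which is 0, so `checkSuccess` on the next line cannot observe a failing sed; splitting declaration from assignment (`local result; result=$(runFileOp sed ...)`) restores the exit code. dockerComposeUpdate's body continues outside the hunk.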
@ -45,7 +45,7 @@ dockerComposeUpdate()
|
||||
# If the IPs are set up already but need an update
|
||||
local current_ip_range=$(grep "ignoreip = " "$jail_local_file" | cut -d ' ' -f 2)
|
||||
if [ "$current_ip_range" != "$CFG_IPS_WHITELIST" ]; then
|
||||
local result=$(sudo sed -i "s/ignoreip = ips_whitelist/ignoreip = $CFG_IPS_WHITELIST/" "$jail_local_file")
|
||||
local result=$(runFileOp sed -i "s/ignoreip = ips_whitelist/ignoreip = $CFG_IPS_WHITELIST/" "$jail_local_file")
|
||||
checkSuccess "Update the IP whitelist for $app_name"
|
||||
local whitelistupdates=true
|
||||
fi
|
||||
|
||||
@ -2,5 +2,5 @@
|
||||
|
||||
createSuccessfulRunFile()
|
||||
{
|
||||
sudo echo "LibrePortal last ran on :" $(date) > $docker_dir/run.txt
|
||||
echo "LibrePortal last ran on : $(date)" | runInstallWrite "$docker_dir/run.txt"
|
||||
}
|
||||
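Review bot: `"$docker_dir/run.txt"` still resolves to `/run.txt` when `$docker_dir` is unset or empty, and `runInstallWrite` would then write into the filesystem root; guard the path, `echo "LibrePortal last ran on : $(date)" | runInstallWrite "${docker_dir:?docker_dir unset}/run.txt"`. The pipeline's exit status is also not checked, so a failed write is silent to the caller.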
@ -64,7 +64,7 @@ runReinstall()
|
||||
|
||||
# Try HTTPS first
|
||||
if sudo -u $sudo_user_name git clone -q "$AUTH_HTTPS_REPO_URL" "/docker/install" 2>/dev/null; then
|
||||
sudo cp -f /docker/install/init.sh /root/
|
||||
runSystem cp -f /docker/install/init.sh /root/
|
||||
echo "SUCCESS: Git repository cloned via HTTPS into /docker/install."
|
||||
echo ""
|
||||
echo "SUCCESS: Reinstallation complete, you can now run the "libreportal run" command."
|
||||
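Review bot: The result of `runSystem cp -f /docker/install/init.sh /root/` is not checked, so the two SUCCESS lines print even when the copy fails and /root/init.sh is left stale; the same applies to the HTTP branch in the next hunk. Guard it, e.g. `runSystem cp -f /docker/install/init.sh /root/ || { echo "ERROR: could not install init.sh into /root" >&2; return 1; }`. The unquoted `$sudo_user_name` on the `sudo -u` line above is context here, but worth quoting while the function is being touched. runReinstall's body extends beyond both hunks.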
@ -72,7 +72,7 @@ runReinstall()
|
||||
else
|
||||
# If HTTPS fails, try HTTP
|
||||
if sudo -u $sudo_user_name git clone -q "$AUTH_HTTP_REPO_URL" "/docker/install" 2>/dev/null; then
|
||||
sudo cp -f /docker/install/init.sh /root/
|
||||
runSystem cp -f /docker/install/init.sh /root/
|
||||
echo "SUCCESS: Git repository cloned via HTTP into /docker/install."
|
||||
echo ""
|
||||
echo "SUCCESS: Reinstallation complete, you can now run the "libreportal run" command."
|
||||
|
||||
@ -9,12 +9,13 @@ isSetupWizardComplete()
|
||||
|
||||
setupWizardMarkComplete()
|
||||
{
|
||||
sudo touch "$SETUP_LOCK_FILE" 2>/dev/null
|
||||
sudo chown "$sudo_user_name:$sudo_user_name" "$SETUP_LOCK_FILE" 2>/dev/null
|
||||
sudo chmod 644 "$SETUP_LOCK_FILE" 2>/dev/null
|
||||
# .setup_complete lives in the docker-install-owned frontend/data -> runFileOp
|
||||
# (created as that user; no root, no chown).
|
||||
runFileOp touch "$SETUP_LOCK_FILE" 2>/dev/null
|
||||
runFileOp chmod 644 "$SETUP_LOCK_FILE" 2>/dev/null
|
||||
}
|
||||
|
||||
setupWizardReset()
|
||||
{
|
||||
sudo rm -f "$SETUP_LOCK_FILE" 2>/dev/null
|
||||
runFileOp rm -f "$SETUP_LOCK_FILE" 2>/dev/null
|
||||
}
|
||||
|
||||
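Review bot: Both `runFileOp touch` and `runFileOp chmod 644` in setupWizardMarkComplete keep `2>/dev/null` and are not chained, so a failing touch (for instance when the runFileOp identity cannot write frontend/data) is hidden and chmod then runs on a missing file; the function's status is whatever chmod returns, and callers cannot tell the lock was never created, which would make the wizard run again on the next start. Chain them and let the error surface: `runFileOp touch "$SETUP_LOCK_FILE" && runFileOp chmod 644 "$SETUP_LOCK_FILE"`. The same silent `2>/dev/null` remains on `runFileOp rm -f` in setupWizardReset, where a permission failure would leave the lock in place unnoticed.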