refactor(de-sudo): compose/setup/run misc off raw sudo

- copy_build_context: rsync/cp/rm -> runFileOp (writes the deployed tree AS the
  container owner with --no-owner); drop the now-redundant runSystem chown.
- setup_lock: .setup_complete is in the docker-install-owned frontend/data ->
  runFileOp touch/chmod/rm (drop the chown).
- tags_processor_docker_installation 'user:' enable + update_compose_yml
  jail.local -> runFileOp (deployed compose/config under containers).
- crontab_clear: clear the manager's own crontab via runInstallOp.
- reinstall: cp init.sh to /root -> runSystem (genuine root path).
- create_successful_run_file: drop the pointless sudo echo -> runInstallWrite to
  /docker/run.txt.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
librelad 2026-05-24 17:35:09 +01:00
parent db681fbcd1
commit 2c907b25c2
7 changed files with 20 additions and 22 deletions


@ -18,7 +18,7 @@ tagsProcessorDockerInstallation()
tagsManagerUpdateUniversalTag "$full_file_path" "GID_TAG" "$docker_install_user_id"
# Enable user directive (non-tag replacement)
sudo sed -i 's|#user:|user:|g' "$full_file_path"
runFileOp sed -i 's|#user:|user:|g' "$full_file_path"
checkSuccess "Docker rootless installation tags applied using universal tag manager"
fi
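Review bot: The `sed -i` moved onto runFileOp on L28 needs write permission on the directory containing `$full_file_path`, not only on the file, because sed -i writes a temporary file and renames it over the original; the root-run version never hit that. If runFileOp drops to the container owner and the compose file's directory was created by an earlier install under a different identity, the edit fails and `checkSuccess` on L29 will report it, so it is worth confirming the deployed directory is owned by the same user runFileOp uses. tagsProcessorDockerInstallation starts outside the hunk.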


@ -8,6 +8,6 @@ crontabClear()
# user rename. The sticky bit on /var/spool/cron/crontabs otherwise stops
# the user replacing a file it doesn't own ("rename: Operation not
# permitted"); setup recreates the crontab as the user next.
sudo crontab -u "$sudo_user_name" -r 2>/dev/null
runInstallOp crontab -r 2>/dev/null
isSuccessful "All crontab data has been deleted."
}
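Review bot: The comment on L35-37 says the root `crontab -u … -r` exists precisely because the sticky bit on /var/spool/cron/crontabs stops a user replacing a crontab file it does not own, and the new `runInstallOp crontab -r` on L39 gives that up if runInstallOp drops privileges, while `2>/dev/null` hides the resulting "Operation not permitted". Either keep the privileged path here or rewrite the comment to state why the install user can now remove its own crontab, and let stderr through so `isSuccessful` on L40 has something to report. Also worth checking on the target cron: some implementations return non-zero from `crontab -r` when no crontab exists, which would make an already-empty crontab read as a failure.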


@ -41,7 +41,7 @@ dockerCopyBuildContext()
# container dir — the chown below sets the correct owner. Without this the
# rsync re-stamps the WebUI tree as uid 1000 every install.
if command -v rsync >/dev/null 2>&1; then
sudo rsync -a --no-owner --no-group \
runFileOp rsync -a --no-owner --no-group \
--exclude="docker-compose.yml" \
--exclude="docker-compose.${app_name}.yml" \
--exclude="${app_name}.config" \
@ -52,15 +52,12 @@ dockerCopyBuildContext()
else
# Best-effort fallback. Copies everything then nukes the
# excluded items in the target.
sudo cp -R "$source_dir/." "$target_dir/"
sudo rm -f "$target_dir/${app_name}.config" "$target_dir/${app_name}.tools.json"
runFileOp cp -R "$source_dir/." "$target_dir/"
runFileOp rm -f "$target_dir/${app_name}.config" "$target_dir/${app_name}.tools.json"
fi
# Own the deployed tree as the mode's container owner (config-authoritative,
# never the stale/empty $docker_install_user global that let uid 1000 slip
# through before).
local owner
owner="$(dockerContainerOwner)"
runSystem chown -R "$owner:$owner" "$target_dir"
# runFileOp above wrote the tree AS the container owner (rootless: the docker
# install user; rooted: the manager) with --no-owner so the repo-clone uid
# isn't carried — no root, no chown needed.
isSuccessful "Build context copied for $app_name."
}
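Review bot: The context comment on L46-47 ("the chown below sets the correct owner") is now stale, because the second hunk removes that chown while the first hunk leaves the comment untouched. Suggest rewording it to `# container dir — runFileOp below writes the tree as the container owner. Without this the` so a reader does not look for a chown that no longer exists. The `--no-owner --no-group` flags on L50 only have an effect when rsync runs as root, so the new comment on L69-71 attributing the resulting ownership to them is slightly misleading if runFileOp runs unprivileged; the owner then simply comes from the invoking uid. dockerCopyBuildContext starts outside the hunk.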


@ -33,11 +33,11 @@ dockerComposeUpdate()
local jail_local_file="$containers_dir/$app_name/config/$app_name/jail.local"
if [ -f "$jail_local_file" ]; then
if sudo grep -q "ignoreip = ips_whitelist" "$jail_local_file"; then
if runFileOp grep -q "ignoreip = ips_whitelist" "$jail_local_file"; then
# Whitelist not set up yet
if sudo grep -q "ignoreip = ips_whitelist" "$jail_local_file"; then
local result=$(sudo sed -i "s/ips_whitelist/$CFG_IPS_WHITELIST/" "$jail_local_file")
if runFileOp grep -q "ignoreip = ips_whitelist" "$jail_local_file"; then
local result=$(runFileOp sed -i "s/ips_whitelist/$CFG_IPS_WHITELIST/" "$jail_local_file")
checkSuccess "Update the IP whitelist for $app_name"
local whitelistupdates=true
fi
@ -45,7 +45,7 @@ dockerComposeUpdate()
# If the IPs are set up already but need an update
local current_ip_range=$(grep "ignoreip = " "$jail_local_file" | cut -d ' ' -f 2)
if [ "$current_ip_range" != "$CFG_IPS_WHITELIST" ]; then
local result=$(sudo sed -i "s/ignoreip = ips_whitelist/ignoreip = $CFG_IPS_WHITELIST/" "$jail_local_file")
local result=$(runFileOp sed -i "s/ignoreip = ips_whitelist/ignoreip = $CFG_IPS_WHITELIST/" "$jail_local_file")
checkSuccess "Update the IP whitelist for $app_name"
local whitelistupdates=true
fi
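Review bot: The rewritten sed calls on L86 and L95 still splice `$CFG_IPS_WHITELIST` into an `s/…/…/` expression, so a value containing `/` (a CIDR range such as 10.0.0.0/8, which fail2ban's ignoreip accepts) terminates the expression and the command errors out; `&` and `\` are also interpreted in the replacement. Using a delimiter that cannot occur in an IP list, `runFileOp sed -i "s|ips_whitelist|$CFG_IPS_WHITELIST|" "$jail_local_file"`, fixes the `/` case, and `&`/`\` can be escaped with a parameter expansion before the call. Separately, `local result=$(…)` on both lines masks sed's exit status, so the following `checkSuccess` only ever sees `local` succeed; the value is unused, so call sed directly. The read on L92 uses bare `grep` while L81/L85 go through `runFileOp grep`, which will silently yield an empty range if the file is only readable through the wrapper. dockerComposeUpdate starts and ends outside the hunk.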


@ -2,5 +2,5 @@
createSuccessfulRunFile()
{
sudo echo "LibrePortal last ran on :" $(date) > $docker_dir/run.txt
echo "LibrePortal last ran on : $(date)" | runInstallWrite "$docker_dir/run.txt"
}
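Review bot: `$docker_dir` on L106 is now quoted, but nothing guards against it being unset or empty, in which case the marker is written to `/run.txt` at the filesystem root; since this function is the whole hunk and has no other checks, `"${docker_dir:?}/run.txt"` turns that into an explicit failure. The pipeline's status is that of runInstallWrite, so callers can still check the result.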


@ -64,7 +64,7 @@ runReinstall()
# Try HTTPS first
if sudo -u $sudo_user_name git clone -q "$AUTH_HTTPS_REPO_URL" "/docker/install" 2>/dev/null; then
sudo cp -f /docker/install/init.sh /root/
runSystem cp -f /docker/install/init.sh /root/
echo "SUCCESS: Git repository cloned via HTTPS into /docker/install."
echo ""
echo "SUCCESS: Reinstallation complete, you can now run the "libreportal run" command."
@ -72,7 +72,7 @@ runReinstall()
else
# If HTTPS fails, try HTTP
if sudo -u $sudo_user_name git clone -q "$AUTH_HTTP_REPO_URL" "/docker/install" 2>/dev/null; then
sudo cp -f /docker/install/init.sh /root/
runSystem cp -f /docker/install/init.sh /root/
echo "SUCCESS: Git repository cloned via HTTP into /docker/install."
echo ""
echo "SUCCESS: Reinstallation complete, you can now run the "libreportal run" command."
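Review bot: The `runSystem cp` on L124 copies init.sh into /root from a clone that, on this branch, was fetched over plain HTTP after the HTTPS clone failed (L122), so a transient TLS or certificate problem silently downgrades the source of a root-executed script to an unauthenticated transport. If the HTTP fallback has to stay, make the downgrade loud before the clone, e.g. `echo "WARNING: HTTPS clone failed; falling back to unauthenticated HTTP" >&2`, and consider checking the clone against an expected commit or tag before the copy. The clone lines on L113/L122 still use raw `sudo -u $sudo_user_name` with the name unquoted, which this de-sudo pass leaves as is. runReinstall starts and ends outside the hunk.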


@ -9,12 +9,13 @@ isSetupWizardComplete()
setupWizardMarkComplete()
{
sudo touch "$SETUP_LOCK_FILE" 2>/dev/null
sudo chown "$sudo_user_name:$sudo_user_name" "$SETUP_LOCK_FILE" 2>/dev/null
sudo chmod 644 "$SETUP_LOCK_FILE" 2>/dev/null
# .setup_complete lives in the docker-install-owned frontend/data -> runFileOp
# (created as that user; no root, no chown).
runFileOp touch "$SETUP_LOCK_FILE" 2>/dev/null
runFileOp chmod 644 "$SETUP_LOCK_FILE" 2>/dev/null
}
setupWizardReset()
{
sudo rm -f "$SETUP_LOCK_FILE" 2>/dev/null
runFileOp rm -f "$SETUP_LOCK_FILE" 2>/dev/null
}
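Review bot: The two runFileOp calls on L139-140 still discard stderr, so when the wrapper cannot create `$SETUP_LOCK_FILE` (frontend/data owned by a different user from an earlier root-run install, or the directory missing) there is no diagnostic and the wizard silently re-runs on every start. Suggest dropping the `2>/dev/null` now that the call runs as the directory's owner, or at least `runFileOp touch "$SETUP_LOCK_FILE" || return 1` before the chmod so the failure is visible to the caller. setupWizardReset on L145 has the same silent `rm -f`, which is acceptable for a reset but could carry the same `|| return 1` for symmetry.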