fix(install): restore webui_logins container-group after credential write
The rootless WebUI container reads its bind-mount sources (configs/webui/*) through the container-owner GROUP since a2376e2 switched those files from world-readable to 0640 group=container-owner. But the WebUI credential randomizer rewrites webui_logins via `sed -i` as the non-root manager, which recreates the file with the manager's own group — dropping the container-owner group. The installer then started the container immediately, so node hit EACCES on /app/webui_logins at require-time (parseConfigFile) and exited 1; nothing listened on the WebUI port. `libreportal webui login reset` had the same latent bug (rewrite → restart). Under the old world-readable model a post-sed file stayed o+r so the container could still read it, which is why this only surfaced on fresh rootless installs after a2376e2. Fix: make reconcileWebuiDirOwnership the single "ready the WebUI for its container" pass — it now also restores the configs/webui bind access (new `webui-bind` ownership action) on top of the container-dir chown. Reorder the installer so the credential randomizer runs BEFORE the before-start permission pass, making that pass the last ownership touch before the container starts; and call reconcileWebuiDirOwnership before the restart in login reset. Live box recovered via `libreportal-ownership reconcile`; WebUI 200. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Signed-off-by: librelad <librelad@digitalangels.vip>
parent
38b3f189b8
commit
655dbc2bb9
@ -55,13 +55,6 @@ installLibrePortal()
|
|||||||
|
|
||||||
((menu_number++))
|
((menu_number++))
|
||||||
echo ""
|
echo ""
|
||||||
echo "---- $menu_number. Updating file permissions before starting."
|
|
||||||
echo ""
|
|
||||||
|
|
||||||
fixPermissionsBeforeStart $app_name;
|
|
||||||
|
|
||||||
((menu_number++))
|
|
||||||
echo ""
|
|
||||||
echo "---- $menu_number. Randomizing WebUI login credentials."
|
echo "---- $menu_number. Randomizing WebUI login credentials."
|
||||||
echo ""
|
echo ""
|
||||||
|
|
||||||
@ -72,6 +65,18 @@ installLibrePortal()
|
|||||||
|
|
||||||
((menu_number++))
|
((menu_number++))
|
||||||
echo ""
|
echo ""
|
||||||
|
echo "---- $menu_number. Updating file permissions before starting."
|
||||||
|
echo ""
|
||||||
|
|
||||||
|
# Must run AFTER the credential rewrite above: that rewrite (as the non-root
|
||||||
|
# manager) resets webui_logins' group, dropping the container-owner group the
|
||||||
|
# rootless WebUI reads it through. This pass restores it, so it has to be the
|
||||||
|
# last ownership touch before the container starts — else the container can't
|
||||||
|
# read its own login file and exits on boot.
|
||||||
|
fixPermissionsBeforeStart $app_name;
|
||||||
|
|
||||||
|
((menu_number++))
|
||||||
|
echo ""
|
||||||
echo "---- $menu_number. Running the docker-compose.yml to install and start $app_name"
|
echo "---- $menu_number. Running the docker-compose.yml to install and start $app_name"
|
||||||
echo ""
|
echo ""
|
||||||
|
|
||||||
|
|||||||
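Review bot: Moving the credential randomizer ahead of `fixPermissionsBeforeStart $app_name;` means the new WebUI credentials are written before the last permission pass has run, so webui_logins holds them with whatever mode and group it had at that moment. The lines that create the file are not in these hunks; if it is not already 0640 when the randomizer runs, the fresh credentials are readable more widely than intended until the pass completes. I would confirm the mode at creation time and record the dependency in the new comment, for example `# webui_logins is rewritten before this pass, so it must already be created 0640.` The body of installLibrePortal starts and ends outside both hunks.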
@ -97,6 +97,12 @@ cliWebuiLoginReset()
|
|||||||
isNotice "Regenerating WebUI config files..."
|
isNotice "Regenerating WebUI config files..."
|
||||||
webuiLibrePortalUpdate
|
webuiLibrePortalUpdate
|
||||||
|
|
||||||
|
# The credential rewrite above ran as the non-root manager, which resets
|
||||||
|
# webui_logins' group and drops the container-owner group the rootless WebUI
|
||||||
|
# reads it through. Restore it before restarting, or the container can't read
|
||||||
|
# its own login file and exits on boot.
|
||||||
|
reconcileWebuiDirOwnership
|
||||||
|
|
||||||
# Restart the libreportal container so it picks up the new credentials
|
# Restart the libreportal container so it picks up the new credentials
|
||||||
isNotice "Restarting LibrePortal container..."
|
isNotice "Restarting LibrePortal container..."
|
||||||
dockerComposeRestart libreportal
|
dockerComposeRestart libreportal
|
||||||
|
|||||||
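Review bot: The return status of `reconcileWebuiDirOwnership` is not checked before `dockerComposeRestart libreportal`, so if the group restore fails the container is still restarted and, per the commit description, exits on boot because it cannot read its login file. The same gap is inside reconcileWebuiDirOwnership itself, where `isSuccessful` is printed after `runOwnership webui` and `runOwnership webui-bind` whatever they returned (unless runOwnership aborts on failure, which is not visible here). I would gate the restart with `reconcileWebuiDirOwnership || return 1` plus an error message telling the operator the new credentials are not live yet, and chain the two calls as `runOwnership webui && runOwnership webui-bind || return 1`. cliWebuiLoginReset starts and ends outside this hunk.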
@ -64,6 +64,14 @@ reconcileContainersTopOwnership()
|
|||||||
# reconcile and the fresh-install WebUI setup so a fresh install gets the same
|
# reconcile and the fresh-install WebUI setup so a fresh install gets the same
|
||||||
# ownership a switch does — otherwise rootless generators hit "Permission
|
# ownership a switch does — otherwise rootless generators hit "Permission
|
||||||
# denied" on a manager-owned frontend/data tree.
|
# denied" on a manager-owned frontend/data tree.
|
||||||
|
#
|
||||||
|
# Also restores the configs/webui bind-mount access (webui-bind): those system-tree
|
||||||
|
# files are read by the container through the container-owner GROUP, but any rewrite
|
||||||
|
# by the non-root manager (e.g. the credential randomizer's sed of webui_logins)
|
||||||
|
# resets their group to the manager's own — after which the rootless container can
|
||||||
|
# no longer read them and exits on boot. Folding it in here makes this the single
|
||||||
|
# "ready the WebUI for its container" pass: run it after any config write and right
|
||||||
|
# before the container (re)starts.
|
||||||
reconcileWebuiDirOwnership()
|
reconcileWebuiDirOwnership()
|
||||||
{
|
{
|
||||||
local mode="${1:-$CFG_DOCKER_INSTALL_TYPE}"
|
local mode="${1:-$CFG_DOCKER_INSTALL_TYPE}"
|
||||||
@ -74,6 +82,7 @@ reconcileWebuiDirOwnership()
|
|||||||
return 0
|
return 0
|
||||||
fi
|
fi
|
||||||
runOwnership webui
|
runOwnership webui
|
||||||
|
runOwnership webui-bind
|
||||||
isSuccessful "Reconciled WebUI dir ($webui_dir)"
|
isSuccessful "Reconciled WebUI dir ($webui_dir)"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
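Review bot: The success line `isSuccessful "Reconciled WebUI dir ($webui_dir)"` still names only the container dir, although the function now also restores the configs/webui bind access. When someone is tracing a WebUI that exits on boot, the log should show that the bind-access step ran; I would change it to `isSuccessful "Reconciled WebUI dir ($webui_dir) and configs/webui bind access"`. The branch ending in `return 0` above these lines is only partly visible in the hunk, so whether webui-bind is skipped for other install modes cannot be told from here.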
@ -259,9 +259,10 @@ case "$action" in
|
|||||||
db-own) db_own;;
|
db-own) db_own;;
|
||||||
app-perms) app_perms;;
|
app-perms) app_perms;;
|
||||||
webui) webui;;
|
webui) webui;;
|
||||||
|
webui-bind) _webui_bind_access;;
|
||||||
taskdir) taskdir;;
|
taskdir) taskdir;;
|
||||||
app-data-nobody) app_data_nobody "${1:-}";;
|
app-data-nobody) app_data_nobody "${1:-}";;
|
||||||
app-data-remove) app_data_remove "${1:-}";;
|
app-data-remove) app_data_remove "${1:-}";;
|
||||||
app-file) app_file "${1:-}" "${2:-}";;
|
app-file) app_file "${1:-}" "${2:-}";;
|
||||||
*) echo "usage: libreportal-ownership {reconcile [mode]|traversal|containers-top|backups-top|db-own|app-perms|webui|taskdir|app-data-nobody <app>|app-data-remove <app>|app-file <app> <relpath>}" >&2; exit 2;;
|
*) echo "usage: libreportal-ownership {reconcile [mode]|traversal|containers-top|backups-top|db-own|app-perms|webui|webui-bind|taskdir|app-data-nobody <app>|app-data-remove <app>|app-file <app> <relpath>}" >&2; exit 2;;
|
||||||
esac
|
esac
|
||||||
|
|||||||
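Review bot: The new `webui-bind) _webui_bind_access;;` arm exposes a group-changing action on configs/webui, a directory in which the non-root manager can replace files (the commit description says its `sed -i` recreates webui_logins). The body of `_webui_bind_access` is not part of this diff; if this script runs with more privilege than the manager, that function should skip symlinks and use `chgrp -h` on a fixed list of files, so that a replaced entry cannot redirect the group change to a file outside configs/webui. A short comment above the arm, such as `# webui-bind: no arguments; expected to touch only the fixed configs/webui bind sources`, would document that contract. Separately, the neighbouring arms call un-prefixed functions (`webui`, `taskdir`), so a public wrapper name would be more consistent than dispatching straight to an underscore-prefixed helper.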