From 85f8130a49a4b6b2f0477e15a2eaf03f85949156 Mon Sep 17 00:00:00 2001 From: librelad Date: Sun, 24 May 2026 13:47:40 +0100 Subject: [PATCH] fix(firewall): pick backend by docker mode, use container name MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The firewall rebuild chose ufw-docker vs ufw from $EUID -eq 0 (am I root?) rather than the docker mode. During a rootless install everything runs as root, so it wrongly picked ufw-docker — which manages the rooted daemon's DOCKER-USER chain that rootless never creates — and failed with 'Docker instance libreportal doesn't exist'. (It was also inconsistent at runtime: the non-root cron refresh always fell through to plain ufw.) Select by CFG_DOCKER_INSTALL_TYPE so rootless always uses plain ufw (ports are published on the host) and rooted always uses ufw-docker. Also: ufw-docker needs the container name, not the app name — pass service_name (e.g. libreportal-service) with an app_name fallback; route the traefik-detect docker ps through runFileOp (was raw docker -> /var/run in rootless); and move the ufw/ufw-docker sudo calls to runSystem. Co-Authored-By: Claude Opus 4.7 Signed-off-by: librelad --- .../network/firewall/rules/firewall_rebuild_from_db.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/scripts/network/firewall/rules/firewall_rebuild_from_db.sh b/scripts/network/firewall/rules/firewall_rebuild_from_db.sh index beaefe7..9270c4f 100755 --- a/scripts/network/firewall/rules/firewall_rebuild_from_db.sh +++ b/scripts/network/firewall/rules/firewall_rebuild_from_db.sh @@ -9,7 +9,7 @@ firewallRebuildFromDatabase() # Determine firewall type local firewall_type="" - if [[ $EUID -eq 0 ]] && command -v ufw-docker &> /dev/null; then + if [[ "$CFG_DOCKER_INSTALL_TYPE" == "rooted" ]] && command -v ufw-docker &> /dev/null; then firewall_type="ufw-docker" isSuccessful "Using UFW-Docker for Rooted install" elif command -v ufw &> /dev/null; then 
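Review bot: A rooted install whose host lacks ufw-docker now drops silently into the `elif command -v ufw` branch, so the invariant the commit message states (rooted always uses ufw-docker) is not enforced by the new condition; the plain-ufw path applies the rootless semantics from the third hunk (opening `$port_spec` on the host) to a rooted daemon, and only a success message distinguishes the two outcomes. Between the two branches I would add `elif [[ "$CFG_DOCKER_INSTALL_TYPE" == "rooted" ]]; then` followed by the script's error reporter and an early `return 1`, so the misconfiguration fails loudly instead of producing rules of the wrong kind. If the script runs under `set -u` and the config variable may be absent when the cron refresh runs, `"${CFG_DOCKER_INSTALL_TYPE:-}"` avoids an unbound-variable abort. The rest of firewallRebuildFromDatabase lies outside this hunk.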
@@ -21,7 +21,7 @@ firewallRebuildFromDatabase() # Check if Traefik is installed and running local traefik_available=false - if [[ -d "$containers_dir/traefik" ]] && docker ps --format "table {{.Names}}" | grep -q "traefik"; then + if [[ -d "$containers_dir/traefik" ]] && runFileOp docker ps --format "table {{.Names}}" | grep -q "traefik"; then traefik_available=true isSuccessful "Traefik detected - respecting traefik_managed flags" else @@ -95,11 +95,11 @@ firewallRebuildFromDatabase() # the published port", so no route rule is created and # the container is unreachable from other hosts — host # access still works via docker-proxy, which masks it. - result=$(sudo ufw-docker allow "$app_name" "${port_internal:-$port_value}/tcp" 2>&1) + result=$(runSystem ufw-docker allow "${service_name:-$app_name}" "${port_internal:-$port_value}/tcp" 2>&1) else # Rootless: container ports are published on the host, # so the external port is the one to open. - result=$(sudo ufw allow "$port_spec" comment "LibrePortal" 2>&1) + result=$(runSystem ufw allow "$port_spec" comment "LibrePortal" 2>&1) fi # Capture rc separately: `local x=$(...)` would clobber $? # with the exit of `local`, hiding the command's real status.
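Review bot: The traefik detection on the `runFileOp docker ps` line still treats any container whose name merely contains "traefik" as the Traefik instance, because `grep -q "traefik"` is an unanchored substring match over the whole names column. If the container is named exactly `traefik` (the `$containers_dir/traefik` directory suggests so, but confirm against the compose file), `runFileOp docker ps --format '{{.Names}}' | grep -qx traefik` makes the match exact and also drops the `table` header from the stream. The enclosing function continues beyond this hunk.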
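Review bot: The `${service_name:-$app_name}` fallback on the ufw-docker line quietly reintroduces the failure the commit describes: the message says ufw-docker needs the container name and `$app_name` is not one, so when service_name is empty the call will fail with the same "doesn't exist" error while the fallback hides the cause. I would either drop the fallback or emit a warning through the script's logging helper before using it, e.g. `[[ -n "$service_name" ]] || <warn helper> "service_name unset for $app_name, using app name"`. Both `runSystem` calls now hand DB-derived values (`service_name`, `port_spec`, `port_internal`) to a privileged helper; that is only safe if runSystem forwards `"$@"` as an argument vector rather than joining them into a string for `sh -c` or `eval`, which this hunk does not show — worth confirming, since the previous direct `sudo ufw …` form had no such concatenation step.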