diff --git a/scripts/config/docker/docker_config_setup_data.sh b/scripts/config/docker/docker_config_setup_data.sh
index 66a8f97..09f31ee 100755
--- a/scripts/config/docker/docker_config_setup_data.sh
+++ b/scripts/config/docker/docker_config_setup_data.sh
@@ -35,12 +35,21 @@ dockerConfigSetupFileWithData()
     # UID (was 1001) breaks wherever that user's UID differs — the
     # container dies with EACCES on first write and never binds its port.
     # No-op for compose files without a USER_TAG.
-    local container_user="${docker_install_user:-$sudo_user_name}"
-    local install_uid install_gid
-    install_uid=$(id -u "$container_user" 2>/dev/null)
-    install_gid=$(id -g "$container_user" 2>/dev/null)
-    if [[ -n "$install_uid" && -n "$install_gid" ]]; then
-        tagsManagerUpdateUniversalTag "$full_file_path" "USER_TAG" "${install_uid}:${install_gid}"
+    if [[ "$CFG_DOCKER_INSTALL_TYPE" == "rootless" ]]; then
+        # Rootless: the daemon runs as the install user, so container UID 0
+        # maps to it on the host — it owns the bind-mounts and the rootless
+        # socket. Using the host UID instead lands on an unmapped sub-UID
+        # (EACCES on writes; and group_add then calls setgroups() with a
+        # sub-GID outside the userns → EINVAL, container won't start).
+        tagsManagerUpdateUniversalTag "$full_file_path" "USER_TAG" "0:0"
+    else
+        local container_user="${docker_install_user:-$sudo_user_name}"
+        local install_uid install_gid
+        install_uid=$(id -u "$container_user" 2>/dev/null)
+        install_gid=$(id -g "$container_user" 2>/dev/null)
+        if [[ -n "$install_uid" && -n "$install_gid" ]]; then
+            tagsManagerUpdateUniversalTag "$full_file_path" "USER_TAG" "${install_uid}:${install_gid}"
+        fi
     fi
     tagsProcessorPasswordAndKeyGeneration "$full_file_path"
     tagsProcessorRandomUserGeneration "$full_file_path"
diff --git a/scripts/config/tags/processors/tags_processor_socket_configuration.sh b/scripts/config/tags/processors/tags_processor_socket_configuration.sh
index e1b3055..fbca725 100755
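Review bot: In the rooted branch the `id -u`/`id -g` lookups discard stderr and, when either comes back empty, the `if` simply falls through, so a missing or misspelled `container_user` leaves USER_TAG unsubstituted in the compose file with no diagnostic; an `else` arm such as `printf 'warn: cannot resolve uid/gid for %s; USER_TAG not substituted\n' "$container_user" >&2` would make that failure visible at setup time instead of at container start. The same `== "rootless"` string comparison on `CFG_DOCKER_INSTALL_TYPE` is repeated in the tags_processor_socket_configuration.sh hunk below, and a typo in either copy would silently select the rooted path, so a single shared predicate function both call sites use would keep them from drifting. The three context comment lines at the top of the hunk still describe only the host-UID rationale, while the rootless case now writes `0:0`; a one-line pointer there, e.g. `# Rootless installs write 0:0 instead (see the branch below).`, would keep the header accurate. dockerConfigSetupFileWithData() begins above the hunk, so the comment block's start is not visible here.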
--- a/scripts/config/tags/processors/tags_processor_socket_configuration.sh
+++ b/scripts/config/tags/processors/tags_processor_socket_configuration.sh
@@ -26,15 +26,25 @@ tagsProcessorSocketConfiguration()
     if [[ -n "$socket_path" ]]; then
         tagsManagerUpdateUniversalTag "$full_file_path" "SOCKET_TAG" "${socket_path}:${socket_path}"
-        # Resolve the socket's group GID so the (non-root) container user
-        # can connect via group_add. Without this, the socket is owned
-        # root:docker mode 660 and a non-member UID sees EACCES.
+        # Resolve the socket's group GID so the container can connect via
+        # group_add.
         local socket_gid=""
-        if [[ -S "$socket_path" ]]; then
-            socket_gid=$(stat -c '%g' "$socket_path" 2>/dev/null)
+        if [[ $CFG_DOCKER_INSTALL_TYPE == "rootless" ]]; then
+            # Rootless: container runs as UID 0 = the install user = socket
+            # owner, so inside the userns the socket's group is root (0). The
+            # host shows a high sub-GID (e.g. 166528); using that would make
+            # group_add call setgroups() with a GID outside the userns → EINVAL
+            # and the container fails to start.
+            socket_gid=0
+        else
+            # Rooted: socket is owned root:docker mode 660, so a non-member UID
+            # needs the docker group via group_add or it sees EACCES.
+            if [[ -S "$socket_path" ]]; then
+                socket_gid=$(stat -c '%g' "$socket_path" 2>/dev/null)
+            fi
+            [[ -z "$socket_gid" ]] && socket_gid=$(getent group docker 2>/dev/null | cut -d: -f3)
+            [[ -z "$socket_gid" ]] && socket_gid="999"
         fi
-        [[ -z "$socket_gid" ]] && socket_gid=$(getent group docker 2>/dev/null | cut -d: -f3)
-        [[ -z "$socket_gid" ]] && socket_gid="999"
         tagsManagerUpdateUniversalTag "$full_file_path" "SOCKET_GID_TAG" "$socket_gid"
     fi
 }
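Review bot: The rooted branch's last fallback, `socket_gid="999"`, is reached only when the socket is absent and `getent group docker` finds nothing, and at that point it hands the container membership in whichever host group happens to own GID 999 rather than the docker group; a guessed GID in a `group_add` is a least-privilege concern, so it should at minimum be logged, e.g. `[[ -z "$socket_gid" ]] && { printf 'warn: docker group not found; defaulting SOCKET_GID_TAG to 999\n' >&2; socket_gid="999"; }`, or better, the substitution skipped and the operator told to fix it. In the rootless branch `socket_gid=0` is correct only if `socket_path` really is the install user's rootless socket; if it points at a root-owned daemon socket the container will get EACCES at runtime with nothing in the setup log, so a hedged sanity check on the socket's owner (`stat -c '%u'` compared against the install user's UID) with a stderr warning would catch a mismatched `CFG_DOCKER_INSTALL_TYPE` early. As a style point, this hunk tests `$CFG_DOCKER_INSTALL_TYPE` unquoted while the docker_config_setup_data.sh hunk quotes it; `[[ ]]` makes both safe, but one form should be used in both files.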