fix(install): establish container layer in root phase (real fix for scan noise)
Reverts the 2>/dev/null band-aids and fixes the root cause. The manager-run install boot scans app configs under /docker/containers AS the container user (runFileOp). But init.sh's initFolders creates that dir manager-owned, and the handover to the container user happened later (start_preinstall), AFTER the boot scans — so the scans ran as the container user against a dir it didn't own yet: "find: '/docker/containers/': Permission denied" (cosmetic; the dir is empty that early, but it's the wrong ownership at the wrong time). Add initContainerLayer() to init.sh's root phase (after initGIT + initUpdateConfigs, before the manager-run handoff): rootless-only, it creates the docker-install user if missing and chowns /docker/containers to it (751). The later rootless setup is now idempotent — it finds the user existing and just (re)asserts its password + daemon config (moved updateDockerInstallPassword out of the create-only branch). Rooted is unaffected (containers stay manager-owned, which the manager reads). Result: by the time the boot scans run, /docker/containers is owned by the user doing the scanning — no permission error, nothing suppressed. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> Signed-off-by: librelad <librelad@digitalangels.vip>
parent
cf87cbeb0f
commit
cdb2fc633d
40
init.sh
40
init.sh
@ -830,6 +830,45 @@ initFolders()
|
|||||||
isSuccessful "All folders have been created."
|
isSuccessful "All folders have been created."
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# Establish the rootless container layer — the docker-install user and ownership
|
||||||
|
# of /docker/containers — during the ROOT phase, BEFORE the manager-run install
|
||||||
|
# boots. That boot scans app configs under /docker/containers AS the container
|
||||||
|
# user (runFileOp), so if the dir is still manager-owned (as initFolders leaves
|
||||||
|
# it) the scan errors with "Permission denied". Handing the dir to the container
|
||||||
|
# user here means the scan reads a dir it owns. Rootless-only — rooted keeps
|
||||||
|
# containers manager/root-owned, which the manager reads fine. Idempotent: the
|
||||||
|
# later rootless setup finds the user existing and just (re)asserts its password
|
||||||
|
# + daemon config. Runs after initGIT (config present) + initFolders (dir present).
|
||||||
|
initContainerLayer()
|
||||||
|
{
|
||||||
|
local cfg="$configs_dir/general/general_docker_install"
|
||||||
|
local dtype duser
|
||||||
|
dtype=$(grep -h '^CFG_DOCKER_INSTALL_TYPE=' "$cfg" 2>/dev/null | head -1 | cut -d= -f2 | awk '{print $1}')
|
||||||
|
[[ "$dtype" != "rootless" ]] && return 0
|
||||||
|
duser=$(grep -h '^CFG_DOCKER_INSTALL_USER=' "$cfg" 2>/dev/null | head -1 | cut -d= -f2 | awk '{print $1}')
|
||||||
|
duser="${duser:-dockerinstall}"
|
||||||
|
|
||||||
|
isHeader "Container Layer Setup"
|
||||||
|
if id "$duser" &>/dev/null; then
|
||||||
|
isSuccessful "Container user '$duser' already exists."
|
||||||
|
else
|
||||||
|
# -m + the system login.defs SUB_UID/GID defaults assign its subordinate
|
||||||
|
# uid/gid ranges (needed for rootless). The later rootless setup sees it
|
||||||
|
# existing and configures the daemon/linger/password.
|
||||||
|
sudo useradd -m -s /bin/bash -d "/home/$duser" "$duser" 2>/dev/null
|
||||||
|
isSuccessful "Created container user '$duser'."
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Hand containers/ to the container user (it owns per-app data in rootless) so
|
||||||
|
# the manager-run startup config scans can read it. 751: owner full; the
|
||||||
|
# manager (other) can traverse in to known paths (it lists/writes via runFileOp).
|
||||||
|
if [[ -d "$containers_dir" ]]; then
|
||||||
|
sudo chown "$duser:$duser" "$containers_dir"
|
||||||
|
sudo chmod 751 "$containers_dir"
|
||||||
|
isSuccessful "containers/ handed to '$duser'."
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
setupConfigsFromRepo()
|
setupConfigsFromRepo()
|
||||||
{
|
{
|
||||||
isNotice "Setting up configuration files from repository..."
|
isNotice "Setting up configuration files from repository..."
|
||||||
@ -1468,6 +1507,7 @@ else
|
|||||||
initRootHelpers
|
initRootHelpers
|
||||||
initLibrePortalCommand
|
initLibrePortalCommand
|
||||||
initUpdateConfigs
|
initUpdateConfigs
|
||||||
|
initContainerLayer
|
||||||
completeInitMessage
|
completeInitMessage
|
||||||
elif [[ "$param1" == "uninstall" ]]; then
|
elif [[ "$param1" == "uninstall" ]]; then
|
||||||
runFullUninstall
|
runFullUninstall
|
||||||
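Review bot: In initContainerLayer the new `sudo useradd … 2>/dev/null` is followed by an unconditional `isSuccessful "Created container user '$duser'."`, so a failed creation is silenced and reported as success, and the `chown "$duser:$duser"` further down then runs against an account that may not exist; the chown and chmod results are likewise unchecked before "containers/ handed to" is printed. Dropping the redirect and gating the message on the exit status, e.g. `if sudo useradd -m -s /bin/bash -d "/home/$duser" "$duser"; then isSuccessful "Created container user '$duser'."; fi`, keeps the error visible, in line with the "Run unmasked so checkSuccess sees real failures" comment in the installDockerRootlessUser section. `$duser` also goes straight from the config file into root-run useradd and chown with no validation; a guard such as `[[ "$duser" =~ ^[a-z_][a-z0-9_-]*$ && "$duser" != root ]] || return 1` before its first use would stop a malformed or privileged name from receiving ownership of `$containers_dir`. Mode 751 grants traverse to every local account, not only the manager, so the comment's "the manager (other)" understates who can reach known paths; a shared group with 750 would be tighter if the manager can be made a member.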
|
|||||||
@ -9,10 +9,7 @@ checkApplicationsConfigFilesMissingVariables()
|
|||||||
app=$(basename "$live" .config)
|
app=$(basename "$live" .config)
|
||||||
remote="$install_containers_dir$app/$app.config"
|
remote="$install_containers_dir$app/$app.config"
|
||||||
reconcileConfigFile "$live" "$remote"
|
reconcileConfigFile "$live" "$remote"
|
||||||
# 2>/dev/null: before the docker-type config loads (early install) runFileOp
|
done < <(runFileOp find "$containers_dir" -maxdepth 2 -type f -name '*.config' ! -name '*.bak')
|
||||||
# falls back to the manager, which can't list the container-owned containers/
|
|
||||||
# dir — harmless "Permission denied" on a best-effort reconcile (no apps yet).
|
|
||||||
done < <(runFileOp find "$containers_dir" -maxdepth 2 -type f -name '*.config' ! -name '*.bak' 2>/dev/null)
|
|
||||||
|
|
||||||
isSuccessful "Application config reconciliation completed."
|
isSuccessful "Application config reconciliation completed."
|
||||||
}
|
}
|
||||||
|
|||||||
@ -14,7 +14,10 @@ installDockerRootlessUser()
|
|||||||
# rootless). Run unmasked so checkSuccess sees real failures.
|
# rootless). Run unmasked so checkSuccess sees real failures.
|
||||||
runSystem useradd -m -s /bin/bash -d "/home/$CFG_DOCKER_INSTALL_USER" "$CFG_DOCKER_INSTALL_USER"
|
runSystem useradd -m -s /bin/bash -d "/home/$CFG_DOCKER_INSTALL_USER" "$CFG_DOCKER_INSTALL_USER"
|
||||||
checkSuccess "Creating $CFG_DOCKER_INSTALL_USER User."
|
checkSuccess "Creating $CFG_DOCKER_INSTALL_USER User."
|
||||||
updateDockerInstallPassword;
|
|
||||||
fi
|
fi
|
||||||
|
# (Re)assert the password regardless — the user may have been pre-created
|
||||||
|
# in init.sh's root phase (so /docker/containers ownership is ready before
|
||||||
|
# the manager-run boot scans), where the password isn't set.
|
||||||
|
updateDockerInstallPassword;
|
||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
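Review bot: Moving `updateDockerInstallPassword` out of the create-only branch means it now runs for any existing account named `$CFG_DOCKER_INSTALL_USER`, including one this installer did not create or one whose password an operator changed after install. Nothing visible here distinguishes those cases, so each run would presumably overwrite the credential (the helper's body is not on this page, so this is inferred from its name and the added comment). Consider confirming the account is the installer's before resetting, for example `[[ "$(getent passwd "$CFG_DOCKER_INSTALL_USER" | cut -d: -f6)" == "/home/$CFG_DOCKER_INSTALL_USER" ]]`, and extend the added comment to state that the password is re-set on every run. installDockerRootlessUser and its outer `if` both begin outside the hunk.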
|
|||||||
@ -61,12 +61,7 @@ sourceScanFiles()
|
|||||||
source "$file"
|
source "$file"
|
||||||
# echo "$load_type FILE $file"
|
# echo "$load_type FILE $file"
|
||||||
fi
|
fi
|
||||||
# 2>/dev/null: early in an install the docker-type config isn't loaded
|
done < <($scan_op find "$folder_dir" -maxdepth 3 -type d \( -name 'resources' \) -prune -o -type f -name "$file_pattern" -print0)
|
||||||
# yet, so runFileOp falls back to the manager, which can't list the
|
|
||||||
# container-owned containers/ dir — a harmless "Permission denied" on a
|
|
||||||
# best-effort scan (no app configs exist yet). Suppress that noise; the
|
|
||||||
# -print0 output still flows.
|
|
||||||
done < <($scan_op find "$folder_dir" -maxdepth 3 -type d \( -name 'resources' \) -prune -o -type f -name "$file_pattern" -print0 2>/dev/null)
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# Load the categories from the file into an array
|
# Load the categories from the file into an array
|
||||||
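Review bot: The loop closed by `done < <($scan_op find "$folder_dir" … -print0)` feeds `source "$file"`, and per the removed comment one of the scanned trees is containers/, which this commit makes container-user-owned from the first boot scan onward. Any file there matching `$file_pattern` is executed in the sourcing shell, so content written by the less-privileged container user would run with the caller's privileges; if that caller is the manager, this crosses the boundary the rootless split is meant to keep (inferred, since the callers and the `$file_pattern` values are outside the hunk). This predates the commit, but now that stderr is no longer suppressed and ownership is settled earlier, it is worth a comment above the loop naming which directories are trusted to be sourced. Where the design allows, parse `KEY=value` lines for files under containers/ instead of sourcing them, or skip files that fail an ownership/mode check before `source`. sourceScanFiles and the `while` loop start outside the hunk.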
|
|||||||