fix(install): make /docker traversable in the root-phase container layer

The previous commit handed /docker/containers to the container user but
left /docker itself at initFolders' 750 (manager-only) during the install
— so the container user couldn't traverse INTO /docker to reach its now-
owned containers/, and the boot scan still hit "find:
'/docker/containers/': Permission denied" (the dir's documented rootless
mode is 751, but the reconcile that sets it runs later). initContainerLayer
now adds the o+x traversal bit to /docker (→ 751) alongside the
containers/ handover, so the boot scan can both enter /docker and read
containers/.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
This commit is contained in:
librelad 2026-05-24 23:01:04 +01:00
parent 6ca52f9f98
commit ebab6accb5

View File

@ -859,13 +859,19 @@ initContainerLayer()
isSuccessful "Created container user '$duser'."
fi
# /docker is manager-owned and initFolders makes it 750; give it the rootless
# traversal bit (o+x → 751, its documented rootless mode) so the container
# user can traverse INTO /docker to reach its containers/ dir. Without this
# the boot scan can't enter /docker at all, no matter who owns containers/.
[[ -d "$docker_dir" ]] && sudo chmod o+x "$docker_dir"
# Hand containers/ to the container user (it owns per-app data in rootless) so
# the manager-run startup config scans can read it. 751: owner full; the
# manager (other) can traverse in to known paths (it lists/writes via runFileOp).
if [[ -d "$containers_dir" ]]; then
sudo chown "$duser:$duser" "$containers_dir"
sudo chmod 751 "$containers_dir"
isSuccessful "containers/ handed to '$duser'."
isSuccessful "containers/ handed to '$duser' (+ /docker traversable)."
fi
}