diff --git a/init.sh b/init.sh
index 794b9a5..729d60d 100755
--- a/init.sh
+++ b/init.sh
@@ -859,13 +859,19 @@ initContainerLayer()
         isSuccessful "Created container user '$duser'."
     fi
 
+    # /docker is manager-owned and initFolders makes it 750; give it the rootless
+    # traversal bit (o+x → 751, its documented rootless mode) so the container
+    # user can traverse INTO /docker to reach its containers/ dir. Without this
+    # the boot scan can't enter /docker at all, no matter who owns containers/.
+    [[ -d "$docker_dir" ]] && sudo chmod o+x "$docker_dir"
+
     # Hand containers/ to the container user (it owns per-app data in rootless) so
     # the manager-run startup config scans can read it. 751: owner full; the
     # manager (other) can traverse in to known paths (it lists/writes via runFileOp).
     if [[ -d "$containers_dir" ]]; then
         sudo chown "$duser:$duser" "$containers_dir"
         sudo chmod 751 "$containers_dir"
-        isSuccessful "containers/ handed to '$duser'."
+        isSuccessful "containers/ handed to '$duser' (+ /docker traversable)."
     fi
 }
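Review bot: `sudo chmod o+x "$docker_dir"` grants traversal to every local account, not only `$duser` as the new comment frames it; if 751 is genuinely the documented rootless mode that is acceptable, but the least-privilege form for the stated goal is a per-user ACL, `sudo setfacl -m "u:$duser:x" "$docker_dir"`, or membership of `$duser` in the directory's group with 750 kept, and either way anything below /docker that previously relied on the parent's 750 for protection now needs its own restrictive mode. The closing `isSuccessful "containers/ handed to '$duser' (+ /docker traversable)."` also reports the traversal bit as set even when `[[ -d "$docker_dir" ]]` was false and the chmod was skipped, and neither chmod's exit status feeds that message; guard the wording on the same test or fail explicitly, e.g. `[[ -d "$docker_dir" ]] || isError "docker dir '$docker_dir' missing; cannot make it traversable"` (substitute the script's real error helper). Whether `$docker_dir` is always set by this point is not visible here. initContainerLayer begins before the hunk.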