From ebab6accb5c9ed8e4b48dd8464f9f7e49cbc69b8 Mon Sep 17 00:00:00 2001
From: librelad
Date: Sun, 24 May 2026 23:01:04 +0100
Subject: [PATCH] fix(install): make /docker traversable in the root-phase container layer
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The previous commit handed /docker/containers to the container user but left /docker itself at initFolders' 750 (manager-only) during the install — so the container user couldn't traverse INTO /docker to reach its now- owned containers/, and the boot scan still hit "find: '/docker/containers/': Permission denied" (the dir's documented rootless mode is 751, but the reconcile that sets it runs later). initContainerLayer now adds the o+x traversal bit to /docker (→ 751) alongside the containers/ handover, so the boot scan can both enter /docker and read containers/.

Co-Authored-By: Claude Opus 4.7
Signed-off-by: librelad
---
 init.sh | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/init.sh b/init.sh
index 794b9a5..729d60d 100755
--- a/init.sh
+++ b/init.sh
@@ -859,13 +859,19 @@ initContainerLayer()
     isSuccessful "Created container user '$duser'."
   fi
 
+  # /docker is manager-owned and initFolders makes it 750; give it the rootless
+  # traversal bit (o+x → 751, its documented rootless mode) so the container
+  # user can traverse INTO /docker to reach its containers/ dir. Without this
+  # the boot scan can't enter /docker at all, no matter who owns containers/.
+  [[ -d "$docker_dir" ]] && sudo chmod o+x "$docker_dir"
+
   # Hand containers/ to the container user (it owns per-app data in rootless) so
   # the manager-run startup config scans can read it. 751: owner full; the
   # manager (other) can traverse in to known paths (it lists/writes via runFileOp).
   if [[ -d "$containers_dir" ]]; then
     sudo chown "$duser:$duser" "$containers_dir"
     sudo chmod 751 "$containers_dir"
-    isSuccessful "containers/ handed to '$duser'."
+    isSuccessful "containers/ handed to '$duser' (+ /docker traversable)."
   fi
 }
 
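Review bot: The comment on the new chmod states the result is 751, but `chmod o+x` is a relative change — it only adds the other-execute bit on top of whatever mode /docker already has, so on a pre-existing install where /docker is 700, 755 or wider the result is not 751 and an over-permissive mode is left in place, whereas the containers/ handover a few lines below pins its mode absolutely with `chmod 751`. If the intent is only to unblock traversal until the later reconcile, say so in the comment (`# only adds o+x here; the later reconcile pins the documented 751 mode`); if 751 is the contract for this step, use `sudo chmod 751 "$docker_dir"` so both directories are set the same way. The new `(+ /docker traversable)` suffix in the isSuccessful message is printed whenever containers_dir exists, even when `$docker_dir` was absent and the chmod was skipped, so it can report a step that did not run. `$docker_dir` is presumably assigned earlier in initContainerLayer, whose body starts outside the hunk; worth confirming it is set before this line under the script's option settings.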