Compare commits
2 Commits
14efcc579b
...
e89ce25a19
| Author | SHA1 | Date | |
|---|---|---|---|
|
|
e89ce25a19 | ||
|
|
5c928fe9c0 |
46
scripts/docker/command/run_privileged.sh
Normal file
46
scripts/docker/command/run_privileged.sh
Normal file
@ -0,0 +1,46 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
# Mode-aware privileged operations.
|
||||||
|
#
|
||||||
|
# The privilege a file operation needs depends on the Docker mode:
|
||||||
|
# rooted — app/container files under /docker are root-owned, so ops run via
|
||||||
|
# sudo. This is byte-for-byte the historical behaviour.
|
||||||
|
# rootless — those files are owned by the unprivileged Docker install user, so
|
||||||
|
# ops run AS that user over the existing SSH channel and need no
|
||||||
|
# root at all.
|
||||||
|
# Centralising the branch here means each call site is written once and is
|
||||||
|
# correct in both modes, and rooted installs (incl. live boxes) are unchanged.
|
||||||
|
|
||||||
|
# Run a /docker data-plane command — mkdir/chown/rm/cp/mv/find/sqlite3/etc. on
|
||||||
|
# app or container files.
|
||||||
|
# rooted -> sudo <cmd>
|
||||||
|
# rootless -> run <cmd> as the Docker install user (no sudo)
|
||||||
|
# Note: for stdin-fed writes (e.g. `… | sudo tee file`) use runFileWrite below;
|
||||||
|
# this helper is for self-contained commands.
|
||||||
|
runFileOp() {
|
||||||
|
if [[ "$CFG_DOCKER_INSTALL_TYPE" == "rootless" ]]; then
|
||||||
|
dockerCommandRunInstallUser "$*"
|
||||||
|
else
|
||||||
|
sudo "$@"
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# Write stdin to a path with the right privilege (replaces `… | sudo tee path`).
|
||||||
|
# rooted -> sudo tee
|
||||||
|
# rootless -> tee as the Docker install user
|
||||||
|
# Usage: some_command | runFileWrite /path/to/file
|
||||||
|
runFileWrite() {
|
||||||
|
local dest="$1"
|
||||||
|
if [[ "$CFG_DOCKER_INSTALL_TYPE" == "rootless" ]]; then
|
||||||
|
dockerCommandRunInstallUser "tee '$dest' >/dev/null"
|
||||||
|
else
|
||||||
|
sudo tee "$dest" >/dev/null
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
# Genuine system-administration command (ufw/systemctl/apt/sysctl/useradd, /etc
|
||||||
|
# edits). Needs real root in both modes; kept as sudo and funnelled through one
|
||||||
|
# place so it can later be confined to a scoped sudoers allowlist.
|
||||||
|
runSystem() {
|
||||||
|
sudo "$@"
|
||||||
|
}
|
||||||
@ -31,6 +31,7 @@ docker_scripts=(
|
|||||||
"docker/checks/running_for_user.sh"
|
"docker/checks/running_for_user.sh"
|
||||||
"docker/command/docker_run_install.sh"
|
"docker/command/docker_run_install.sh"
|
||||||
"docker/command/docker_run.sh"
|
"docker/command/docker_run.sh"
|
||||||
|
"docker/command/run_privileged.sh"
|
||||||
"docker/compose/copy_build_context.sh"
|
"docker/compose/copy_build_context.sh"
|
||||||
"docker/compose/restart_after_update.sh"
|
"docker/compose/restart_after_update.sh"
|
||||||
"docker/compose/setup_compose_yml.sh"
|
"docker/compose/setup_compose_yml.sh"
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user