Compare commits
No commits in common. "e89ce25a19357f5df562d5ecb24511d74855021f" and "14efcc579b2f2112fc034ecf0a24dad1cc8a7176" have entirely different histories.
e89ce25a19
...
14efcc579b
@ -1,46 +0,0 @@
|
|||||||
#!/bin/bash
|
|
||||||
|
|
||||||
# Mode-aware privileged operations.
|
|
||||||
#
|
|
||||||
# The privilege a file operation needs depends on the Docker mode:
|
|
||||||
# rooted — app/container files under /docker are root-owned, so ops run via
|
|
||||||
# sudo. This is byte-for-byte the historical behaviour.
|
|
||||||
# rootless — those files are owned by the unprivileged Docker install user, so
|
|
||||||
# ops run AS that user over the existing SSH channel and need no
|
|
||||||
# root at all.
|
|
||||||
# Centralising the branch here means each call site is written once and is
|
|
||||||
# correct in both modes, and rooted installs (incl. live boxes) are unchanged.
|
|
||||||
|
|
||||||
# Run a /docker data-plane command — mkdir/chown/rm/cp/mv/find/sqlite3/etc. on
|
|
||||||
# app or container files.
|
|
||||||
# rooted -> sudo <cmd>
|
|
||||||
# rootless -> run <cmd> as the Docker install user (no sudo)
|
|
||||||
# Note: for stdin-fed writes (e.g. `… | sudo tee file`) use runFileWrite below;
|
|
||||||
# this helper is for self-contained commands.
|
|
||||||
runFileOp() {
|
|
||||||
if [[ "$CFG_DOCKER_INSTALL_TYPE" == "rootless" ]]; then
|
|
||||||
dockerCommandRunInstallUser "$*"
|
|
||||||
else
|
|
||||||
sudo "$@"
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
|
|
||||||
# Write stdin to a path with the right privilege (replaces `… | sudo tee path`).
|
|
||||||
# rooted -> sudo tee
|
|
||||||
# rootless -> tee as the Docker install user
|
|
||||||
# Usage: some_command | runFileWrite /path/to/file
|
|
||||||
runFileWrite() {
|
|
||||||
local dest="$1"
|
|
||||||
if [[ "$CFG_DOCKER_INSTALL_TYPE" == "rootless" ]]; then
|
|
||||||
dockerCommandRunInstallUser "tee '$dest' >/dev/null"
|
|
||||||
else
|
|
||||||
sudo tee "$dest" >/dev/null
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
|
|
||||||
# Genuine system-administration command (ufw/systemctl/apt/sysctl/useradd, /etc
|
|
||||||
# edits). Needs real root in both modes; kept as sudo and funnelled through one
|
|
||||||
# place so it can later be confined to a scoped sudoers allowlist.
|
|
||||||
runSystem() {
|
|
||||||
sudo "$@"
|
|
||||||
}
|
|
||||||
@ -31,7 +31,6 @@ docker_scripts=(
|
|||||||
"docker/checks/running_for_user.sh"
|
"docker/checks/running_for_user.sh"
|
||||||
"docker/command/docker_run_install.sh"
|
"docker/command/docker_run_install.sh"
|
||||||
"docker/command/docker_run.sh"
|
"docker/command/docker_run.sh"
|
||||||
"docker/command/run_privileged.sh"
|
|
||||||
"docker/compose/copy_build_context.sh"
|
"docker/compose/copy_build_context.sh"
|
||||||
"docker/compose/restart_after_update.sh"
|
"docker/compose/restart_after_update.sh"
|
||||||
"docker/compose/setup_compose_yml.sh"
|
"docker/compose/setup_compose_yml.sh"
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user