Reinstall test on Debian 12 surfaced three rootless-only breakages (rooted was byte-identical/fine): 1. pasta blocked by Debian's passt AppArmor profile (DENIED ptrace read -> can't open container netns -> rootless dockerd never starts). Default CFG_ROOTLESS_NET back to slirp4netns (reliable); pasta stays selectable for hosts that relax the profile. 2. the de-sudo pass mis-assigned helpers by file owner. The /docker management layer (apps DB chowned to libreportal by install_sqlite, /docker/logs) is MANAGER-owned, not dockerinstall. Add runInstallWrite; move apps-DB sqlite3 -> runInstallOp and /docker/logs appends -> runInstallWrite. Revert ownership-SETUP scripts (libreportal_folders, app_folder) to runSystem — they must run as root to establish ownership during install. Container files (/docker/containers/<app>) stay runFileOp. 3. kernel hardening sysctls were written to /etc/sysctl/99-custom.conf, which 'sysctl --system' does not read -> never applied. Write them to /etc/sysctl.d/99-libreportal-hardening.conf instead. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> Signed-off-by: librelad <librelad@digitalangels.vip>
#!/bin/bash
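dockerComposeSetupFile()
{
  #######################################
  # Deploy an app's compose file from the install template tree into the
  # live containers tree, then run the post-copy hooks when they exist.
  #
  # Arguments:
  #   $1 - app_name     app directory name under both trees
  #   $2 - custom_file  optional compose filename (default: docker-compose.yml)
  #   $3 - custom_path  optional sub-directory of the app's template tree
  #                     that holds the compose file
  # Globals (read): install_containers_dir, containers_dir, compose_setup,
  #                 docker_install_user, logs_dir, docker_log_file
  # Outputs: copyFile's output is appended to "$logs_dir/$docker_log_file"
  #          through runInstallWrite (the manager-owned log writer).
  # Returns: 1 (after isError) on an empty app name, an unknown
  #          compose_setup, a missing source file or a failed copy.
  #######################################
  local app_name="$1"
  # ${2:-…} covers both an unset and an empty second argument, matching
  # the original `== ""` test.
  local custom_file="${2:-docker-compose.yml}"
  local custom_path="$3"

  # Validate before building paths so an empty name cannot reach the copy.
  if [[ -z "$app_name" ]]; then
    isError "The app_name is empty."
    return 1
  fi

  # Source: <install tree>/<app>[/<custom_path>]/<compose file>.
  # install_containers_dir is expected to carry its trailing slash
  # (it is concatenated directly with app_name, as the callers do).
  local source_path="$install_containers_dir$app_name"
  if [[ -n "$custom_path" ]]; then
    source_path="$source_path/$custom_path"
  fi
  local source_file="$source_path/$custom_file"

  # Target filename depends on the compose layout the installer selected.
  # An unrecognised value used to leave target_compose_file empty, which
  # turned target_file into a directory path; fail loudly instead.
  local target_compose_file
  case "$compose_setup" in
    default) target_compose_file="docker-compose.yml" ;;
    app)     target_compose_file="docker-compose.$app_name.yml" ;;
    *)
      isError "Unknown compose_setup '$compose_setup' (expected 'default' or 'app')."
      return 1
      ;;
  esac

  local target_path="$containers_dir$app_name"
  local target_file="$target_path/$target_compose_file"

  if [[ ! -f "$source_file" ]]; then
    isError "The source file '$source_file' does not exist."
    return 1
  fi

  # The copy runs as docker_install_user when one is configured; the
  # ${var:+"$var"} form passes it as a single quoted word and omits the
  # argument entirely when it is empty, as the unquoted original did.
  # copyFile's output goes to the docker log via runInstallWrite -a.
  copyFile "loud" "$source_file" "$target_file" ${docker_install_user:+"$docker_install_user"} \
    | runInstallWrite -a "$logs_dir/$docker_log_file" 2>&1
  # $? after a pipeline is only the log writer's status; capture every
  # stage so a failed copyFile is not masked by a successful log append.
  local -a stage_rc=("${PIPESTATUS[@]}")
  if (( stage_rc[0] != 0 || stage_rc[1] != 0 )); then
    isError "Failed to copy the source file to '$target_path'. Check '$docker_log_file' for more details."
    return 1
  fi

  # Compose files often carry RANDOMIZED* placeholders for service env
  # vars (DB passwords, Laravel APP_KEY, etc). The scanner is a no-op
  # on files without placeholders so it's safe to call unconditionally.
  if declare -F scanFileForRandomPasswordKeysUsers >/dev/null; then
    scanFileForRandomPasswordKeysUsers "$target_file"
  fi

  # If the app's install template carries a Dockerfile, the compose
  # almost certainly has `build: .` and needs the source tree alongside
  # the deployed compose. dockerCopyBuildContext is itself a no-op for
  # apps with no Dockerfile, so calling here is safe for every app.
  if declare -F dockerCopyBuildContext >/dev/null; then
    dockerCopyBuildContext "$app_name"
  fi
}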