Move the last runtime-critical root file-primitive subsystems behind
root-owned helpers so the type switcher + task service work under a scoped
sudoers:
- scripts/system/libreportal-socket: {rootless|rooted} {on|off} chmod of
the docker sockets (paths computed from config, not caller-supplied;
exit 3 = absent so the *_found flags come from its exit code)
- scripts/system/libreportal-svc: GENERATES + installs the systemd unit
from config (mode/uid/baked manager) — never accepts unit content from
the caller (arbitrary unit = root). Idempotent install/enable/restart.
- ownership helper: add db-own + app-file <app> <relpath> actions
- run_privileged: runSocket / runSvc
- set_socket_permissions -> runSocket; webui_install_systemd -> runSvc
(+ crontab cleanup runs as the manager directly, no sudo -u self)
- before_start: db chown -> runOwnership db-own; traefik cert/yml ->
runOwnership app-file (retires updateFileOwnership/changeRootOwnedFile)
- init.sh installs all five helpers
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
48 lines
2.1 KiB
Bash
Executable File
```bash
#!/bin/bash
# LibrePortal Task Processor Systemd Service Setup
# Replaces crontabSetupTaskProcessor with systemd service.
#
# Idempotent: computes the desired unit for the CURRENT docker mode and only
# rewrites + daemon-reloads + restarts when it actually differs from what's on
# disk. So routine re-runs are no-ops (no needless restart that would kill an
# in-flight task), while a rooted<->rootless switch — which changes the env
# block — triggers exactly one rewrite + restart so the processor re-reads the
# new mode. Safe to call from install AND from the docker-type switcher.
installLibrePortalWebUITaskService()
{
    [[ "$CFG_REQUIREMENT_WEBUI_SERVICE" == "true" ]] || return 0

    local task_processor_script="$install_scripts_dir/crontab/task/crontab_task_processor.sh"
    local task_dir="$containers_dir/libreportal/frontend/data/tasks"

    # Point the processor at the task dir (idempotent). This edits the
    # manager-owned install tree, so no privilege is needed.
    if [ -f "$task_processor_script" ]; then
        sed -i "s|TASK_DIR=\".*\"|TASK_DIR=\"$task_dir\"|g" "$task_processor_script"
        chmod +x "$task_processor_script"
    else
        isNotice "Task processor script not found"
    fi

    # The unit itself is generated + installed by the root-owned svc helper (it
    # reads the mode + install-user uid from config to build the rootless
    # DOCKER_HOST/XDG_RUNTIME_DIR Environment= lines). Idempotent: only restarts on
    # an actual change, so a rooted<->rootless switch re-reads the new mode without
    # bouncing the processor on routine re-runs.
    local svc_result
    # Capture the helper's exit status: a failed (or sudoers-denied) runSvc would
    # otherwise yield an empty result and be misreported as "already up to date".
    if ! svc_result="$(runSvc install)"; then
        isNotice "LibrePortal task processor service install failed (runSvc returned an error)."
        return 1
    fi
    if [[ "$svc_result" == "updated" ]]; then
        isSuccessful "LibrePortal task processor service installed/updated ($CFG_DOCKER_INSTALL_TYPE)."
    else
        isSuccessful "LibrePortal task processor service already up to date."
    fi

    # Drop the legacy crontab entry if present (superseded by the service). We are
    # the manager, so operate on its own crontab directly.
    if crontab -l 2>/dev/null | grep -q "task_processor.sh"; then
        crontab -l 2>/dev/null | grep -v "task_processor.sh" | crontab -
        isNotice "Removed task processor from crontab"
    fi
}
```
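The commit message describes the root-owned `libreportal-svc` helper that `runSvc install` calls: it renders the unit from config (mode, manager uid), never takes unit text from the caller, and rewrites/restarts only when the on-disk unit differs, printing `updated` or `unchanged` for the caller above to branch on. The following is an added illustration of that compare-then-install logic, not LibrePortal's own helper; `build_task_unit`, `install_unit_if_changed`, `UNIT_PATH`, `SYSTEMCTL`, the unit file name and the socket/runtime paths are all assumptions, and the real helper reads mode/uid from config rather than from arguments.

```bash
#!/bin/bash
# Added example (not LibrePortal's libreportal-svc): idempotent systemd unit
# install driven by trusted values only. Names and paths here are assumptions.

UNIT_PATH="${UNIT_PATH:-/etc/systemd/system/libreportal-task.service}"
SYSTEMCTL="${SYSTEMCTL:-systemctl}"   # overridable so the logic can run offline

# Render the unit from an allow-listed mode plus config-derived values. The caller
# never supplies unit text: anything written to this file is executed as root.
build_task_unit() {
    local mode="$1" uid="$2" manager="$3" script="$4"
    case "$mode" in
        rootless|rooted) ;;
        *) echo "unknown docker mode: $mode" >&2; return 2 ;;
    esac
    printf '[Unit]\nDescription=LibrePortal task processor\nAfter=network.target\n\n'
    printf '[Service]\nType=simple\nUser=%s\nExecStart=%s\nRestart=on-failure\n' \
        "$manager" "$script"
    if [[ "$mode" == "rootless" ]]; then
        # Rootless docker: the processor must reach the manager's user socket.
        printf 'Environment=XDG_RUNTIME_DIR=/run/user/%s\n' "$uid"
        printf 'Environment=DOCKER_HOST=unix:///run/user/%s/docker.sock\n' "$uid"
    fi
    printf '\n[Install]\nWantedBy=multi-user.target\n'
}

# Write the desired unit only when it differs from what is on disk, then
# daemon-reload/enable/restart. Prints "updated" or "unchanged" so a caller can
# branch on stdout the way installLibrePortalWebUITaskService does.
install_unit_if_changed() {
    local desired="$1" tmp
    if [[ -f "$UNIT_PATH" && "$(cat "$UNIT_PATH")" == "$desired" ]]; then
        echo unchanged
        return 0
    fi
    tmp="$(mktemp "${UNIT_PATH}.XXXXXX")"
    printf '%s\n' "$desired" > "$tmp"
    chmod 0644 "$tmp"
    mv -f "$tmp" "$UNIT_PATH"        # atomic replace: never a half-written unit
    "$SYSTEMCTL" daemon-reload
    "$SYSTEMCTL" enable libreportal-task.service
    "$SYSTEMCTL" restart libreportal-task.service
    echo updated
}
```

Switching the mode argument from `rootless` to `rooted` changes the rendered `Environment=` block, which is exactly the one case that should trigger a rewrite and restart.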