LibrePortal/scripts/docker/compose/setup_compose_yml.sh
librelad 68110d199c fix(rootless): slirp4netns default, manager-vs-container helper split, sysctl path
Reinstall test on Debian 12 surfaced three rootless-only breakages (rooted
was byte-identical/fine):

1. pasta blocked by Debian's passt AppArmor profile (DENIED ptrace read ->
   can't open container netns -> rootless dockerd never starts). Default
   CFG_ROOTLESS_NET back to slirp4netns (reliable); pasta stays selectable
   for hosts that relax the profile.
2. de-sudo mis-assigned helpers by owner. /docker management layer (apps DB
   chowned to libreportal by install_sqlite, /docker/logs) is MANAGER-owned,
   not dockerinstall. Add runInstallWrite; move apps-DB sqlite3 -> runInstallOp
   and /docker/logs appends -> runInstallWrite. Revert ownership-SETUP scripts
   (libreportal_folders, app_folder) to runSystem — they must run as root to
   establish ownership during install. Container files (/docker/containers/<app>)
   stay runFileOp.
3. kernel hardening sysctls written to /etc/sysctl/99-custom.conf, which
   'sysctl --system' does not read -> never applied. Write them to
   /etc/sysctl.d/99-libreportal-hardening.conf instead.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
2026-05-24 00:12:06 +01:00
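The third item above (hardening sysctls written to a path that `sysctl --system` never reads) is easy to repeat on any host. The following is an added example, not LibrePortal's own code: a small checker for whether a drop-in path is one that `sysctl --system` actually loads (per procps sysctl(8): /etc/sysctl.d, /run/sysctl.d, /usr/local/lib/sysctl.d, /usr/lib/sysctl.d, /lib/sysctl.d, plus /etc/sysctl.conf), and a writer that refuses any other location, validates each key=value entry, and installs the file atomically with 0644 permissions. The ROOT argument, the file name 99-example-hardening.conf and the sample keys are assumptions for the demo; the real hardening keys LibrePortal writes are not shown on this page.

```bash
#!/usr/bin/env bash
# Added example (not LibrePortal code). Guards against the bug where a sysctl
# file lands somewhere `sysctl --system` silently ignores, e.g. /etc/sysctl/.

# Returns 0 if PATH is a location `sysctl --system` reads, 1 otherwise.
# sysctl does not recurse into subdirectories and only takes *.conf files.
sysctl_path_is_loaded() {
    local path="$1" rest
    case "$path" in
        /etc/sysctl.conf) return 0 ;;
        /etc/sysctl.d/*.conf|/run/sysctl.d/*.conf|/usr/local/lib/sysctl.d/*.conf|/usr/lib/sysctl.d/*.conf|/lib/sysctl.d/*.conf)
            rest=${path#*/sysctl.d/}
            case "$rest" in
                */*) return 1 ;;   # nested directory: not read
            esac
            return 0 ;;
        *) return 1 ;;
    esac
}

# write_sysctl_dropin ROOT NAME key=value...
# ROOT is normally "" or "/" (a temp dir in tests). Writes ROOT/etc/sysctl.d/NAME
# as "key = value" lines, refuses paths sysctl would not load, rejects malformed
# entries, and replaces the file atomically. Prints the final path on success.
write_sysctl_dropin() {
    local root="$1" name="$2"
    shift 2
    local rel="/etc/sysctl.d/$name"
    if ! sysctl_path_is_loaded "$rel"; then
        echo "refusing to write $rel: not read by 'sysctl --system'" >&2
        return 1
    fi
    local kv key value body=""
    for kv in "$@"; do
        case "$kv" in
            *=*) key=${kv%%=*}; value=${kv#*=} ;;
            *)   echo "bad entry (expected key=value): $kv" >&2; return 1 ;;
        esac
        # sysctl keys: dotted identifiers, no leading/trailing dot, no spaces
        case "$key" in
            ''|*[!a-zA-Z0-9_.]*|.*|*.) echo "bad key: '$key'" >&2; return 1 ;;
        esac
        [ -n "$value" ] || { echo "empty value for $key" >&2; return 1; }
        body="$body$key = $value
"
    done
    local dir="$root/etc/sysctl.d" tmp
    mkdir -p "$dir" || return 1
    tmp=$(mktemp "$dir/.$name.XXXXXX") || return 1
    printf '%s' "$body" > "$tmp" || { rm -f "$tmp"; return 1; }
    chmod 0644 "$tmp" || { rm -f "$tmp"; return 1; }
    mv -f "$tmp" "$dir/$name" || { rm -f "$tmp"; return 1; }
    echo "$dir/$name"
}

# Demo against a scratch root (assumed file name and keys):
demo_root=$(mktemp -d)
write_sysctl_dropin "$demo_root" 99-example-hardening.conf \
    kernel.kptr_restrict=2 kernel.dmesg_restrict=1
cat "$demo_root/etc/sysctl.d/99-example-hardening.conf"
sysctl_path_is_loaded /etc/sysctl/99-custom.conf || echo "/etc/sysctl/99-custom.conf would never be applied"
rm -rf "$demo_root"
```

After writing the real file on a host, `sysctl --system` (as root) re-reads every listed directory; comparing `sysctl -n <key>` against the value in the drop-in is the quick post-install check that the setting actually took.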

64 lines
2.1 KiB
Bash
Executable File

#!/bin/bash
# Deploys an app's docker-compose file from the install templates into the
# live containers directory, then post-processes it. Relies on globals and
# helpers defined elsewhere in the LibrePortal installer (not in this file):
#   install_containers_dir, containers_dir, compose_setup, docker_install_user,
#   logs_dir, docker_log_file, isError, copyFile, runInstallWrite.
dockerComposeSetupFile()
{
    local app_name="$1"
    local custom_file="$2"
    local custom_path="$3"

    if [ -z "$app_name" ]; then
        isError "The app_name is empty."
    fi
    # app_name and custom_path are spliced into paths on both the source and
    # target side; refuse values that could escape the containers directories.
    case "$app_name" in
        */*|*..*) isError "Invalid app_name '$app_name' (contains '/' or '..')." ;;
    esac
    case "$custom_path" in
        *..*) isError "Invalid custom_path '$custom_path' (contains '..')." ;;
    esac

    # Source filenames: docker-compose.yml in the app's install template
    # directory unless a custom file and/or subdirectory is given.
    local source_compose_file="docker-compose.yml"
    if [ -n "$custom_file" ]; then
        source_compose_file="$custom_file"
    fi
    local source_path="${install_containers_dir}${app_name}"
    if [ -n "$custom_path" ]; then
        source_path="${source_path}/${custom_path}"
    fi
    local source_file="$source_path/$source_compose_file"

    # Target filenames: one shared docker-compose.yml per app ("default") or a
    # per-app docker-compose.<app>.yml ("app"). Any other value used to leave
    # the target name empty and copy to a directory path; fail loudly instead.
    local target_compose_file
    case "$compose_setup" in
        default) target_compose_file="docker-compose.yml" ;;
        app)     target_compose_file="docker-compose.$app_name.yml" ;;
        *)       isError "Unknown compose_setup '$compose_setup' (expected 'default' or 'app')." ;;
    esac
    local target_path="${containers_dir}${app_name}"
    local target_file="$target_path/$target_compose_file"

    if [ ! -f "$source_file" ]; then
        isError "The source file '$source_file' does not exist."
    fi

    # Copy as the container install user (argument passed only when set, as
    # before). Both stdout and stderr of the copy go to the docker log via the
    # manager-owned log writer, so the error message below is true. The
    # pipeline's exit status would only reflect runInstallWrite; check
    # copyFile's own status via PIPESTATUS.
    copyFile "loud" "$source_file" "$target_file" ${docker_install_user:+"$docker_install_user"} 2>&1 \
        | runInstallWrite -a "$logs_dir/$docker_log_file"
    if [ "${PIPESTATUS[0]}" -ne 0 ]; then
        isError "Failed to copy the source file to '$target_path'. Check '$docker_log_file' for more details."
    fi

    # Compose files often carry RANDOMIZED* placeholders for service env
    # vars (DB passwords, Laravel APP_KEY, etc). The scanner is a no-op
    # on files without placeholders so it's safe to call unconditionally.
    if declare -F scanFileForRandomPasswordKeysUsers >/dev/null; then
        scanFileForRandomPasswordKeysUsers "$target_file"
    fi

    # If the app's install template carries a Dockerfile, the compose
    # almost certainly has `build: .` and needs the source tree alongside
    # the deployed compose. dockerCopyBuildContext is itself a no-op for
    # apps with no Dockerfile, so calling here is safe for every app.
    if declare -F dockerCopyBuildContext >/dev/null; then
        dockerCopyBuildContext "$app_name"
    fi
}