Exhaustive audit (workflow: 19 finders + adversarial per-file verify; 85 raw -> 66 unique -> 39 confirmed) found 36 direct writes into the container-owned tree that bypass runFileOp/runFileWrite/runCfgOp (manager => EACCES in rootless) plus 3 $?-masking sites. Fixes by area: - apps: grafana + prometheus install hooks (sudo chmod -> runFileOp chmod); gluetun provider etag (tee -> runFileWrite). - webui generators: task-create (10 sites: mkdir/chown/tee/jq|tee/sed|tee -> runFileOp/runFileWrite); app-icons (mkdir/cp/mv); config icon cp; system metrics + update throttle stamps (runAsManager touch -> runFileOp touch); setup-lock rm; updater history seed + cp. - task health checker: 4 log writes (tee -a -> runFileWrite -a) + 3 find -delete (-> runFileOp find). - config reconcile: backup cp -> runCfgOp; live cp -> runFileWrite < tmp for container-owned configs (the container user can't read a manager 0600 tmp). - peer pull: tar extract into the container tree -> runFileOp tar. - masking: ip_find_available + folder_group(x2) — split 'local VAR=$(cmd)' so $? reaches the following [[ $? ]] check. 15 files, all pass bash -n; fixed idioms confirmed gone. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Signed-off-by: librelad <librelad@digitalangels.vip>
#!/bin/bash
# Prometheus install hooks — drop the prometheus.yml template alongside the
# compose, and 0777 the storage dirs so the container can write its TSDB
# regardless of the host UID mapping.
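#######################################
# Post-compose hook for prometheus: create the per-app config folder and an
# empty <app>.yml in it, then copy the bundled template over that file.
# Globals:   docker_install_user, containers_dir, logs_dir, docker_log_file (read)
# Arguments: $1 - app name (the install flow passes "prometheus")
# Outputs:   step results are reported through checkSuccess; the copy
#            helper's output is appended to the install log
# Returns:   nothing directly; each step is followed by checkSuccess, which
#            is presumed to act on the exit status of the preceding command
#######################################
prometheus_install_post_compose()
{
  local app_name="$1"
  # containers_dir is used with a trailing slash elsewhere in this file
  # (see the post-start hook), so no separator is inserted here.
  local app_dir="$containers_dir$app_name/$app_name"
  # Captured only to keep helper chatter off the console; the value itself
  # is not consumed.
  local result

  # $docker_install_user is quoted so an unset/empty value still occupies
  # its positional slot instead of silently shifting the later arguments.
  result=$(createFolders "loud" "$docker_install_user" "$app_dir")
  checkSuccess "Created $app_name folder in $app_name"

  result=$(createTouch "$app_dir/$app_name.yml" "$docker_install_user")
  checkSuccess "Created $app_name.yml file for $app_name"

  # pipefail is enabled only inside this subshell: without it the status
  # checkSuccess sees is that of the log writer at the end of the pipe, and a
  # failed copyResource would be reported as success.
  result=$(set -o pipefail; copyResource "$app_name" "$app_name.yml" "$app_name" | runInstallWrite -a "$logs_dir/$docker_log_file" 2>&1)
  checkSuccess "Copying $app_name.yml to containers folder."
}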
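#######################################
# Post-start hook for prometheus: hand prometheus.yml to the container user
# and open up the config and TSDB directories so the container can write to
# them regardless of the host UID mapping.
# Globals:   containers_dir, docker_install_user (read)
# Arguments: $1 - app name; accepted for hook-signature parity only, the
#            paths below are fixed to the "prometheus" tree
# Outputs:   step results are reported through checkSuccess
# Returns:   nothing directly; each chmod is followed by checkSuccess, which
#            is presumed to act on the exit status of the preceding command
#######################################
prometheus_install_post_start()
{
  # shellcheck disable=SC2034 — kept so every *_post_start hook shares one signature
  local app_name="$1"
  local prom_root="${containers_dir}prometheus"
  # Captured only to keep helper chatter off the console; not consumed.
  local result
  local dir

  if [ -f "$prom_root/prometheus/prometheus.yml" ]; then
    updateFileOwnership "$prom_root/prometheus/prometheus.yml" "$docker_install_user" "$docker_install_user"
  fi

  # NOTE(review): a recursive 0777 on the config directory makes
  # prometheus.yml (scrape targets, remote_write destinations) editable by
  # every local account, not only the container UID. If the deployment can
  # resolve the container's mapped UID, ownership plus 0755/0644 on the
  # config tree — leaving the wide mode for prom_data only — is the narrower
  # option; kept as-is here because the file header documents the UID-mapping
  # rationale.
  for dir in prometheus prom_data; do
    if [ -d "$prom_root/$dir" ]; then
      result=$(runFileOp chmod -R 777 "$prom_root/$dir")
      checkSuccess "Set permissions to $dir folder."
    fi
  done
}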