Reinstall test on Debian 12 surfaced three rootless-only breakages (rooted was byte-identical/fine):

1. pasta blocked by Debian's passt AppArmor profile (DENIED ptrace read -> can't open container netns -> rootless dockerd never starts). Default CFG_ROOTLESS_NET back to slirp4netns (reliable); pasta stays selectable for hosts that relax the profile.

2. de-sudo mis-assigned helpers by owner. /docker management layer (apps DB chowned to libreportal by install_sqlite, /docker/logs) is MANAGER-owned, not dockerinstall. Add runInstallWrite; move apps-DB sqlite3 -> runInstallOp and /docker/logs appends -> runInstallWrite. Revert ownership-SETUP scripts (libreportal_folders, app_folder) to runSystem — they must run as root to establish ownership during install. Container files (/docker/containers/<app>) stay runFileOp.

3. kernel hardening sysctls written to /etc/sysctl/99-custom.conf, which 'sysctl --system' does not read -> never applied. Write them to /etc/sysctl.d/99-libreportal-hardening.conf instead.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
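A post-install check for item 3, added here as an example (not LibrePortal's or this commit's own code): it flags a drop-in that sits outside the paths `sysctl --system` reads and reports every key whose live kernel value differs from the file. Function names are assumed; it needs no root and does not itself run `sysctl --system`.

```bash
#!/bin/bash
# Added example, not LibrePortal code: verify a sysctl hardening drop-in is in a
# location `sysctl --system` reads and that its values are actually live.

# Paths sysctl --system reads, per sysctl(8): *.conf directly inside these
# directories, plus the legacy /etc/sysctl.conf. Anything else, e.g.
# /etc/sysctl/99-custom.conf, is silently ignored.
sysctlDropinIsRead() {
    local dir="${1%/*}" name="${1##*/}"
    [[ "$name" == *.conf ]] || return 1
    case "$dir" in
        /etc/sysctl.d|/run/sysctl.d|/usr/local/lib/sysctl.d|/usr/lib/sysctl.d|/lib/sysctl.d) return 0 ;;
        /etc) [[ "$name" == sysctl.conf ]] ;;
        *) return 1 ;;
    esac
}

# Compare each "key = value" line of a drop-in with the live kernel value.
# Prints every mismatch; returns the number of mismatches (0 means fully applied).
sysctlVerifyDropin() {
    local file="$1" line key want have mismatches=0
    local re='^[[:space:]]*([^[:space:]=]+)[[:space:]]*=[[:space:]]*(.*[^[:space:]])[[:space:]]*$'
    while IFS= read -r line || [[ -n "$line" ]]; do
        line="${line%%#*}"; line="${line%%;*}"           # drop comments
        [[ "$line" =~ $re ]] || continue                 # skip blank/malformed lines
        key="${BASH_REMATCH[1]#-}"                       # leading '-' = ignore errors, same key
        want="${BASH_REMATCH[2]//$'\t'/ }"
        have=$(sysctl -n "$key" 2>/dev/null) || have="<unreadable>"
        have="${have//$'\t'/ }"                          # sysctl separates multi-values with tabs
        if [[ "$have" != "$want" ]]; then
            echo "NOT APPLIED: $key = $want (live: $have)"
            mismatches=$((mismatches + 1))
        fi
    done < "$file"
    return "$mismatches"
}

# Location check first, then values; non-zero means something is wrong.
sysctlCheckDropin() {
    local file="$1"
    if ! sysctlDropinIsRead "$file"; then
        echo "IGNORED: $file is outside the paths sysctl --system reads"
        return 1
    fi
    sysctlVerifyDropin "$file"
}
if [[ "${BASH_SOURCE[0]}" == "$0" && $# -gt 0 ]]; then
    sysctlCheckDropin "$1"
fi
```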
21 lines
860 B
Bash
Executable File
#!/bin/bash

# Install the Tailscale helper script into an app container and run it.
# $1 = app/container name; $2 = "install" (initial install, no restart) or anything else (restart first).
tailscaleInstallToContainer()
{
    local app_name="$1"
    local type="$2"

    # Declare and assign separately so checkSuccess sees createFolders' exit status
    # (a combined `local x=$(...)` would mask it with local's own status).
    local result
    result=$(createFolders "loud" "$docker_install_user" "$containers_dir$app_name/tailscale")
    checkSuccess "Creating Tailscale folder"

    # /docker/logs is manager-owned, so the log append goes through runInstallWrite.
    copyFile "loud" "${install_scripts_dir}tailscale.sh" "$containers_dir$app_name/tailscale/tailscale.sh" "$docker_install_user" | runInstallWrite -a "$logs_dir/$docker_log_file" 2>&1

    if [[ "$type" != "install" ]]; then
        dockerComposeRestart "$app_name"
    fi

    #dockerCommandRun "docker cp ${install_scripts_dir}tailscale.sh $app_name:/usr/local/bin/tailscale.sh"
    #checkSuccess "Installing Tailscale installer script into the $app_name container"

    dockerCommandRun "docker exec -it $app_name /usr/local/bin/tailscale.sh"
    checkSuccess "Executing Tailscale installer script in the $app_name container"
}