librelad cdb2fc633d fix(install): establish container layer in root phase (real fix for scan noise)
Reverts the 2>/dev/null band-aids and fixes the root cause. The
manager-run install boot scans app configs under /docker/containers AS
the container user (runFileOp). But init.sh's initFolders creates that
dir manager-owned, and the handover to the container user happened later
(start_preinstall), AFTER the boot scans — so the scans ran as the
container user against a dir it didn't own yet: "find:
'/docker/containers/': Permission denied" (cosmetic; the dir is empty
that early, but it's the wrong ownership at the wrong time).

Add initContainerLayer() to init.sh's root phase (after initGIT +
initUpdateConfigs, before the manager-run handoff): rootless-only, it
creates the docker-install user if missing and chowns /docker/containers
to it (751). The later rootless setup is now idempotent — it finds the
user existing and just (re)asserts its password + daemon config (moved
updateDockerInstallPassword out of the create-only branch). Rooted is
unaffected (containers stay manager-owned, which the manager reads).

Result: by the time the boot scans run, /docker/containers is owned by
the user doing the scanning — no permission error, nothing suppressed.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
2026-05-24 22:53:11 +01:00

24 lines | 1.2 KiB | Bash | Executable File

#!/bin/bash
installDockerRootlessUser()
{
    if [[ $CFG_DOCKER_INSTALL_TYPE == "rootless" ]]; then
        if id "$CFG_DOCKER_INSTALL_USER" &>/dev/null; then
            isSuccessful "User $CFG_DOCKER_INSTALL_USER already exists."
        else
            # Create the rootless docker user. The login name (last arg) was
            # missing, so useradd failed silently — masked by local result=$(...)
            # — and the user never existed, breaking the whole rootless setup.
            # -m makes its home; with SUB_UID/GID configured in login.defs,
            # useradd also assigns its subordinate uid/gid ranges (needed for
            # rootless). Run unmasked so checkSuccess sees real failures.
            runSystem useradd -m -s /bin/bash -d "/home/$CFG_DOCKER_INSTALL_USER" "$CFG_DOCKER_INSTALL_USER"
            checkSuccess "Creating $CFG_DOCKER_INSTALL_USER User."
        fi
        # (Re)assert the password regardless — the user may have been pre-created
        # in init.sh's root phase (so /docker/containers ownership is ready before
        # the manager-run boot scans), where the password isn't set.
        updateDockerInstallPassword;
    fi
}
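As an added example, not the project's init.sh and not the file above: a standalone shell sketch of the root-phase initContainerLayer() step the commit message describes (rootless-only, create the docker-install user if missing, hand /docker/containers to it with mode 751, idempotent on re-runs), together with the precondition the manager-run boot scans implicitly depend on. Assumed: install type, user and directory are passed as arguments instead of the project's CFG_* variables, plain return codes replace the project's runSystem/checkSuccess/isSuccessful helpers, and the demo uses a temp directory with the current user standing in for the docker-install user so it runs unprivileged.

```shell
#!/bin/bash
# Added example, not the project's init.sh: a standalone sketch of the
# root-phase container-layer handover described in the commit message.
# Assumptions: install type, user and directory are arguments instead of
# the project's CFG_* variables; plain return codes stand in for the
# project's runSystem/checkSuccess helpers.

# init_container_layer INSTALL_TYPE USER DIR
#   rootless: make sure USER exists, then hand DIR to USER with mode 751
#             so the later manager-run boot scans (which run as USER) can
#             traverse it.
#   rooted:   nothing to do; the directory stays manager-owned.
# Idempotent: an existing user is left alone; chown/chmod only re-assert.
init_container_layer() {
    local install_type="$1" user="$2" dir="$3"
    [ "$install_type" = "rootless" ] || return 0
    mkdir -p "$dir" || return 1
    if ! id "$user" >/dev/null 2>&1; then
        # Only reached on a fresh install; needs root, exactly like the
        # real root phase. The later rootless setup then finds the user
        # present and only re-asserts its password and daemon config.
        useradd -m -s /bin/bash -d "/home/$user" "$user" || return 1
    fi
    chown "$user" "$dir" && chmod 751 "$dir"
}

# dir_owner_mode DIR -> prints "owner mode", e.g. "docker-install 751"
dir_owner_mode() {
    stat -c '%U %a' "$1"
}

# container_layer_ready USER DIR -> 0 when DIR is owned by USER with the
# expected 751 mode. A scan that runs as USER before this holds is the
# "find: Permission denied" noise the commit removes; a boot script can
# guard the scan on this instead of silencing stderr.
container_layer_ready() {
    [ "$(dir_owner_mode "$2")" = "$1 751" ]
}

# Demo against a temp dir, with the current user standing in for the
# docker-install user, so it runs unprivileged.
demo() {
    local tmp me
    tmp=$(mktemp -d) || return 1
    me=$(id -un)
    init_container_layer rootless "$me" "$tmp/containers" || return 1
    if container_layer_ready "$me" "$tmp/containers"; then
        echo "handover done: $(dir_owner_mode "$tmp/containers")"
    fi
    rm -rf "$tmp"
}
demo
```

The ordering is the whole point: the chown/chmod happens in the phase that still runs as root, before any code that runs as the docker-install user touches the directory, and running the function a second time changes nothing, so it is safe on every boot.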