librelad 68110d199c fix(rootless): slirp4netns default, manager-vs-container helper split, sysctl path
Reinstall test on Debian 12 surfaced three rootless-only breakages (the rooted
install was byte-identical and worked fine):

1. pasta blocked by Debian's passt AppArmor profile (DENIED ptrace read ->
   can't open container netns -> rootless dockerd never starts). Default
   CFG_ROOTLESS_NET back to slirp4netns (reliable); pasta stays selectable
   for hosts that relax the profile.
2. de-sudo mis-assigned helpers by owner. /docker management layer (apps DB
   chowned to libreportal by install_sqlite, /docker/logs) is MANAGER-owned,
   not dockerinstall. Add runInstallWrite; move apps-DB sqlite3 -> runInstallOp
   and /docker/logs appends -> runInstallWrite. Revert ownership-SETUP scripts
   (libreportal_folders, app_folder) to runSystem — they must run as root to
   establish ownership during install. Container files (/docker/containers/<app>)
   stay runFileOp.
3. kernel hardening sysctls written to /etc/sysctl/99-custom.conf, which
   'sysctl --system' does not read -> never applied. Write them to
   /etc/sysctl.d/99-libreportal-hardening.conf instead.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: librelad <librelad@digitalangels.vip>
2026-05-24 00:12:06 +01:00


#!/bin/bash
# Category : Networking
# Description : Unbound - DNS Resolver (c/u/s/r/i):
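#######################################
# Unbound - DNS Resolver (c/u/s/r/i).
# Dispatches on the letters present in the global $unbound:
#   c = edit app config, u = uninstall, s = compose down, r = compose restart,
#   i = full install (folders, compose file, unbound.conf, DB, WebUI, monitoring).
# Globals:   unbound (read; reset to "n" before returning),
#            menu_number (incremented per install step; reset to 0 after install),
#            CFG_UNBOUND_APP_NAME, logs_dir, docker_log_file, containers_dir (read)
# Arguments: $1 - config variables handed to dockerConfigSetupToContainer on install
# Outputs:   numbered progress banners on stdout
# Returns:   0 (the trailing "unbound=n" assignment is the last command)
#######################################
installUnbound()
{
  local config_variables="$1"
  local app_name=""
  local result=""

  # Any recognised action letter: load the app's config and variables first.
  if [[ "$unbound" == *[cCtTuUsSrRiI]* ]]; then
    dockerConfigSetupToContainer silent unbound;
    app_name=$CFG_UNBOUND_APP_NAME
    initializeAppVariables "$app_name";
  fi
  if [[ "$unbound" == *[cC]* ]]; then
    editAppConfig "$app_name";
  fi
  if [[ "$unbound" == *[uU]* ]]; then
    dockerUninstallApp "$app_name";
  fi
  if [[ "$unbound" == *[sS]* ]]; then
    dockerComposeDown "$app_name";
  fi
  if [[ "$unbound" == *[rR]* ]]; then
    dockerComposeRestart "$app_name";
  fi
  if [[ "$unbound" == *[iI]* ]]; then
    isHeader "Install $app_name"
    ((menu_number++))
    echo ""
    echo "---- $menu_number. Setting up install folder and config file for $app_name."
    echo ""
    dockerConfigSetupToContainer "loud" "$app_name" "install" "$config_variables";
    isSuccessful "Install folders and Config files have been setup for $app_name."
    ((menu_number++))
    echo ""
    # NOTE(review): menu_number is bumped twice here with no step printed in
    # between, so the displayed numbering skips one — looks like a leftover;
    # confirm the intended sequence before changing it.
    ((menu_number++))
    echo ""
    echo "---- $menu_number. Setting up the $app_name docker-compose.yml file."
    echo ""
    dockerComposeSetupFile "$app_name";
    monitoringToggleAppConfig "$app_name" "docker-compose.yml";
    # Declare and assign separately: "local result=$(...)" always leaves $? at 0
    # (the status of "local"), so a failed copy would have been reported as a
    # success by checkSuccess (presumably it inspects $? — confirm). The
    # append to the install log goes through runInstallWrite because /docker/logs
    # is manager-owned under the rootless split.
    result=$(copyResource "$app_name" "unbound.conf" "etc" | runInstallWrite -a "$logs_dir/$docker_log_file" 2>&1)
    checkSuccess "Copying unbound.conf to containers folder."
    monitoringToggleAppConfig "$app_name" "etc/unbound.conf";
    ((menu_number++))
    echo ""
    echo "---- $menu_number. Updating file permissions before starting."
    echo ""
    fixPermissionsBeforeStart "$app_name";
    ((menu_number++))
    echo ""
    echo "---- $menu_number. Running the docker-compose.yml to install and start $app_name"
    echo ""
    dockerComposeUpdateAndStartApp "$app_name" install;
    ((menu_number++))
    echo ""
    echo "---- $menu_number. Running Application specific updates (if required)"
    echo ""
    appUpdateSpecifics "$app_name";
    ((menu_number++))
    echo ""
    echo "---- $menu_number. Running Headscale setup (if required)"
    echo ""
    setupHeadscale "$app_name";
    ((menu_number++))
    echo ""
    echo "---- $menu_number. Adding $app_name to the Apps Database table."
    echo ""
    databaseInstallApp "$app_name";
    ((menu_number++))
    echo ""
    echo "---- $menu_number. Updating WebUI config file."
    echo ""
    webuiContainerSetup "$app_name" install;
    ((menu_number++))
    echo ""
    echo "---- $menu_number. Refreshing monitoring integration."
    echo ""
    monitoringRefreshAll;
    ((menu_number++))
    echo ""
    echo "---- $menu_number. You can find $app_name files at $containers_dir$app_name"
    echo ""
    echo " You can now navigate to your $app_name service using any of the options below : "
    echo ""
    echo " NOTICE : Below are the URLs for the admin panel to use after you have setup Unbound"
    echo ""
    menuShowFinalMessages "$app_name";
    menu_number=0
    #sleep 3s
    # "cd" with no operand returns to $HOME.
    cd
  fi
  unbound=n
}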