fix: add uidmap/slirp4netns for rootless Podman, fix Tor permissions

Two critical issues found on fresh .198 install:

1. Podman broken — uidmap package missing from rootfs because
   --no-install-recommends dropped it. Without newuidmap, rootless
   Podman can't create user namespaces. Also add slirp4netns and
   fuse-overlayfs which are required for rootless networking and
   storage.

2. Tor hidden service dirs created with 750 permissions (setgid).
   Tor requires exactly 700. Added explicit mkdir + chmod 700 for
   all hidden service dirs before starting Tor.

Both issues fixed on .198 live. Build script updated for future installs.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Dorian 2026-03-28 02:40:39 +00:00
parent 0abce929ba
commit 10bf53bc83
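The two conditions this commit describes (owner-only hidden service directories for Tor, and the `uidmap` helpers plus a subordinate ID range for rootless Podman) can be checked before the services start. The script below is an added preflight check, not part of this commit or the build script; it assumes GNU coreutils (`stat -c`) and the Debian layout of `/etc/subuid` and `/etc/subgid`.

```shell
#!/bin/sh
# Added preflight check (not part of the commit). Assumes GNU coreutils
# (stat -c '%a') and Debian-style /etc/subuid and /etc/subgid files.

# Return 0 when a hidden-service directory has mode exactly 0700, with no
# setuid/setgid/sticky bits, and 1 otherwise. Tor refuses to use a
# HiddenServiceDir that is group- or world-accessible.
hs_dir_mode_ok() {
    dir="$1"
    [ -d "$dir" ] || return 1
    # %a prints the permission bits in octal, special bits included
    # (a setgid 750 directory shows up as 2750, not 750).
    mode=$(stat -c '%a' "$dir") || return 1
    [ "$mode" = "700" ]
}

# Bring a directory to the state Tor expects: owner-only, setgid cleared.
# GNU chmod keeps a directory's setuid/setgid bits when given a numeric
# mode, so an inherited setgid bit has to be cleared symbolically.
fix_hs_dir_mode() {
    dir="$1"
    mkdir -p "$dir" || return 1
    chmod 700 "$dir" && chmod g-s "$dir"
}

# Return 0 when rootless Podman can create user namespaces for a user:
# newuidmap/newgidmap (from the uidmap package) are installed and the
# user has subordinate UID and GID ranges. Defaults to the calling user.
rootless_podman_prereqs_ok() {
    user=${1:-$(id -un)}
    command -v newuidmap >/dev/null 2>&1 || { echo "missing newuidmap"; return 1; }
    command -v newgidmap >/dev/null 2>&1 || { echo "missing newgidmap"; return 1; }
    grep -q "^$user:" /etc/subuid 2>/dev/null || { echo "no subuid range for $user"; return 1; }
    grep -q "^$user:" /etc/subgid 2>/dev/null || { echo "no subgid range for $user"; return 1; }
    return 0
}

# When TOR_DIR is set (as in the build script), report every hidden
# service directory that is not 0700. Nothing runs otherwise, so the
# functions above can be sourced from other scripts.
if [ -n "${TOR_DIR:-}" ]; then
    for d in "$TOR_DIR"/hidden_service_*; do
        [ -d "$d" ] || continue
        hs_dir_mode_ok "$d" || echo "wrong mode on $d: $(stat -c '%a' "$d")"
    done
fi
```

Run with `TOR_DIR=/path/to/tor sh preflight.sh` to list offending directories, or source the file and call `fix_hs_dir_mode` on each directory named in the torrc. `rootless_podman_prereqs_ok` prints the first missing prerequisite so a build log shows which of the two failure causes (package or ID range) applies.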

@ -245,6 +245,9 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
openssh-server \
nginx \
podman \
uidmap \
slirp4netns \
fuse-overlayfs \
tor \
curl \
git \
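Review bot: the `uidmap` line in this hunk provides the setuid-root `newuidmap`/`newgidmap` helpers, but rootless Podman also needs a subordinate ID range for the user that runs it in `/etc/subuid` and `/etc/subgid`, and nothing in this hunk creates one; consider pairing the package with a `usermod --add-subuids FIRST-LAST --add-subgids FIRST-LAST <user>` step (or a check) in the build script so a fresh install does not fail on the second prerequisite. Worth a comment in the Dockerfile as well: `uidmap` adds two setuid-root binaries to the rootfs, which is the trade-off for creating user namespaces without root.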
@ -1094,6 +1097,14 @@ HiddenServiceDir $TOR_DIR/hidden_service_fedimint
HiddenServicePort 8175 127.0.0.1:8175
TORRC
# Create hidden service dirs with correct ownership and permissions (700, not 750)
# Tor refuses to start if permissions are too permissive
for svc in archipelago bitcoin electrumx lnd btcpay mempool fedimint; do
mkdir -p "$TOR_DIR/hidden_service_$svc"
chown debian-tor:debian-tor "$TOR_DIR/hidden_service_$svc"
chmod 700 "$TOR_DIR/hidden_service_$svc"
done
# Prefer system Tor (installed via apt)
if command -v tor >/dev/null 2>&1; then
echo "$(date): Using system Tor daemon" >> "$LOG"
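Review bot: the `chmod 700` in the loop will not clear an inherited setgid bit, since GNU chmod preserves a directory's setuid/setgid bits when given a numeric mode; a directory created by `mkdir -p` under a setgid `$TOR_DIR` therefore ends up as `2700` rather than `700`. If the "(700, not 750)" comment is meant to undo that inheritance, follow it with `chmod g-s "$TOR_DIR/hidden_service_$svc"` or use a symbolic mode such as `chmod u=rwx,go=,g-s`. Separately, the `for svc in ...` list repeats the `HiddenServiceDir` entries written into the torrc just above it; a service added to one place and not the other would miss the ownership and permission fix, so deriving the loop from the same list as the torrc would keep the two in step.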