From 10bf53bc8339863de4b892bf1bda4a07a59c7edc Mon Sep 17 00:00:00 2001 From: Dorian Date: Sat, 28 Mar 2026 02:40:39 +0000 Subject: [PATCH] fix: add uidmap/slirp4netns for rootless Podman, fix Tor permissions MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Two critical issues found on fresh .198 install: 1. Podman broken — uidmap package missing from rootfs because --no-install-recommends dropped it. Without newuidmap, rootless Podman can't create user namespaces. Also add slirp4netns and fuse-overlayfs which are required for rootless networking and storage. 2. Tor hidden service dirs created with 750 permissions (setgid). Tor requires exactly 700. Added explicit mkdir + chmod 700 for all hidden service dirs before starting Tor. Both issues fixed on .198 live. Build script updated for future installs. Co-Authored-By: Claude Opus 4.6 (1M context) --- image-recipe/build-auto-installer-iso.sh | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/image-recipe/build-auto-installer-iso.sh b/image-recipe/build-auto-installer-iso.sh index d3d87fd3..13443460 100755 --- a/image-recipe/build-auto-installer-iso.sh +++ b/image-recipe/build-auto-installer-iso.sh @@ -245,6 +245,9 @@ RUN apt-get update && apt-get install -y --no-install-recommends \ openssh-server \ nginx \ podman \ + uidmap \ + slirp4netns \ + fuse-overlayfs \ tor \ curl \ git \ 
@@ -1094,6 +1097,14 @@ HiddenServiceDir $TOR_DIR/hidden_service_fedimint HiddenServicePort 8175 127.0.0.1:8175 TORRC +# Create hidden service dirs with correct ownership and permissions (700, not 750) +# Tor refuses to start if permissions are too permissive +for svc in archipelago bitcoin electrumx lnd btcpay mempool fedimint; do + mkdir -p "$TOR_DIR/hidden_service_$svc" + chown debian-tor:debian-tor "$TOR_DIR/hidden_service_$svc" + chmod 700 "$TOR_DIR/hidden_service_$svc" +done + # Prefer system Tor (installed via apt) if command -v tor >/dev/null 2>&1; then echo "$(date): Using system Tor daemon" >> "$LOG"
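Review bot: in the apt-get install hunk, uidmap only supplies the newuidmap/newgidmap setuid helpers; rootless Podman also needs subordinate ID ranges for the unprivileged user in /etc/subuid and /etc/subgid, and neither the hunk nor the commit message shows those being provisioned, so please confirm the build creates them (or that the first rootless `podman info` on a fresh install actually succeeds rather than failing later than it did before). A one-line comment above `uidmap \`, `slirp4netns \`, `fuse-overlayfs \` noting that they are deliberate rootless-Podman dependencies which `--no-install-recommends` would otherwise omit would stop a future cleanup from dropping them again, since nothing in the list itself signals that they are not optional.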
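Review bot: the `chown debian-tor:debian-tor` in the new loop runs unconditionally, yet the lines immediately after it branch on whether a system Tor is present ("Prefer system Tor (installed via apt)" / `if command -v tor`); on the non-system path the debian-tor account need not exist, so the chown fails (aborting the script if it runs under `set -e`) and the 700 directories end up owned by an account other than the one that will run Tor. Suggest moving the loop inside the system-Tor branch, or resolving the owner into a variable chosen by that same check and reusing it here. Separately, the service list in `for svc in archipelago bitcoin electrumx lnd btcpay mempool fedimint` duplicates the HiddenServiceDir entries written into the torrc heredoc just above; defining the list once (or deriving it from the heredoc's HiddenServiceDir lines) avoids the two drifting apart, because a service added to the torrc but not to the loop would silently keep the old 750 mode and hit exactly the Tor permission refusal this patch is meant to fix.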