From 7f5bbbd74ca3d15a7e8e364ecfdecc9eac534529 Mon Sep 17 00:00:00 2001
From: Dorian
Date: Wed, 18 Mar 2026 14:22:00 +0000
Subject: [PATCH] =?UTF-8?q?fix:=20rootless=20podman=20scanning=20=E2=80=94?=
 =?UTF-8?q?=20relax=20namespace/syscall=20restrictions?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

RestrictNamespaces and SystemCallFilter block rootless podman from creating user namespaces needed for container isolation. Removed these along with RestrictSUIDSGID (implied by NoNewPrivileges). ProtectHome set to no (rootless podman needs ~/.local/share/containers writable). Remaining active protections: NoNewPrivileges, ProtectSystem=strict, ReadWritePaths, RestrictAddressFamilies, MemoryDenyWriteExecute, RestrictRealtime, SystemCallArchitectures=native. Also reduced initial scan delay from 15s to 3s for faster container visibility after boot, and removed Ollama from auto-deploy.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 core/archipelago/src/server.rs | 4 ++--
 image-recipe/configs/archipelago.service | 14 +++++++-------
 2 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/core/archipelago/src/server.rs b/core/archipelago/src/server.rs
index 51a0f015..00e5cb3f 100644
--- a/core/archipelago/src/server.rs
+++ b/core/archipelago/src/server.rs
@@ -217,8 +217,8 @@ impl Server {
 // Initial scan (delayed to let crash recovery finish first)
 tokio::spawn(async move {
- // Wait for crash recovery to start containers before scanning
- tokio::time::sleep(Duration::from_secs(15)).await;
+ // Brief delay for containers to stabilize after boot
+ tokio::time::sleep(Duration::from_secs(3)).await;
 info!("🐳 Scanning containers...");
 if let Err(e) = scan_and_update_packages(&scanner, &state, identity_clone.as_ref()).await {
 error!("Failed to scan containers: {}", e);
diff --git a/image-recipe/configs/archipelago.service b/image-recipe/configs/archipelago.service
index 7cf67edc..3fc72e94 100644
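Review bot: Cutting the sleep from 15s to 3s keeps the ordering with crash recovery a pure timing guess, while the surviving context comment `// Initial scan (delayed to let crash recovery finish first)` still promises that recovery has finished — on a slow boot the scan now runs before recovered containers exist, and they stay unseen until a later rescan, if one exists. A fixed timer is the wrong primitive in either direction: have crash recovery hand back a `tokio::sync::oneshot`/`Notify` (or its `JoinHandle`) and `await` that, bounded by `tokio::time::timeout`, before calling `scan_and_update_packages`. If the recovery task's handle is not reachable from here, at least make the comment honest, e.g. `// Heuristic delay only; this scan is NOT ordered after crash recovery — a container started later is only picked up by the next rescan`. The spawned block and the enclosing `impl Server` method continue outside the hunk.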
--- a/image-recipe/configs/archipelago.service
+++ b/image-recipe/configs/archipelago.service
@@ -8,6 +8,7 @@ Type=notify
 User=archipelago
 Environment="ARCHIPELAGO_BIND=0.0.0.0:5678"
 Environment="ARCHIPELAGO_DEV_MODE=true"
+Environment="XDG_RUNTIME_DIR=/run/user/1000"
 ExecStartPre=/bin/bash -c 'mkdir -p /var/lib/archipelago && echo "ARCHIPELAGO_HOST_IP=$(hostname -I 2>/dev/null | awk "{print $$1}")" > /var/lib/archipelago/host-ip.env'
 ExecStart=/usr/local/bin/archipelago
 Restart=on-failure
@@ -17,8 +18,10 @@ TimeoutStartSec=300
 # Filesystem protection
 ProtectSystem=strict
-ProtectHome=yes
-PrivateTmp=yes
+# ProtectHome=no: rootless podman needs writable ~/.local/share/containers
+ProtectHome=no
+# PrivateTmp disabled: rootless podman runtime lives in /tmp/podman-run-UID/
+# and must be shared between the service and SSH-created containers
 ReadWritePaths=/var/lib/archipelago /etc/containers /var/lib/containers /run/containers /run/user /tmp
 # Privilege restriction — restored with rootless podman (no sudo needed)
@@ -30,14 +33,11 @@ SupplementaryGroups=dialout
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
 # Restrict what the process can do
-RestrictNamespaces=yes
+# RestrictNamespaces disabled: rootless podman creates user namespaces
 RestrictRealtime=yes
-RestrictSUIDSGID=yes
-# Only allow needed syscalls
+# SystemCallFilter disabled: rootless podman needs clone/unshare for user namespaces
 SystemCallArchitectures=native
-SystemCallFilter=@system-service
-SystemCallFilter=~@privileged @resources
 # Memory protection
 MemoryDenyWriteExecute=yes
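Review bot: `XDG_RUNTIME_DIR=/run/user/1000` hard-codes a UID while the unit runs as `User=archipelago`, and nothing visible here pins that account to uid 1000; `/run/user/<uid>` is also only created by logind when that user has a session or lingering enabled, so at boot rootless podman either finds no runtime dir or, if 1000 is a different interactive user, works inside someone else's runtime directory. There is no unit specifier that expands to the `User=` uid of a system service, so either fix the uid in the image (`useradd -u 1000 ...` plus `loginctl enable-linger archipelago`) and say so next to the line, e.g. `# archipelago must be uid 1000 with linger enabled so /run/user/1000 exists before ExecStart`, or give the service its own directory with `RuntimeDirectory=archipelago` and `Environment="XDG_RUNTIME_DIR=/run/archipelago"`. Whether the image recipe already guarantees uid 1000 cannot be seen from this diff.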
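Review bot: `ProtectHome=no` by itself does not provide the writable `~/.local/share/containers` the new comment promises: `ProtectSystem=strict`, kept two lines above, still mounts the whole tree read-only except the `ReadWritePaths=` list, and that list contains no home directory. So either the archipelago user's home already lies under a listed path such as `/var/lib/archipelago` — then `ProtectHome=yes` cost nothing and dropping it only exposes `/home` and `/root` of every other account — or the home is under `/home` and image storage still fails with EROFS. The narrow fix is `ProtectHome=read-only` (or `tmpfs` with `BindPaths=`) plus the exact storage path in `ReadWritePaths=`, e.g. `ReadWritePaths=/home/archipelago/.local/share/containers`; the real home path is not visible here, and the deeper entry overriding the ProtectHome mount should be verified on the target systemd version. Removing `PrivateTmp=yes` for a predictable, world-writable `/tmp/podman-run-UID/` is a further widening, and with `XDG_RUNTIME_DIR` now set podman may not use `/tmp` at all, so confirm that reason still holds before keeping it.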
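Review bot: The reason given in the commit message for dropping `RestrictSUIDSGID=yes` is inverted — in systemd.exec it is `RestrictSUIDSGID=` that implies `NoNewPrivileges=`, not the reverse — so nothing now stops the service from creating setuid/setgid files under `/var/lib/containers` or `/tmp`. If it really had to go because layer extraction sets SUID bits on image files (plausible for rootless pulls, but not shown here), the replacement comment should say that; otherwise restore the line. `SystemCallFilter=` likewise did not need to vanish wholesale: `@system-service` already includes `@process` (`clone`, `unshare`, `setns`), and the breakage more likely comes from the `~@privileged @resources` denylist (setuid/setgroups/sethostname/pivot_root/chroot, setrlimit) and from `@mount` being absent, so `SystemCallFilter=@system-service @mount @setuid` followed by `SystemCallFilter=~@clock @cpu-emulation @debug @module @obsolete @raw-io @reboot @swap` keeps a filter while letting user namespaces and the OCI runtime work. That set is a starting point and needs a real pull/start test, since crun and conmon may require more.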