fix: add DAC_OVERRIDE cap for rootless volume access, fix LND health check
- electrumx: add DAC_OVERRIDE to SPEC_CAPS — rootless podman maps container UID 0 to host UID 1000, but volumes are owned by host UID 100000; without DAC_OVERRIDE the container can't write to its own data directory - lnd: replace curl-based health check with lncli using readonly macaroon — the REST API requires macaroon auth, so unauthenticated curl always fails - grafana: add DAC_OVERRIDE to SPEC_CAPS for the same rootless volume issue Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
parent
6bd515cb82
commit
bc6b4e0bec
@ -170,7 +170,7 @@ load_spec_electrumx() {
|
||||
SPEC_TIER="1"
|
||||
SPEC_DATA_DIR="/var/lib/archipelago/electrumx"
|
||||
SPEC_DEPENDS="bitcoin-knots"
|
||||
SPEC_CAPS=""
|
||||
SPEC_CAPS="DAC_OVERRIDE"
|
||||
}
|
||||
|
||||
# ── Tier 2: Services ─────────────────────────────────────────────────
|
||||
@ -183,7 +183,7 @@ load_spec_lnd() {
|
||||
SPEC_PORTS="9735:9735 10009:10009 8080:8080"
|
||||
SPEC_VOLUMES="/var/lib/archipelago/lnd:/root/.lnd"
|
||||
SPEC_MEMORY="$(mem_limit lnd)"
|
||||
SPEC_HEALTH_CMD="curl -sf --insecure https://localhost:8080/v1/getinfo || exit 1"
|
||||
SPEC_HEALTH_CMD="lncli --tlscertpath /root/.lnd/tls.cert --macaroonpath /root/.lnd/data/chain/bitcoin/mainnet/readonly.macaroon --rpcserver localhost:10009 getinfo > /dev/null 2>&1 || exit 1"
|
||||
SPEC_TIER="2"
|
||||
SPEC_DATA_DIR="/var/lib/archipelago/lnd"
|
||||
SPEC_DEPENDS="bitcoin-knots"
|
||||
@ -336,7 +336,7 @@ load_spec_grafana() {
|
||||
SPEC_TIER="3"
|
||||
SPEC_DATA_DIR="/var/lib/archipelago/grafana"
|
||||
SPEC_DATA_UID="100472:100472"
|
||||
SPEC_CAPS="CHOWN SETUID SETGID"
|
||||
SPEC_CAPS="CHOWN SETUID SETGID DAC_OVERRIDE"
|
||||
}
|
||||
|
||||
load_spec_uptime-kuma() {
|
||||
|
||||
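Review bot: Adding `DAC_OVERRIDE` to `SPEC_CAPS` in load_spec_grafana (and to the previously empty `SPEC_CAPS` in load_spec_electrumx) works around a volume-ownership mismatch instead of fixing it, and it lets the container's root bypass permission checks on every file whose owner is mapped into its user namespace. The grafana spec already carries `SPEC_DATA_UID="100472:100472"`, so presumably the data directory is meant to be chowned to the mapped UID. With the mapping the commit message describes (container 0 → host 1000, subordinate range starting at 100000), a process running as container UID 472 would map to host 100471 rather than 100472, which may be why the write still fails; this is worth confirming against the actual subuid range. I would rather set `SPEC_DATA_UID` to the correct mapped owner for both services and leave the capability out; if it must stay, put a comment on each line such as `# DAC_OVERRIDE: rootless workaround, data dir owned by an unmapped-for-this-process subuid; drop once ownership is fixed`. Both functions begin outside their hunks, so how `SPEC_DATA_UID` and `SPEC_CAPS` are consumed is not visible here.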